The Washington PostDemocracy Dies in Darkness

More questions raised about OPM’s response to breaches of background, personnel records

Placeholder while article actions load

A year after the government disclosed that personal information about millions of current and former federal employees and others had been stolen from two Office of Personnel Management databases, auditors remain skeptical of OPM’s steps to shut the cyber barn door.

“We continue to believe that there is a very high risk that the project will fail to meet its stated objectives of delivering a more secure environment at a lower cost,” the office of the agency’s inspector general said in a report issued Thursday.

The report is the latest in a series from the office criticizing OPM management for not carrying out standard planning steps for such a project, including exploring all the options first and fully understanding the project’s scope, its cost and how it will be funded.

The first of those reports shortly followed OPM’s acknowledgement of breaches of separate databases of federal employee personnel records and of background investigation records.

Computer system that detected massive government data breach could itself be at ‘high risk,’ audit finds

The former breach involved records of some 4.2 million current and former federal employees, including personal identifying information, educational background, work histories and similar information. The latter involved some 21.5 million current and former federal, military and contract personnel and others who had background investigations performed on them since 2000 and in some cases before. Those checks are performed for reasons including security clearance applications, which require disclosure of highly personal information such as financial or legal troubles, or to gain permission to enter certain government buildings.

Since a second IG report last September, OPM has submitted a standard business case document to the Office of Management and Budget, but that justification does not meet OMB’s requirements nor the intent of the earlier IG recommendations, said the latest report from acting IG Norbert E. Vint.

OPM response to cyberbreach challenged again

In the newest report, auditors said that given the initial urgency, it was understandable that OPM would have to short-cut the planning process. That stage has now passed, they said, but after reviewing OPM’s latest actions, “we are even more concerned than ever about the lack of disciplined capital planning processes.”

The report said that thorough planning is even more important in light of the announcement in January that a new semi-independent National Background Investigations Bureau will be created inside OPM to take over the background investigations OPM performs, while the Defense Department will take over responsibility for storing and protecting the information — further complicating the task at hand.

In a response included in the report, OPM’s chief information office said it agrees that a complete study of the options — an “analysis of alternatives,” in government contracting lingo — “would be beneficial to OPM and bring enhanced rigor to the capital planning process. It is particularly beneficial in light of the recent decision to transition background investigation services to the National Background Investigations Bureau and have DoD provide the IT support to the NBIB.”

Pentagon to take over control of background investigation information

The report also warned that OPM may be underestimating the costs of maintaining its legacy systems, potentially to the point where there would be “no funding available for modernization and migration.”

“Because OPM’s lifecycle cost estimates are unsupported and probably significantly understated, there is a high risk that future budgets will continue to be inadequate to complete the Project,” it said. Meanwhile, “potentially wasteful spending” has occurred in creating a new security environment “before it was clear that it was the best solution.”

In its response, OPM said it “also concurs with the OIG’s recommendation that the agency would benefit from more rigorous estimation of lifecycle costs” and that it has put in place a management system designed to do so.

An OPM spokesman had no comment beyond the responses within the report.