WASHINGTON (AP) — For years, the Office of Personnel Management’s independent watchdog tried to warn the public about the agency’s cybersecurity failures.
Now, the OPM inspector general is sounding an alarm about what it says is the agency’s ill-conceived plan to fix some of those problems in the wake of a devastating cybertheft of personal information belonging to millions of federal employees.
In a “flash audit” circulated to Congress Wednesday, Inspector General Patrick McFarland raised “serious concerns” about a proposed $91 million computer overhaul of OPM networks, saying it had not followed management guidelines and relied on a no-bid contract to a single vendor.
Office director Katherine Archuleta, a former school teacher who worked on President Barack Obama’s 2012 re-election campaign, told Congress this week that her agency’s computer systems were so old they needed an immediate modernization. The antiquated computer architecture, she asserted, was one reason hackers were able to infiltrate the system and make off with sensitive data on millions of federal workers and security clearance holders.
McFarland wrote that he agreed in principle with the idea, but he noted that agency leaders launched the project with crucial questions unanswered, including how much it would cost. He questioned the $91 million estimate by the agency.
“We have serious concerns regarding OPM’s management of this project,” McFarland wrote in the audit, obtained Thursday by The Associated Press. “The project is already underway and the agency has committed substantial funding, but it has not yet addressed several critical project-management requirements.”
He said there was “a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications.”
OPM spokesman Samuel Schumach had no comment.
McFarland’s office had warned since 2007 about OPM’s substandard computer network security, and his deputy, Michael Esser, told a House oversight committee Tuesday that those failures contributed to the cyberbreach.
Now, the inspector general is saying, the proposed solution could also be a disaster.
“In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure,” McFarland wrote.
Many critical agency applications run on OPM’s aging mainframe computers, he wrote, including those that process payments for federal retirees, reimburse health insurance companies for claims and manage background investigations.
“These applications are based on legacy technology and will need to be completely renovated to be compatible with OPM’s proposed new IT architecture.” A much smaller migration of a single system cost $30 million and took two years to complete, McFarland wrote.
OPM estimates that its proposed overhaul will take 18 to 24 months to finish, he wrote. “We believe this is overly optimistic and that the agency is highly unlikely to meet this target.”
McFarland added that OPM officials “informed us that the urgent and compelling nature of the situation required immediate action, and this is the reason that some of the required project management activities were not completed.”
He agrees that urgent action was needed, he wrote, but that was not a justification for cutting corners over the life of the project.
“The other phases of the project are clearly going to require long-term effort, and, to be successful, will require the disciplined processes associated with proper system development project management,” McFarland wrote.