Sen. James Lankford (R-Okla.) is questioning the Office of Personnel Management’s ability to secure data and its systems, and he wants some answers.
Lankford, the chairman of the Homeland Security and Governmental Affairs Subcommittee on Regulatory Affairs and Federal Management, sent a letter to OPM Director Kathleen Archuleta today seeking answers to nine questions by June 22.
Lankford said that although OPM continues to say cybersecurity is a top priority, this third breach of federal employee data over the last year is troubling.
“OPM’s inconsistent responses to the USIS and KeyPoint breaches only deepen our concern of OPM’s ability to self-assess the security of its internal IT systems, which were likely similarly vulnerable, and which have resulted in a breach significantly more devastating,” Lankford wrote. “In response to the self-reported USIS breach, which exposed 25,000 federal employees’ personally identifiable information, OPM went so far as to suspend work with the company and eventually cut all ties with USIS. In contrast, OPM merely gave KeyPoint a slap on the wrist for a breach, which compromised 48,000 federal employees, and which was only detected by the Department of Homeland Security. At the time, OPM issued a statement promising that ‘KeyPoint has worked closely with OPM to implement additional security controls that will afford it network greater protection.’ That OPM would so disparately reprimand its contractors for their IT security while failing to prevent a breach 55 times larger than the USIS and KeyPoint breaches combined, raises serious questions about the integrity of OPM’s IT security.”
An email to OPM seeking comment on the letter was not immediately returned.
OPM’s challenges with cybersecurity are well documented. Its inspector general repeatedly found in November 2014 that the agency had regressed in some IT security areas.
“[O]ur audit also determined that of the 21 OPM systems due for a security assessment and authorization in FY 2014, 11 were not completed on time and are currently operating without a valid authorization,” auditors wrote in the IG’s semiannual report to Congress issued in March. “The drastic increase in the number of systems operating without a valid authorization is alarming, and represents a systemic issue of inadequate planning by OPM program offices to authorize the information systems that they own. We believe that the volume and sensitivity of OPM systems that are operating without an active authorization represents a material weakness in the internal control structure of the agency’s IT security program.”
Auditors also said OPM doesn’t maintain a comprehensive inventory of servers, databases and network devices, so it’s unclear whether they meet configuration management requirements or can be scanned for vulnerabilities. The IG said several information security agreements between OPM and contractor-operated systems have expired.
OPM needs more funding
Lankford’s letter is part of a growing fervor on Capitol Hill.
Tuesday night, Archuleta and officials from DHS and the Office of the Director of National Intelligence briefed House Intelligence Committee members about the data breach.
According to published reports, Rep. Devin Nunes (R-Calif.), chairman of the committee, told reporters that OPM, DHS and ODNI still were trying to figure out the scope and the extent of the data loss.
Rep. Jason Chaffetz (R-Utah) plans to hold the first of what is likely to be several hearings on the breach. Chaffetz sent an advisory out to committee members Tuesday telling them to plan for a June 10 hearing. PoliticoPro first reported Chaffetz’s plans.
A spokesman for Lankford said the senator is considering a hearing, but no decision has been made.
Additionally, Sens. Mark Warner (D-Va.) and Angus King (I-Maine) sent a letter to the Appropriations Committee urging them to fund OPM’s 2016 budget request, which is $32 million above its 2015 level.
“This attack on OPM’s IT infrastructure is not the first and will likely not be the last. The federal government’s analysis of this attack, which occurred in December of last year, has concluded that the OPM is now a target of cyber-attackers,” the lawmakers wrote. “As the keeper of sensitive data — including personally identifiable information for 32 million federal employees and retirees — OPM has a huge responsibility to maintain and consistently upgrade their cybersecurity controls. The funding requested includes $21 million to continue and finish upgrades initiated after a FY2014 attack and represents the recommendations of a comprehensive security analysis meant to protect OPM’s network well into the future. While OPM may need to revise their request further in light of the most recent attack, it is abundantly clear that technology and cyber attackers evolve in real time and the federal government needs more resources and budget certainty to keep their infrastructure current and strong.”
Warner and King said the additional funding would go toward sustaining the agency’s security operations center and real-time monitoring of its network, support for stronger firewalls and storage devices for capturing security log data to analyze threats and vulnerabilities, and additional staff for the SOC.
OPM has been moving toward better, real-time cybersecurity for much of the past year.
Jeff Wagner, OPM’s director of IT security, said in March the agency is moving toward a concept that includes more automation of detecting and responding to cyber threats.
Despite these efforts, Lankford is concerned that OPM isn’t doing enough to stem the tide against these consistent cyber problems and data leaks.
The questions Lankford asked include:
On what date(s) did the breach announced June 4 occur, and for how long did it persist?
On what date did OPM learn of the breach? Please provide chronology of OPM’s investigation.
On what date did OPM fulfill its obligation under [the law] to notify the federal information security incident center of the breach?
How will OPM fund these [credit monitoring] efforts, and from which appropriated accounts? On what date did OPM arrange with CSID to provide credit monitoring services?
How did OPM identify CSID as a vendor? What procurement process was used?
Does OPM intend to revise its strategic IT plan in light of the security breaches within the agency over the past year, as well as those at its contractors? What additional remedial measures does OPM intend to take?
Despite the third breach of federal employee data over the last year, White House spokesman Josh Earnest said at the daily briefing with reporters Tuesday that President Barack Obama still has confidence in Archuleta.
“Well, the President has confidence that every single member of his staff understands that cybersecurity needs to be a priority. And, again, in talking about this yesterday, the President was pretty direct about the fact that we’ve got our work cut out for us when it comes to taking what, in some cases, are pretty old computer systems and making sure that they have modern, adaptable security measures in place to protect against cyber intrusions,” he said. “[T]he President convened this Cabinet meeting a couple of weeks ago — two or three weeks ago, I guess it was now — where this was an item on the agenda, the need to make sure that, institutionally, agencies across the administration understand that these kinds of threats are real and require the attention of the senior-level officials at each of these agencies.”