A powerful House lawmaker is digging deeper into the Office of Personnel Management’s massive data breach, trying to understand what documents hackers potentially stole and the role of the contractor hired to improve cybersecurity protections of the agency’s systems.
Rep. Jason Chaffetz (R-Utah), chairman of the Oversight and Government Reform Committee, sent three letters this week (one to OPM, one to the Homeland Security Department and one to OPM’s main technology contractor, Imperatis Corp.) seeking a variety of documents.
Chaffetz’s letter to OPM acting Director Beth Cobert refers back to his committee’s June 24 hearing where agency Chief Information Officer Donna Seymour confirmed hackers stole security documents that could help them learn about OPM’s infrastructure.
The committee asked OPM to respond by Sept. 1 to six questions focused on security documentation and actions taken by OPM in light of the discovery that these documents had been stolen.
“The fact that security documents and systems manuals were accessed and taken from the network as discovered in March 2014 heightened the need for OPM to protect its network,” Chaffetz wrote.
The questions the committee wants OPM to answer include the names of the documents and the date they were taken; the dates the agency’s inspector general, the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) and the FBI were notified; and any documents and communications related to a breach of OPM’s mainframe system.
“OPM is committed to cooperating with congressional oversight of the agency’s activities,” said an OPM spokesperson. “OPM takes seriously the committee’s requests for information about the recent cyber incidents, and is working hard to be responsive to the committee’s interest in the issue.”
Despite these questions, OPM had already tried to alleviate the committee’s concerns.
At the June hearing, Seymour told the committee, when questioned about the stolen manuals, that while they may aid an adversary, the hackers didn’t get “specific configuration diagrams” of OPM’s systems and “a lot of these manuals are commercially available.”
Anne Barron DiCamillo, director of the US-CERT, also testified that the documents didn’t include proprietary or specific information about OPM’s IT architecture. She also reiterated Seymour’s comments that much of this information was publicly available.
But Chaffetz isn’t satisfied with those initial answers and wants more details from OPM, Barron DiCamillo and OPM’s contractor, Imperatis.
In a letter to US-CERT on Aug. 19, Chaffetz asked for information about when OPM contacted it about the data breaches, when US-CERT performed incident response and remediation activities and any reports or recommendations it made to OPM.
The committee asked for answers or information by Sept. 2.
In the letter to Imperatis CEO retired Maj. Gen. Mastin Robeson, Chaffetz asked for more information on OPM’s multi-phase IT infrastructure project.
The committee asked for answers to eight questions by Sept. 1.
The questions Chaffetz is asking include details of Imperatis’ role in each phase of the project, all communication with OPM before and since the June 2014 contract award, copies of the company’s proposal and contract for the infrastructure program and details about Imperatis’ role in responding to the two data breaches.
“Imperatis intends to be fully transparent and responsive to Chairman Chaffetz’s letter of Aug. 18, 2015,” a spokeswoman said by email. “Although we are not at liberty to discuss the contract, Imperatis proudly stands behind the work we are doing for our government customers.”