In the wake of the massive cyber breach impacting anywhere from 4 million to 18 million current and former federal employees, contractors, congressional staff and even their family members, the Office of Personnel Management may need to ask Congress for more money in fiscal 2016.
OPM Director Katherine Archuleta told the Senate Appropriations Subcommittee on Financial Services and General Government that the data breach affecting 4 million current and former federal employees is costing between $19 million and $21 million.
So, if OPM has to pay for credit monitoring services and identity protection services for 14 million or 18 million or however many more people the breach affects, the costs could reach $80 million or more.
“We are analyzing right now with the Office of Management and Budget and my CFO to determine what the request might look like. I hope to get back to you by the end of the week,” Archuleta said during the hearing.
That amendment to the budget request already comes on top of a $32 million plus-up for 2016 over OPM’s 2015 budget. That increase includes $21 million to complete much-needed cybersecurity and IT modernization efforts.
OPM is in its second year of a three-year plan to fix long-standing IT infrastructure and cybersecurity issues. Archuleta said OPM already has invested $67 million in this program in 2014 and 2015.
IG flash audit pokes holes in OPM modernization plan
But, as OPM goes to Congress for more funding, its inspector general is issuing a warning that the IT modernization program is not on a solid path toward success.
The IG released a flash audit before the hearing highlighting serious concerns about the program.
“One area of significant concern we have identified is that OPM doesn’t have a dedicated funding source for the entire project. Its estimate of $93 million includes only the initial phases of the project, which covers tightening up the security controls and building a new shell environment,” said Michael Esser, the assistant IG for audits. “The $93 million estimate doesn’t include the cost of migrating approximately 50 major IT systems to this new shell environment. The cost of this work is likely to be substantial and the lack of a dedicated funding source increases the risk that the project will fail to meet its objectives.”
But it’s not just the lack of a funding source that worries the IG. Auditors say OPM didn’t do some basic documentation such as an OMB Exhibit 300, which is required for major IT systems, a feasibility study to address scope and timeline, and even a high-level test plan.
The audit also questions OPM’s decision to award what it calls a sole-source contract to a vendor for the first two stages of this four-stage project.
The flash audit doesn’t name the contractor, but the IG said OPM should compete the third and fourth phases of project under a new contract.
Esser said the IG wasn’t aware of the IT modernization program until a few months ago and then started looking into it.
OPM said if the agency were to follow the IG’s recommendation to adhere to the regular timetable of submitting this project as part of the fiscal 2017 budget process, then “it would be necessary for OPM to begin a process that could not be completed in time and that would only serve to stall the critical efforts already underway.”
In light of the flash audit and the initial increase, Sen. John Boozman (R-Ark.) said more money is not always the answer to the agency’s problems.
“It is easy to suggest more money is the solution. That seems to be the response the administration leans on every time there is a problem. But it is often the wrong choice, especially in situations like this where it appears that the problem is something much greater than a lack of resources,” he said. “In the FSGG [Financial Services and General Government] bill alone, billions have been spent over the years on tax systems modernization at the IRS, work that has been continuing for decades and is still incomplete. Even for projects now on track, past problems generated millions in additional costs and years of delay. And as we have seen recently at IRS, and once again with the OPM breach, both of which have compromised the personal data of millions of Americans, billions of federal dollars spent are no guarantee of security.”
Boozman said he’s not against allocating more funding to OPM.
“I’m very willing and very open to see what we need to be spending. We need to spend whatever it takes to keep us safe,” he said. “The point I was trying to make was buying a bunch of stuff, which we have done in the past and really don’t have anything to show for it, is not going to keep us safe. I think the truth in that is there is a lot of talk about the legacy systems and you can’t update them. But today in the testimony, as we’ve heard earlier, a lot that was involved were not legacy systems. These were systems that could have been upgraded with appropriate means we have now with minimal cost and minimal protocol, and would have kept us much safer than what we are.”
Calls for Archuleta’s resignation grow
Boozman said there is a management problem at OPM because there hasn’t been enough accountability and oversight of the IT investments.
Sen. Chris Coons (D-Del.), the subcommittee’s ranking member, said he too is alarmed by the IG’s flash audit.
But Coons said without the funding, the IT modernization project, the investment of the two previous years, cannot be completed.
While Boozman held off calling for Archuleta’s resignation, Sen. Steve Daines (R-Mont.) said it’s time for Archuleta to go.
“Under Katherine Archuleta’s watch, OPM allowed one of the largest breaches of federal employees’ personal information in our nation’s history. More, Ms. Archuleta has refused to take accountability for this great failure – in turn failing the American people, whom she swore an oath to protect and defend,” said Daines, who served as vice president of RightNow Technologies before coming to the Senate. “Leadership starts at the top, and in light of this unprecedented theft of our citizens’ records, we must hold those in positions of responsibility accountable. I lack the confidence that Ms. Archuleta can institute the needed reforms within OPM to protect Americans from future cyber theft. We must continue to diligently pursue these hackers to the fullest extent of the law and take much-needed steps to ensure these breaches aren’t repeated.”
Daines is one of the first senators to call for Archuleta’s ouster, but several House members went public with their decision that it’s time for her to resign.
Archuleta and OPM executives are scheduled to appear before the House Oversight and Government Reform Committee Wednesday for a second hearing on the data breach. Then on Thursday, OPM, along with federal CIO Tony Scott and others, will testify before the Senate Homeland Security and Government Affairs Committee to answer more questions on the cybersecurity incident.