OPM to make it easier for feds to verify cyber breach status

Potential victims of the Office of Personnel Management’s cyber breaches who haven’t yet received a notification letter from the agency will soon have a way to check their status.

OPM, with help from the Defense Department, will set up a verification center later this month, said acting Director Beth Cobert, whom President Barack Obama officially nominated Tuesday to serve as the agency’s permanent director.

“[It will] assist individuals who haven’t received a letter and think ‘I should be getting a letter, why hasn’t it come?’ We want to wait to get the bulk of the letters mailed to do that,” Cobert said during the Chief Human Capital Officers Council meeting Nov. 10, which was open to the public. “We’re going to be doing it again in a way that focuses on the security of the process. Given the sensitivity of the population, given the data that was affected in the breach, we’ve got a set of procedures that allow people to self-identify, but also do it in a way that’s secure.”

To date, Cobert said OPM has sent about 5 million notification letters to breach victims. Near the end of October, the agency said it had notified about 3.7 million cyber breach victims.

About 5 percent of breach victims have enrolled in free credit monitoring and identity protection services so far, which Cobert described as a “rolling average,” while the agency continues to mail its notification letters.

Filling critical cyber talent gaps

As OPM — and other agencies — have learned in the wake of two recent cyber attacks, the nature of the threats government faces is changing, Cobert said.

Agencies need to act quickly to recruit and hire the right people who can help address those threats. The push to strengthen government’s cadre of cyber experts needs the same urgency and dedication agencies used to execute the 30-day cybersecurity sprint, Cobert said.

“In my OMB days, when we started the cybersecurity sprint around personal identity verification (PIV) authentication, the mantra was about 100 percent execution,” Cobert said. “The elements in the cybersecurity implementation plan have that same flavor. We just need to get this done. It’s on all of us collectively to say how do we take that charge and move forward with it?”

Cobert’s request comes as OPM approved new authorities for the Homeland Security Department to hire 1,000 new cyber professionals.

The Office of Management and Budget also released a new cybersecurity strategy and implementation plan (CSIP) for civilian agencies. The Oct. 30 memo and plan identified recruitment and retention of highly skilled cybersecurity experts as one of five major priorities.

According to the plan, agency CHCOs and chief information officers are expected to identify the top five cyber gaps they see within their agencies and report them to OPM and OMB.

Agencies have until Dec. 31 to finish the job coding for specialty cyber positions and report them to OPM, said Mark Reinhold, OPM CHCO and associate director for employee services.

And by April 30, OPM and OMB, along with DHS and the National Institute of Standards and Technology, will finish a study of the federal cyber workforce and make recommendations to improve recruiting, hiring and training for new cyber professionals.

“The report will ultimately include this detailed mapping of the cyber workforce, that will include information not just about the existing cyber employees but also open position vacancies in agencies and contractor resources that are working on cyber,” Reinhold said.

But Cobert reiterated she wants to see progress in this space sooner rather than later. She’s also looking for feedback from members of the CHCO Council.

“We have to find a different way to respond,” Cobert said. “We need the creativity, the thoughtfulness, the perspective of folks in this room. We need your dogged execution.”

Copyright © 2019 Federal News Network. All rights reserved.