Congress once again wants more information from senior leaders in the Obama administration about their response to several federal cyber breaches within the past year.
Rep. Lamar Smith (R-Texas), the chairman of the Science, Space and Technology Committee, is asking for more details from the Office of Personnel Management and the Office of Management and Budget — this time calling into question the role that foreign nationals and contractors serve in protecting federal IT systems.
OPM has insisted it’s a different organization one year after its two major cyber breaches.
But the House committee is particularly concerned by reports that OPM contractors, some of whom were foreign nationals and located in countries such as Argentina and China, had access to the agency’s classified systems.
“In other words, an agency that identifies foreign nations as the source of the most serious and frequently occurring threat, either failed to realize that foreign nationals had access to its database, or knew it and failed to correct the situation,” Smith wrote in a July 19 letter to Acting OPM Director Beth Cobert.
Director of National Intelligence James Clapper has suggested that hackers in China were responsible for the OPM breaches, but the administration has been hesitant to officially place the blame.
About a year after the breaches, Smith said he is unimpressed by OPM’s approach to cybersecurity. He cited a recent Government Accountability Office report, which pointed to some deficiencies with high-impact systems at four agencies, including OPM.
GAO described some confusion between OPM’s approach to cybersecurity and provisions in the Federal Information Security Modernization Act (FISMA). FISMA requires that agencies secure their own IT systems, including those that contractors operate. But OPM said it “approaches security through contractor oversight,” Smith’s letter said.
OPM has until Aug. 5, 2016 to respond to 10 questions from the committee. Some of the highlights include:
Whether OPM or an OPM contractor has ever allowed foreign nationals access to systems and databases that contain sensitive information or personally identifiable information (PII).
How OPM conducts oversight of its agency and contractor-operated IT systems.
What personnel security guidance OPM gives to its employees, contractors and foreign nationals.
How OMB communicated and interacted with OPM in the wake of the 2015 cyber breaches and subsequent cyber sprint.
How OPM complies with National Institute of Standards and Technology (NIST) guidelines related to personnel security.
Smith had similar questions for OMB. He asked Donovan about his organization’s role in overseeing agency FISMA compliance, as well as OMB’s guidance on foreign nationals and their role in protecting federal IT systems.
The letter also asks for a progress update on the CyberStat review sessions, which OMB conducts with agencies to make sure they have the right tactics in place to maintain a strong cybersecurity posture. The OMB Cyber and National Security Unit conducted twice as many sessions in fiscal 2015 as in the previous year, Smith’s letter said.
But the June GAO report recommended OMB finish its plans and best practices for securing federal IT systems.
OPM said in a statement it would “respond to the committee’s letter in a timely fashion.”