Seventeen Republican House members joined Chairman Jason Chaffetz (R-Utah) of the House Oversight and Government Reform Committee today in calling for the removal of Office of Personnel Management Director Katherine Archuleta and OPM CIO Donna Seymour.
In a letter to President Barack Obama, the lawmakers said Archuleta and OPM leaders failed to adequately address known cybersecurity weaknesses that led to two recent cyber data breaches that exposed the personally identifiable information of millions of current and former federal employees.
“Director Archuleta and her leadership team failed to correct serious vulnerabilities to OPM’s network and cybersecurity posture despite repeated and urgent warnings from OPM’s Inspector General that date back to 2007, at least,” the letter said. “For eight years, the agency’s leadership has been on notice as to the ‘material weakness’ of OPM’s data security. As recently as 2014, the Inspector General warned that many of OPM’s major information systems were at high risk. According to the Inspector General’s FY 2014 FISMA Final Audit Report, 11 out of 47 major information systems at OPM lacked proper security authorization.”
In addition, the lawmakers criticized OPM’s cybersecurity policies and practices.
“There is no excuse for failing to encrypt sensitive data at rest, require multi-factor authentication for remote access to critical systems, and properly segment data within the network, among other things that OPM failed to do,” the letter said. “These are basic cybersecurity best practices that should have been addressed years ago. These catastrophic failures to implement relatively routine countermeasures allowed our adversaries to land a ‘significant blow’ to America’s human intelligence programs.”
Archuleta was on Capitol Hill answering questions about the breach on Tuesday before the Senate Appropriations Subcommittee on Financial Services and General Government, on Wednesday before Chaffetz’s committee, and on Thursday before the Senate Homeland Security and Governmental Affairs Committee.
But Chaffetz and the 17 House Republicans were not persuaded by what Archuleta and Seymour had to say.
“Simply put, the recent breach was entirely foreseeable, and Director Archuleta and CIO Donna Seymour failed to take steps to prevent it from happening despite repeated warnings,” the letter said.
“We listened closely to both Director Archuleta’s and Ms. Seymour’s testimony before the Committee. We have lost confidence in Director Archuleta’s ability to secure OPM’s networks and protect the data of millions of Americans. We have also lost confidence in OPM CIO Donna Seymour’s ability to do the same. This country’s hard working federal employees deserve better, and these systems are too important to leave unsecured.”
So far, the Obama administration has stood behind Archuleta and Seymour.
Federal CIO Tony Scott told Federal News Radio in an exclusive interview that it would be a bad decision to dismiss Archuleta and Seymour.
“If you look at various points of time and when things really started to change in OPM, it’s when Director Archuleta and Donna Seymour came in,” he said. “They’ve driven more change, more quickly both from a governance model from putting in the right tools and technology, and from a leadership perspective than anyone ever did before them. It’s unfortunate that all of these things have happened. I think as we pointed out in a number of hearings, it was the very fact that they were putting in the right tools, organized the right way and did these other things that these breaches were discovered. But for that activity, we might still be sitting here fat, dumb and happy and thinking that everything was great. We’d be getting IG reports that everyone would ignore and all of those old behaviors that we really have to work hard to move forward on.”