The Office of Personnel Management finally tried to get ahead of the hearings and the bad news.
OPM released an eight-page plan to make a host of cyber improvements over the next six months, issuing it on Wednesday just before the second of three hearings this week focused on the massive data breach got under way.
In the document, Archuleta detailed 15 steps OPM plans, starting with hiring a new cybersecurity advisor that will report directly to her.
“This cybersecurity advisor will work with the OPM chief information officer to manage ongoing response to the recent incidents, complete development of OPM’s plan to mitigate future incidents and assess whether long-term changes to OPM’s IT architecture are needed to ensure its assets are secure,” she said. “This individual is expected to be serving by Aug. 1.”
Archuleta also will hold a summit with private sector security experts in the coming weeks to help learn from their experiences and see if there are things OPM can borrow from their successes and failures.
She also said OPM will complete the deployment of two-factor authentication, using smart identity cards for all employees to log on to the network, by Aug. 1.
By July 15, OPM will review all of its databases and plan to encrypt those that run on modern technology platforms and can accept encryption.
The agency wrote in the strategy that many of these actions are based on recommendations that have been provided by independent experts such as the agency’s inspector general, the Government Accountability Office (GAO) and other federal partners.
OPM IG Patrick McFarland said there are four steps the agency should take immediately to improve its cybersecurity.
Implement multi-factor authentication using smart identity cards.
Develop a comprehensive inventory of servers and databases.
Implement encryption and data loss prevention tools.
Proceed with their IT infrastructure modernization and overhaul.
Rep. Elijah Cummings (D-Md.) asked McFarland whether OPM’s new plans satisfy many of his concerns.
“No, it doesn’t satisfy me as far as our concerns. We have a whole suitcase of concerns that we’ve identified in our reports,” McFarland said. “I think that the best way to explain or answer that question is that we are very frustrated that we ask for answers of OPM, and it takes a long time to get answers. We ask definitive questions and we don’t necessarily get definitive answers.”
Many times during the hearings over the last two weeks, Archuleta assured lawmakers that she and OPM take cybersecurity seriously.
The plan, in many ways, is another example of her commitment.
“Director Archuleta has directed that these actions be carried out with all due speed, as further steps to protect the critical assets and data OPM is entrusted with are of the utmost urgency,” the document stated.
The plan comes on top of 23 other steps OPM has been taking over the last 19 months to improve its cyber posture. Archuleta and OPM CIO Donna Seymour told House and Senate lawmakers that the agency’s legacy systems, some running COBOL, made it difficult to implement the latest security tools.
OPM asked for an additional $21 million above its fiscal 2015 budget to complete its IT infrastructure upgrade program started in 2014.