Sen. Jon Tester (D-Mont.) is calling on the Office of Personnel Management’s inspector general to investigate the critical data system that OPM uses to store personal background investigation information.
In a letter to OPM IG Patrick McFarland, Tester expressed concerns about potential vulnerabilities in the EPIC suite system in OPM’s Federal Investigative Service (OPM-FIS).
“On June 29, OPM promised to re-evaluate its Electronic Questionnaires for Investigations Processing (e-QIP) and has taken it offline for a period of four to six weeks,” he wrote. “I am concerned, however, that the larger suite of products under which e-QIP is housed, known as ‘EPIC,’ remains vulnerable despite significant investments into the system.”
Tester asked the IG to conduct the investigation during and after the planned 30-day review by the Office of Management and Budget and make recommendations to OPM.
OPM said in a statement that the decision to take e-QIP down didn’t have to do with the massive cyber breach it suffered earlier this year.
The e-QIP system, developed first in 2003, lets employees, contractors or potential workers add their information to the SF-86 form and SF-85P over a secure Internet connection. Over the last year or so, OPM initiated a pilot to let users digitally sign their forms.
In response to the IG office’s Fiscal Year 2014 Top Management Challenges memorandum, OPM Director Katherine Archuleta noted that the EPIC system has not undergone a comprehensive evaluation that determines whether the system meets security requirements.
“This vulnerability may have exposed both EPIC suite’s e-QIP system and the entirety of the data housed within it,” Tester wrote. “In particular, such a breach would expose elements from the Standard Form-86 (SF-86s) completed in the course of investigating the millions of current and former candidates for security clearance. This form includes incredibly personal information, including a candidate’s level of debt, history of substance abuse, and sexual behaviors.”
Although OMB ordered agencies in June to act over 30 days to improve the security of their systems and data, a June 17 flash audit by the OPM IG revealed that the agency needed to follow best practices and determine the full scope and cost of the IT security upgrade.
“In the case of the EPIC suite upgrades, it is necessary for OPM to conduct proper and thorough planning of system upgrades, consult with multiple vendors, and develop its systems and software to obtain proper Authorization,” Tester wrote. “Given that the total estimated costs of updating the EPIC suite from fiscal years 2010-2015 was more than $164 million, it is troublesome that IT systems management best practices appear not to have been in place.”
He added that it was critical for McFarland’s office to continue to be diligent in its oversight of EPIC, especially considering OPM’s $23 million Fiscal Year 2015 Acceleration Option request.
On June 4, OPM notified 4 million current and former federal employees that their personally identifiable information may have been exposed in a cyber breach. This was followed by news of a second breach that exposed information contained in SF-86s.
It is unclear, at this point, how many people were impacted by a second breach on the government’s security clearance database. In congressional testimony, Archuleta did not confirm or deny speculation that as many as 32 million people could be affected, citing the ongoing law enforcement investigation.
Michael O’Connell is senior digital editor of Federal News Network optimizing content for the best user experience. Follow @moconnellWFED