The Office of Personnel Management’s inspector general has issued a formal complaint to acting director Beth Cobert about the lack of cooperation by the agency’s chief information officer.
Patrick McFarland, the OPM IG, wrote a letter to Cobert on July 22, which was only released publicly on Aug. 6, highlighting serious concerns about Donna Seymour and the way her office works with auditors, including whether she is “acting in good faith.”
“In certain situations, the OCIO’s actions have hindered the OIG’s ability to fulfill our responsibilities under the Inspector General Act of 1978, as amended (IG Act). Further, we have found that the OCIO has provided my office with inaccurate or misleading information, some of which was subsequently repeated by former OPM Director Katherine Archuleta at Congressional hearings,” McFarland wrote. “I am sharing this with you not to accuse any OPM employees of intentional misconduct, but rather to clear the air and rebuild a productive relationship between the OIG and the OCIO.”
The letter comes as pressure on Seymour continues in the aftermath of the massive cyber breach impacting more than 22 million current and former federal employees.
Rep. Jason Chaffetz (R-Utah), chairman of the Oversight and Government Reform Committee, wrote a separate letter to Cobert on Aug. 6 demanding Seymour be fired. This was the second time Chaffetz called on Seymour to resign. He wrote a letter to President Barack Obama on June 26 asking him to remove Seymour.
“I am deeply troubled Ms. Seymour remains at her post over a month after this request was made,” Chaffetz wrote. “My concerns about Ms. Seymour’s ability to serve are amplified by a communication the committee received from the inspector general.”
OPM pushed back against both the IG’s and Chaffetz’s complaints.
An OPM spokesman said by email that Cobert is pleased with Seymour and the entire CIO team’s efforts to improve OPM’s cybersecurity.
The spokesman said Cobert responded to the IG’s letter, saying “In her first four weeks at OPM she has observed that the team, including the Office of the Chief Information Officer — working side-by-side with experts from across the federal government — has been working incredibly hard to enhance the security of our information technology systems and support those who have been affected by the recent cybersecurity incidents. The recent results of the Cybersecurity Sprint demonstrate the progress that has been made, although everyone recognizes there is more to do.”
The spokesman noted that Seymour has only been at OPM since late 2013 and has led an aggressive effort to improve the agency’s cyber and overall IT posture.
Seymour also continues to have the support of federal CIO Tony Scott, according to an Office of Management and Budget official.
Scott continues to stand behind what he said at the June 25 hearing before the Senate Homeland Security and Governmental Affairs Committee: that he’s spent time with the teams doing the cyber remediation work at OPM and has been impressed.
“They are working really, really hard and doing the right things. I’ve talked to them about the leadership that they’re getting from both [former] director [Katherine] Archuleta and Donna Seymour, and they tell me that they’re very, very supportive of the efforts and the leadership that they see there,” Scott told the committee. “And the one comment I would make is, I think we need to be careful about distinguishing firestarters from firefighters in this particular case, and they have my full support.”
Despite what Cobert said and Scott’s continued endorsement, the IG is unhappy with the collaboration from the CIO’s office.
While much of the letter is redacted, McFarland said the CIO’s office interfered with the IG’s oversight responsibilities and gave it misleading or incorrect information, leading to an “environment of mistrust.”
“One of the most troubling examples is how the agency embarked upon a complex and costly IT infrastructure improvement project without any notification to our office. It is disturbing that the OCIO would exclude the OIG from such a major initiative, especially given the fact that it was undertaken in response to the March 2014 data breach,” McFarland wrote. “The Office of the Chief Information Officer (OCIO) failed to timely notify the OIG of the first data breach at OPM involving personnel records. OPM did not inform the OIG of the breach until one week after it was discovered. In fact, the OIG learned about it only because the OIG Special Agent in Charge (SAC) ran into the OCIO [redacted] in the hallway, and the [redacted] asked the SAC to meet with him later (at which time the SAC was informed of the first breach).”
McFarland also highlighted two other situations where he believes OPM’s CIO wasn’t acting in a collaborative way.
He said the CIO didn’t let auditors attend a meeting with the FBI and the Homeland Security Department’s U.S. Computer Emergency Readiness Team, saying the IG’s “presence would ‘interfere’ with the FBI and US-CERT’s work.”
McFarland said the IG also had planned to audit the cybersecurity of OPM contractor KeyPoint Government Solutions in October 2014, but the CIO requested they hold off. The IG said that in the October meeting about its audit plans, where the CIO asked for the delay, Seymour failed to tell auditors of the cyber breach DHS discovered in September 2014.
“Our audit, which was a comprehensive evaluation of the information technology (IT) security posture of KeyPoint, was delayed for over three months,” McFarland wrote.