Government agency's effort to stop future cyberthefts again draws auditors' criticism
Months into a government effort to better protect personal information it holds on tens of millions of Americans following two major breaches, auditors remain concerned that planning and funding shortcomings continue to leave the project at "high risk" of failure.
The inspector general of the Office of Personnel Management has said he stands by that view, after considering OPM management's responses to an earlier report criticizing the computer security upgrade intended to prevent a repeat of the kind of cyberthefts disclosed in the spring.
The OPM had rejected several of the June audit's recommendations, including one that the agency first go through a full planning process known in government parlance as a Major IT Business Case, and played down the inspector general's concerns about the lack of competition for the contract covering the first stages of the work. The personnel agency cited the need to act quickly to close the cyber barn doors after separate breaches of personnel and security clearance files.
The former involved records of about 4.2 million current and former federal employees, exposing personal identifying information, educational background, work histories and similar information. The second involved 21.5 million people who applied for security clearances, or had them renewed, since 2000 and in some cases earlier.
That breach included about 3.6 million current and former federal employees, virtually all of whom had also been hit by the personnel files attack, plus contractor and military personnel, and family members mentioned in clearance application files. In addition to basic identifying information, the thieves took the highly personal information that applicants must disclose, including personal financial and medical histories, foreign travel and family information and, in some cases, fingerprints and notes by background investigators.
Credit monitoring, identity theft restoration and similar services already have been offered to victims of the personnel files breach, while notices offering similar services for the clearance files breach are to go out in coming weeks and continue for several months.
In his latest report, Inspector General Patrick McFarland responded to OPM management's replies to the original audit. The IG said that the time and effort needed to develop a full business case "proves the importance of this point. OPM did not take the time to complete the necessary planning, budgeting, and technical analysis before initiating this massive undertaking."
The report said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM's belief that some of the cost of moving the data can be funded through discontinuing obsolete software, the report said, calling OPM's plan to find the rest of the funding from other accounts "inadequate and inappropriate."
"Without this rigorous effort, we continue to believe that there is a high risk of project failure," it said.
The OPM also had rejected the inspector general's recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that "based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy."
Another point of contention is how the OPM has characterized the contract for the project. "OPM's original assertion that the sole-source contract was not intended to be used for the Migration and Clean-up phases of the Project is not correct," the IG said. "In fact, the conflicting statements from OPM officials regarding this contract are extremely concerning, especially the comments that were made under oath before Congress by both former Director (Katherine) Archuleta and CIO (Donna) Seymour."
In a Sept. 9 response to the latest audit, OPM said it has improved communication with the IG and has updated its project documentation, which it will submit to the Office of Management and Budget as a formal business case plan. It also said the original contract will involve only limited work on the data migration and cleanup phases and that for the bulk of the work, "OPM intends to meet its needs through other acquisition strategies or through existing OPM processes, as appropriate."