The Federal Retirement Thrift Investment Board plans to issue, by Dec. 31, a request for proposal on a new contract for Thrift Savings Plan data center services.
The contract will include “very stringent” IT security requirements aimed at preventing future data breaches, such as one announced two months ago that affected 123,000 TSP accounts, said Greg Long, the agency’s executive director, Tuesday before the Senate Homeland Security and Governmental Affairs subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia.
“We’re in the process of designing the procurement action,” Long said. “We anticipate rolling that out on the street by the end of this calendar year, and then awarding next fiscal year.”
In July 2011, hackers accessed IT systems at the FRTIB contractor Serco, Inc. The breach, announced in May, mostly compromised Social Security numbers. About 43,000 accounts, including subcommittee chairman Sen. Daniel Akaka’s (D-Hawaii), contained names, addresses, Social Security numbers and possibly bank routing numbers.
FRTIB spokeswoman Kim Weaver told Federal News Radio the agency decided to restructure the contract last fall, well before it found out about the cyber attack.
“I anticipate that the incumbent typically is a bidder,” Long said. “But it will be a full and open competition. We are seeking robust competition from all parties.”
Shorter data retention schedules might improve privacy
Long said beyond improving network security, agencies can reduce their risks of security breaches by shortening the retention times for documents containing personal information.
“Currently, [the law governing FRTIB] does not contain a statute of limitations for judicial review of a claim for benefits brought by a TSP participant or beneficiary,” Long said in written testimony. “This indefinite exposure to potential litigation over benefits forces the TSP to retain records of benefits paid for an unlimited period of time, even after a participant’s account balance has been completely disbursed and he or she is no longer a participant. The absence of a statute of limitations, therefore, results in an extraordinary record retention burden, which increases the data potentially available to be accessed through a cyber attack or other data breach.”
The Government Accountability Office also advocates for shorter data retention periods among FRTIB and other agencies.
“The principle is just, ‘for as long as you need the information, keep it, protect it. Once that need no longer exists, get rid of it, delete it,'” said Greg Wilshusen, GAO’s director of information security issues.
But agency leaders are hesitant to embrace the concept, said Mary Ellen Callahan, the Homeland Security Department’s outgoing chief privacy officer. “One because they already have an approved retention period from the National Archives, and you don’t want to go counter to that. And second, there’s also the question about whether or not it affects operations if you delete information on a more subjective standard as Mr. Wilshusen had argued.”
This story is part of Federal News Radio’s daily Cybersecurity Update. For more cybersecurity news, click here.