
OPM’s cleared up some IT rough spots, but encryption still unfinished

When the Office of Personnel Management announced that hackers had stolen personally identifiable information for roughly 22 million federal employees, contractors and prospective feds and contractors, critics quickly pointed out that those records had not been encrypted.

They still are not, but only one major OPM database, which holds some high-value assets and Social Security numbers, remains to be encrypted. That information will be encrypted by the end of this year, said OPM Chief Information Officer David DeVries.

“We have begun a vigorous program in 2016 to encrypt the databases. It’s not just encrypting the Social Security numbers, but it is the databases that contain [that] critical information,” he said during a Feb. 2 hearing before the House Oversight and Government Reform Committee.


It’s been nearly a year since OPM leadership first testified on the agency’s plans to reform its IT systems, cybersecurity and security clearance process, and lawmakers still have many of the same questions they had before.


“There are similar terms that I’m hearing today that give me concern that ‘we’re making progress,’” Rep. Mark Meadows (R-N.C.) said. “How do we define success? … We’ve been promised encryption over and over and over again, and yet, even today, we’re not there.”

Yet despite lawmakers’ concerns — and a 2016 annual inspector general report — OPM says its systems are better off than they were before.

The agency’s new chief information security officer, Cord Chase, said his first task when he arrived at OPM about eight months ago was to bring the agency up to a standard baseline.

“We understood that there were quite a few systems that were out of compliance,” Chase said. “We knew that we had to take steps to get those back into compliance. We also had another layer of engineering tasks, which included network segmentation, making sure that we had the appropriate monitoring tools in place and then the tuning process to support that.”

Those tasks are complete now, Chase said, but only to “a standard baseline where we feel comfortable that we can control our environment and we understand where we were with the IT system boundaries.”

When OPM’s inspector general conducted its annual review of the agency’s IT systems under the Federal Information Security Modernization Act (FISMA), the IG found 18 major systems lacked proper authorizations.

Now, all systems have authorities to operate, DeVries said.

“So we can tell all of those employees or potential employees or those who have their personal lives’ history looked at, that by the end of 2017, that you have great assurance that we have the most up to date, sophisticated cybersecurity protection that they will ever see and it will be segmented in a way that if somebody gets in the front door that they won’t be able to go through the whole system?” Meadows asked.

“That is correct,” Chase said.

Both DeVries and Chase acknowledged that there are still some outstanding recommendations from the IG that OPM has yet to address. But the agency has made small steps in other areas, they said. All OPM users now must use multi-factor authentication to access the agency’s systems.

“It is not the same legacy infrastructure that it was in 2015, not by a long shot,” DeVries said.

OPM is also finalizing its plan to close the agency’s data centers. The Office of Management and Budget will receive that plan at the end of this quarter, DeVries said.

The plan is to move from seven OPM data centers to two, he added. The agency closed two data centers and will soon close a third one.

The hearing often strayed from the topics of OPM cybersecurity and the National Background Investigation Bureau and at times delved into heated debates between majority and minority members over election hacking. When it did stay on topic, lawmakers mainly focused on the state of OPM’s IT systems. The security clearance process itself received little attention.

The Defense Department will deliver several prototype capabilities for the NBIB’s systems by the end of fiscal 2017. It will achieve initial operating capability for the full investigative process by the fourth quarter of fiscal 2018, said DoD CIO Terry Halvorsen.

Yet committee Chairman Jason Chaffetz (R-Utah) expressed his frustration that NBIB is not using social media more prominently in its clearance investigations.

NBIB is currently in the middle of a pilot to determine how the agency can build social media into its investigation process, NBIB Director Charles Phalen said, but that answer didn’t satisfy Chaffetz.

“This takes so long, because every time we have a problem, what’s the very first thing the FBI and other law enforcement want to do?” Chaffetz said. “They want to dive into their social media. That’s the best way for them to figure out what has been going on, what is the attitude, who are they communicating with. If we’re going to give a security clearance, it seems reasonable.”