The massive data breach the Office of Personnel Management suffered in 2015 was due, in part, because of old technology systems and software. One of OPM’s first actions to clean up the breach was to accelerate its efforts to modernize its aging technology infrastructure.
Nearly three years later and tens of millions of dollars spent, OPM’s efforts to bring its software and hardware into the modern era continue to struggle.
In OPM’s inspector general’s latest management report on the IT modernization initiative, auditors called into question the agency’s planning process. The IG says OPM continues to make the same mistakes that plagued its recent unsuccessful “shell” initiative.
Congress gave OPM $11 million in fiscal 2017 to improve the security of its data and systems, but the IG says the funding isn’t supported by a strategy or cost analysis.
Understand progress being made in the evolving cyber scorecard. Download our free Expert Edition: Cyber Exposure in DoD.
“While we believe that the plan is a step in the right direction toward modernizing OPM’s IT environment, it falls short of the requirements outlined in the appropriations act. The plan identifies several modernization related initiatives and allocates the $11 million amongst these areas, but the plan does not identify the full scope of OPM’s modernization effort or contain cost estimates for the individual initiatives or the effort as a whole,” the report states. “Rather than developing a modernization strategy, evaluating alternatives, estimating the costs, and following established capital budgeting processes, OPM is doing it backwards. The starting point for the plan is a modernization budget not supported by strategy or cost analysis, which was then followed by a determination of how to spend the money.”
OPM kicked off its IT modernization initiative in 2014 and since then had five different permanent or acting chief information officers.
OPM ended the “Shell” initiative in 2016 and replaced it with a broad based effort to better understand where its boundary lines are for its networks and know the data that needs to protected at all levels.
Over the last three years, OPM’s struggles with IT modernization doesn’t mean its systems are not more secure than they were at the time of the attack. OPM has made significant progress with its cybersecurity. But legacy technology continues to be an Achilles Heel for every federal agency’s cyber posture.
The IG says OPM’s new plan is devoted to improving the environment that would enable the proper planning and strategy to evolve.
“It is concerning that almost three years after the data breach of 2015 and the unsuccessful ‘Shell’ project that followed, OPM has still not clearly identified a comprehensive modernization strategy or established the required planning and budgeting mechanisms that would accompany such a project,” the IG states. “While some progress has been made, it remains to be seen whether OPM can effectively manage the modernization of its aging technical infrastructure and implement the security improvements that are only possible with current technology.”
Among the shortcomings the IG found in the planning is OPM’s failure to identify the full scope or cost of the project as well as not following the requirements of creating a business case as detailed in Office of Management and Budget Circular A-11 for capital planning.
“The process of developing a business case should have involved a variety of disciplined project management activities that would have allowed OPM to fully evaluate the costs, benefits and risks associated with its project, and to present the project to OMB to seek approval and dedicated funding,” the IG states.
The IG says OPM also hasn’t resolved a long-standing challenge of decentralization of IT oversight and authorities. The IG says it wouldn’t go as far as to say OPM is violating the Federal IT Acquisition Reform Act (FITARA), but detailed significant concerns.
“OPM’s business units continue to have an improper level of influence over IT management, and that the CIO’s office does not directly receive the dedicated funding needed to fulfill its mission,” the report states.
Rep. Gerry Connolly (D-Va.), the co-author of FITARA, said he’s frustrated by OPM’s lack of progress on IT modernization and FITARA. In the FITARA scorecard from November, OPM earned a C+, up from a D+ six months earlier.
“I am also concerned that OPM is not complying with FITARA regarding the role of the agency’s CIO in the overseeing the budget and scope of all of OPM’s IT acquisitions, but especially in this modernization effort,” he said in an email to Federal News Radio. “Complying with laws passed by Congress is not optional. In OPM’s case, complying with the provisions of FITARA and the requirements of Consolidated Appropriations Act of 2017 would actually help OPM secure its networks, protect the data of millions of federal employees, and better serve its customers.”
New OPM CIO David Garcia, who started in October, inherits this challenge with four years of baggage.
An email to OPM seeking further comment was not immediately returned. OPM responded to the IG’s report by concurring with all four recommendations.
Garcia wrote to the IG that the agency “appreciates the critical nature of much of your review and are committed to improving the necessary elements that will serve as a starting point for a comprehensive IT improvement strategy. Specifically focusing on improving IT governance and enterprise architecture as ‘a necessary prerequisite to developing and executing a modernization strategy’ that will improve OPM’s capabilities to develop and execute IT improvements and modernization.”
In its 2019 budget justification to Congress, OPM details how it will use the $11 million in 2018.
OPM plans to use the money to improve its governance by bringing in additional staff to develop, document, implement and manage projects and efforts to establish an agencywide enterprise architecture.
“This investment will establish the policy and oversight required to ensure the success of additional implementation strategies and future,” OPM states in the budget document.
The second focus area is around environment modernization, which will modernize parts of its critical infrastructure that OPM determines are beyond ‘end of life’ and pose a significant to the agency.
“Investing in the upgrade of the current network infrastructure helps re-align the environment to match the efforts already established. This will be a significant modernization action and will ensure OPM implements innovative mechanisms and established architecture designs that provides enhanced services and capabilities, and improved efficiencies,” the document states.
The third area is around business modernization where OPM plans to update legacy applications to use modern development languages and databases.
“The IT system upgrades, applications development, infrastructure improvements, and migration to shared services will continue in fiscal 2019,” the budget document states. “In addition, OPM will continue modernizing its computing infrastructure with common security controls, current technology, and modern operations practices during fiscal 2019. In previous years, refreshing network devices and other infrastructure was postponed in favor of investments in cybersecurity and data center consolidation efforts. Thus, in fiscal 2019, as OPM reaches milestones in data center consolidations, some investments will be shifted to replace aged network devices, servers, laptops and other devices.”
The agency also asks for another $14 million to develop the employee digital record and upgrade its Trust Fund Federal Financial System.
The IG has issued four other similar reports as this one, with the most recent one coming in 2016. In that analysis, auditors found similar planning problems, which OPM promised to fix.
Two years later and OPM continues to struggle with the technology that, in part, led to 21.5 million current and former feds having their personal data stolen.