BreachExchange mailing list archives

OPM response to cyberbreach challenged again


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:33 -0600

http://www.washingtonpost.com/blogs/federal-eye/wp/2015/09/14/opm-response-to-cyberbreach-challenged-again/

Months into a government effort to better protect personal information it
holds on tens of millions of Americans following two major hacks, auditors
remain concerned that planning and funding shortcomings continue to leave
the project at “high risk” of failure.

The inspector general of the Office of Personnel Management has said that
he stands by that view, after considering OPM management’s responses to an
earlier report criticizing the computer security upgrade intended to
prevent a repeat of the kind of cyberthefts disclosed in the spring.

OPM had rejected several of the June audit’s recommendations, including one
that it first go through a full planning process called a Major IT Business
Case in government parlance, and downplayed the IG’s concerns about lack of
competition for the contract for the first stages of the work. The
personnel agency cited the need to act quickly to close the cyber barn
doors after separate breaches of personnel and security clearance files.

The former involved records of some 4.2 million current and former federal
employees, implicating personal identifying information, educational
background, work histories and similar information. The second involved
some 21.5 million persons who applied for security clearances, or had them
renewed, since 2000 and in some cases before.

That hack included some 3.6 million current and former federal employees,
virtually all of whom had been hit by the personnel files attack, plus
contractor and military personnel, and family members mentioned in
clearance application files. In addition to basic identifying information,
highly personal information that applicants must disclose was stolen,
including on personal financial and medical histories, foreign travel, and
family information — and in some cases, also fingerprints and notes by
background investigators.

Credit monitoring, identity theft restoration and similar services already
have been offered to victims of the personnel files breach, while notices
offering similar services for the clearance files breach are to go out in
the upcoming weeks and continue for several months.

In his latest report, Inspector General Patrick E. McFarland responded in
turn to OPM management’s replies to the original audit. The IG said that
the time and effort needed to develop a full business case “proves the
importance of this point. OPM did not take the time to complete the
necessary planning, budgeting, and technical analysis before initiating
this massive undertaking.”

It said that as a result, the process to identify existing systems,
evaluate their technical specifications, determine requirements, and
estimate costs of moving the data into a more secure environment still has
not been completed. Nor is there support for OPM’s belief that some of the
cost of moving the data can be funded through discontinuing obsolete
software, it said, calling OPM’s plan to find the rest of the funding from
other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high
risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best
practices for planning such a project, saying it was following its own
policies based on government standards. But the IG said that “based on
documentation we have reviewed, we have determined that OPM is not in
compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine
Archuleta had resigned under pressure and a Senate committee rejected a bid
to add funding for the project even while backing extending the services to
the victims. “In such a turbulent environment, there is an even greater
need for a disciplined project management approach to promote the best
possibility of a successful outcome,” it said.

Another point of contention is how OPM has characterized the contract for
the project. “OPM’s original assertion that the sole-source contract was
not intended to be used for the Migration and Clean-up phases of the
Project is not correct,” the IG said. “In fact, the conflicting statements
from OPM officials regarding this contract are extremely concerning,
especially the comments that were made under oath before Congress by both
former Director Archuleta and CIO [Donna] Seymour.”

The report, dated Sept. 3, was released Monday by both the IG’s office and
the House Oversight and Government Reform Committee, one of several panels
that have held contentious hearings with administration officials on the
breaches and the response.

“OPM continues to ignore serious concerns about their IT infrastructure
improvement plan from the Inspector General,” Rep. Jason Chaffetz (R-Utah),
chairman of the oversight panel, said in a statement. “It’s unsettling that
despite a data breach that put the sensitive, personal information of 21.5
million Americans at risk, OPM once again refuses to heed warnings from the
IG.”

“Ignoring the IG’s warnings largely got them into this mess in the first
place,” he said. “If OPM wants to regain the trust of Congress and the
American people, they must make implementing the IG’s recommendations a top
priority.”

Since the earlier report, the IG had separately complained that OPM’s
Office of the Chief Information Officer had “hindered and interfered with”
his office’s oversight of the project and had given the IG “incorrect
and/or misleading information.”

In a Sept. 9 response to the latest audit, OPM said that it has improved
communication with the IG and has updated its project documentation, which
it will submit to the Office of Management and Budget as a formal business
case plan. It also said that the original contract will involve only
limited work on the data migration and cleanup phases and that for the bulk
of the work, “OPM intends to meet its needs through other acquisition
strategies or through existing OPM processes, as appropriate.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss