OPM’s IT Systems Still Lacking Nearly Three Years After Data Breaches

OPM has struggled to update its IT systems after the 2015 data breaches, and now a House Committee is asking the agency for information.

The Office of Personnel Management has had some catastrophic failures in the IT space in the last few years.

In 2015, it suffered two data breaches of its systems that left the personal information of nearly 26 million current and former federal employees vulnerable. Of the 21.5 million individuals whose data were exposed in the second of the two breaches, OPM disclosed that 5.6 million individuals also had their fingerprint data stolen.

The fallout followed quickly. Katherine Archuleta, OPM’s director at the time, resigned, followed a few months later by OPM’s Chief Information Officer Donna Seymour. The government paid for identity theft protection and provided it to the affected federal employees.

Auditors Still Worried

So have improvements been made to OPM’s systems?

Just last year, a Government Accountability Office report said that OPM’s IT security was still not where it needed to be following the data breaches. The report said that the United States Computer Emergency Readiness Team had made 19 recommendations, and that OPM had completed actions for only 11 of them and had taken actions on the remaining 8, with actions for 4 of those 8 requiring further improvement.

“Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be,” wrote GAO.

An even more recent OPM Inspector General’s report from February 15, 2018 said that OPM is continuing to make the same mistakes it has in the past.

According to the report, OPM’s Shell initiative, the goal of which was to consolidate OPM’s outdated and decentralized technical infrastructure into two new and modern data centers, failed in several respects. The report said that OPM did not identify the full scope or cost of the project, did not follow proper project management processes, and never performed an Analysis of Alternatives to evaluate whether the Shell project was the best solution to address the agency’s needs.

The end result, according to the IG report, was a complete failure, something the IG predicted would happen. The IT contractor doing the work on the project went out of business, the two new data centers that had been set up were shut down, and the project was abandoned.

The report notes that OPM appears to be repeating the failed approach in its latest effort to modernize its IT systems:

On the surface, OPM is continuing to make the same mistakes that plagued its recent unsuccessful “Shell” initiative. Rather than developing a modernization strategy, evaluating alternatives, estimating the costs, and following established capital budgeting processes, OPM is doing it backwards. The starting point for the Plan is a modernization budget not supported by strategy or cost analysis, which was then followed by a determination of how to spend the money.

…We were told that OPM lacks the IT governance and enterprise architecture to complete a comprehensive modernization strategy or to be able to estimate the costs of implementing it.

It is concerning that almost three years after the data breach of 2015 and the unsuccessful Shell project that followed, OPM has still not clearly identified a comprehensive modernization strategy or established the required planning and budgeting mechanisms that would accompany such a project. While some progress has been made, it remains to be seen whether OPM can effectively manage the modernization of its aging technical infrastructure and implement the security improvements that are only possible with current technology.

If there was any good news from the IG report, it was that OPM has made “incremental progress” since abandoning the Shell project. It had incorporated many of the technical security tools from that project into its existing environment and made progress in consolidating its historically decentralized data centers.

The IG report summed up OPM’s most recent planning for modernizing its IT systems by saying, “…in our discussions about the Plan with OCIO [Office of the Chief Information Officer] officials from May through December 2017, it seemed obvious that a comprehensive, post-Shell IT modernization strategy is still a work in progress.”

House Oversight Committee Seeking Information

Now, the House Committee on Oversight and Government Reform has become worried about what it is hearing from the agency’s IG and wants to see a copy of the agency’s IT modernization plan.

In a letter sent this week to the agency’s new Director Jeff Pon, the Committee wrote:

Three years after the data breach…the Committee remains concerned about the state of OPM’s IT systems. While the IG report indicated there are positive developments in securing OPM’s IT system, the agency appears unable to fully modernize its legacy IT systems due to an outdated and ineffective approach to managing major IT projects.

The letter gave OPM until April 3 to comply with the request.

2018-03-20 House Oversight Committee Letter Re: OPM IT Modernization Plan

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He has over 20 years of combined experience in media and government services, having worked at two government contracting firms and an online news and web development company prior to his current role at FedSmith.