"OPM failures" are topic of fifth hearing on data breach

By Joe Davidson, The Washington Post.

Fortunately for Katherine Archuleta, she is not scheduled to attend yet another hearing Wednesday on the massive federal employee data breach. After a marathon run of four scathing congressional sessions last month, she won't have to again hear about the failures of the Office of Personnel Management, which she directs.

Her chief information officer, Donna Seymour, was invited to testify at the House Committee on Science, Space and Technology hearing, but declined. OPM cited her "extensive involvement" in repairing the cyber failures.

"Failure," or some variation, is repeated again and again in statements and testimony submitted for the hearing, organized by two subcommittees, that raises this disturbing question in its title: "Is the OPM Data Breach the Tip of the Iceberg?"

That's not just a cliché question. OPM acknowledged on June 4 that personal information of 4.2 million current and former federal employees was purloined. Committee Chairman Lamar Smith (R-Texas) calls it "the largest known cybersecurity failure by a federal agency." But a second breach could be the larger part of the iceberg. It hit the records of an unknown number of employees, contractors and applicants seeking security clearances. Amid fears that the unknown number could dwarf 4.2 million, Archuleta said in her blog that "we hope to be able to share more on the scope of that intrusion" this week. Her article was posted at 8 p.m. on July 4, implying she, or someone, was working late on a holiday.

Feds appreciate hard work, but the continued lack of information leaves them steamed. "OPM has thus far failed in its basic duty to inform individuals affected by the second and more troubling breach announced June 12 and continues to fail to answer many important questions about both breaches," David Snell, the National Active and Retired Federal Employees Association's federal benefits service director, says in his testimony.
Archuleta closed her blog by encouraging feds to "take some time to learn about the ways you can help protect your own personal information." That sounds reasonable enough, but in this charged atmosphere it hit some employees the wrong way.

Susan R. Johnson, a Foreign Service officer and former president of the American Foreign Service Association, said Archuleta's comment "would come across as uncaring if it were not so ironic." Ironic, Johnson explained by email, "because OPM is the one who needs to take time to think and learn more about the responsibility to protect confidential personal information rather than advising employees to do so. It seems like a variant of the fox guarding the chicken coop or the culprit claiming to be the victim or some other Orwellian reversal of reality."

The failure theme is at the beginning of testimony prepared by Michael R. Esser, an OPM assistant inspector general. He says the agency's "long history of systemic failures to properly manage its IT infrastructure may have ultimately led to the security breaches and loss of sensitive personal data at OPM."

OPM apparently also failed to be fully forthright, according to Esser, in its June 29 announcement on the suspension of e-QIP, a web-based program used to process security clearance forms. "OPM's official statement on this issue claims that the agency is acting proactively by shutting down the e-QIP system," Esser says in his testimony. "However, the current security review ordered for this system is a direct reaction to the recent security breaches. In fact, the e-QIP system contains vulnerabilities that OPM knew about but had failed to correct for years. As part of the system's Authorization process in September 2012, an independent assessor identified 18 security vulnerabilities that could have potentially led to a data breach. These vulnerabilities were scheduled to be remediated by September 2013 but still remain open and unaddressed today."
While the inspector general's office "is careful to acknowledge OPM's progress in certain areas," Esser says OPM officials "have also failed to follow industry best practices as well as OPM's own…requirements for basic project management activities and documents" related to a major technology overhaul following a March 2014 breach.

Generally, Democrats have been critical, yet more forgiving of President Obama's personnel office than their Republican colleagues. In her opening statement, Rep. Eddie Bernice Johnson (Texas), the top Democrat on the committee, expresses frustration with OPM, then adds: "addressing their information security systems is a top goal of the new OPM leadership." That's true. But it's also true the inspector general's office has found numerous shortcomings under Archuleta's leadership.

Esser's testimony points to 11 OPM systems that were operating without valid authorization, "a drastic increase from prior years," as the inspector general's office has noted previously. But Esser will go beyond that Wednesday to say the number of systems without authorization could double because of recent OPM action, or inaction. In April, Seymour extended certain system authorizations that had expired or are scheduled to expire by September 2016, Esser will tell the panel. That could result, he adds, in up to 23 systems "that have not been subject to a thorough security controls assessment."

"This action to extend Authorizations is contrary to OMB guidance…" says Esser. "We believe that this continuing disregard of the importance of the Authorization process is an indication that the agency has not historically and still does not prioritize IT security."

Count that as yet another failure.

Source: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/07/opm-failures-are-topic-of-fifth-hearing-on-data-breach/