Cybersecurity hasn’t always been a top priority for the director of the Office of Personnel Management, but since the massive data breaches at the agency in 2015, it persists as an issue that defines the role.
As President Donald Trump’s nominee to head OPM, Jeff T.H. Pon spent much of his nomination hearing Wednesday before the Senate Homeland Security and Governmental Affairs Committee answering questions about the state of OPM’s cybersecurity in the wake of those breaches. Two years after, the agency’s inspector general found this summer that it’s still struggling with “significant problems” in security assessment and authorization methodology.
“This is my number one priority to make sure that we have security — not only information security but personal security, making sure that we have a safe workplace,” Pon testified.
Speaking about the July IG report, Pon explained how he would deal with the remaining issues if confirmed by the Senate.
“On my watch, we will make sure we have not only the qualified people but we have a plan to execute and deter the risks we have,” he said. “We have a designed threat analysis, I want to make sure that those are robust, so we can prioritize and alert people on what those risks are so we have a game plan for closing those gaps. It is unacceptable to me to have people that are not trained in the current ways in which we protect our data, offensively and defensively.”
Joining him during the hearing were the nominee to be his deputy, Michael Rigas, and the nominee to head the General Services Administration, Emily Murphy. Rigas was also pressed on OPM cybersecurity.
“One of the first things I would do if confirmed is work wit the internal and external stakeholders involved in the IT area for OPM and that would include both the CIO and CISO to assess what progress has been made to date, what their plans are for ongoing progress and assess if we need to change course, if we are on target to meet the security and data protection needs that the federal government demands and that the public would demand for federal employee data,” Rigas said.
The assembled lawmakers were receptive to Pon’s ideas and understanding of IT at OPM. If confirmed, this wouldn’t be his first tenure with the agency — he spent time more than a decade ago as deputy director of e-government, during which he focused on OPM’s shared service operations for human resources, payroll modernization and the introduction of the federal jobs site, USAJobs.gov.
“Information security is something we all need to work on on a daily basis,” Pon said.
Later, he added “These things are moving — the bad actors are getting worse, and the level of skill trying to defend our systems against those things, we need to up our game and make sure we have the right people but also the right plans and mitigation mechanisms for doing that, and I plan to share that with the committee, IG and GAO with those practices that emerge.”
The politics around OPM have become more complicated lately, too. Beth Cobert led the agency for a couple of years without Senate confirmation, in part because some Republican members took exception to a contentious ruling OPM issued in 2013 on how the Affordable Care Act applies to members of Congress. The ruling will weigh on Pon’s nomination, too. Committee Chairman Ron Johnson, R-Wis., told Pon he would consider withholding his vote for confirmation until the committee receives requested documentation on the ruling.
Pon said OPM is in the process of providing the requested documentation.