The Office of Personnel Management this week released a 15-point plan to bolster its cybersecurity in the aftermath of two major breaches that compromised the information of millions of federal employees.
Included in the report are points that OPM Director Katherine Archuleta has mentioned in several congressional hearings this week — including hiring a cybersecurity adviser who will report to the director, conducting a major overhaul of OPM’s legacy IT systems and discussing cyber best practices with security officials from outside government.
The plan also talks about boosting the agency’s cyber policies — like two-factor authentication, continuous monitoring and encryption — and hosting a workshop with the officials to address how the agency can improve its cybersecurity stature.
“Director Archuleta has directed that these actions be carried out with all due speed, as further steps to protect the critical assets and data OPM is entrusted with are of the utmost urgency,” the plan said.
OPM announced June 4 that it learned of a breach in its system containing more than 4 million federal personnel files. Investigators later found a second breach that compromised the agency’s system that holds records for federal background checks. OPM has not confirmed the total number affected in that breach, but some reports say it could be as high as 18 million.
In several hearings since the breaches, lawmakers have called for Archuleta’s resignation. She, however, said there’s no one “personally responsible” for the hacks, placing the responsibility of cybersecurity on the larger federal government.
“This is an enterprisewide problem and cybersecurity is the responsibility of all of us,” Archuleta said. “That is why, with [U.S. Chief Information Officer] Tony Scott’s assistance and with his efforts, we’re going to address this on an enterprisewide basis, as well as at OPM.” Scott defended the administrator in a hearing Thursday.
Last week, OPM’s Office of the Inspector General released the results of a flash audit of the agency’s IT modernization plans, which found the massive project was at risk of failing. In the new cybersecurity plan, OPM said it would heed the recommendations of the OIG in that report and look to Congress for additional funding. The agency said it would deliver its requests to congressional appropriations committees by the end of the week.
When Archuleta announced the plans during a hearing Wednesday, OPM Inspector General Patrick McFarland told Maryland Democratic Rep. Elijah Cummings he wasn’t thrilled with the actions presented.
“We have a whole suitcase of concerns,” McFarland said.