U.S. SENATE — U.S. Senators Steve Daines (R-Mont.) and Joe Manchin (D-W.Va.) today worked to ensure that the Office of Personnel Management (OPM) is held accountable for commitments it made following last year’s data breach.
It has been one year since OPM announced it suffered a major cyber breach, affecting more than 22 million current and former federal employees, including Daines.
Following the breach, OPM initiated an Infrastructure Improvement Project aimed at better securing information. Over the past year, OPM has refused to implement several recommendations from the Office of Inspector General (OIG).
“The success of the project is critical to ensure OPM’s IT systems are adequately protected from a future attack. It is too important to cut corners and fail to carry out basic planning practices,” Daines and Manchin wrote.
The senators requested answers to OPM’s failure to implement the recommendations no later than August 31, 2016.
The full text of the letter is available here and below:
The Honorable Beth F. Cobert
Acting Director
United States Office of Personnel Management
1900 E. St. NW, Washington, DC 20415
Dear Acting Director Cobert:
We write to express our concern with the Office of Personnel Management’s (OPM) failure to carry out repeated recommendations from the Office of Inspector General (IG) regarding OPM’s Office of the Chief Information Officer’s Infrastructure Improvement Project. Last month marks the one year anniversary of OPM’s announcement that it suffered a major cyber breach, affecting more than 22 million current and former federal employees.
You recently touted a series of actions OPM has taken to strengthen cybersecurity. While we appreciate OPM’s efforts, it is puzzling that action has been taken to implement monitoring programs and train employees but repeated warnings and recommendations from the IG’s office regarding the Infrastructure Improvement Project, a critical component of ensuring the security of OPM’s systems, have been ignored.
While we agree that OPM’s IT infrastructure certainly needs improvement, and generally support the goals of the project, we are troubled by OPM’s failure to carry out numerous recommendations from the IG. The IG’s June 2015 Flash Audit Alert and the September 2015 Interim Status Report both reported that OPM had not adequately determined the scope and costs of the project and had failed to follow the Office of Management and Budget’s (OMB) requirements and project management best practices.
Most recently, the IG’s second interim status report on the project stated, “OPM has still not performed many of the critical capital project planning practices required by the Office of Management and Budget (OMB).” The report notes that most, if not all, of the required supporting project management activities have still not been completed and that “there is a very high risk that the Project will fail to meet its stated objectives.”
The success of the project is critical to ensure OPM’s IT systems are adequately protected from a future attack. It is too important to cut corners and fail to carry out basic planning practices.
In an effort to better understand this issue, I respectfully request the following information:
1. What efforts have been made to complete the mandatory Analysis of Alternatives to evaluate whether moving all infrastructure and systems to a new environment is the best solution to provide a secure operating environment for OPM?
2. The IG has determined that your OMB Major Information Technology Business Case does not meet OMB requirements. Will the business case be revised to meet OMB requirements? If so, when?
3. Why did OPM fail to substantiate cost estimates prior to the initiation of the project? When will OPM complete the true cost estimates for the project?
4. How does the recent decision by the Sustainability and Security Performance Accountability Council Program Management Office (PAC-PMO) to transfer responsibility for the IT systems that support background investigations to the Department of Defense impact the planned funding source for the project?
I request you provide this information no later than August 31, 2016. Thank you for your assistance.
###