5 Ways OPM Is Still Struggling To Clean Up After Massive Breach

'Cybersecurity Sprint'

In one of the biggest breaches in history, the federal government's Office of Personnel Management revealed in June that it had been hit by two data breaches that exposed the personal records of more than 21.5 million federal workers and contractors. In the months after the breach, the department has undergone a Flash Audit to identify challenges as well as a so-called "Cybersecurity Sprint" to get it up to speed. However, the department is still struggling to implement security best practices and is actively taking some steps that could work against its security in the future, according to a letter this week from Inspector General Patrick McFarland. Keep reading for some insights from the Inspector General into what an organization should and shouldn't do after being hit with a mega breach.

Need Project Management

One of the first things the Inspector General found in its audit of OPM was a "lack of critical project management requirements" as the department looks to invest millions in upgrading its systems. The Inspector General recommended OPM create what it called a Major IT Business Case in its FY2017 budget, laying out detailed processes, financing, performance expectations and management for a large project. OPM said it rejected the need because of the "timing, the effort required, and the impact on the project's schedule," saying that creating the report would take eight to 12 months to complete.

"There is no reason to disregard project management best practices developed by recognized standards-setting organizations simply because they are intended for private industry. The practices are applicable to any organization, private or public sector, involved in project management activities," the letter said.

Know What You Have

The Inspector General said another key preparation step that OPM missed when diving into upgrading its systems was taking a detailed inventory of the systems it already had in place. That is especially important when preparing for "large and complex IT development projects," such as the one planned by OPM. This step is also important, the letter said, as OPM intends to fund much of the upgrades with savings achieved through discontinuing obsolete software.

"The process to identify existing systems, evaluate their technical specifications, determine migration requirements, and estimate migration costs has still not been completed," the letter said, adding that OPM had told the Inspector General prior to the audit that it had completed the process of "shoring up security controls in the existing environment," though it had recently found security flaws in the design of its e-QIP system.

Need Funding

While it might seem simple, the Inspector General said OPM needs to clarify where its funding for the data center consolidation, migration and upgrades is coming from, or whether it has any funding at all. The letter said that OPM has "no funding at all" for the complex IT changes ahead. OPM had requested $37 million in funding for migration, but it was rejected, and has $21 million earmarked from the official budget for security updates only. OPM defended the lack of budget by saying it would finance the work from the discontinuation of obsolete software licenses and general office budgets, something the letter called "inadequate and inappropriate."

"The cost may be so high as to curtail vital OPM functions related to these programs and OPM's mission-critical activities," the letter said.

Set Performance Standards

Part of the benefit of doing the due diligence to lay out a plan ahead of time is that an organization can set performance standards by which to measure success, the letter said. That is something OPM is missing, the letter said, and the omission also creates a lack of transparency, as costs are hidden in other budgets.

"OPM's refusal to develop a Major IT Business Case proposal for the overall Project will result in costs being subsumed, and therefore hidden, within the individual IT investments. There will be no reporting mechanism to evaluate the overall costs of the Project, which would, in effect, circumvent the transparency principles promoted by [Office of Management and Budget]," the letter said.

Need to Evaluate Options

The Inspector General's letter said that another "major issue" found in the audit is that OPM used only a sole-source contract for the project without evaluating other options. OPM should have evaluated its contract options to find the best alternatives, the letter said, though OPM claimed it had used "full and open competition" to choose contractor Imperatis.

"The justification for the sole-source contract was the urgent and compelling situation resulting from the IT security incidents that occurred at OPM. While we agree that the initial response to the security incidents warranted a sole-source contract, we do not agree that it is justified for the entire Project," the letter said. "We recommend that OPM not leverage its existing sole-source contract for the Migration and Cleanup phases of the Project. Contractor support for these phases should be procured using existing contracts already supporting legacy information systems or via full and open competition."