OPM yanks background check system offline
Weeks after first disclosing massive breaches, OPM has shuttered a vital background check system.
Weeks after first disclosing massive breaches, OPM has shuttered a vital background check system in the face of newly discovered vulnerabilities. (Image: edited screen capture / OPM)
Nearly a month after news broke of a massive breach at the Office of Personnel Management -- and three weeks after first denying, then admitting, that security clearance information was stolen -- OPM has shut down its electronic background check system.
The agency said the move is a proactive step, not a reaction to another hack.
In a June 29 alert posted on OPM's website, the agency says, "The [Electronic Questionnaires for Investigations Processing] e-QIP system will be down for an extended period of time for security enhancements."
There was no word on how background checks would be handled with the system out of service. In an emailed statement, OPM spokesman Sam Schumach said e-QIP would be down for four to six weeks.
e-QIP is the OPM system through which some 90 percent of all federal background checks pass. The compromised SF-86 background check forms used in the system have been called the "Holy Grail" of counter-intelligence information, because of the sheer amount of intensely personal details they disclose about individuals' vices, sex lives and more.
The move stalls a security clearance system that has been in place since 2003.
"During this ongoing review, OPM and its interagency partners identified a vulnerability in the e-QIP system," Schumach said. "The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network."
Schumach promised OPM would work on "alternative" solutions for affected agencies while e-QIPs is down, though he did not specify what those solutions might look like.
"The security of OPM's networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls," said OPM Director Katherine Archuleta. "This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted."
OPM released a cybersecurity report last week outlining 23 steps it was taking to improve its defenses, but e-QIP overhaul was not specifically mentioned among those steps.
John Schindler, a former NSA analyst and intelligence/security blogger, had a one-sentence reaction to the news that e-QIP had been taken down: "[W]hat took them so damn long?!?"
NEXT STORY: McCormack details changes at DHS CIO office