OPM's sensitive data on feds still not encrypted
More than a year after the hack of federal personnel systems was revealed, the Office of Personnel Management is still unable to encrypt personal data on 4 million federal employees.
Acting OPM Director Beth Cobert
More than a year after a hack of Office of Personnel Management systems compromised more than 22 million records, the agency has not been able to encrypt all the sensitive data on 4 million federal employees, including Social Security numbers.
"There are still elements of OPM systems that are difficult to encrypt," acting OPM Director Beth Cobert said during a May 13 hearing of the House Oversight and Government Reform Committee.
Rep. Stephen Lynch (D-Mass.) said he was hearing too much "happy talk" with regard to OPM’s progress in the matter and emphasized that full encryption had yet to be achieved.
Federal CIO Tony Scott said he has been meeting regularly with OPM and Defense Department officials on issues arising from the breach, including the establishment of the National Background Investigations Bureau. The joint OPM/DOD effort to replace the Federal Investigative Services puts DOD in charge of IT operations used in federal employee background checks.
Scott said OPM has been doing "all kinds of work" to improve its security posture, including penetration testing, and has "applied tools to the limits they can, within the limits of current technology." Furthermore, the agency is "leading federal agencies right now in terms of their efforts" in cybersecurity. OPM, for example, is at the forefront of implementing the Continuous Diagnostics and Mitigation services coordinated by the Department of Homeland Security.
At the same time, Scott added, "there are things that can't be encrypted because the technology doesn't allow it."
The OPM has a target date of Sept. 30, 2016 to have full encryption on all federal employee data in its systems, agency spokesman Sam Schumach told FCW in an email. In addition, the agency requires two-factor authentication for network logins and uses the Einstein 3A network security system from the Department of Homeland Security to detect potentially malicious activity.
"Although there are technical limitations and challenges posed by our legacy systems, OPM has a technical roadmap to perform the necessary upgrades to these systems in order to support full encryption of federal employee data," Schumach said.
Cobert told the committee that the relationship between the OPM CIO office and the inspector general has improved dramatically. She said she meets with the acting IG on a biweekly basis, and teams have been set up to address technology, procurement and NBIB’s creation.
Cobert's nomination to be OPM director and shed her acting status remains stalled in the Senate. Sen. David Vitter (R-La.) told lawmakers that he will continue the hold on her confirmation vote pending a change in the way Congress is treated under the Affordable Care Act.
This article was updated May 13 with comment from OPM.