Contractors are concerned they might lose government business for coming forward about suspected internal data breaches, after the unprecedented decision by two departments to halt contracts with a hacked background investigation firm.
The personal information of Department of Homeland Security employees is believed to have been compromised when a suspected nation-state actor penetrated a USIS corporate network. USIS conducts personnel investigations on behalf of many agencies, including the Office of Personnel Management. DHS and OPM temporarily ceased some jobs with USIS after the incident.
OPM did not pause work as a punishment, but rather as a way to protect federal employees until more details about the intrusion are known, agency officials told Nextgov on Friday. Officials also said OPM does not host information with USIS on the same system DHS uses.
DHS has issued stop work orders to temporarily halt activities that involve personal information until the department can assess the full scope of the potential intrusion and the repairs it requires, Homeland Security officials told Nextgov.
Some lawmakers are calling for DHS to reassess contracts with other vendors.
Rep. Bennie Thompson, D-Miss., ranking Democrat on the House Committee on Homeland Security, in a statement, called on DHS "to evaluate its relationships with its contractors that hold sensitive data and ensure those companies have proper protections to mitigate an attack."
Today, contractors are not required to disclose all data compromises on their own systems to agency customers. Reporting typically is required only for breaches of classified information, or of Pentagon technical data and other so-called unclassified controlled technical information.
The contractor industry is watching the USIS situation for signs of new breach penalties.
"I believe contractors should be paying close attention to this case, particularly how quickly the contractor and government are able to work collaboratively to get back to meeting the mission need," said Roger Jordan, vice president of government relations at the Professional Services Council.
It is inevitable that, despite the best efforts of vendors and the government, breaches will occur, he added.
So it’s important for the government and the affected company to collaborate on sharing information and “take mitigating steps quickly to ensure they can return the focus to the mission needs being served under the contract," Jordan said.
Information technology contractors say they have long worried about losing business after a hack, even when they followed the required security protocols.
"There is always a concern that the government will take steps against a company when they have made an effort to comply with contractual requirements and those compliance efforts fail," said Trey Hodgkins, public sector senior vice president at the Information Technology Alliance for Public Sector.
New regulations dictate that, in some circumstances, the government be given physical access to machines and networks hit by attackers. It can be a challenge "letting the government take control" of systems "where you may have multiple clients' information," Hodgkins said. "In many instances, these are global networks."
USIS said in a statement Wednesday its own staff recently discovered the intrusion. "We immediately informed federal law enforcement, the Office of Personnel Management and other relevant federal agencies," company officials said.
USIS is working with OPM and DHS to shore up network protections and quickly resolve the problems, they added. USIS officials said they "look forward to resuming service on all our contracts with them as soon as possible."
OPM is maintaining a separate contract with the company for support services, agency officials said Friday. Only work that involved sharing investigative information is on hold. The agency wants to make sure safeguards are in place and that the problem is contained before resuming that business relationship.
"Out of an abundance of caution, we are temporarily ceasing field investigative work with USIS," OPM Communications Director Jackie Koszczuk said in a statement. "To date, we have not been notified of any loss of personally identifiable information for OPM managed investigations."
OPM itself suffered a breach in March. Its customers, other federal agencies, still rely on the agency's systems. The hackers, believed to be from China, apparently wanted files on staff who have applied for top-secret security clearances. Federal officials say there is no proof yet that personal data was exposed.
USIS conducted checks on ex-National Security Agency contractor Edward Snowden and Navy Yard shooter Aaron Alexis.
Separate from the hacking incident, the company is being sued for allegedly filing incomplete investigations to drive up profits.