The White House’s Executive Office of the President hasn’t submitted reports detailing compliance with federal cybersecurity rules for the past three years, according to a letter to President Barack Obama written by the chairmen of two Senate committees with oversight of federal technology efforts.
The apparent lack of annual reporting is even more striking considering the White House’s unclassified computer networks were breached by hackers last fall, purportedly from Russia, leading to temporary outages as officials worked to suppress malicious activity.
The letter says the office, or EOP, hasn’t submitted annual cybersecurity reviews of its systems to either the Office of Management and Budget or congressional committees for at least the past three years. The last time White House results showed up in OMB’s annual compilation of agency reports was in fiscal 2008, according to the letter.
Annual reviews of agencies' IT security posture are mandated by the 2002 Federal Information Security Management Act, which Congress last updated in December. Independent inspectors general are also required to review agencies’ FISMA compliance.
The June 22 letter was sent by Sens. John Thune, R-S.D., the chairman of the Commerce, Science and Transportation, and Ron Johnson, R-Wis., the chairman of the Homeland Security and Governmental Affairs Committee. The Washington Post first reported on the letter.
The senators want to know if EOP complies with mandated security requirements under FISMA and why the office has failed to comply with reporting requirements in recent years. The letter seeks a response by July 13.
In their letter, the lawmakers cited the recent breach of millions of employee personnel records and background investigation data at the Office of Personnel Management.
“Recent reports that the Office of Personnel Management suffered multiple significant intrusions, resulting in the exposure of millions of employees’ personal information, only underscore the importance for every federal agency, including the EOP, to take steps to improve its cybersecurity posture,” Thune and Johnson wrote in the letter.
The letter is a follow-up to a separate April 30 letter, “for which a response is still outstanding,” Thune and Johnson wrote.
Nextgov has requested comment from OMB.
The White House IT shop has been significantly restructured in recent months. Earlier this year, EOP’s chief information officer and deputy chief information officer both resigned. In March, Obama appointed David Recordon, a former Facebook engineer, to serve as the director of White House information technology, a newly created position.
Recordon is responsible for “operating and maintaining the information resources and information systems” provided to the president, vice president and other EOP staff members in EOP, according to the presidential memo announcing the new position.