OPM’s IT Security Overhaul Remains Under Scrutiny

The Office of Personnel Management and its inspector general remain caught in a back-and-forth over IT security upgrades at the agency.

In a new report, dated Sept. 3 but only made public Monday, the agency’s internal watchdog blasts the agency for dismissing the findings of an emergency report issued earlier this summer.

The IG’s "flash audit" was first issued in the aftermath of the largest known breach of federal employee information, which has largely been blamed on OPM IT practices. The initial assessment criticized an IT consolidation contract awarded without competition and the agency’s neglect to budget the project.

At a June hearing, then-OPM Director Katherine Archuleta testified the sole-source contract awarded to lmperatis, because of the urgent security situation, would only be used for the first phase of the IT update. But in a new memo sent to the IG this month, Acting Director Beth Cobert acknowledged the company is supporting the entire project.

Some parts of the interim report are redacted.

Since the flash audit was first issued, three developments have come to light, IG Patrick McFarland said: the resignation of Archuleta, a Senate committee's refusal to provide extra funding to accelerate the IT upgrade, and a situation too sensitive to be made public that is blacked out. 

Cobert, in a Sept. 3 letter, told the inspector general that contractor Imperatis’ assistance is needed because of "the expertise and knowledge they have developed during the design and implementation" of OPM's new consolidated IT environment, known as the "Shell." 

McFarland, that same day, wrote to Cobert that "any involvement" by the contractor "violates federal acquisition regulations,” and stressed that “conflicting statements from OPM officials regarding this contract are extremely concerning, especially the comments that were made under oath before Congress by both former Director Archuleta" and Chief Information Officer Donna Seymour.

House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, has called for Seymour's removal from office.

"It’s unsettling that despite a data breach that put the sensitive, personal information of 21.5 million Americans at risk, OPM once again refuses to heed warnings from the IG," he said in a statement Monday. "Ignoring the IG’s warnings largely got them into this mess in the first place. If OPM wants to regain the trust of Congress and the American people, they must make implementing the IG’s recommendations a top priority.” 

McFarland further chided OPM for having “no funding for this effort" to redesign fundamentally flawed security systems and transition up to 400 software applications. The Senate Appropriations Committee rejected the agency's request for $37 million in fiscal 2016 to accelerate the overhaul. 

Cobert responded, "OPM and the OCIO have always been very clear that the undertaking includes factors and costs that will be understood more clearly as the project proceeds."

Another major omission in OPM’s approach: what's known as an IT business case. This document is crucial for financing and managing large, complex system development projects, McFarland said.

The problem with writing one, OPM says, is time and effort required could interrupt the project’s schedule. 

Completing the document "requires anywhere from eight months to a year of research, consultations, discussion, and effort” and “would only serve to stall the critical efforts already underway," Archuleta said in a June 22 response to the emergency audit, before she resigned from the agency. 

She added that OPM is working with the Office of Management and Budget to record all expenditures and needs for budget justification purposes.

Addressing this claim, McFarland said, "I don't see any indication that OPM conferred with OMB." 

The very fact that establishing a business case will require significant time and effort proves the importance of this process, he said. OPM began the massive IT undertaking without inventorying existing systems, evaluating their technical specifications or estimating costs. 

OPM officials on Monday directed reporters to Cobert's reply to the inspector general's latest criticisms. To avoid further misunderstandings, Cobert and McFarland will hold biweekly meetings together, weekly meetings between their senior staffs, and monthly meetings between the IG IT team and her CIO shop, she said in the response, dated Sept. 9.

In addition, OPM now has agreed to produce a business case, as part of the fiscal 2017 budget process.

"Although OPM has been working closely with OMB throughout the development of the project, we agree that there are benefits to preparing a major IT business case, including heightened transparency as well as the value of these established project management processes," Cobert said.

(Image via Mark Van Scyoc/ Shutterstock.com)