Congress is still waiting for details requested five months ago from the Office of Personnel Management about an agency data breach that allowed U.S. adversaries to obtain information on 21.5 million federal employees, national security contractors and their families, according to some Republican lawmakers.
During a House hearing Thursday, the Oversight and Government Reform Committee is expected to question a legislative branch liaison from OPM about the holdup and excessive redactions in documents it received.
The earlier letter asked for details on reports a contractor, CyTech, discovered the intrusion during a product demonstration, another majority committee staffer noted. The second letter focused on revelations from June 2015 committee hearings that the attackers stole manuals mapping out OPM’s IT environment. The breach exposed "security documents and systems manuals that could be used by hackers to launch additional attacks on OPM's network,” Committee Chairman Rep. Jason Chaffetz, R-Utah, said in the August 2015 letter.
Members also have complained about a slow trickle of requested information at other agencies, and have invited legislative affairs officials from the departments of Justice, Homeland Security and State, as well as the Office of Management and Budget to Thursday’s hearing.
The staffer told Nextgov the members hope to have a healthy discussion between the executive and legislative branches about the problem of OPM and other agencies failing to produce documents.
In many cases, it is unclear whether an agency is withholding public information out of embarrassment, restricting information that could cause harm if released, or if there are other circumstances preventing disclosure, the staffer said.
Whatever the reasons, the committee is missing information needed to carry out its investigative duties, the aide said.
The panel plans to hold a separate hearing sometime during the first quarter of this year to probe the post-breach conduct of OPM leaders.
In prepared testimony, Jason Levine, OPM director of congressional, legislative and intergovernmental affairs, said, since June 15, "OPM has received and provided responses to every question in six separate document production requests."
Those responses entailed 19 separate packages, including tens of thousands of documents and internal reports, Levine added.
He explained the short-staffed agency is trying to be as responsive as possible, without compromising IT security or confidential personal details.
"OPM has worked as quickly as its infrastructure and resources allow," Levine said, in a copy of the testimony obtained by Nextgov.
In order to respond to volumes of inquiries from Congress for sensitive material, the agency hired more employees, brought in other agency staff on detail, and obtained document management tools, he said. In addition, OPM worked with committee staff to prioritize its requests and send responses on a rolling basis "in order to accommodate the committee’s schedule and oversight interests," Levine said.
Some information was removed to prevent further hacks.
"As a result of the extreme and ongoing sensitivities of information related to OPM’s IT networks, servers and systems, redactions of sensitive system information were made so as not to provide a roadmap of vulnerabilities for potential adversaries and malicious actors,” Levine said. OPM IT security professionals and interagency cyber experts recommended the deletions, he said.
"Additional redactions were also made for reasons of longstanding executive branch confidentiality interests,” Levine said.
A "significant number” of sensitive, unredacted documents were also made available for review, in private, in OPM’s liaison office in a House building, he said.
"At the committee’s request, and after further consultation with OPM IT security professionals and other federal agencies, a number of these documents subsequently have been produced to the committee,” Levine added.
On Wednesday, House oversight committee Democrats did not criticize OPM for delays in receiving requested materials.
“OPM has been regularly producing documents in response to the committee’s requests and cooperating with the committee to provide any outstanding information to assist in the committee’s investigation into the breach,” a minority staff member said in an email.
In June 2015, the agency disclosed a breach of 4.2 million personnel files on current and former federal employees. A month later, OPM announced that perpetrators had executed another, larger hack during the same attack that yielded 21.5 million records on almost every individual who had applied for a clearance to handle U.S. national secrets since 2000, along with their relatives. Director of National Intelligence James Clapper and multiple security researchers have blamed the incident on Chinese cyberspies.
Nextgov has requested comment from OPM.