The Office of Personnel Management says it will need $37 million in additional funding next year -- a 75 percent increase from current levels -- to continue development of a more secure IT infrastructure.
After the massive hack of background investigation records was revealed last summer, OPM accelerated plans to rebuild its networks into a modern environment, which it calls the “shell.”
At a hearing Monday before the House Appropriations Financial Services and General Government subcommittee, acting OPM Director Beth Cobert said additional funding is “critical” because some custom-coded systems and applications used by the agency are too old to migrate to the new IT environment and have to be reengineered themselves before making the transition.
During the phased rollout of the new “shell” environment, OPM will have to run both old and new systems simultaneously, Cobert said.
"We fundamentally need to build in security by design,” she testified. “To do that, we need to modernize many of these systems. And for many, it is a complicated task, because the systems are large and complex, and the systems are outdated.”
OPM has already spent more than $67 million on the IT upgrade plan, which has at its core a new infrastructure-as-a-service environment bolstered by “new and modern industry-recognized security tools,” according to the agency’s budget request.
During the hearing, appropriators seemed receptive to the funding bump. But last summer, when the revelations of the OPM data breach first came to light, lawmakers rejected an emergency spending increase for IT improvements, slicing the $37 million request back down to the agency’s original ask of $21 million.
Committee Chairman Rep. Ander Crenshaw, R-Fla., also pointed to concerns by the OPM inspector general, expressed in a “flash audit” issued last summer, which said the agency hadn’t properly accounted for the plan, hadn’t completed key planning documents and had improperly awarded contracts to support it.
Cobert told lawmakers OPM submitted all the proper paperwork -- a business case, in federal budget parlance -- last fall. In addition, OPM’s IT shop is meeting with the IG’s office on a regular basis, Cobert said.
Last summer, Patrick McFarland, the former OPM IG, said the agency’s chief information officer, Donna Seymour had withheld information and deliberately deceived auditors. Seymour retired last month after repeated calls for her to step down from Republican members of Congress.
Cobert said Dave Vargas, a senior executive in OPM's IT shop, is currently serving the agency's acting CIO.
Cobert also pledged to provide quarterly updates to Congress on the IT migration plan.
“That's another good way of making sure, you know, that we are being disciplined in how we deliver on our plan and adjust the plan if there are new facts,” she said.
Also complicating matters, however, is a separate plan announced by the Obama administration earlier this year to establish a new bureau within OPM to conduct background investigations. The Defense Department will be tasked with designing and building more secure systems to store the records.
Crenshaw said OPM initially kept Congress in the dark about the plan to create the National Background Investigations Bureau.
"I'm disappointed that it took numerous requests on our part to provide the committee with a 1-hour briefing on the bureau and it only occurred last week,” Crenshaw said.
Crenshaw said he has questions about long-term funding for the proposal and lines of authority between DOD and OPM.
“There's a lot of unanswered questions,” Crenshaw said. “I know this is fast-moving ... but some people would criticize this and say, well, this is just another way the government moves everything around and somehow it's all going to be better.”