The Office of Personnel Management is on track to receive a 75 percent budget increase for IT security upgrades at the once-hacked agency.
But a new internal watchdog report finds funding for the troubled project remains an issue in part because of poor planning by the agency. A broader Obama administration plan to shift responsibility for background investigation IT systems to the Pentagon could also put funding for OPM’s “Shell” IT modernization in jeopardy, according to a May 18 report from the OPM inspector general’s office.
The House Appropriations Financial Services and General Government Subcommittee on May 25 approved $37 million -- a $15 million boost -- in total funding for “the operation and strengthening” of OPM’s legacy IT systems as well as the new Shell environment.
The funding bill comes with some strings attached, though. To get all the new funding, OPM officials will have to put together a detailed spending plan reviewed and approved by the White House’s in-house digital fix-it squad, the U.S. Digital Service, as well as the Office of Management and Budget, the Homeland Security Department and OPM’s inspector general.
Such a plan is sorely needed, according to the IG’s new accounting, which finds the agency still lacks a “realistic budget” for the massive upgrade.
“OPM officials have candidly informed us that their cost estimates are ‘best guesses,’” the IG’s latest report stated. “In our opinion, these cost estimates significantly understate the true costs of the project.”
The new audit is the latest in a back-and-forth between the agency and the IG’s office over the status of the IT upgrades. The overhaul was initiated in the wake of a 2014 cyber intrusion and accelerated after OPM revealed last summer that hackers had made off with sensitive background investigations records on more than 21.5 million current and former federal employees and contractors.
Also complicating matters is the administration’s plan to transition the responsibility for conducting background checks to an independent “National Background Investigations Bureau,” and to task the Defense Department with managing and securing the new agency’s IT systems.
The new bureau could pose a problem because, according to the IG’s office, OPM had planned to use money from its revolving fund -- most of which comes from fees charged to other agencies to perform background checks -- “to fund a significant portion of the costs of the project.”
Now that the IT systems undergirding the background investigation process will be under the control of the Defense Department and not part of OPM’s Shell environment, “it would seem that a large portion of the planned funding source will not be available for the project,” the IG reported.
The IG also says it’s a problem that OPM is planning to spend only limited amounts of funding on actually modernizing and migrating systems. From fiscal 2017 through 2020, planning documents indicate, OPM plans to spend only between 20 and 25 percent of its budget on migrating systems. The rest will be spent on securing and maintaining both the existing legacy IT environment and the still-under-construction new Shell environment.
“As these two environments continue to age, the costs of keeping them functional and secure will continue to increase,” the IG’s report noted. “Eventually, maintenance costs could consume OPM’s entire budget for the project, leaving no funding available for modernization and migration.”
The IG calls this a “worst-case scenario,” because both environments would be left less secure, and the agency would be “susceptible to another data breach.”
OPM has addressed some of the IG’s previous recommendations.
After repeated calls by the IG stretching back to last summer, OPM finally agreed to complete critical planning documents -- known as an IT business case -- related to the multimillion-dollar IT security overhaul by the end of September.
But the follow-up IG report says the agency rushed through those documents, skipping several “critical” steps.
The report also noted “some improvement” in developing an inventory of the agency’s legacy systems, including cost estimates for modernizing them.
OPM’s senior cybersecurity adviser, Clifton Triplett, “has developed a framework that we are optimistic can begin to provide OPM with this critical information,” the IG said.
“While this type of analysis should have occurred before heavily investing” in the Shell upgrade project, “we are pleased to see that OPM at least has a framework in place to begin developing true cost estimates for this project,” the IG said.
Earlier this month, the company hired to help OPM build a new IT environment, Imperatis, suddenly quit work on the contract a month early, citing financial distress.