The new IT systems storing background investigation forms on millions of federal employees and contractors will use encryption to camouflage sensitive data. Parts of the system may be disconnected from the Internet. And Defense Department software engineers will follow a modular approach to designing the new systems to make them more adaptable as cyberthreats evolve.
That’s according to DOD and other administration officials, who discussed the new efforts to protect security clearance data during a Jan. 22 call with reporters.
The Obama administration last week announced an overhaul of the background investigation process, in the continuing fallout from a massive hack last summer of background investigation records stored by the Office of Personnel Management.
The administration plans to shift the responsibility for conducting the checks to a new entity within OPM to be called the National Background Investigations Bureau. The Pentagon will be responsible for securing the new office’s IT systems.
Undersecretary of Defense for Intelligence Marcel Lettre promised “modern, cutting-edge” tools, noting DOD has had “substantial experience” developing secure systems that incorporate both commercial and government-developed cyberdefense and -detection tools.
"We intend to apply the best practices that we've been able to develop here on the Department of Defense side to bring the best cyberdefenses to bear over the course of the development of the next-generation of the enterprise IT architecture,” he said during the press call.
The new Pentagon-designed and -managed system will be overseen by DOD chief information officer's office, Terry Halvorsen and his deputy CIO for cybersecurity, Richard Hale. Execution of the project will be handled by the Defense Information Systems Agency.
OPM’s security practices were heavily criticized last summer when it was revealed the agency’s aging IT systems did not allow sensitive data to be encrypted. However, encryption may not have made that much of a difference, OPM officials contended, because the hackers were equipped with privileged-user credentials.
Hale said DOD would learn from OPM’s mistakes.
"We will use encryption everywhere that it's appropriate,” he said during the conference call. “So, we will have encryption of data at rest and while it's moving around in the new system."
DOD planners may also decide to air gap parts of the new system -- remove all connections to the public Internet.
DOD has started “applying a pretty rigorous process for looking at what information needs to stay online,” Hale added. “What information can be stored offline or stored in a more private place so that it's not accessible from the Internet?”
OPM security officials had previously said there was no practical way to air gap security clearance data on their interconnected systems, because the agency routinely shares other data across the government. Jeff Wagner, OPM's director of security operations, also told Nextgov last October that yanking offline the system would mean reverting back to an inefficient paper-based process.
It’s still unclear when the new clearance system will be operational. OPM, which has been working closely with DOD since it discovered the hack, is in the process of standing up a transition team, according to the officials
The administration is planning to request $95 million to develop the new system, but that new funding won’t kick in -- if approved by Congress -- until the start of the new fiscal year in September. For the rest of fiscal 2016, funding for the new system will come from OPM’s existing IT budget, said U.S. Chief Information Officer Tony Scott.
Last month, Congress approved $21 million for IT security upgrades at OPM.
Scott said development of the system will follow a “modular” or agile method -- breaking up the massive project into discrete pieces or capabilities that can be rolled out more quickly than under a big-bang “grand design” method.
The aim "is to develop systems that are more adaptable over time as various business process need to change or as, in this case, different cyberthreats may emerge,” Scott said.
“So, what you will see is an approach that focuses on adaptability, both in the application itself but (also) with DOD's advanced capabilities, the ability to respond and adapt over time as different threats and challenges occur," he continued. "That's built in to the model, here. And I think represents a very significant difference in terms of the approach that we're taking to this system."
Having DOD handle cybersecurity of a civilian agency could augur a new trend, said Michael Daniel, the White House cybersecurity coordinator.
The new Pentagon-run system is “actually representative of changes that we know that we need to make more broadly across the federal government in how we're provisioning our cybersecurity across all of the civilian agencies,” he said. “And so we see this as really pointing toward the future of how we're going to have to do business for cybersecurity across the federal government."