Before Breach, OPM Requested Millions of Dollars to Upgrade Network Security


OPM's request budgeted funds to "implement and sustain" network upgrades.

Months before the Office of Personnel Management's most recent data breach, the agency had requested an additional $32 million for the 2016 fiscal year -- much of which was slated for strengthening network security, its budget justification shows.

"As a proprietor of sensitive data -- including personally identifiable information for 32 million federal employees and retirees -- OPM has an obligation to maintain contemporary and robust cybersecurity controls," OPM Director Katherine Archuleta wrote in the 2016 budget document. "The infiltration of our network last year underscores the importance of these investments." 

On Thursday, OPM announced a previously undisclosed breach may have compromised personal information of about 4 million current and former federal employees. The agency said the breach occurred last December but wasn't detected until April. 

OPM's 2016 budget request, released in February, proposed an additional $21 million in funding to "implement and sustain agency network upgrades" first initiated in fiscal 2014 and "security software maintenance to ensure a stronger, more reliable and better protected OPM network architecture." Updating the network and maintaining it would "ensure that OPM’s system does not revert to antiquity and insecurity."

In its budget justification, OPM outlined measures it planned to take to fortify its networks -- maintenance for a security operations center that could provide real-time server monitoring, support for stronger firewalls, systems to track security log information to be analyzed in the event of cyberattacks, renewal of database encryption and masking software licenses as well as additional staff to monitor network security, among others.  

According to a February report to Congress on the Federal Information Security Management Act, OPM has been among the lowest cybersecurity spenders in the federal government. That could, of course, be a function of its relatively small size. OPM employed about 5,000 workers and received about $240 million in total funding in 2014.

In the 2014 fiscal year, OPM spent just $7 million total on cybersecurity -- the only agencies to spend the same or less were the Environmental Protection Agency, also spending $7 million, and the Small Business Administration, which spent $5 million. The Defense Department, by comparison, spent $8.9 billion; the Department of Homeland Security spent $1.3 billion.

Within its total cyber spending, OPM spent only $2 million on preventing malicious attacks; only EPA and SBA spent less, with $1 million each. OPM also spent only $5 million on detecting, analyzing and mitigating intrusions; only SBA and the Labor Department spent less, $4 million and $3 million, respectively.
