A legislator said he wants the IG to have “unfettered access” to OPM's security clearance system.
Last week, officials at the Office of Personnel Management temporarily pulled the plug on an online tool used to submit background check forms because a security review had turned up an unspecified vulnerability.
Now, a senator who sits on a key Senate subcommittee is pressing the agency’s inspector general to examine other potential vulnerabilities in OPM’s entire security-clearance processing system, known as EPIC.
Jon Tester, D-Mont., wrote to OPM Inspector General Patrick McFarland on July 6 to “express concern about possible key vulnerabilities in the EPIC suite system,” which is operated by OPM’s Federal Investigative Service division.
Tester is a member of the Homeland Security and Governmental Affairs subcommittee that oversees federal management.
OPM last week announced it was taking the e-QIP system -- essentially, an online questionnaire -- offline for up to six weeks. In the meantime, the agency is reverting to pen-and-paper processing, which could further snare a sometimes yearlong process for federal employees to obtain security clearances.
That move came weeks after OPM announced hackers had infiltrated agency systems and stolen data on millions of federal employees, including sensitive information of employees who had applied for security clearances.
Tester wrote in the letter he’s concerned the entire EPIC system “remains vulnerable despite significant investments into the system.”
In a November 2014 memo to OPM leadership on “top management challenges,” the IG reported the EPIC system had operated without a comprehensive security assessment.
“This vulnerability may have exposed both EPIC suite’s e-QIP system and the entirety of the data housed within it,” Tester said, which contains “incredibly personal information” on millions of federal employees who’ve applied for security clearances, including applicants’ history of debt, substance abuse and even sexual behavior.
Tester said he wants the IG to have “unfettered access” to the EPIC system “in order to evaluate potential vulnerabilities during and after OMB’s 30-day review,” the letter stated, referring to a 30-day “cybersecurity sprint” mandated by the White House Office of Management and Budget.
The letter also laid out concerns with the potential costs of upgrading OPM systems.
So far, the price tag for updating the entire EPIC system between 2010 and 2015 has run to more than $164 million, according to Tester’s letter. Meanwhile, OPM has requested even more in accelerated funding this fiscal year.
The IG has already raised concerns over OPM’s planned multimillion-dollar IT upgrade, issuing a “flash audit” last month that said the agency wasn’t properly budgeting for the improvements.