“Simply put, OPM was not designed to house and protect this sensitive data,” the lawmakers say.
After the massive hack that compromised sensitive information of more than 21.5 million former, current and prospective federal employees, the Office of Personnel Management has no business handling security clearance data, according to two members of Congress.
“We strongly believe that security clearance data -- which has been described as the ‘crown jewels’ -- of our national intelligence should not be protected by OPM, which is neither an intelligence agency nor a defense organization,” Reps. Ted Lieu, D-Calif., and Steve Russell, R-Okla., wrote to David Mader, acting deputy director of management at the Office of Management and Budget.
In their Oct. 7 letter, Lieu and Russell said they, along with the House Oversight and Government Reform Committee on which they serve, were “shocked” to hear during congressional hearings that “for years, OPM leadership had ignored warnings from the inspector general of ‘material weakness’ in data security.”
Although the two legislators said they and the committee had “renewed faith” that OPM could revamp its systems under acting Director Beth Cobert’s leadership, they argued that the agency itself shouldn’t house sensitive information.
“Simply put, OPM was not designed to house and protect this sensitive data,” wrote the duo, who have been working since July on legislation to move security clearance data out of OPM.
The lawmakers requested a more secure location to store and safeguard security clearance data, and asked for further review of security clearances that would include evaluating methods such as data segmentation and cryptographic hash functions.
Lieu and Russell both have previously criticized OPM’s role in handling security. Russell said the massive hack was “akin to gross negligence.”
“We have spent over a half a trillion dollars in information technology, and are effectively throwing it all away when we do not protect our assets,” he said in a July 9 statement. “OPM has proven they are not up to the task of safeguarding our information, a responsibility that allows for no error.”
His Republican colleague and committee member said the breach was “likely preventable,” and posited that “OPM still does not prioritize cybersecurity.”
Both lawmakers say their personal information was stolen in the hack.