OPM to Fully Do Away with Passwords for Network Access – In 2 Years

OPM CIO Donna Seymour

OPM CIO Donna Seymour Susan Walsh/AP

Today, all OPM employees need a smart card for network access, but not for all users outside of the agency.

Following one of the most devastating government data breaches ever revealed, the Office of Personnel Management is on track to replace password logins with two-step identification for accessing agency networks in two years, according to new goals set by the Obama administration.

Suspected Chinese espionage artists allegedly used a contractor's passcode to break into records on 21.5 million current and prospective national security employees, along with their relatives. 

While mandated to control network access with digital smart cards since 2004, only 1 percent of OPM computer users needed something more than a password to sign on as of September 2014, according to the White House. 

Meanwhile, hackers gnawed at OPM's networks from 2013 until the agency discovered the breach in April.

By a year from now, about 50 percent of federal personnel will be using "personal identity verification," or PIV, smart cards to sign onto OPM systems.  

Today, all OPM employees need a smart card for network access, but not all users outside of the agency do, OPM Chief Information Officer Donna Seymour said in an update on security goals.

"By the end of FY 2017," which is Sept. 30 of that year, "OPM will enforce multifactor authentication for 100 percent of all PIV-enabled users," along with some sort of two-step verification for 80 percent of users who do not have PIV cards, Seymour said. 

OPM first detected an intrusion while deploying real-time "continuous monitoring" sensors, software and cyber analysts to track network controls. The agency, along with most of the government, missed the September 2012 deadline for activating that layer of protection.

Going forward, "OPM will expand continuous diagnostic capabilities by increasing the network sensor capacity, automating sensor collections, and prioritizing risk alerts," Seymour said.

By the end of the second quarter of fiscal 2016, the agency will have installed four new monitoring controls for managing vulnerabilities and secure configurations, along with managing software and hardware inventories.

The agency will be able to monitor 95 percent of its IT assets on via dashboard by next October, Seymour said. 

Some House members have described her IT security improvements as too little too late. Oversight and Government Reform Committee Chairman Jason Chaffetz, R- Utah, along with 17 other GOP representatives called for Seymour’s removal in June. He wrote a letter to acting OPM Director Beth Cobert in August reiterating the need to replace her.

But U.S. Chief Information Officer Tony Scott, who oversees agency cyber policies, reportedly strongly backs Seymour’s efforts to fix security flaws.