OPM tightens contracts in response to hacks

The Office of Personnel Management has been tightening its contractor requirements in the wake of hacks of two contractors that potentially exposed personal information on almost 75,000 federal employees, including some with security clearances.

The contractors breached were U.S. Investigations Services, which no longer works with OPM as a result of a scandal involving allegedly manipulated worksheets, and KeyPoint Government Solutions, which has taken over for USIS as the lead contractor conducting background investigations on behalf of the federal government.

Since the KeyPoint hack was disclosed in December, OPM has been reviewing contractual language with vendors so the agency has the authority to make sure their cybersecurity meets federal standards.

The agency demands contract clauses that require segregation of the most sensitive data.

"One of the lessons that we learned is that if you have a network where all the data is commingled, it is very difficult to protect the data," OPM CIO Donna Seymour said during an April 22 hearing of the House Oversight and Government Reform Committee. "If the data is well-architected and segregated, you have a better chance of understanding what the adversaries are after and putting better protections around it."

OPM's own networks were hacked in March 2014, around the time of the USIS breach, but information was not stolen from federal systems. The USIS data that was taken was stored in a distributed, modern computing environment, Seymour told the committee. By contrast, the OPM data was stored in a mainframe.

Seymour said the adversaries, who have not been identified by the government, were more accustomed to modern technologies. "Our antiquated technology may have helped us a little bit," she said.

KeyPoint has made changes to its networks at the behest of OPM, and according to Seymour, those changes are being reviewed. OPM has paid attention to its own networks as well, firewalling off the most sensitive system. The agency has also tried to improve training for users to prevent employees and contractors from opening phishing email and clicking on potentially dangerous links.

Federal CIO Tony Scott noted that the government has been inconsistent in instituting contractual requirements to protect federal systems, particularly with regard to the rights of government "to look at and inspect their information security measures" and the time requirements for contractors to report incidents to the appropriate authorities.

The Government Accountability Office has recommended better oversight of federal IT contractors. In an August 2014 report, auditors said agencies were "inconsistent in overseeing assessments of contractors' implementation of security controls." GAO asked for new guidance for agencies to conduct oversight of contractor IT security.

The Office of Management and Budget is preparing guidance in light of recent updates to the Federal Information Security Management Act.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Connect with him on Twitter at @thisismaz.
