Legacy Systems

OPM's sensitive data on feds still not encrypted

Beth Cobert, OPM, official

Acting OPM Director Beth Cobert

More than a year after a hack of Office of Personnel Management systems compromised more than 22 million records, the agency has not been able to encrypt all the sensitive data on 4 million federal employees, including Social Security numbers.

"There are still elements of OPM systems that are difficult to encrypt," acting OPM Director Beth Cobert said during a May 13 hearing of the House Oversight and Government Reform Committee.

Rep. Stephen Lynch (D-Mass.) said he was hearing too much "happy talk" with regard to OPM’s progress in the matter and emphasized that full encryption had yet to be achieved.

Federal CIO Tony Scott said he has been meeting regularly with OPM and Defense Department officials on issues arising from the breach, including the establishment of the National Background Investigations Bureau. The joint OPM/DOD effort to replace the Federal Investigative Services puts DOD in charge of IT operations used in federal employee background checks.

Scott said OPM has been doing "all kinds of work" to improve its security posture, including penetration testing, and has "applied tools to the limits they can, within the limits of current technology." Furthermore, the agency is "leading federal agencies right now in terms of their efforts" in cybersecurity.  OPM, for example, is at the forefront of implementing the Continuous Diagnostics and Mitigation services coordinated by the Department of Homeland Security. 

At the same time, Scott added, "there are things that can't be encrypted because the technology doesn't allow it."

The OPM has a target date of Sept. 30, 2016 to have full encryption on all federal employee data in its systems, agency spokesman Sam Schumach told FCW in an email. In addition, the agency requires two-factor authentication for network logins and uses the Einstein 3A network security system from the Department of Homeland Security to detect potentially malicious activity.

"Although there are technical limitations and challenges posed by our legacy systems, OPM has a technical roadmap to perform the necessary upgrades to these systems in order to support full encryption of federal employee data," Schumach said.

Cobert told the committee that the relationship between the OPM CIO office and the inspector general has improved dramatically. She said she meets with the acting IG on a biweekly basis, and teams have been set up to address technology, procurement and NBIB’s creation.

Cobert's nomination to be OPM director and shed her acting status remains stalled in the Senate. Sen. David Vitter (R-La.) told lawmakers that he will continue the hold on her confirmation vote pending a change in the way Congress is treated under the Affordable Care Act. 

This article was updated May 13 with comment from OPM.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/Shutterstock.com)

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.