Legacy Systems

OPM's sensitive data on feds still not encrypted

Acting OPM Director Beth Cobert

More than a year after a hack of Office of Personnel Management systems compromised more than 22 million records, the agency has not been able to encrypt all the sensitive data on 4 million federal employees, including Social Security numbers.

"There are still elements of OPM systems that are difficult to encrypt," acting OPM Director Beth Cobert said during a May 13 hearing of the House Oversight and Government Reform Committee.

Rep. Stephen Lynch (D-Mass.) said he was hearing too much "happy talk" with regard to OPM’s progress in the matter and emphasized that full encryption had yet to be achieved.

Federal CIO Tony Scott said he has been meeting regularly with OPM and Defense Department officials on issues arising from the breach, including the establishment of the National Background Investigations Bureau. The joint OPM/DOD effort to replace the Federal Investigative Services puts DOD in charge of IT operations used in federal employee background checks.

Scott said OPM has been doing "all kinds of work" to improve its security posture, including penetration testing, and has "applied tools to the limits they can, within the limits of current technology." Furthermore, the agency is "leading federal agencies right now in terms of their efforts" in cybersecurity. OPM, for example, is at the forefront of implementing the Continuous Diagnostics and Mitigation services coordinated by the Department of Homeland Security.

At the same time, Scott added, "there are things that can't be encrypted because the technology doesn't allow it."

The OPM has a target date of Sept. 30, 2016 to have full encryption on all federal employee data in its systems, agency spokesman Sam Schumach told FCW in an email. In addition, the agency requires two-factor authentication for network logins and uses the Einstein 3A network security system from the Department of Homeland Security to detect potentially malicious activity.

"Although there are technical limitations and challenges posed by our legacy systems, OPM has a technical roadmap to perform the necessary upgrades to these systems in order to support full encryption of federal employee data," Schumach said.

Cobert told the committee that the relationship between the OPM CIO office and the inspector general has improved dramatically. She said she meets with the acting IG on a biweekly basis, and teams have been set up to address technology, procurement and NBIB’s creation.

Cobert's nomination to be OPM director, which would let her shed her acting status, remains stalled in the Senate. Sen. David Vitter (R-La.) told lawmakers that he will continue the hold on her confirmation vote pending a change in the way Congress is treated under the Affordable Care Act.

This article was updated May 13 with comment from OPM.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
