Legacy Systems

OPM's sensitive data on feds still not encrypted


More than a year after a hack of Office of Personnel Management systems compromised more than 22 million records, the agency has not been able to encrypt all the sensitive data on 4 million federal employees, including Social Security numbers.

"There are still elements of OPM systems that are difficult to encrypt," acting OPM Director Beth Cobert said during a May 13 hearing of the House Oversight and Government Reform Committee.

Rep. Stephen Lynch (D-Mass.) said he was hearing too much "happy talk" with regard to OPM’s progress in the matter and emphasized that full encryption had yet to be achieved.

Federal CIO Tony Scott said he has been meeting regularly with OPM and Defense Department officials on issues arising from the breach, including the establishment of the National Background Investigations Bureau. The joint OPM/DOD effort to replace the Federal Investigative Services puts DOD in charge of IT operations used in federal employee background checks.

Scott said OPM has been doing "all kinds of work" to improve its security posture, including penetration testing, and has "applied tools to the limits they can, within the limits of current technology." Furthermore, the agency is "leading federal agencies right now in terms of their efforts" in cybersecurity. OPM, for example, is at the forefront of implementing the Continuous Diagnostics and Mitigation services coordinated by the Department of Homeland Security.

At the same time, Scott added, "there are things that can't be encrypted because the technology doesn't allow it."

The OPM has a target date of Sept. 30, 2016 to have full encryption on all federal employee data in its systems, agency spokesman Sam Schumach told FCW in an email. In addition, the agency requires two-factor authentication for network logins and uses the Einstein 3A network security system from the Department of Homeland Security to detect potentially malicious activity.

"Although there are technical limitations and challenges posed by our legacy systems, OPM has a technical roadmap to perform the necessary upgrades to these systems in order to support full encryption of federal employee data," Schumach said.

Cobert told the committee that the relationship between the OPM CIO office and the inspector general has improved dramatically. She said she meets with the acting IG on a biweekly basis, and teams have been set up to address technology, procurement and NBIB’s creation.

Cobert's nomination to become OPM director and shed her acting status remains stalled in the Senate. Sen. David Vitter (R-La.) told lawmakers that he will continue the hold on her confirmation vote pending a change in the way Congress is treated under the Affordable Care Act.

This article was updated May 13 with comment from OPM.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
