OPM tightens contracts in response to hacks

The Office of Personnel Management acted in response to a pair of hacks that potentially exposed personal information on almost 75,000 federal employees, including some with security clearances.

The Office of Personnel Management has been running a tighter ship in the wake of hacks of two contractors that potentially exposed personal information on almost 75,000 federal employees, including some with security clearances.

The contractors breached were U.S. Investigations Services, which no longer works with OPM as a result of a scandal involving allegedly manipulated worksheets, and KeyPoint Government Solutions, which has taken over for USIS as the lead contractor conducting background investigations on behalf of the federal government.

Since the KeyPoint hack was disclosed in December, OPM has been reviewing contractual language with vendors so the agency has the authority to make sure their cybersecurity meets federal standards.

The agency demands contract clauses that require segregation of the most sensitive data.

"One of the lessons that we learned is that if you have a network where all the data is comingled, it is very difficult to protect the data," OPM CIO Donna Seymour said during an April 22 hearing of the House Oversight and Government Reform Committee. "If the data is well-architected and segregated, you have a better chance of understanding what the adversaries are after and putting better protections around it."

OPM's own networks were hacked in March 2014, around the time of the USIS breach, but no information was stolen from federal systems. The USIS data that was taken had been stored in a distributed, modern computing environment, Seymour told the committee. By contrast, the OPM data was stored on a mainframe.

Seymour said the adversaries, who have not been identified by the government, were more accustomed to modern technologies. "Our antiquated technology may have helped us a little bit," she said.

KeyPoint has made changes to its networks at the behest of OPM, and according to Seymour, those changes are being reviewed. OPM has paid attention to its own networks as well, firewalling off the most sensitive system. The agency has also tried to improve training for users to prevent employees and contractors from opening phishing email and clicking on potentially dangerous links.

Federal CIO Tony Scott noted that the government has been inconsistent in instituting contractual requirements to protect federal systems, particularly with regard to the rights of government "to look at and inspect their information security measures" and the time requirements for contractors to report incidents to the appropriate authorities.

The Government Accountability Office has recommended better oversight of federal IT contractors. In an August 2014 report, auditors said agencies were "inconsistent in overseeing assessments of contractors' implementation of security controls." GAO asked for new guidance for agencies to conduct oversight of contractor IT security.

The Office of Management and Budget is preparing guidance in light of recent updates to the Federal Information Security Management Act.