Fixing FISMA, blaming … someone, and another lawsuit

Lawmakers blast agency cyber security failings, demonstrate some of their own technological illiteracy and make a big stink without actually pinning down someone to blame.

Welcome to another Office of Personnel Management breach hearing.

A July 8 House Science, Space and Technology subcommittee hearing investigated the human, technological and regulatory issues surrounding the massive OPM breaches that have exposed the highly sensitive personal information of at least 4.2 million current and former feds -- and potentially millions more in the public and private sectors.

Noticeably absent: the OPM higher-ups who were grilled in prior hearings.

FISMA, and the question of responsibility

"Too many federal agencies like OPM fail to meet the basic standards of cyber security, and no one is being held accountable," said Rep. Lamar Smith (R-Texas).

Smith slammed OPM director Katherine Archuleta, who was not present at the hearing, for her continued assertions that no one at OPM is "personally responsible" for the breaches.

"That is not believable," Smith said. "In fact, it's an insult to the American people who pay [Archuleta's] salary."

Michael Esser, OPM's assistant inspector general for audits, noted that only three of 29 recommendations from OPM's 2014 Federal Information Security Management Act (FISMA) audit had been addressed by the agency, and said OPM has demonstrated a "continuing disregard" for FISMA's "Authorization to Operate" (ATO) process.

Eleven of the 21 OPM systems due for ATOs in FY14 did not get them, Esser noted.

An ATO memo is "simply a piece of paper," Esser admitted, but it represents a critical security assurance process that OPM has long neglected.

"There are currently no consequences for failure to meet FISMA standards, or operate systems without authorizations, at either the agency level or the program office level," Esser testified. "There are no directives or laws that provide for penalties for agencies that fail to meet FISMA requirements."

"How do we make FISMA effective?" asked Rep. Dan Lipinski (D-Illinois). "Who should be, who can be the enforcer when it comes to the federal government?"

"One possibility is [the Office of Management and Budget]," Esser responded.

Esser recommended that, for now, OPM institute program office-level sanctions for FISMA non-compliance.

Gregory Wilshusen, director of Information Security Issues at the Government Accountability Office, offered another approach. "It's clearly the responsibility of the head of each agency to implement the appropriate security recommendations," he noted, saying FISMA is plain enough in saying that within each agency, the agency head is ultimately liable for security shortcomings.

Retreading the same ground

Many questions posed by lawmakers had been asked before, and the answers from witnesses were the same.

Would encryption have helped protect data? Not necessarily, and encryption is difficult to impossible on some legacy systems, witnesses said.

Are OPM's (and other agencies') tech problems an issue of resources, or of management? Throwing more money at agencies wouldn't necessarily help -- management has plenty of room to improve, witnesses said.

Several lawmakers and experts made the point that effective cyber security will require more training of American workers, which prompted a query.

"I'm a little confused, I visit high schools and they're having hackathons and they're considered positive things," chimed in Rep. Suzanne Bonamici (D-Oregon). "Is hacker a negative connotation or is it a positive?"

Wilshusen and others explained that yes, hackathons can develop "good" hackers who help test systems for weaknesses.

Seymour missing

Along with Archuleta, OPM's CIO was also missing from the hearing.

"I want you to know we invited OPM CIO Donna Seymour," Rep. Barbara Comstock (R-Va.) told the hearing's audience. "She declined the committee's invitation citing other commitments."

An OPM spokesperson declined to specify what those other commitments were.

Rep. Ralph Abraham (R-La.) expressed "disappointment" in Seymour's absence, and Rep. Gary Palmer (R-Ala.) came close to accusing Seymour of lying about the scope of the breaches.

"Ms. Seymour did not want to testify before this committee," Palmer said as he shared the story of two of his staff members, neither whom had filled out an SF-86 nor served in the executive branch, receiving OPM breach notification letters.

OPM officials have been accused of "mask[ing]" the severity of the exposure by defining the breaches as two separate events -- the first impacting personnel files, the second impacting security clearances -- and initial reports indicated that Hill staffers had not been exposed in the breach.

That second assertion has since been disproven with numerous staffers receiving notification letters. (The SF-86 form, which is used by background-check applicants to detail their finances, work history, foreign travel and close associations, can include personal information about applicants' family members and other personal references.)

Another lawsuit

The July 8 hearing came as another federal employee union filed suit against OPM.

The National Treasury Employees Union's lawsuit asks the Northern California District Court to:

• Declare that OPM's failure to improve cyber security was an unconstitutional act;
• Order OPM to pay for lifetime credit-monitoring services and identity-theft protection for NTEU members;
• Order OPM to take all the necessary steps to heighten its IT security program and protect NTEU members' data from falling into the hands of hackers in the future; and
• Prevent OPM from collecting personal information from NTEU members electronically or requiring them to submit such data in an electronic form until the court is satisfied with the agency's cyber security upgrades.

The American Federation of Government Employees filed a class action lawsuit last month that named OPM, Archuleta, Seymour and compromised contractor KeyPoint Government Solutions as defendants.

NTEU's suit names only Archuleta as a defendant.

NTEU's suit also differs from the AFGE suit by claiming OPM violated the Constitutional rights of those exposed in the breach, citing the Fifth Amendment.

"I believe that OPM should be supporting the maximum relief and protection possible and they should take responsibility for this breach and use all the resources of the federal government to put a plan in place and make sure a catastrophic event of this nature doesn't happen again," NTEU president Colleen Kelley told reporters on a call announcing the suit. "And I don't see this happening. And that's been very frustrating."

In the July 8 hearing, David Snell of the National Active and Retired Federal Employee Association echoed the call for lifetime credit monitoring.

"We have a lot of distrust out there, a lot of folks are scared," Snell said of current and former feds, noting that even those who have not received notifications of data exposure are asking, "Can I trust the fact that I didn't get notice, or is this a problem?"

And the true scope of the breach?

"We only know what's being reported out of OPM, and it's not very much," Snell said. "It's not very helpful."

GAO's Wilshusen called for agencies to implement critical patches and multi-factor authentication and resolve known vulnerabilities, per the 30-day sprint federal CIO Tony Scott announced last month.

But with the sprint ending soon, Wilshusen cautioned agencies not to let their guards down.

"Cyber security…is not a sprint, it's a marathon," he said. "It needs to be going on a continuous basis."

FCW editorial fellow Bianca Spinosa contributed to this report.