Fixing FISMA, blaming … someone, and another lawsuit

Lawmakers wrestled with the regulatory shortcomings that helped make the OPM breach possible as they continued the search for someone to blame. Employee unions, on the other hand, know whom they're blaming.

Lawmakers blast agency cyber security failings, demonstrate some of their own technological illiteracy and make a big stink without actually pinning down someone to blame.

Welcome to another Office of Personnel Management breach hearing.

A July 8 House Science, Space and Technology subcommittee hearing investigated the human, technological and regulatory issues surrounding the massive OPM breaches that have exposed the highly sensitive personal information of at least 4.2 million current and former feds -- and potentially millions more in the public and private sectors.

Noticeably absent: the OPM higher-ups who were grilled in prior hearings.

FISMA, and the question of responsibility

"Too many federal agencies like OPM fail to meet the basic standards of cyber security, and no one is being held accountable," said Rep. Lamar Smith (R-Texas).

Smith slammed OPM director Katherine Archuleta, who was not present at the hearing, for her continued assertions that no one at OPM is "personally responsible" for the breaches.

"That is not believable," Smith said. "In fact, it's an insult to the American people who pay [Archuleta's] salary."

Michael Esser, OPM's assistant inspector general for audits, noted that only three of 29 recommendations from OPM's 2014 Federal Information Security Management Act (FISMA) audit had been addressed by the agency, and said OPM has demonstrated a "continuing disregard" for FISMA's "Authorization to Operate" (ATO) process.

Eleven of the 21 OPM systems due for ATOs in FY14 did not get them, Esser noted.

An ATO memo is "simply a piece of paper," Esser admitted, but it represents a critical security assurance process that OPM has long neglected.

"There are currently no consequences for failure to meet FISMA standards, or operate systems without authorizations, at either the agency level or the program office level," Esser testified. "There are no directives or laws that provide for penalties for agencies that fail to meet FISMA requirements."

"How do we make FISMA effective?" asked Rep. Dan Lipinski (D-Illinois). "Who should be, who can be the enforcer when it comes to the federal government?"

"One possibility is [the Office of Management and Budget]," Esser responded.

Esser recommended that, for now, OPM institute program office-level sanctions for FISMA non-compliance.

Gregory Wilshusen, director of Information Security Issues at the Government Accountability Office, offered another approach. "It's clearly the responsibility of the head of each agency to implement the appropriate security recommendations," he noted, adding that FISMA is plain enough on the point: within each agency, the agency head is ultimately accountable for security shortcomings.

Retreading the same ground

Many questions posed by lawmakers had been asked before, and the answers from witnesses were the same.

Would encryption have helped protect data? Not necessarily, and encryption is difficult to impossible on some legacy systems, witnesses said.

Are OPM's (and other agencies') tech problems an issue of resources, or of management? Throwing more money at agencies wouldn't necessarily help -- management has plenty of room to improve, witnesses said.

Several lawmakers and experts made the point that effective cyber security will require more training of American workers, which prompted a query.

"I'm a little confused. I visit high schools and they're having hackathons, and they're considered positive things," chimed in Rep. Suzanne Bonamici (D-Oregon). "Is hacker a negative connotation or is it a positive?"

Wilshusen and others explained that yes, hackathons can develop "good" hackers who help test systems for weaknesses.

Seymour missing

Along with Archuleta, OPM's CIO was also missing from the hearing.

"I want you to know we invited OPM CIO Donna Seymour," Rep. Barbara Comstock (R-Va.) told the hearing's audience. "She declined the committee's invitation citing other commitments."

An OPM spokesperson declined to specify what those other commitments were.

Rep. Ralph Abraham (R-La.) expressed "disappointment" in Seymour's absence, and Rep. Gary Palmer (R-Ala.) came close to accusing Seymour of lying about the scope of the breaches.

"Ms. Seymour did not want to testify before this committee," Palmer said as he shared the story of two of his staff members, neither of whom had filled out an SF-86 or served in the executive branch, receiving OPM breach notification letters.

OPM officials have been accused of "mask[ing]" the severity of the exposure by defining the breaches as two separate events -- the first impacting personnel files, the second impacting security clearances -- and initial reports indicated that Hill staffers had not been exposed in the breach.

That second assertion has since been disproven, with numerous staffers receiving notification letters. (The SF-86 form, which background-check applicants use to detail their finances, work history, foreign travel and close associations, can also include personal information about applicants' family members and other personal references.)

Another lawsuit

The July 8 hearing came as another federal employee union filed suit against OPM.

The National Treasury Employees Union's lawsuit asks the Northern California District Court to:

  • Declare that OPM's failure to improve cyber security was an unconstitutional act;
  • Order OPM to pay for lifetime credit-monitoring services and identity-theft protection for NTEU members;
  • Order OPM to take all the necessary steps to heighten its IT security program and protect NTEU members' data from falling into the hands of hackers in the future; and
  • Prevent OPM from collecting personal information from NTEU members electronically or requiring them to submit such data in an electronic form until the court is satisfied with the agency's cyber security upgrades.

The American Federation of Government Employees filed a class action lawsuit last month that named OPM, Archuleta, Seymour and compromised contractor KeyPoint Government Solutions as defendants.

NTEU's suit names only Archuleta as a defendant.

NTEU's suit also differs from the AFGE suit by claiming OPM violated the Constitutional rights of those exposed in the breach, citing the Fifth Amendment.

"I believe that OPM should be supporting the maximum relief and protection possible and they should take responsibility for this breach and use all the resources of the federal government to put a plan in place and make sure a catastrophic event of this nature doesn't happen again," NTEU president Colleen Kelley told reporters on a call announcing the suit. "And I don't see this happening. And that's been very frustrating."

In the July 8 hearing, David Snell of the National Active and Retired Federal Employee Association echoed the call for lifetime credit monitoring.

"We have a lot of distrust out there, a lot of folks are scared," Snell said of current and former feds, noting that even those who have not received notifications of data exposure are asking, "Can I trust the fact that I didn't get notice, or is this a problem?"

And the true scope of the breach?

"We only know what's being reported out of OPM, and it's not very much," Snell said. "It's not very helpful."

GAO's Wilshusen called for agencies to implement critical patches and multi-factor authentication and resolve known vulnerabilities, per the 30-day sprint federal CIO Tony Scott announced last month.

But with the sprint ending soon, Wilshusen cautioned agencies not to let their guards down.

"Cyber security…is not a sprint, it's a marathon," he said. "It needs to be going on a continuous basis."

FCW editorial fellow Bianca Spinosa contributed to this report.
