2005-01-28

Congressional hearings on the OPM data breach

A partial list of the hearings of the U.S. Congress
concerning the OPM data breach discovered in June 2015.




2015-06-16-House-Oversight-Hearing-OPM-Data-Breach
OPM: Data Breach
Full House Committee on Oversight and Government Reform
Hearing Date: June 16, 2015 10:00 am

PURPOSE:

To provide Members an opportunity to gain information on the nature and extent of
the recent U.S. Office of Personnel Management (OPM) data breach.

To discuss federal agency compliance with the Federal Information Security Management Act (FISMA).

BACKGROUND:

On June 4th, OPM announced a data breach and its plan to notify
approximately 4 million individuals whose personally identifiable information (PII) may have been compromised.
OPM’s data center is housed by the U.S. Department of the Interior.

The full extent of the data breach, including who was affected and what information was accessed, is still unknown.

The data may have been unencrypted, making employee information immediately usable if extracted.

Witnesses and testimonies
  • Ms. Katherine Archuleta, Director, U.S. Office of Personnel Management
  • Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of Personnel Management
  • Dr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Program Preparedness Directorate, U.S. Department of Homeland Security
  • Mr. Tony Scott, U.S. Chief Information Officer, Office of E-Government and Information Technology, U.S. Office of Management and Budget
  • Ms. Sylvia Burns, Chief Information Officer, U.S. Department of the Interior
  • Mr. Michael R. Esser, Assistant Inspector General for Audits, Office of Inspector General, U.S. Office of Personnel Management



2015-06-24-House-Hearing-Oversight-OPM-Data-Breach-II
OPM Data Breach: Part II
Full House Committee on Oversight and Government Reform
Hearing Date: June 24, 2015 10:00 am

PURPOSE:

To provide Members an opportunity to gain additional information on the security of the U.S. Office of Personnel Management (OPM) information systems and the data it is entrusted to protect.
To examine OPM compliance with the Federal Information Security Management Act (FISMA).

BACKGROUND:

On June 4, OPM announced a data breach and its plan to notify approximately 4 million individuals whose personally identifiable information (PII) may have been compromised.
The full extent of the data breach, including who was affected and what information was accessed, is still unknown.
The Committee held a hearing on June 16, 2015, titled “OPM: Data Breach.”
In prepared testimony, OPM Director Archuleta stated that
“there was a high degree of confidence that OPM systems related to background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been compromised.”
During the hearing, OPM Director Archuleta indicated that,
“any federal employee from across all branches of government,
whose organization submitted service history records to OPM, may have been compromised.”

Witnesses and testimonies
  • Katherine Archuleta, Director, U.S. Office of Personnel Management
  • Patrick E. McFarland, Inspector General, U.S. Office of Personnel Management
  • Donna K. Seymour, Chief Information Officer, U.S. Office of Personnel Management
  • Ann Barron-DiCamillo, Director, U.S. Computer Emergency Readiness Team, U.S. Department of Homeland Security
  • Eric A. Hess, Chief Executive Officer, KeyPoint Government Solutions
  • Rob Giannetta, Chief Information Officer, USIS




2015-06-25-Senate-Hearing-OPM-Date-Breach
Under Attack: Federal Cybersecurity and the OPM Data Breach
Senate Committee on Homeland Security and Governmental Affairs
2015-06-25

Witnesses

The Honorable Katherine Archuleta
Director
Office of Personnel Management

Tony Scott
U.S. Chief Information Officer
Office of Personnel Management

Andy Ozment, Ph.D.
Assistant Secretary, Office of Cybersecurity and Communications
National Protection and Programs Directorate, U.S. Department of Homeland Security

The Honorable Patrick E. McFarland
Inspector General
Office of Personnel Management



2015-07-08-House-Hearing-Science-subcommittee-research-and-technology-and-subcommittee-oversight-hearing-opm-data-breach-tip
Is the OPM Data Breach the Tip of the Iceberg?
Subcommittee on Research and Technology and Subcommittee on Oversight Hearing
2318 Rayburn House Office Building, Washington, D.C. 20515
Hearing Date: Jul 8, 2015 2:00 pm - 4:00 pm

Charter [A very informative document.]

Witnesses:
  • Mr. Michael R. Esser, Assistant Inspector General for Audits,
    Office of Personnel Management
    [This is a very worthwhile document.
    An extract from it is below.]
  • Mr. David Snell, Director, Federal Benefits Service Department,
    National Active and Retired Federal Employee Association
  • Dr. Charles Romine, Director, Information Technology Laboratory,
    National Institute of Standards and Technology
  • Mr. Gregory Wilshusen, Director, Information Security Issues,
    U.S. Government Accountability Office



Extract from the submitted testimony of
Mr. Michael R. Esser, Assistant Inspector General for Audits,
Office of Personnel Management
(the emphasis in color is added by the author of the current blog):


1. Information Security Governance

Information security governance is
the management structure and processes
that form the foundation of a successful IT security program.
Although the DHS FISMA reporting metrics
do not directly address security governance,
it is an overarching issue that impacts
how the agency handles IT security and
its ability to meet FISMA requirements,
and therefore we have always addressed the matter
in our annual FISMA audit reports.

This is an area where OPM has seen significant improvement.
However, some of the past weaknesses still haunt the agency today.

In the FY 2007 FISMA report, we identified a material weakness related to
the lack of IT security policies and procedures.
In FY 2009, we expanded the material weakness to include
the lack of a centralized security management structure
necessary to implement and enforce IT security policies.
OPM’s Office of the Chief Information Officer (OCIO)
was responsible for the agency’s overall technical infrastructure
and provided boundary-level security controls
for the systems residing on this infrastructure.
However, each OPM program office
had primary responsibility for managing security controls
specific to its own IT systems.
There was often confusion and disagreement as to
which controls were the responsibility of the OCIO,
and which were the responsibility of the program offices.

Further, the program office personnel responsible for IT security
frequently had no IT security background
and were performing this function
in addition to another full-time role.
For example, this meant that an employee
whose job was processing retirement applications
may have been given the additional responsibility of
monitoring and managing the IT security needs
of the system used to process those applications.

...

However, in FY 2014, we changed the classification of this issue
to a significant deficiency,
which is less serious than a material weakness.
This change was prompted by important improvements
that were the result of changes instituted in recent years by OPM.

...

2. Security Assessment and Authorization

A Security Assessment and Authorization (Authorization)
is a comprehensive process under which
the IT security controls of an information system
are thoroughly assessed against applicable security standards.
After the assessment is complete,
a formal “Authorization to Operate” (ATO) memorandum is signed,
indicating that
the system is cleared to operate in the agency’s technical environment.
The Office of Management and Budget (OMB) mandates that
all major Federal information systems be re-authorized every three years
unless a mature continuous monitoring system is in place
(which OPM does not yet have).
Although, as mentioned,
IT security responsibility is being centralized under the OCIO,
it is still the responsibility of OPM program offices
to facilitate and pay for the Authorization process
for the IT systems that they own.

...

However,
problems with OPM’s system Authorizations have recently resurfaced.
In FY 2014, 21 OPM systems were due for Authorization,
but 11 of those were not completed on time
and were therefore operating without a valid Authorization.
This is a drastic increase from prior years,
and represents a systemic issue of
inadequate planning by OPM program offices
to assess and authorize the information systems that they own.

Although the majority of our FISMA audit work
is performed towards the end of the fiscal year,
it already appears that
there will be a greater number of systems this year
operating without a valid Authorization.
In April,
the CIO issued a memorandum that granted
an extension of the previous Authorizations
for all systems whose Authorization had already expired,
and for those scheduled to expire through September 2016.
Should this moratorium on Authorizations continue,
the agency will have up to 23 systems
that have not been subject to a thorough security controls assessment.
The justification for this action was that
OPM is in the process of modernizing its IT infrastructure
and once this modernization is complete,
all systems would have to receive new Authorizations anyway.

While we support the OCIO’s effort to modernize its systems,
this action to extend Authorizations is contrary to OMB guidance,
which specifically states that
an “extended” or “interim” Authorization is not valid. [Emphasis in original.]
Consequently, these systems are still operating without a current Authorization,
as they have not been subject to the complete security assessment process
that the ATO is intended to represent.
We believe that this continuing disregard of the
importance of the Authorization process
is an indication that the agency has not historically,
and still does not, prioritize IT security.

There are currently no consequences for failure
to meet FISMA standards,
or operate systems without Authorizations,
at either the agency level or the program office level.
The OIG simply reports our findings in our annual FISMA audit,
which is delivered to OPM and then posted on our website.
OMB receives the results of all FISMA audits,
and produces an annual report to Congress.
There are no directives or laws that provide for penalties
for agencies that fail to meet FISMA requirements.

...



OPM’s official statement on this issue claims that
the agency is acting proactively by shutting down the e-QIP system.
However, the current security review ordered for this system
is a direct reaction to the recent security breaches.
In fact,
the e-QIP system contains vulnerabilities
that OPM knew about, but had failed to correct for years.
As part of the system’s Authorization process in September 2012,
an independent assessor identified 18 security vulnerabilities
that could have potentially led to a data breach.
These vulnerabilities were scheduled to be remediated by September 2013,
but still remain open and unaddressed today.


Unfortunately, the overdue remediation of known vulnerabilities for e-QIP
is only a single example of a more widespread problem at OPM.
Both our FY 2012 and FY 2013 FISMA reports indicated that
out of OPM’s 47 major information systems,
22 had known vulnerabilities with remediation activity greater than 120 days overdue.
In FY 2014, the number grew to 38.

...



Excerpt from the testimony of Mr. Gregory Wilshusen, U.S. Government Accountability Office (GAO):

[page 3]
[T]he Federal Information Security Modernization Act of 2014 (FISMA) ...
among other things, authorizes DHS to
  1. assist the Office of Management and Budget (OMB) with overseeing and monitoring agencies’ implementation of security requirements;
  2. operate the federal information security incident center; and
  3. provide agencies with operational and technical assistance, such as that for continuously diagnosing and mitigating cyber threats and vulnerabilities.

The act also reiterated the 2002 FISMA requirement for the head of each agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the agency’s information or information systems.

In addition, the act continues the requirement for federal agencies to develop, document, and implement an agency-wide information security program.
The program is to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

...

[page 13]
Until federal agencies take actions to address these challenges
[listed above in the original document]—
including implementing the hundreds of recommendations we and inspectors general have made—
federal systems and information will be at an increased risk of compromise
from cyber-based attacks and other threats.

...

[page





2015-07-15-House-Hearing-Oversight-Cybersecurity:-The-Department-of-the-Interior
Cybersecurity: The Department of the Interior
Subcommittee on Information Technology
Subcommittee on Interior
Hearing Date: July 15, 2015 2:00 pm 2154 Rayburn HOB

HEARING PURPOSE:
  • To explore the Department of the Interior’s (DOI) role in the recent U.S. Office of Personnel Management (OPM) data breach.
  • To review the DOI Inspector General’s (IG) recent investigative reports.

HEARING BACKGROUND:
  • DOI housed the OPM personnel file database that was recently breached.
  • DOI IG recently conducted penetration tests of select DOI bureaus.
  • The tests found 3,000 vulnerabilities.
  • A lack of inventory of IT resources and no network segmentation between publicly facing websites and internal websites were identified as areas of high concern.

Witnesses and testimonies
  • Ms. Sylvia Burns, Chief Information Officer, U.S. Department of the Interior
  • Ms. Mary Kendall, Deputy Inspector General, U.S. Department of the Interior