On June 24, 2015, the Office of Personnel Management (the “OPM”) announced several actions to strengthen its cybersecurity. The 8-page “Actions to Strengthen Cybersecurity and Protect Critical IT Systems” (the “Action Plan”) comes in the wake of the massive cyber theft from OPM’s systems, which has been called one of the largest government hacks in history with the estimated number of affected individuals reaching approximately 18 million.
The Action Plan starts by reciting the “23 concrete steps to improve information security” that the OPM took before discovering the current security incident. These steps included OPM making over $80 million in investments in modernizing its IT security operations, implementing two-factor authentication (through the use of smart-card log-in) for all privileged users who may have access to sensitive information, deploying essential hardware and software tools to secure the network (including tools that mask and redact data), and strengthening oversight of contractors to better manage third-party data security risks.
In addition, the Action Plan lays out the following new actions to bolster security and modernize OPM’s IT systems:
- Completing deployment of two-factor authentication for unprivileged users as well as privileged users by August 1, 2015;
- Working with the Department of Homeland Security to implement a continuous monitoring program by March 2016;
- Acquiring access to contractor systems for emergency access by the OPM and law enforcement;
- Expanding encryption in databases to the extent feasible (where previously the OPM has stated some of its systems will not work with encryption) by July 15, 2015;
Leveraging Outside Expertise
- Hiring a new cybersecurity advisor by August 1, 2015;
- Consulting with private sector CIOs and cybersecurity experts by holding workshops in the coming weeks;
- Consulting with the Inspector General on a bi-weekly basis;
- Migrating to a new IT network environment capable of significantly increased security controls;
- Assessing the scope of its IT modernization process before the end of the 2015 fiscal year;
- Exploring additional contracting avenues for its modernization project;
- Providing additional recommendations and proposals to the House and Senate appropriations committees by June 26 (information on any such additional recommendations was not immediately available as of press time);
- Initiating monthly reviews by OPM’s Director, the CIO and the new cybersecurity advisor;
- Establishing regular employee and contractor training on a bi-annual basis;
- Documenting incident response procedures, including how they will work with other Federal agencies; and
- Ensuring compliance with the Federal Information Security Management Act (the “FISMA”).
The Action Plan is the OPM’s response to increasing public criticism that the OPM has failed to secure its systems, and in some cases has failed to comply with the FISMA. Through these actions, the OPM intends to ensure that it has “all the tools it needs to safeguard its systems and protect the men and women that serve the Federal government.” It remains to be seen, however, whether the OPM can distance itself from the current controversy regarding its IT systems.
The full text of the Action Plan is available here.