House Oversight Chairman Jason Chaffetz, R-Utah, is demanding that the Office of Personnel Management turn over all of the documents related to the agency’s cybersecurity practices that were stolen in breaches that were announced this summer.
In a letter sent to the agency on Tuesday, Chaffetz demanded a copy of every security document related to OPM’s systems, in addition to the information security protocols required for those documents. He also asked for the dates that those documents were accessed by hackers who penetrated OPM’s systems this year, and the date that officials with agencies like the Federal Bureau of Investigation and the Department of Homeland Security were notified of the access — if they were at all.
Chaffetz also demanded a “detailed description of each action taken by OPM, its contractors, and agency partners to secure OPM systems following the discovery of the unauthorized access and/or taking of the security documents,” and a copy of all communications from agency officials related to the incident.
The agency has until Sept. 1 to respond.
In testimony before the committee in June, former OPM Director Katherine Archuleta and Chief Information Officer Donna Seymour explained that, in addition to exposing the data of 22 million current and former government employees, the breaches in the agency’s system resulted in the loss of security documents that could be used by hackers to penetrate the agency again. Seymour said the documents were “outdated,” but went on to say that they could be used as a blueprint to infiltrating OPM’s system.
It is the second letter sent by a member of Congress on the topic in a week. Sen. Ron Wyden, D-Ore., sent a letter to the National Counterintelligence and Security Center last Wednesday asking what steps that agency had taken to protect against breaches of federal cyberinfrastructure.
In his letter, Wyden requested to know “what actions the NCSC took prior to” OPM security incidents, “and what the NCSC will be doing to prepare for future attacks that will similarly target personnel and background investigation information.”
The OPM breach resulted in the theft of, among other things, background check information for federal employees with security clearances dating as far back as 1985. The intrusion is alleged to have originated in China and has incited fears that intelligence officials and other federal employees will now be open to blackmail from foreign operatives.
Chaffetz has been vocal in his displeasure with OPM officials in the wake of the breach, leading a successful charge for the removal of Archuleta as head of the agency. This month, he addressed another letter to Acting Director Beth Cobert calling for the removal of Seymour, saying she had failed to engage in “basic cybersecurity best practices” such as encrypting or segmenting sensitive data in spite of “repeated warnings from the OPM inspector general.”
