The Office of Personnel Management is assessing whether it needs more funding to deal with the massive data breach it reported earlier this month, and says it will make any new request for money to Congress by the end of this week.
“We are analyzing right now with OMB and … my CFO to determine … what the request might look like, and I hope to be able to get back to you by the end of the week,” OPM Director Katherine Archuleta told a Senate Appropriations subcommittee on Tuesday.
It’s not immediately clear whether Congress will be in the mood to give OPM more cash. Since the breach was announced on June 4, several members have noted that OPM had been warned for years that its data wasn’t safe, which could make it harder for members to justify more funds for the troubled agency.
In the Tuesday hearing, subcommittee chairman John Boozman, R-Mont., said the federal government spends billions on information technology, while hackers still penetrated many of OPM’s systems, and IT update projects run the risk of being mismanaged and coming in over budget.
“The government spends approximately $82 billion annually on information technology,” he said. And yet, he sees example after example of “initiatives with ongoing costs that grow year after year without demonstrating effective results or sufficient security.”
“All too often large, complex IT projects drag on for years, outlasting the administration that initiated them and the employees responsible for managing them,” he continued.
Sen. Chris Coons, D-Del., was more sympathetic to the idea that OPM might need more funding, and noted that OPM has already requested another $21 million for ongoing IT updates. “We have to understand that without that funding, the investments of the past two years cannot be meaningfully completed,” he said.
Archuleta said that OPM in 2014 and 2015 “committed nearly $70 million towards shoring up our IT infrastructure” and requested “another $21 million above 2015 funding levels to further support the modernization of our IT infrastructure, which is critical to protecting data from the persistent adversaries we face.”
But Tony Busseri, CEO of Route 1, Inc., a federal government IT security contractor, said that neither OPM nor any other federal agency needs to ask for millions and millions in new funding to implement highly secure technology that protects sensitive data from falling into the wrong hands.
“Just spending more money” is not the right approach, he said. “OPM doesn’t need more money to get better security. You don’t need more capital to be compliant.”
Following current security protocols and directives already issued, such as Homeland Security Presidential Directive 12, and utilizing more cost-effective technology with better security can help any agency save millions, Busseri said.
Archuleta told the Senate panel Tuesday that notifying a few million current and former government workers whose personal information was compromised is costing OPM between $19 million and $21 million. But that cost was only expected to reflect notifications to about 3 million workers, not the 18 million workers and family members whose data may have been stolen.