
Nearly a decade after a breach of a database containing information from background checks on federal employees and others, the government still is using some of the systems that were hacked and still needs to shore up the security and privacy protections in those systems and in systems developed since then, the GAO has said.
A GAO witness made those statements at a House hearing on actions taken since the breaches of a background investigation database then maintained by OPM and a separate OPM database of federal employee personnel files. Together, the records of some 22 million people—including in some cases highly sensitive personal and financial information and fingerprints—were captured.
In the aftermath, the then-OPM director resigned, the government started providing free credit monitoring services to federal employees, and responsibility for conducting background checks and maintaining those records was shifted to DoD.
“The 2015 breaches of OPM legacy systems demonstrated the damage that increasingly sophisticated cyber threats can cause,” but DoD “has not fully planned for the cybersecurity controls needed to protect NBIS and legacy systems or fully implemented privacy controls,” said Alissa Czyz, GAO director of defense capabilities management.
DoD had not fully defined and prioritized those requirements in any of the six systems GAO reviewed, had not ensured that users had the required training and certification, and had not established an oversight process to ensure that gaps are identified and remedied, she said.
She further noted that full migration to the replacement IT system—the National Background Investigation Services—has been delayed several times beyond its initial goal of completion in 2019, and that DoD still “does not yet have a reliable schedule and cost estimate” for the transition. Of five metrics GAO cited for scheduling, DoD had only “minimally met” each, and of five for cost estimates, it had only minimally met four and had not met the other at all.
David Cattler, who recently took over as director of the Defense Counterintelligence and Security Agency, said deployment of the NBIS system is “unacceptably late” and described a number of initiatives he has started, adding “We aim in the current plan to have the legacy system sunsetted no later than fiscal ’28.”