This is an update to the DoD workforce regarding the U.S. Office of Personnel Management (OPM) reported cybersecurity incident affecting its systems and data that may have compromised the Personally Identifiable Information (PII) of current and former Federal civilian employees. OPM is in the second week of notifying the roughly four million federal civilians whose PII may have been compromised. This incident affects current and former Federal, including DoD, civilian employees.
As we informed you on 11 June 2015, affected personnel are automatically enrolled in identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution; no additional action by affected personnel is necessary.
Optionally, free credit monitoring services for 18 months will be provided upon registration with CSID by the affected individual. Full details are available on the OPM Website (www.opm.gov) under the homepage banner that says "Important Information about the Recent Cybersecurity Incident."
CSID, on behalf of OPM, has resumed email notifications to DoD Employees on Monday , 15 June 2015 using these improved operational and security procedures. For those individuals who had already received a notification by the initial e-mail process, OPM selected those individuals who had not used their PIN to re-notify them under the improved process.
For those who activated their PIN in their initial notification e-mail, OPM is not re-notifying these individuals. The official email notifications to employees will come from opmcio@csid.com as a text email. The CSID email will contain information for the employee about the incident, what protection is being provided, and instructions for employees to register for the credit monitoring. This is the part that has changed — with better security practices:
-- The employee is not able to click on an embedded link in the email. They must enter the URL ( https://www.csid.com/opm) manually in their web browser to go the benefits enrollment site.
-- On the enrollment site, there is improved security and procedures in validating the employees for their benefits.
-- Employees can also go to the OPM government web site where they will find instructions and link to the CSID web site.
-- If an email is undeliverable, CSID will automatically generate a first class letter notification using the home of record address on file.
CSID and OPM are scheduled to complete the emailing of notifications by 22 June 2015.
Many of you have exercised cybersecurity best practices during the course of this notification process, and we thank you for your diligence and patience. We will keep the DoD workforce informed on notifications pertaining to this incident via email, the OPM website, www.defense.gov website and official DoD email delivery.
Should you have any questions on this matter, you may contact Mary P. Fletcher, Chief, Defense Privacy and Civil Liberties Division, at mary.p.fletcher4.civ@mail.mil or 703-571-0090.
David Tillotson
Assistant Deputy Chief Management Officer
& Senior Agency Official for Privacy
Department of Defense