CHIPS Articles: Report on Cyber Intrusions at OPM

While we disagree with many aspects of the report, we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes. We also appreciate the panel’s willingness to work with us on these important issues and find many of the final recommendations to be useful for OPM and the Federal Government at-large.

It is therefore important to take stock of our progress and outline the course we are charting for the future.

Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency’s ability to protect data while delivering on our core missions.

For example:

-- We require those who log into OPM’s systems to use strong multi-factor identification forms. This level of security provides a powerful barrier to our networks from individuals who should not have access.

-- We are in the process of rebuilding and enhancing the web-based application system that individuals use to provide OPM with the information we need to conduct background investigations.

-- We are one of the first agencies in the Federal Government to fully implement the Continuous Diagnostics and Mitigation program developed by the Department of Homeland Security (DHS), as well as DHS’s Einstein 3a. These initiatives allow agencies to detect and prevent cyber attacks before they can reach our systems, and continuously identify cybersecurity threats and vulnerabilities that might arise.

-- We have strengthened our legacy technology systems while developing a new, modern IT infrastructure, which will provide a secure environment for OPM well into the future.

-- We are working with our partners at the Department of Defense who are designing, building, and will operate the IT infrastructure for the new National Background Investigations Bureau, the OPM-based entity that will conduct background investigations for the Federal Government in the future.

These are just a few of the initiatives we have underway, but there is more to this story. At OPM we recognize that cybersecurity is not just about technology – it’s about people. In addition to strengthening our technology, we have added seasoned cybersecurity and IT experts to our already talented team.

OPM has brought on a senior cybersecurity advisor who reports to the Director of OPM. We have hired a new Chief Information Officer as well as a number of new senior IT leaders. And we have centralized our cybersecurity resources under a new Chief Information Security Officer, whose sole responsibility is to take the steps necessary to secure and control access to sensitive information. We also have a strong working relationship with our Office of Inspector General.

The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization. Throughout this agency, management has embraced cybersecurity as a top priority. I am proud of the way the team at OPM rose to the challenge and appreciate the collaborative spirit with which our partners across government worked - and continue to work – side by side with us each and every day.

We hope Congress will also continue to support our efforts and provide us with the resources we need to continue to strengthen our cybersecurity posture now, and into the future.

In an increasingly interconnected world, the threats we face in the realm of cybersecurity are persistent, sophisticated and constantly evolving. To confront these threats we must remain vigilant in our quest to protect systems and information. At OPM we are committed, we are dedicated, and most importantly we are working tirelessly to continuously enhance the security of our data and fulfill our important mission for the American people.