In 2014, the Office of the Inspector General (OIG) urged the Office of Personnel Management (OPM) to shut down computer systems which were operating without a current security authorization. OIG specifically warned that a breach of some of the systems could have “national security implications.”
In the audit report published November 12, 2014, OIG found that 11 out of 47 computer systems operated by OPM did not have current security authorizations. Furthermore, the affected systems were “amongst the most critical and sensitive applications owned by the agency.”
Two of the unauthorized systems are described in the report as “general support systems” which contained over 65 percent of all OPM computer applications. Two other unauthorized systems were owned by Federal Investigative Services, the organization which handles background investigations in connection with government security clearances. OIG warned bluntly, “any weaknesses in the information systems supporting this program office could potentially have national security implications.”
Because of the volume and sensitivity of the information involved, OIG recommended OPM “consider shutting down systems that do not have a current and valid Authorization.” But OPM declined, saying, “We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”
Over the past week, media reports have revealed that hackers believed to be working out of China gained access to OPM systems containing personal data on as many as 14 million current and former government employees. Some reports suggest this may include up to 2.9 million highly detailed security clearance forms, including those of NSA and CIA agents. This is precisely the data OPM was warned could have national security implications if breached.
Tuesday morning, the House Oversight Committee held hearings on the OPM data breach. When asked about the warnings from OIG, OPM Director Archuleta said, “The recommendation to close down our systems came after the adversaries were already in our network.” Chairman Chaffetz responded by pointing out that OPM didn’t know the breach had occurred until April of this year, nearly six months after OPM was urged to shut the system down.
Chaffetz hammered Archuleta on her decision not to heed OIG’s warning, saying, “He recommended shutting it down last year and you, you made a conscious decision to not do that. You kept it open. The information was vulnerable and the hackers got it.”