After The OPM Hack Security Clearances Will Now Be Done By The Pentagon

Uploaded on 2016-02-06 in NEWS-Cybersecurity News, INTELLIGENCE--USA, GOVERNMENT-Defence, FREE TO VIEW

In the continuing aftermath of the massive hack of sensitive records stored by the Office of Personnel Management, the Obama administration announced today it’s shifting the responsibility for conducting background investigations of sensitive personnel to the Defense Department

In the future, files containing personal information on security clearance seekers—the same type of information netted last summer by purported Chinese hackers—will be stored and secured on Pentagon systems, officials say.

OPM is turning over its responsibilities for conducting background investigations to a newly created National Background Investigations Bureau. OPM currently conducts about 95 percent of all checks government-wide, including 600,000 full-scale security clearance investigations each year.

The head of the new office will be appointed by the president and still report to the head of OPM. However, the office’s IT systems will be “designed, built, secured and operated” by the Pentagon, according to a fact sheet released by the administration.

“This approach will leverage DOD’s significant national security, IT and cybersecurity expertise, incorporating security into the fundamental design of the systems, strengthening the security of the data environment, and providing robust privacy protections,” the fact sheet said.

The administration’s forthcoming fiscal 2017 budget request will seek an additional $95 million for IT development, according to the fact sheet.

The new office will have a dedicated senior privacy official “to advance privacy-by-design as the new entity is stood up and new IT systems are developed,” the fact sheet stated.

OPM came under fire last summer after it was revealed the agency’s antiquated IT systems did not allow sensitive data to be encrypted and that lax sign-on controls may have allowed cyber-intruders to penetrate further into the agency’s systems.

The efforts to update the security of the background check process come after a 30-day “cybersecurity sprint” launched by U.S. Chief Information Officer Tony Scott last summer. Agencies were ordered to immediately plug critical cyber vulnerabilities, identify high-value systems and implement more secure sign-on measures.

Since the hack, OPM had been working on a multiyear plan to modernize its IT infrastructure, although those efforts were criticized by the agency’s inspector general for poor planning and unreliable cost and schedule estimates.

There’s no word yet on how quickly the new office will be opened. The administration plans to establish a transition team to work on a migration plan.

The changes were announced in a White House blog post signed by a bevy of top administration officials including Scott, Director of National Intelligence James Clapper, acting OPM Director Beth Cobert, acting Undersecretary of Defense for Intelligence Marcel Lettre and White House Cybersecurity Coordinator Michael Daniel.

Last summer, hackers stole personal records of more than 21.5 million current, former and prospective federal employees and contractors stored on OPM’s systems. After the hack, officials convened a 90-day review of the security clearance process.

Even earlier, US lawmakers has raised concerns about the quality of OPM’s background investigations, citing potential missed red flags in the checks of National Security Agency contractor Edward Snowden and Navy Yard gunman Aaron Alexis.

In 2014, the Justice Department sued USIS, OPM’s largest private background check contractor, for allegedly failing to conduct proper quality reviews of cases. The company settled the case with the government last August, agreeing to forego at least $30 million in payments by the government.

DefenseOne

« 90% of Data Breaches Are Avoidable
US Critical Infrastructure Is At Cyber Risk »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DomainTools

DomainTools

DomainTools is the global leader for internet intelligence and the first place security practitioners go when they need to know.

AntemetA

AntemetA

AntemetA specializes in network infrastructure, security and cloud computing, helping companies transform their Information Systems.

CERT NZ

CERT NZ

CERT NZ supports businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

High Wire Networks

High Wire Networks

High Wire Network’s Overwatch Managed Security Plaform-as-a-Service offers organizations end-to-end protection for networks, data, endpoints and users.

Space ISAC

Space ISAC

Space ISAC is the only all-threats security information source for the public and private space sector.

Cynomi

Cynomi

Cynomi is a leading strategic cybersecurity operations platform that automates cybersecurity knowledge and expertise to empower teams with little to no in-house expertise.

PagerDuty

PagerDuty

PagerDuty is the central nervous system for a company’s digital operations. We identify issues in real-time and bring together the right people to respond to problems faster.

HighGround

HighGround

HighGround offer a Cyber Security Solution for everybody, regardless of skillset, to feel empowered in their security experience in reaching Cyber Resilience.

C/side (cside)

C/side (cside)

At c/side, we're creating the ultimate delivery, performance and detection mechanism for browser-side fetched 3rd party Javascript.

Hudson Rock

Hudson Rock

Hudson Rock’s products — Cavalier & Bayonet — are powered by our cybercrime database, composed of millions of machines compromised by Infostealers in global malware spreading campaigns.

Rebellion Defense

Rebellion Defense

Rebellion Defense is a technology company developing advanced software to ensure mission-critical organizations stay ahead of emerging threats.

OpenZiti

OpenZiti

OpenZiti is the world’s most used and widely integrated open source secure networking platform. OpenZiti provides both zero trust security and overlay networking as pure open source software.

Realm.Security

Realm.Security

Realm.Security is pioneering the creation of an easy-to-implement, simple-to-use security fabric solution that is purpose-built for cybersecurity.

CloudBees

CloudBees

CloudBees is building the world’s first end-to-end automated software delivery system, enabling companies to balance governance and developer freedom.

Pontiro

Pontiro

At Pontiro, we are enabling a new era of data-sharing. Bridging the gap between protected data and valuable insights through the use of cutting edge Homomorphic Encryption.