After The OPM Hack Security Clearances Will Now Be Done By The Pentagon

In the continuing aftermath of the massive hack of sensitive records stored by the Office of Personnel Management, the Obama administration announced today it’s shifting the responsibility for conducting background investigations of sensitive personnel to the Defense Department

In the future, files containing personal information on security clearance seekers—the same type of information netted last summer by purported Chinese hackers—will be stored and secured on Pentagon systems, officials say.

OPM is turning over its responsibilities for conducting background investigations to a newly created National Background Investigations Bureau. OPM currently conducts about 95 percent of all checks government-wide, including 600,000 full-scale security clearance investigations each year.

The head of the new office will be appointed by the president and still report to the head of OPM. However, the office’s IT systems will be “designed, built, secured and operated” by the Pentagon, according to a fact sheet released by the administration.

“This approach will leverage DOD’s significant national security, IT and cybersecurity expertise, incorporating security into the fundamental design of the systems, strengthening the security of the data environment, and providing robust privacy protections,” the fact sheet said.

The administration’s forthcoming fiscal 2017 budget request will seek an additional $95 million for IT development, according to the fact sheet.

The new office will have a dedicated senior privacy official “to advance privacy-by-design as the new entity is stood up and new IT systems are developed,” the fact sheet stated.

OPM came under fire last summer after it was revealed the agency’s antiquated IT systems did not allow sensitive data to be encrypted and that lax sign-on controls may have allowed cyber-intruders to penetrate further into the agency’s systems.

The efforts to update the security of the background check process come after a 30-day “cybersecurity sprint” launched by U.S. Chief Information Officer Tony Scott last summer. Agencies were ordered to immediately plug critical cyber vulnerabilities, identify high-value systems and implement more secure sign-on measures.

Since the hack, OPM had been working on a multiyear plan to modernize its IT infrastructure, although those efforts were criticized by the agency’s inspector general for poor planning and unreliable cost and schedule estimates.

There’s no word yet on how quickly the new office will be opened. The administration plans to establish a transition team to work on a migration plan.

The changes were announced in a White House blog post signed by a bevy of top administration officials including Scott, Director of National Intelligence James Clapper, acting OPM Director Beth Cobert, acting Undersecretary of Defense for Intelligence Marcel Lettre and White House Cybersecurity Coordinator Michael Daniel.

Last summer, hackers stole personal records of more than 21.5 million current, former and prospective federal employees and contractors stored on OPM’s systems. After the hack, officials convened a 90-day review of the security clearance process.

Even earlier, US lawmakers has raised concerns about the quality of OPM’s background investigations, citing potential missed red flags in the checks of National Security Agency contractor Edward Snowden and Navy Yard gunman Aaron Alexis.

In 2014, the Justice Department sued USIS, OPM’s largest private background check contractor, for allegedly failing to conduct proper quality reviews of cases. The company settled the case with the government last August, agreeing to forego at least $30 million in payments by the government.

DefenseOne

« 90% of Data Breaches Are Avoidable
US Critical Infrastructure Is At Cyber Risk »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Illumio

Illumio

Illumio delivers adaptive security for every computing environment, protecting the 80% of data center and cloud traffic missed by the perimeter.

Idemia

Idemia

Idemia is a global leader in security and identity solutions.

ES2

ES2

ES2 is a consulting organisation specialising in Enterprise Security and Solutions Services.

Capsule8

Capsule8

Capsule8 is the only company providing high-performance attack protection for Linux production environments.

Arctic Wolf Networks

Arctic Wolf Networks

Arctic Wolf Networks delivers the industry-leading security operations center (SOC)-as-a-service that redefines the economics of cybersecurity.

PatrOwl

PatrOwl

Automate your SecOps with PatrOwl, and start defending your assets efficiently.

INE

INE

INE is a premier provider of Technical Training for the IT industry.

RegScale

RegScale

RegScale helps organizations comply in real-time with multiple compliance requirements (NIST, CMMC, ISO, SOX, etc), scalable to meet the needs of the entire enterprise.

Infostream

Infostream

Infostream is a leading integrator of Digital Transformations Solutions (DTS); Public, Private, and Hybrid Cloud; Cybersecurity; Data Integrity; DevOps, DevSecOps, and Infrastructures.

Node4

Node4

Node4 provide advanced, cloud-led digital transformation solutions, delivered with technical expertise, innovation and exceptional service to drive your business forwards.

Resolvo Systems

Resolvo Systems

Resolvo is provides comprehensive security assessment and testing services in Asia.

Verisign

Verisign

Verisign is a Global Leader in Domain Names & Internet Security, providing protection for websites and enterprises around the world.

Avalon Cyber

Avalon Cyber

Arm your organization in the fight against cyberattacks by partnering with the experts at Avalon Cyber.

Lasso Security

Lasso Security

Lasso Security is a pioneer cybersecurity company ensuring comprehensive protection for businesses leveraging generative AI and other large language model technologies.

ZeroGPT

ZeroGPT

ZeroGPT.com stands at the forefront of AI detection tools, specializing in the precise identification of ChatGPT-generated text.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.