Watchdog: Govt’s plan to secure networks at ‘high risk’ of failure

The Office of Personnel Management’s (OPM) independent watchdog is raising doubts about the agency’s much-touted plan to bolster its security in the wake of a data breach that exposed up to 14 million people’s information.

In a “flash audit” circulated to members of Congress this week, the agency’s inspector general said the OPM’s proposed $91 million update of its networks is poorly budgeted, poorly managed and relies on a no-bid contract to a single vendor.

{mosads}“In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure,” wrote Patrick McFarland, the inspector general, in the audit, first reported by The Associated Press.  

OPM Director Katherine Archuleta promoted the plan during a congressional hearing this week, noting it was one of her first priorities after becoming agency head roughly 19 months ago.

She told lawmakers that the agency’s system is so outdated — with parts dating back to 1985 — that the OPM was not able to properly encrypt or secure its networks.

The antiquated networks allowed hackers to infiltrate the system before officials had time to lock it down, she said.

The OPM inspector general has agreed with this assessment in reports dating back to 2007. In November, McFarland recommended shutting down 11 of the agency’s 47 computer systems because they were insecure.

Archuleta told Congress the agency kept the systems running to avoid lapses in retirement benefits and employee paychecks, insisting the agency had a long-term strategy to right the ship.

But in his audit, McFarland questioned that long-term strategy. The $91 million estimate seems low, he said, and the predicted 18- to 24-month timeline is unrealistic.

“We believe this is overly optimistic and that the agency is highly unlikely to meet this target,” he wrote.

McFarland said his office was told that OPM officials had sped up some processes because the “urgent and compelling nature of the situation required immediate action, and this is the reason that some of the required project management activities were not completed.”

But the agency is only hindering itself in the long run by avoiding due diligence on budgeting and oversight, the inspector general concluded.

“The other phases of the project are clearly going to require long-term effort, and, to be successful, will require the disciplined processes associated with proper system development project management,” McFarland wrote.