House Oversight and Government Reform Chairman Jason Chaffetz (R-UT) released a staff report titled, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, chronicling the Committee’s year-long investigation into how highly personal, highly sensitive data of millions of Americans was compromised by a foreign adversary in 2015. The report outlines findings and recommendations to help the federal government better acquire, deploy, maintain, and monitor its information technology.
As a result of one the Committee’s findings, Chairman Chaffetz sent a letter to the Government Accountability Office (GAO) requesting an opinion on whether the Office of Personnel Management (OPM) violated the Anti-Deficiency Act (ADA) when it accepted services from a company without payment.
Key findings, recommendations and an excerpt from the letter are below:
- The OPM data breach was preventable.
- OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity.
- Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
- OPM misled the public on the extent of the damage of the breach and made false statements to Congress
- Reprioritize federal information security efforts toward zero trust.
- Ensure agency CIOs are empowered, accountable, and competent.
- Reduce use of social security numbers by federal agencies.
- Modernize existing legacy federal information technology assets.
- Improve federal recruitment, training, and retention of federal cybersecurity specialists
Letter to GAO:
“In brief, we believe OPM violated the ADA when the agency retained and deployed CyTech’s software following a product demonstration, and never paid.”
A timeline of the breaches can be found here.