The government watchdog for the Office of Personnel Management on Wednesday publicly refuted the agency's claims that it has moved "proactively" to protect the personal data of government workers, and instead said OPM was actually years late in addressing its most recent problem.
Late last month, OPM boasted that it took the initiative to close down its Electronic Questionnaire for Investigations Processing system, or e-QIP. That's the system that processes background checks for federal workers — OPM said it shut the system down after learning of new security problems that might expose even more personal data on federal workers.
"OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network," OPM's June 29 statement read.
But in a House hearing Wednesday, OPM's Inspector General office said OPM isn't ahead of the curve at all, and instead is far behind it.
"OPM's official statement on this issue claims that the agency is acting proactively by shutting down the [e-QIP] system," Assistant Inspector General Michael Esser told a House Science, Space and Technology subcommittee Wednesday afternoon.
"However, the current security review ordered for this system is a direct reaction to the recent security breaches," he said. "In fact, the e-QIP system contains vulnerabilities that OPM knew about, but had failed to correct for years." Esser was referring to a September 2012 assessment that was supposed to be corrected by the following September. "These vulnerabilities … still remain open and unaddressed today," he stated.
In shutting down e-QIP last week and then issuing an interim process that allows government agencies to use paper questionnaires, which still effectively halted all new background investigations, OPM stated: "The actions OPM has taken are not the direct result of malicious activity on this network and there is no evidence that the vulnerability in question has been exploited."
Esser echoed his boss, Inspector General Patrick McFarland, who has been telling congressional panels since last month that he has been warning the agency about technological and cybersecurity problems for years. McFarland has made those points in the several weeks following OPM's announcement that personal data from at least 4.2 million current and former federal workers was stolen.
That number could grow to as many as 18 million or even more — OPM has said it might provide more clarity this week on a more precise figure.
The IG office doesn't believe that embattled OPM Director Katherine Archuleta and her predecessors have addressed their concerns "in the timely fashion that we would like to see them addressed," Esser told the committee during questioning. "Sometimes we feel things that we report don't get the attention that we think they should get," he said.
And issues drag "for years and years and years, and that just shouldn't be," Esser said. He added in his written testimony that OPM has generally failed all around to take heed of the IG's various warnings.
"Unfortunately, the overdue remediation of known vulnerabilities for e-QIP is only a single example of a more widespread problem at OPM," he stated. "[S]ome of the current problems and weaknesses were identified as far back as" fiscal 2007. "We believe this long history of systemic failures to properly manage its IT infrastructure may have ultimately led to the security breaches and loss of sensitive personal data at OPM."
OPM's move to shut down e-QIP last week forced OPM to use a temporary process that will have agencies accept paper questionnaires, a process that has effectively halted all new background investigations.