“…serious concerns regarding OPM’s management of its new IT project… 

I can’t overstate the importance of project management, particularly with respect to projects as complex and important as this.”

WASHINGTON, D.C. – During the Senate Homeland Security and Governmental Affairs Committee (HSGAC) hearing yesterday entitled “Under Attack: Federal Cybersecurity and the OPM Data Breach,” U.S. Senator Joni Ernst (R-IA) cited failures due to poor project management in relation to the Office of Personnel Management (OPM) data breach, and pressed the witnesses on OPM’s management of its new IT improvement project identified by the Inspector General’s flash audit. Ernst also raised questions over how many more people could potentially have been impacted by the data breach.

Those testifying before HSGAC included: Katherine Archuleta, Director of the Office of Personnel Management; Tony Scott, U.S. Chief Information Officer of the Office of Personnel Management; Andy Ozment, Ph.D., Assistant Secretary, Office of Cybersecurity and Communications for the National Protection and Programs Directorate, U.S. Department of Homeland Security; and Patrick E. McFarland, Inspector General for the Office of Personnel Management.

In her questioning, Senator Ernst highlighted the Program Management Improvement Accountability Act, which she introduced alongside Sen. Heidi Heitkamp (D-ND) and which passed out of committee earlier this week. The bipartisan legislation safeguards taxpayer dollars by holding the federal government accountable for adopting the program management standards, practices and procedures of high-performing, private sector organizations.

In response to Sen. Ernst’s questioning, Committee Chairman Ron Johnson (R-WI) pointed out “we spend $80 billion per year on IT systems in the federal government, so this is a problem of management, it’s a problem of prioritization.”

TRANSCRIPT:

SENATOR ERNST: Thank you Ranking Member, thank you Mr. Chair, very much. This is a significant data breach, we’ll talk about this all the day, but bottom line: we need to see some action on this immediately. Mr. McFarland, thank you for being here today. We’ve heard in your testimony, we have seen your flash audit alert that was released by your office earlier this month. And in that audit alert, you did highlight your serious concerns regarding OPM’s management of its new IT project, the improvement project. And I can’t overstate the importance of project management, particularly with respect to projects as complex and important as this particular project. In fact, just yesterday, in this committee we did approve a bill introduced by Senator Heitkamp and myself, which will focus on improving program management in the federal government. And I would be interested to learn from you just a little bit more detail about your concerns to OPM’s management of this IT improvement project.

HON. McFARLAND: Yes Senator, I think a good start here and a good example would be the fact that anyone doing a capital asset in the IT world, at least my understanding, and I could be corrected if I’m wrong, by OMB’s regulation, is to do a business plan known as Exhibit 300. That has not been done by OPM, yet I do hear in the last few days, information that OPM and OMB are working very closely together, and I don’t doubt that. But my concern is, something as simple and straightforward as a business plan, if it’s not completed, and we hear it is completed by OPM, and then our documentation that we’ve requested shows that it’s not been done, I’d like to find out - I don’t necessarily want to use this forum for my question, but it goes to the heart of your question, is what has happened with this business plan, has it been done or not?

SENATOR ERNST: And that to me is a significant failure, significant failure that the fact that something so simple as a business plan cannot be produced for this project, which left millions of federal employees and their data at risk. So, Ms. Archuleta, I do want to follow up, because it sounds like now there is a request for additional dollars. And, what we want to ensure is that if the dollars are allocated, that it will actually be put towards this project, and that we do see results, and that it is managed wisely. I can’t say that dollars we’ve put forth so far have been utilized, maybe to the best of taxpayers’ interests. So if you could address that, just give us that assurance that this will be handled. 

HON. ARCHULETA: Thank you, thank you for that question. In his flash audit, the Inspector General recommended that the completion of a major IT business case document for fiscal year 2017, and I actually look forward to discussing with the Inspector General, the practical implications for such a document for fiscal year 2017. We are in an urgent situation. I do understand though his concerns and I’d like to assure him that all of our decisions are being tracked, documented and justified and that we’re working very closely with OMB. As I mentioned earlier, I think that the flash audit discussions need to occur between me and the IG, and we will do that. We have our staffs are meeting next Tuesday, and I’m sure Mr. McFarland and I will meet immediately following. The important thing is that we address his concerns, but I think the other thing is that we move quickly. As Tony and Andy have already described, we are in a very urgent situation, so we need to balance and make sure that we are doing all the things that IG has described, but as well, we understand the urgency of moving forward aggressively.

SENATOR ERNST: I do appreciate that. But this is rather late, and in retrospect, we can’t go and take back the data that has been captured by whoever this person or entity is out there that has gotten into the system – who has breached and gotten this data. One thing that maybe we haven’t discussed yet is the fact that not only do we have millions of federal records, employee records that were breached, but I know when I filled out the applications for security clearances in the military, not only was my personal information on those forms, but I had to list references on those forms. Their information is also included in this. So we not only have millions of federal employees potentially federal employees, but all of their references’ information is there as well. How many more millions of people are we talking about? Have we alerted those people and what’s going to be done to follow up on their information as well?

HON. ARCHULETA: Thank you for that question. It’s an important question and I agree with you totally, I’m as upset as you are at the fact that these documents have been breached. Here’s what we’re doing, as I mentioned in my testimony, and why I cannot give a number right now, look at, for example the background investigation. There is a lot of information in that. Some of that contains if there’s a name, some of that does contain PII, some of it doesn’t. And so as we’re analyzing the type of data is in these files, those are the things we’re looking at. Because we care as deeply as you do that we notify those that have been affected by this, and understand that those who have not been affected by this through even though you may have mentioned them in your efforts, FS86, we’re doing a complete analysis of that, and that’s why I’m very hesitant of that, not to put out a number until we are absolutely sure we have looked at the whole range of possible impact.

SENATOR ERNST: Thank you today for – yes sir.

HON. McFARLAND: Senator, if I may make another point. Is that all right? The funding is a prime example of our concern; it’s all over the board. The situation basically is, in 2015, OPM’s dealing with 32 million dollars, and in 2016, they’re asking for another appropriation of $21,000. In the meantime, DHS is at 5 million, and the other 67 million is going to come, I believe, from what I understand, program areas at OPM. That’s so sporadic, that just doesn’t hold water from our perspective. Funding source ahead of time, for the full program. It’s like playing catch-up and the other part of that is that OPM program offices are going to be tasked to pay for that with our program office funds, for the migration of each of their systems, instead of having a big picture of funding, very clear for everybody. The OMB is very much in favor of having transparency, and this just avoids transparency. It subsumes the money coming from program offices instead of a dedicated source of funding.

SENATOR ERNST: Thank you, I think that’s an exceptional point. Thank you for allowing the additional response.

# # #