By Director Archuleta

July 9, 2015

Today, we at the U.S. Office of Personnel Management (OPM) released additional information about a recent cyber incident that affected the background investigation records of current, former, and prospective Federal employees and contractors.  It is critical that all of OPM’s constituents, – most importantly – those who are directly impacted by these breaches receive information in a timely, transparent, and accurate manner.  As I have said before, we take these incidents extremely seriously and, accordingly, are taking a number of steps to address both our cybersecurity and our process going forward.

First, to help ensure the security and integrity of our systems and to assist with the response to recent incidents, I have brought to OPM experts in cyber security and management from both inside and outside of government.  In particular, I have created a new cybersecurity advisor position and will have more information on this in the coming days.  In addition, in recent weeks, we brought to OPM a team of technical experts who have spent countless hours conducting a diligent investigation and a comprehensive review of systems.  Finally, because I believe it is important to hear from a variety of perspectives when addressing dynamic cybersecurity threats, I am consulting with Chief Information Officers and other leading experts from technology firms and other private companies that have experienced their own cyber incidents, to discuss the collective challenges we face and hear their advice.

Second, and as described more fully in today’s press release, OPM will be providing a comprehensive suite of credit and identity theft monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers and other sensitive information were stolen.  Individualized notification packages offering these services, with further details on the incident, will be sent in the coming weeks.  We will be incorporating lessons learned and feedback from stakeholders about the notification process just completed for a related cybersecurity incident. 

Third, OPM believes it is important to focus on the service we provide our customers.  To that end, OPM is launching new resource efforts to maintain continued contact with our constituents.  OPM has established an online cybersecurity incident resource center at https://www.opm.gov/cybersecurity to offer information regarding materials, training, and useful information on best cyber practices.  In the coming weeks, OPM will also open a call center to respond to inquiries and give more assistance.  In the interim, individuals are encouraged to visit https://www.opm.gov/cybersecurity.

Fourth, from the beginning of my time as the Director of OPM, I have made cybersecurity a top priority and will continue to do so.  OPM continues to take aggressive action to strengthen its broader cyber defenses and IT systems.  To this end, in June, OPM identified 15 new steps to improve security, leverage outside expertise, modernize its systems, and ensure internal accountability in its cyber practices.  These 15 steps are in addition to 23 actions already taken to strengthen cybersecurity since the beginning of my tenure at OPM.  I have also initiated a comprehensive review of the security of OPM’s IT systems to identify and immediately mitigate any other vulnerabilities that may exist.  That review is ongoing.

Fifth, I realize that OPM’s cyber security efforts must also come in the broader context of the government’s IT systems.  The Federal government, led by the Office of Management and Budget, is taking aggressive actions to continually strengthen its cyber defenses, and all agencies are currently engaged in a 30-day cybersecurity sprint, whereby immediate steps are being taken to further protect information and assets and improve the resilience of Federal networks.  OPM is fully engaged in this effort.

Finally and importantly, OPM will participate, along with our interagency Suitability and Security Performance Accountability Council partners, in a 90 day review of key questions related to information security, governance, policy, and other aspects of the security and suitability determination process, to ensure that it is conducted in the most efficient, effective and secure manner possible.

Cybersecurity incidents are unfortunately not without precedent.  As the President has made clear, cybersecurity is one of the most important challenges we face as a Nation.  In working together across OPM and across the Federal government, I will continue to take aggressive steps to support efforts to improve Federal cybersecurity and to develop new policies and capabilities to identify, defend against, and counter malicious cyber actors.