#OPMBreach: Back to Paper SF-86s, No More Social Media at OPM, Scary Movie Chinese Edition

Posted: 2:15 pm EDT


“M” Writes Update to State Department Employees Regarding OPM Breach

Posted: 1:36 pm EDT

 

It took 18 days before I got my OPM notification on the PII breach. Nothing still on the reported background investigation breach. OPM says it will notify those individuals whose BI information may have been compromised “as soon as practicable.”  That might not happen until the end of July! The hub who previously worked for State and another agency has yet to get a single notification from OPM. We have gone ahead and put a fraud alert for everyone in the family. What’s next? At the rate this is going, will we soon need fraud alerts for the pets in our household? They have names and passports, and could be targeted for kidnapping, you guys!!

And yes, I’ve watched the multiple OPM hearings now, and no, I could not generate confidence for the OPM people handling this, no matter how hard I try. Click here for the timeline of the various breaches via nextgov.com, some never disclosed to the public.

Still waiting for the White House to do a Tina Fey: “you’re all fired” (GIF via giphy.com).

On June 25, the Under Secretary for Management, Patrick Kennedy, sent a message to State Department employees regarding the OPM breach. There’s nothing new in this latest State update that we have not seen or heard previously, except the guidance from the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov (pdf) on how to protect personal information from exploitation (a tad late for that, but anyways …), because Foreign Intelligence Services and/or cybercriminals could exploit the information and target you.

Wait, what did OPM say about families? “[W]e have no evidence to suggest that family members of employees were affected by the breach of personnel data.” 

Via the NCSC (two screenshots dated 2015-06-26; our captions: “no kidding!” and “you don’t say!”):

Here is M’s message from June 25, 2015 to State employees. As far as we know, this is the first notification on this subject posted publicly online, which is good, as these incidents potentially affect not just current employees but also prospective employees, former employees, retirees and family members.

Dear Colleagues,

I am writing to provide you an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM) which has just been received.

As we have recently shared, on June 4th, OPM announced an intrusion impacting personnel information of approximately four million current and former Federal employees. OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. Additional information is available on the company’s website, https://www.csid.com/opm/ and by calling toll-free 844-777-2743 (international callers: call collect 512-327-0705). More information can also be found on OPM’s website: www.opm.gov.

Notifications to individuals affected by this incident began on June 8th on a rolling basis through June 19th. However, it may take several days beyond June 19 for a notification to arrive by email or mail. If you have any questions about whether you were among those affected by the incident announced on June 4, you may call the toll free number above.

On June 12th, OPM announced a separate cyber intrusion affecting systems that contain information related to background investigations of current, former, and prospective Federal Government employees from across all branches of government, as well as other individuals for whom a Federal background investigation was conducted, including contractors. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). The investigators are working to determine the exact number and list of potentially affected individuals. We understand that many of you are concerned about this intrusion. As this is an ongoing investigation, please know that OPM is working to notify potentially affected individuals as soon as possible. The Department is working extensively with our interagency colleagues to determine the specific impact on State Department employees.

It is an important reminder that OPM discovered this incident as a result of the agency’s concerted and aggressive efforts to strengthen its cybersecurity capabilities and protect the security and integrity of the information entrusted to the agency. In addition, OPM continues to work with the Office of Management and Budget (OMB), the Department of Homeland Security, the FBI, and other elements of the Federal Government to enhance the security of its systems and to detect and thwart evolving and persistent cyber threats. As a result of the work by the interagency incident response team, we have confidence in the integrity of the OPM systems and continue to use them in the performance of OPM’s mission. OPM continues to process background investigations and carry out other functions on its networks.

Additionally, OMB has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks. We are working with OMB to ensure we are enforcing the latest standards and tools to protect the security and interests of the State Department workforce.

We will continue to update you as we learn more about the cyber incidents at OPM. OPM is the definitive source for information on the recent cyber incidents. Please visit OPM’s website for regular updates on both incidents and for answers to frequently asked questions: www.opm.gov/cybersecurity. We are also interested in your feedback and questions on the incident and our communications. You can reach out to us at DG DIRECT (DGDirect@state.gov) with these comments.

State Department employees who want to learn additional information about the measures they can take to ensure the safety of their personal information can find resources at the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov. The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.Identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

Read in full here.

#

Social Media Security Screening Is Here: OPM to Make Sole Source Award For Use in Background Investigation

Posted: 1:01 am PDT

 

Last September, Mike Kelly, the Republican Representative for Pennsylvania’s 3rd congressional district introduced the Enhanced Security Clearance Act of 2014 (HR 5482) aimed at the implementation of enhanced personnel security programs which requires agency programs to “integrate information from government, publicly available, and commercial data sources, consumer reporting agencies, and social media.”

Mr. Kelly told ZDNet, “In particular, the bill will update government background checks to include an applicants’ publicly available electronic data including social media accounts such as Facebook and Twitter.” This bill was introduced on September 16, 2014, in a previous session of Congress, but was not enacted.

Well, the bill may have died, but it was only a matter of time before social media content became part of the federal background investigation.

The Federal Investigative Services (OPM-FIS) provides investigative products and services for over 100 Federal agencies to use as the basis for suitability and security clearance determinations. OPM provides over 90% of the Government’s background investigations, conducting over two million investigations a year.

On June 17, the Office of Personnel Management, Federal Investigative Services (FIS), PIC Acquisitions Team, published a “Notice of Intent to Sole Source – PAEI Reports” to Social Intelligence, a company headquartered in California. Social media content is now officially called Publicly Available Electronic Information (PAEI). If we’re reading this correctly, the same company has already run pilot projects with the U.S. Army, the Office of the Director of National Intelligence (ODNI), the Department of State and the National Reconnaissance Office.

Below is the published notice via fedbiz:

It is the intention of the agency to award a firm-fixed price agreement to Social Intelligence for publicly available electronic information (PAEI) reports. This is not a solicitation for quotations, but rather a notice of the agency’s intent to make a sole source award to Social Intelligence.

The U.S. Office of Personnel Management (OPM) Federal Investigative Services (FIS) seeks to award a firm-fixed price agreement to Social Intelligence who will conduct searches of multiple sources of PAEI in an automated manner and provide complete, accurate, standardized reports to OPM-FIS when searches result in information pertinent to Subjects of Investigation.

OPM-FIS is participating in a set of pilot projects with other federal investigative service providers to evaluate the use of PAEI in the background investigative process. This acquisition will provide 400 PAEI reports over a period of approximately 6-9 months for a sample population of investigations to assess the OPM-FIS operational end-to-end process and relevancy to the investigation along with the effects of quality, costs and timeliness. The vendor must also provide high level training on how to review and analyze the PAEI reports and also provide customer and technical support 24×7 until 400 PAEI reports have been provided to OPM-FIS.

Social Intelligence is the only source that possesses knowledge and expertise obtained through participation in other high level government PAEI pilot projects, to include pilots with the U.S. Army, the Office of Director of National Intelligence (ODNI), the Department of State and the National Reconnaissance Office. Social Intelligence is the only one available whose product will result in a consistent and accurate comparative analysis between results of the OPM-FIS pilot and other government agencies’ pilots. This vendor’s personnel have experience with and have received training on the personnel security process and the thirteen adjudicative guidelines due to participation in previous government pilots. Such experience is required in order to appropriately identify issues containing relevant adjudicative information. Only data that meets the adjudicative guidelines will be collected and retained by OPM-FIS.

This vendor was deemed a consumer reporting agency (CRA) by the Federal Trade Commission, as defined by the Fair Credit Reporting Act. As of January 2013, the vendor was the only social media background screening company designated as a CRA. This designation is important as the FTC has ruled that CRAs must take reasonable steps to ensure the maximum possible accuracy of the information reported from social media sites. All of the above make Social Intelligence a unique source that would provide the best solution with the least risk to the government for this pilot.

According to its website, Social Intelligence (http://www.socialintel.com) “provides social media data, tools, and reports to commercial and Government organizations. Headquartered in Santa Barbara, Calif., the company has developed a unique suite of products including employment background screenings, insurance claims investigations, corporate due diligence, and Government services. … Social Intelligence was created to provide companies and governmental organizations publicly available online information, while ensuring this data is used appropriately and legally.” It provides the following services:

  • Social Intelligence’s Social Monitoring & Evaluation solutions provide a powerful and cost-effective way to monitor and evaluate an individual’s ongoing online activity across the deep web.
  • Social Intelligence’s groundbreaking research into online identity science and its implications allows companies to confidently rely on social media and internet data. A fully automated capability, Social Intelligence’s proven, proprietary Identity Resolution algorithm identifies, matches, and scores aggregated publicly available online information, the first of multiple steps to solidify data veracity.

On its website, the company talks about “the opportunity at hand” — apparently 64 million people are unscorable by traditional credit scores, and 55% of millennials are willing to share their data in exchange for discounts.

#

Burn Bag: Family Members Not Affected by #OPMHack? Here’s the Missing GIF From OPM’s Website

Via Burn Bag:

OPM, in the FAQ section of the CSID website, declares that our family members were “not affected by this breach. The only data potentially exposed as a result of this incident is your personal data.”  Thus, our family members cannot use the credit monitoring and identity theft protection services.  But wait.  My spouse’s name, date of birth, place of birth, passport number, and social security number were listed in my SF-86.  And my SF-86 has been compromised.  So hasn’t my spouse been “affected” by this breach, too?

So far no one has been fired, no one has accepted responsibility for the breach, and the OPM notification letter says, “Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.”


ALL Foreign Affairs Agencies Affected By #OPMHack: DOS, USAID, FCS, FAS, BBG and APHIS

Posted: 6:15 pm PDT

 

AFSA has now issued a notice to its membership on the OPM data breach. Below is an excerpt:

On Thursday June 4, the Office of Personnel Management (OPM) became aware of a cybersecurity incident affecting its systems and data. AFSA subsequently learned that the Personally Identifiable Information (PII) of many current and former federal employees at the foreign affairs agencies have been exposed as a result of this breach.

The most current information provided to AFSA indicates the following: Most current, former and prospective federal employees at ALL foreign affairs agencies have been affected by this breach. That includes the State Department, USAID, FCS, FAS, BBG and APHIS. OPM discovered a new breach late last week which indicates that any current, former or prospective employee for whom a background investigation has been conducted is affected.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service. All the foreign affairs agencies suggest that those affected should contact the firm listed below. Members of the Foreign Commercial Service may additionally contact Commerce’s Office of Information Security at informationsecurity@doc.gov.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks.  To protect yourself, we encourage you to check the following:

  1. Make sure the sender email address is “opmcio@csid.com”.
  2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.
  3. The email subject should be exactly “Important Message from the U.S. Office of Personnel Management CIO”.
  4. Do not click on the included link. Instead, record the provided PIN code, open a web browser, manually type the URL http://www.csid.com/opm into the address bar and press enter. You can then use the provided instructions to enroll using CSID’s Web portal.
  5. The email should not contain any attachments. If it does, do not open them.
  6. The email should not contain any requests for additional personal information.
  7. The official email should look like the sample screenshot below.

(sample screenshot image via afsa.org)

Additional information has been made available on the company’s website, www.csid.com/opm, and by calling toll-free 844-777-2743 (International callers: call collect 512-327-0705).

Agency-Specific Points of Contact:

If you have additional questions, contact AFSA’s constituency vice presidents and representatives:

Read the full announcement here.

Amidst this never-ending round of data breaches, go ahead and read Brian Krebs’ How I Learned to Stop Worrying and Embrace the Security Freeze. The USG is not offering to pay the cost of a credit freeze, but it might be worth considering.

Of course, a security freeze does not solve the problem if the intent here goes beyond stealing USG employees’ identities. If the hackers were after the sensitive information contained in the background investigations, for use at any time in the future, it is not clear that a credit freeze, credit monitoring and/or ID theft protection can do anything to protect our federal employees.

Security clearance investigations, by their very nature, expose people’s darkest secrets — the things a foreign government might use to blackmail or compromise them such as drug and alcohol abuse, legal and financial troubles and romantic entanglements. (via)

I understand why the USG has to show that it is doing something to address the breach but — if a foreign government, as suspected, now has those SF-86s, how can people protect themselves from being compromised? If this is not about compromising the credit or identities of USG employees but about secrets, credit monitoring and/or ID theft protection for $20 million would be an expensive but useless response, wouldn’t it?

#

Notifications of Individuals Potentially Affected By #OPMHack on a Rolling Basis From June 8-June 19

Posted: 4:15 am EDT

 

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII). The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC (http://winvale.com) on June 2 but was published on fedbiz on June 5, the day after the breach was reported. The Call 1 contract covers services for no more than 4 million units/employees.

Here’s what the company says via http://winvale.com (screenshot dated 2015-06-15):

Excerpted from CSID FAQ:

What systems were affected?

For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing FBI investigation, it would be inappropriate to publicly provide information that may impact current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.

What personal information was compromised?

OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. The communication to potentially affected individuals will state exactly what information may have been compromised.

Why didn’t OPM tell affected individuals about the loss of the data sooner?

OPM became aware of an intrusion in April 2015. OPM worked with the DHS’s Computer Emergency Readiness Team (US-CERT) as quickly as possible to assess the extent of the malicious activity and to identify the records of individuals who may have been compromised. During the investigation, OPM became aware of potentially compromised data in May 2015. With any such event, it takes time to conduct a thorough investigation, and identify the affected individuals.

It is important to note that this is an ongoing investigation that could reveal additional exposure; if that occurs, OPM will conduct additional notifications as necessary. Protecting the integrity of the information entrusted to the Office of Personnel Management is the agency’s highest priority.

I did not receive a letter stating that my information was compromised, but feel that I should have. Can you help me?

OPM is aware of the affected data and the networks and the data on which it resides. OPM will begin sending notifications to individuals whose PII may have been compromised on June 8, 2015. These notifications will take place on a rolling basis through June 19, 2015.

What are the risks of identity theft with the information that was compromised?

Receiving a letter does not mean that the recipient is a victim of identity theft. OPM is recommending that people review their letters and the recommendations provided. In order to mitigate the risk of fraud and identity theft, OPM will offer credit report access, credit monitoring and identity theft insurance and recovery services at no cost to them, through CSID®. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services.

How long will it take to inform all the potential victims involved in the incident?

OPM will begin conducting notifications to affected individuals using e-mail and/or USPS First Class mail on June 8, 2015 and will continue notifications on a rolling basis through June 19, 2015.

Can my [family member] also receive services if he/she is part of my file/records?

Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data.

To see the full list of Frequently Asked Questions, click here. This is not dated, and it does not include any information on the potential breach of security clearance data.

If SF-86s are compromised, wouldn’t the breach potentially affect family members as well?

#

1) More Systems Compromised in #OPMHack, 2) A Love Letter to Hackers, and 3) What’s a Credit Freeze?

Posted: 3:29 am EDT

 

On June 4, OPM released a statement on “a cybersecurity incident” that potentially affected personnel data of current and former federal employees, including personally identifiable information (PII) (see OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info).  The initial estimate was that the OPM hack affected potentially 4 million employees. On June 12, fedscoop reported that the American Federation of Government Employees (AFGE) believed that the breach may have compromised personal data of as high as 14 million employees.

We understand that the State Department issued a notice to employees concerning the OPM breach on June 4. A second notice dated June 12 (we are told it was actually a June 11 notice) was shared with BuzzFeed (see below). Several unnamed State Department employees were quoted in that BuzzFeed article, a tell-tale sign of the growing frustration that we can also see in our inbox.


Excerpt from email sent by Under Secretary of Management Pat Kennedy on June 12 (via BuzzFeed)

This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]

As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:

1. Make sure the sender email address is [DELETED]

2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.

3. The email subject should be exactly [DELETED]

4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL [DELETED]. You can then use the provided instructions to enroll [DELETED].

5. The email should not contain any attachments. If it does, do not open them.

6. The email should not contain any requests for additional personal information.

7. The official email should look like the sample screenshot below.

Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].

Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.

In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.

Oh, man.

Hopefully no one will copy this “recipe” to send folks a fake notification to enroll somewhere else.
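The seven checks in the AFSA notice and in M’s June 12 email, written out as a small triage script that an employee or help desk could run over a forwarded copy of a notification. This is an added example, not code from the original post or from OPM, CSID, State or AFSA; the expected sender address, subject line and portal host are the ones published in the AFSA notice, while the phrases treated as “requests for personal information” and the two sample messages are constructed for the example.

```python
"""Triage helper for the OPM/CSID breach-notification email.

Added example, not code from the original post or from OPM, CSID, State or AFSA.
It turns the seven checks in the AFSA and State notices into rules over a parsed
message. The expected sender, subject and portal host come from the AFSA notice;
the phrases treated as "requests for personal information" and the two sample
messages below are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import getaddresses

EXPECTED_SENDER = "opmcio@csid.com"
EXPECTED_SUBJECT = "Important Message from the U.S. Office of Personnel Management CIO"
PORTAL_HOST = "www.csid.com"
# Assumed phrases a genuine notice never uses (rule 6); extend as needed.
PII_REQUEST_PATTERNS = (
    r"social security", r"\bssn\b", r"date of birth", r"password",
    r"reply with", r"confirm your (?:identity|account)",
)


def check_notification(raw: str, my_work_address: str) -> list[str]:
    """Return the rule violations found; an empty list means checks 1-6 all pass.

    Rule 7 (compare against the published screenshot) is a visual check and is
    left to the reader.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Rule 1: the sender address must be exact; the display name is ignored.
    senders = [addr.lower() for _, addr in getaddresses([msg.get("From", "")])]
    if senders != [EXPECTED_SENDER]:
        findings.append(f"rule 1: sender {senders!r} is not {EXPECTED_SENDER!r}")

    # Rule 2: sent only to my work mailbox; nobody else in To, CC or BCC.
    # (A received copy rarely carries a Bcc header, so that part is best effort.)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    if recipients != [my_work_address.lower()]:
        findings.append(f"rule 2: recipients {recipients!r} are not just my work address")

    # Rule 3: the subject line must match the official wording exactly.
    if (msg.get("Subject") or "") != EXPECTED_SUBJECT:
        findings.append("rule 3: subject line differs from the official wording")

    # Rule 4: links are never followed; any host other than the portal is flagged.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host != PORTAL_HOST:
            findings.append(f"rule 4: link points at {host!r}, not {PORTAL_HOST!r}")

    # Rule 5: the genuine notice carries no attachments at all.
    if any(True for _ in msg.iter_attachments()):
        findings.append("rule 5: message carries an attachment")

    # Rule 6: no request for further personal information.
    for pattern in PII_REQUEST_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"rule 6: body asks for personal data ({pattern!r})")
            break

    return findings


# Constructed sample: what a notice that satisfies the rules looks like.
GENUINE_SAMPLE = """\
From: OPM CIO <opmcio@csid.com>
To: jane.doe@state.gov
Subject: Important Message from the U.S. Office of Personnel Management CIO
Content-Type: text/plain; charset="utf-8"

Your enrollment PIN is 123456. Enroll at http://www.csid.com/opm.
"""

# Constructed sample: a look-alike that breaks rules 1, 2, 4, 5 and 6.
LOOKALIKE_SAMPLE = """\
From: OPM CIO <opmcio@csid-opm-enroll.example>
To: jane.doe@state.gov
Cc: someone.else@example.org
Subject: Important Message from the U.S. Office of Personnel Management CIO
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reply with your Social Security number, then log in at http://csid-opm-enroll.example/opm
--b1
Content-Type: application/pdf; name="enroll.pdf"
Content-Disposition: attachment; filename="enroll.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_SAMPLE), ("look-alike", LOOKALIKE_SAMPLE)):
        print(label, check_notification(sample, "jane.doe@state.gov") or "passes checks 1-6")
```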

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII). The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC on June 2 but was published on fedbiz on June 5, the day after the breach was reported. The Call 1 contract covers services for no more than 4 million units/employees.

Note that the State Department notice dated June 12 says that the “email should not contain any attachments” (#5). The OPM services contract awarded on June 2 includes the following:

3.1.1.2 Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receipt, track, and manage read receipts for email notifications.

Get that?

Now this. Somebody from State sent us a love letter for the hackers:

Dear Hackers: While you’re in there, please get my travel voucher for $291.46 approved, permanently cripple Carlson Wagonlit so we can stop wasting money on a useless product, and figure out how many special political hires there really are roaming our halls.  Oh and please don’t use my SF-86 info against my parents, it isn’t their fault I was an idiot and gave the government every last bit of info on my entire life.  I’m sure there’s more but it’s the weekend, let’s chat Monday. #LetsActLikeNothingHappened #SeriouslyThoughWTF .

And because the initial report is often understated (per the abrakadabra playbook, hoping the bad news will go away), we’re now hearing this:

Oops, wait, what’s this?

Well, here is part of that email sent from “M” on June 15, 5:35 pm ET:

“OPM has recently discovered that additional systems were compromised. These systems include those that contain info related to background investigations of current, former, and prospective Federal government employees, as well as other individuals from whom a Federal background investigation was conducted. This separate incident…was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture… OPM will notify those individuals whose info may have been compromised as soon as practical. You will be updated when we have more info on how and when these notifications will occur.”

So that original OPM estimate of 4 million affected employees is now OBE. That original $20 million contract will potentially go up.

Brian Krebs’ piece on credit monitoring, the default response these days when a breach happens, is worth a read. Basically, he’s saying that credit monitoring services aren’t really built to prevent ID theft (read Are Credit Monitoring Services Worth It?).

What can you do besides the suggestions provided by the State Department and OPM? Brian Krebs suggests a “credit freeze” or a “security freeze” not discussed or offered by OPM. Check out the very informative Q&A here.

 

We know what else is on our to-do list today.

#

OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info

Posted: 3:39 am EDT

 

On June 4, WaPo reported that hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, and that the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.

We should note that OPM’s Federal Investigative Services (OPM-FIS) oversees approximately 90% of all background investigations.

Reuters reported on June 6 that most of the State Department employees had not been exposed to the breach because their data was not housed on the hacked OPM systems. Apparently, only those who had previously been employed by another federal agency may have been exposed, it said. Did you get the notice on the data breach?

It appears, however, that OPM has a requirement that all candidates being offered positions of employment at U.S. government agencies or departments, including at the State Department, are to complete their Questionnaires for National Security Positions (SF-86) on-line via the electronic Questionnaires for Investigations Processing (e-QIP). We don’t know what happens to those completed questionnaires after they are submitted to OPM; are they transferred to the State Department and deleted from OPM servers?

OPM released the following statement:

The U.S. Office of Personnel Management (OPM) has identified a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information (PII).

Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.  As a result, in April 2015, OPM detected a cyber-intrusion affecting its information technology (IT) systems and data. The intrusion predated the adoption of the tougher security controls.

OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel. OPM continues to improve security for the sensitive information it manages and evaluates its IT security protocols on a continuous basis to protect sensitive data to the greatest extent possible. Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.

As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII may have been compromised.  Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary.  In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services.  This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”

OPM has issued the following guidance to affected individuals:

• Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

• Request a free credit report at http://www.AnnualCreditReport.com or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, http://www.ftc.gov.

• Review resources provided on the FTC identity theft website, http://www.identitytheft.gov.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

• You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

• Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).

• Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).

• Take advantage of any anti-phishing features offered by your email client and web browser.

• Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Potentially affected individuals can obtain additional information about the steps they can take to avoid identity theft from the following agencies. The FTC also encourages those who discover that their information has been misused to file a complaint with them.
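The URL advice in the guidance above (watch for spelling variants and for a different top-level domain such as .net in place of .com) can be turned into a check that a mail gateway, or a cautious reader, runs on a link before it is clicked. What follows is an added example written for this page, not code from OPM or US-CERT. It assumes an allowlist made up of the domains the guidance itself names, treats the last two host labels as the registrable domain (a simplification; production code should consult the Public Suffix List so that multi-label suffixes are handled), and uses constructed sample links.

```python
"""Lookalike-domain check for links in a message that claims to come from OPM.

Added example for this page, not OPM or US-CERT code.  The trusted domains are
the ones named in the OPM guidance; the sample URLs in __main__ are constructed.
"""
from urllib.parse import urlparse

# Domains the OPM guidance points readers to; anything else is untrusted.
TRUSTED_DOMAINS = {
    "annualcreditreport.com", "ftc.gov", "identitytheft.gov",
    "us-cert.gov", "ic3.gov", "antiphishing.org",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Return the lowercased hostname; userinfo ('brand@') and port are dropped."""
    if "://" not in url:
        url = "http://" + url          # bare 'www.example.org' style links
    host = urlparse(url).hostname      # hostname strips userinfo and port
    return (host or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels.  Real deployments use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Classify a link as trusted, tld-variant, lookalike, embedded-brand or unknown.

    Everything except 'trusted' deserves a second look before clicking; the
    second element of the tuple says why the category was chosen.
    """
    host = hostname_of(url)
    if not host:
        return ("unknown", "no hostname could be parsed")
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)

    # A trusted name used as a leading label sequence of some other domain,
    # e.g. ftc.gov.<something-else>: the real registrable domain is the tail.
    for t in sorted(trusted):
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("embedded-brand", f"{t} appears inside {domain}")

    if "." not in domain:
        return ("unknown", domain)
    sld, tld = domain.rsplit(".", 1)

    # Same second-level label, different top-level domain (.com vs .net).
    for t in sorted(trusted):
        tsld, ttld = t.rsplit(".", 1)
        if sld == tsld and tld != ttld:
            return ("tld-variant", f"{domain} differs from {t} only in the TLD")

    # Small spelling variation of a trusted label.  Short labels get a tighter
    # threshold so that three-letter names do not match everything.
    for t in sorted(trusted):
        tsld = t.rsplit(".", 1)[0]
        max_edits = 2 if len(tsld) >= 8 else 1
        if levenshtein(sld, tsld) <= max_edits:
            return ("lookalike", f"{domain} is within {max_edits} edit(s) of {t}")

    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links, of the kind a phishing message might carry.
    for u in ["https://www.annualcreditreport.com/",
              "http://annualcreditreport.net/",
              "http://annualcredltreport.com/",
              "http://www.ftc.gov.example.net/",
              "http://ftc.gov@example.net/"]:
        print(f"{u:45} -> {classify_url(u)}")
```

The `hostname` property of `urlparse` is what makes the last sample safe to reason about: a link written as `http://ftc.gov@example.net/` has `example.net` as its host, and the trusted name before the `@` is only userinfo, so the check reports the domain the browser would actually connect to.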


#

Burn Bag: On security clearance … leave it alone or the process will become “more” problematic?

Via Burn Bag:

“We have many EFM clearances – and interim clearances were requested by HR and rejected by DS for all of them – which are still pending. The oldest one is 15 months, the next is 13 months, etc. etc. (we have many). These people will PCS [permanent change of station] and still not have their clearance completed. The only statements from DS – other than implying to leave them alone or the process will become “more” problematic are that USDH [U.S. direct hire] clearances are first in line. Some missions depend on EFMs.”

image via imgur


#

Related post:
Asking about the security clearance logjam: “Seriously? I suggest we sent her to FLO…” Seriously, let’s not!

Asking about the security clearance logjam: “Seriously? I suggest we sent her to FLO…” Seriously, let’s not!

Posted: 12:46 am EDT


According to Diplomatic Security’s FAQ, the time to process a security clearance averages about 120 days. But the Department of State has apparently set a goal of rendering a security clearance decision in 90 days. We have, however, heard complaints that eligible family members (EFMs) overseas waiting to start jobs have been caught in a security clearance logjam, with some waiting much longer than four months. We’ve also heard rumors that DS no longer issues interim security clearances.

So we thought we’d ask the Diplomatic Security clearance people. We wanted clarification concerning interim clearances and the backlog, what posts can do to help minimize the backlog, and what EFMs can do if they have been waiting for months without a response.

We sent our inquiry to Grace Moe, the head of public affairs at the Diplomatic Security Service (DSS). We did not get any response. Three days later, we sent a follow-up email to her deputy and to the group’s security clearance mailbox. Shortly thereafter, an email popped up on my screen from the Security Specialist at DS’s Customer Service Center of the Office of Personnel Security/Suitability:

“Seriously? I suggest we sent her to FLO…”

Somebody suggesting they send Diplopundit to the FLO? Let’s not. We’re not privy to the preceding conversation on that email trail. But seriously, a straightforward inquiry on security clearance should not be pushed over to the Family Liaison Office (FLO) just because it’s related to family members.

So we told DS that we sent the security clearance inquiry to them for a very good reason and that we would appreciate a response unless they want to decline comment.

The lad at the Customer Service Center wrote back with a lame response that they will answer, but he was not sure about our email because it ends with a .net. Apparently, we’re the only one left in the world who has not moved over to dot com.  And he asked if it would be possible to obtain a name from our office.

Whaaaat? The next thing you know, they’ll want a phone date.

We’re sorry to inform you, but this Customer Service not only shovels inquiries elsewhere, it also cannot read and see contact names on emails. So days later, Customer Service is still waiting for us to provide a name that’s already on the email we sent them. That kind of redundant efficiency is amazing, but we hate to waste any more of our time playing this game.

So we asked a DS insider, who definitely should get double pay for doing the Customer Service’s job. But since the individual is not authorized to speak officially, try not to cite our source as your source when you deal with that DS office.

Anyway, we were told that it is not/not true that DS no longer issues interim clearances. Apparently, what happens more frequently is that HR forgets to request an interim clearance when it makes the initial request. So your paperwork just goes into a big pile. And you wait, and wait, and wait. So if you’re submitting your security paperwork, make sure you or your hiring office confirms with HR that they have requested an interim clearance.

We were going to confirm this with HR except that those folks appear to have an allergic reaction to our emails.

In any case, the logjam can also result from the FBI records checks. If the FBI has computer issues, that, apparently, can easily put tens of thousands of cases behind because without the results of the FBI check, “nothing can be done.” There’s nothing much you can do about that except pray that the FBI has no computer issues.

We also understand that the Office of Personnel Security/Suitability (PSS) is backed up because of a heavy case load. “Posts seem to be requesting clearances with reckless abandon.” We were cited an example where an eligible family member (EFM) works as a GSO housing coordinator. The EFM GSO coordinator has access to the same records as the local staff working at the General Services Office, but he/she gets a security clearance.

The Bureau of Human Resources determines whether a Department of State position will require a security clearance, as well as the level required, based upon the duties and responsibilities of the position. So in this example, HR may determine that the EFM GSO housing coordinator needs a clearance because he/she knows where everybody lives – including people from other agencies. Again, that same information is also accessible to the Foreign Service Nationals working as locally employed staff at GSO and HR.

Not sure which EFM jobs do not require a security clearance.  We understand that HR routinely asks for it when hiring family members.  Of course, this practice can also clog up the process for everyone in the system.  Routinely getting a clearance is technically good because an EFM can take that security clearance to his/her next job.  The Department of State will revalidate a security clearance if (1) the individual has not been out of federal service for more than 2 years and (2) if the individual’s clearance is based on an appropriate and current personnel security clearance investigation.  So the next time an EFM gets a job in Burkina Faso or back in Foggy Bottom, the wait won’t be as long as the clearance only requires revalidation.

And there is something else. Spouses/partners with 52 weeks of creditable employment overseas get Executive Order Eligibility, which enables them to be appointed non-competitively to a career-conditional appointment in the Civil Service once they return to the U.S. A security clearance and executive order eligibility are certainly useful when life plunks you back in the capital city after years of being overseas.

There is no publicly available data on how many EFMs have security clearances. But we should note that EFMs with security clearance are not assured jobs at their next posts. And we look at this as potentially a wasted resource (see below). EFMs who want jobs start from scratch on their security package only when they are conditionally hired. So if there’s an influx of a large number of new EFMs requesting security clearance, that’s when you potentially will have a logjam.

Back in 2009, we blogged about this issue (some of the numbers below are no longer current):

We have approximately 2,000 out of 9,000 family members currently working in over 217 missions worldwide. The majority, if not all, of them already have, at a minimum, a “Secret” level clearance. And yet, when they relocate to other posts, it is entirely possible that they won’t find work there. The average cost to process a SECRET clearance has been reported to run from several hundred dollars to $3,000, depending on individual factors. The average cost to process a TOP SECRET clearance is between $3,000 and about $15,000, depending on individual factors. Given that most FS folks spend the majority of their lives overseas, the $3,000 for a Secret clearance process for EFMs would be way too low. But let’s assume that all the EFMs currently working only have a Secret level clearance – at $3,000 each, that’s still 6 million USD right there. Even if only 500 of them lost their jobs due to regular reassignment, that’s 1.5 million USD that’s not put to effective use.

So here’s the idea – why can’t we create an EFM Virtual Corps? The EFMs who are already in the system could be assigned a specialization based on prior work experience within the US Mission. When not employed at post, their names could be added to the EFM Virtual Corps, a resource for other posts that require virtual supplementary or temporary/ongoing support online. Their email and Intranet logon should be enabled to facilitate communication while they are on a float assignment, and their reporting authority should be a straight line to a central coordinator at Main State and a dotted line to the Management Counselor at post. I know, I know, somebody from HR probably has a ready list of reasons why this can’t be done, but – how do we know if this works or not if we don’t try? The technology is already available; we just need organizational will, and then some, to make this work.

Here’s our related post on this topic: No Longer Grandma’s Foreign Service. You’re welcome to post this on the leadership site behind the State Department firewall. Hey, the somebodies already post our burn bag entries there, so why not this one?

#