What Information Is Collected on OPM’s Background Investigation Forms?

Posted: 2:44  am EDT


Via
CRS Insight

The information collected will depend on the applicant’s position and the type of background investigation required. OPM uses three standard forms for background investigations: SF-85, SF-85P, or SF-86 form. The forms are typically submitted electronically using OPM’s Electronic Questionnaires for Investigations Processing (e-QIP) system. OPM had suspended use of e-QIP “for security enhancements,” but re-enabled the system on July 23, 2015.

Data Collected for Non-Sensitive Positions

The eight-page SF-85 is required for applicants to non-sensitive positions (e.g., positions that do not require a security clearance) who require physical access to government facilities and who are in positions with a “low risk” to cause damage to the federal government or national security. The responsibilities of these positions are limited and there is little opportunity to use such positions for personal gain. For this reason, the information collected is relatively limited in scope and includes

  • full name, aliases, and SSN;
  • citizenship information;
  • employment information and addresses for the past five years; and
  • information on use or possession of illegal drugs (including marijuana) in the previous year.

Data Collected for “Positions of Public Trust”

The 11-page SF-85P is required for applicants in “Positions of Public Trust,” (i.e., positions that do not involve access to classified information, but that demand a “significant degree of public trust” due to the level of policymaking or other responsibilities). These positions may involve a “significant risk for causing damage [to the federal government] or realizing personal gain.” In addition to the information listed above, the SF-85P requires

  • identifying information (e.g., height, weight, eye and hair color);
  • military service information;
  • employment information and addresses for the past seven years; schools, if any, attended during the past seven years;
  • name, address, and telephone number of three personal references and immediate family members;
  • criminal arrests and/or convictions for the past seven years (excluding incidents prior to the applicant’s 16th birthday or traffic fines under $150);
  • financial information, including bankruptcies during the past seven years and any delinquent financial obligations;
  • foreign travel during the past seven years; and
  • information on use or possession of illegal drugs (including marijuana) in the previous year and any illegal purchase, sale, or transport of drugs in the previous seven years.

Data Collected for Security Clearances and Other National Security Positions

The 127-page SF-86 form is required for applicants to national security sensitive positions, which includes (but is not limited to) positions that require a security clearance. In addition to the information listed above, the SF-86 requires

  • employment information and home addresses for the past 10 years;
  • schools attended for the past 10 years, including a reference at each school attended;
  • personal information (including SSN) for current spouse or cohabitant;
  • foreign contacts, travels, and/or activities;
  • associations with individuals or groups dedicated to terrorism or the violent overthrow of the U.S. government;
  • details on applicant’s “psychological and emotional health,” including, with certain exceptions, details on treatments during the past seven years;
  • additional information on criminal activities, including convictions or charges involving firearms or explosives;
  • alcohol use in the past seven years that has negatively impacted the applicant’s work, personal relationships, finances, or resulted in “intervention by law enforcement/public safety personnel”;
  • use, possession, or other involvement with illegal drugs (including marijuana) in the past seven years or at any time while holding a clearance;
  • details on the applicant’s financial condition and civil court actions; and improper use of information technology systems.

What Other Records Are Contained in OPM’s Personnel Security Background Investigation Files?

OPM’s systems also include information gathered by investigators during the background investigation process, such as summaries of interviews with the applicant’s family members, co-workers, friends, and neighbors. Additionally, investigators may run credit checks, pull civil and criminal court records, and run checks of state and federal agency records to verify information that the applicant provided on the application.

According to OPM’s most recent Privacy Act Notice, personnel investigation records may also include information provided by other agencies, such as:

  • Internal Revenue Service income tax returns;
  • prior security clearance investigative records; and
  • clearance adjudicative records, including polygraph results, if applicable.

It is unclear from OPM’s news release if these types of investigative records were compromised in the breach.

#

US Embassy El Salvador Warns of Increased Frequency and Intensity of Security Incidents

Posted: 1:45 am EDT

The 2015 Crime and Safety Report from the Regional Security Office released in May this year, notes that crime in El Salvador can run the gamut from credit card skimming to homicide and is unpredictable, gang-centric, and characterized by violence directed against both known victims and targets of opportunity. The effect and threat of violent crime in the capital city of San Salvador, including the neighborhoods in which many U.S. citizens live and work, leads to greater isolation and the curtailment of recreational opportunities. Crimes of every type routinely occur. U.S. citizens are advised to avoid travel into the downtown area of San Salvador “unless absolutely necessary” and travel outside the cities and to Guatemala or Honduras should only be done during daylight hours and with multiple vehicle convoys for safety. Excerpt:

The threat from transnational criminal organizations is prevalent throughout Central America. There is some evidence that the Mexican drug cartel Los Zetas may have infiltrated El Salvador, although only in extremely low numbers. El Salvador has hundreds of gang “cliques,” with more than 20,000 members. Violent, well-armed, U.S.-style street gang growth continues, with the 18th Street (Barrio 18) and MS-13 (“Mara Salvatrucha”) gangs being the largest. Gangs concentrate on narcotics and arms trafficking, murder for hire, carjacking, extortion, and violent street crime. The gangs have collaborated with Mexican drug cartels to carry out murders and have sold the cartels weapons and explosives left over from the war and/or from the military. Recognizing the threat posed by MS-13, the Department of Treasury’s Office of Foreign Assets Control (OFAC) designated the MS-13 a Transnational Criminal Organization (TCO) in their list of Specially Designated Nationals. Gangs and other criminal elements roam freely, targeting affluent areas for burglaries, and gang members are quick to engage in violence when resisted. Many of the gangs are comprised of unemployed youth who do not hesitate to use deadly force when perpetrating crimes.

A contributing factor to crime is the presence of impoverished shanty communities in the midst of high-income residential and higher-end commercial areas in the capital. There are few if any areas immune from violent crime. However, the presence of armed security and the use of security features at homes have proven to be successful in combating home invasions. In 2014, armed robberies continued to be the greatest security threat facing diplomats, tourists, and business persons. Home invasions/burglaries during daylight continue to be prevalent in residential neighborhoods in San Salvador. Some home invasions occur when individuals posing as delivery men or police officers gain access to a home.

Extortion persists as a very common, effective criminal enterprise. Hitting a peak in 2009, the number of extortions has dropped from 4,528 reported cases of extortion in 2006 to 2,480 reported cases in 2014. Many of the extortion calls originate from prisons.

There were 2,480 car thefts and 1,331 carjackings reported in 2014. Not tracked however, are the significant numbers of smash-and-grab-type of auto burglaries pervasive throughout the urban areas of El Salvador.

El Salvador has one of the highest homicide rates in the world, and the Department of State updated the Travel Warning for El Salvador in November 2014 to notify U.S. citizens about travel safety concerns and challenges. Police statistics show an increase in annual homicides during 2014, attributed primarily to the cessation of a controversial 2012 truce between local gangs. Crime statistics showed that the 2014 annual homicide rate — 68.6 per 100,000 inhabitants — was significantly higher than the previous year’s 43.7 per 100,000 rate. In 2014, authorities recorded 3,912 homicides, a 55.7 percent increase from the 2,513 in 2013.

Rape remains a serious concern; in 2013 and 2014, an average of 376 rapes per year were reported. Services for victims of rape are very limited, and many victims choose not to participate in the investigation and prosecution of the crime for fear of not being treated respectfully by the authorities. Many murder victims show signs of rape, and survivors of rape may not report the crime for fear of retaliation.

El Salvador is not a danger post for allowances purposes. It is a 15% COLA and 15% hardship differential  post according to the latest bi-weekly update from state.gov.

The Crime and Safety Report is an annual product of the Regional Security Office (RSO) of every U.S. embassy. Read the full report here.

elsalvador_map_2010worldfactbook_300_1

Image from CIA World Factbook 2010

 

On July 29, the US Embassy in El Salvador issued a security message to American citizens residing in El Salvador on the increased risk of crime and violence in the country:

In recent weeks, there has been an increase in the frequency and intensity of security incidents in El Salvador, including multiple attacks on transportation workers and security forces.  The U.S. Embassy is aware that criminal elements in El Salvador have threatened to escalate the level of violence by attacking hotels, restaurants, shopping malls and other public venues.  The grenade attack at a major hotel on July 25 demonstrates both a will and a capability to carry out such plans.

The Embassy is not aware of any threat specifically directed against U.S. citizens in El Salvador.  However, the violence of recent weeks, coupled with this new information, demonstrates the need for sustained caution and high security awareness at all times. Review your personal security plans, avoid outdoor seating (as at restaurants and bars), and monitor local news stations for updates.  Take appropriate steps to enhance your personal security. Please see the below excerpt from the Travel Warning for El Salvador:

U.S. citizens should remain alert to their surroundings, especially when entering or exiting their homes or hotels, cars, garages, schools, and workplaces.  Whenever possible, travel in groups.  U.S. Embassy security officials advise all U.S. government personnel not to walk, run, or cycle in unguarded streets and parks, even in groups, and recommend exercising only in gyms and fitness centers.  Avoid wearing expensive jewelry, and do not carry large sums of money or display cash, ATM/credit cards, or other valuables.  Avoid walking at night in most areas of El Salvador. Incidents of crime along roads, including carjacking, are common in El Salvador.  Motorists should avoid traveling at night and always drive with their doors locked to deter potential robberies at traffic lights and on congested downtown streets.  Travel on public transportation, especially buses, both within and outside the capital, is risky and not recommended.  The Embassy advises official visitors and personnel to avoid using mini-buses and regular buses and to use only radio-dispatched taxis or those stationed in front of major hotels.

.

.

.

.

.

.

#

No, the FTC is not/not offering money to OPM data breach victims

Posted: 1:07  pm EDT

 

The Federal Trade Commission’s Lisa Weintraub Schifferle, an attorney for FTC’s Division of Consumer and Business Education pens the following warning:

If you’re an OPM data breach victim, you probably know to look out for identity theft. But what about imposter scams? In the latest twist, imposters are pretending to be the FTC offering money to OPM data breach victims.

Here’s how it works: A man calls and says he’s from the FTC and has money for you because you were an OPM data breach victim. All you need to do is give him some information.

Stop. Don’t tell him anything. He’s not from the FTC.

One fake name the caller used was Dave Johnson, with the FTC in Las Vegas, Nevada. There’s not even an FTC office in Las Vegas. The FTC won’t be calling to ask for your personal information. We won’t be giving money to OPM data breach victims either.

That’s just one example of the type of scam you might see. You may get a different call or email. Here are some tips for recognizing and preventing government imposter scams and other phishing scams:

• Don’t give personal information. Don’t provide any personal or financial information unless you’ve initiated the call and it’s to a phone number you know to be correct. Never provide financial information by email.

• Don’t wire money. The government won’t ask you to wire money or put it on a prepaid debit card. Also, the government won’t ask you to pay money to claim a grant, prize or refund.

• Don’t trust caller ID. Scammers can spoof their numbers so it looks like they are calling from a government agency, even when they are not. Federal agencies will not call to tell you they are giving you money.

If you’ve received a call or email that you think is fake, report it to the FTC. If it’s an email that relates to the OPM breach, you also can forward it to US-CERT at phishing-report@us-cert.gov. If you gave your personal information to an imposter, it’s time to change those compromised passwords, account numbers or security questions.

Originally posted here.

#

OPM to Charge Agencies for Credit Monitoring Offered to Federal Employees

Posted: 2:32 am EDT

 

The latest update from “M” on the OPM breach dated July 15, notes that “The State Department never transferred personnel records to the OPM facility. However, if you had other U.S. Government service prior to joining State, you may have had records that were involved.” On the background information breach, it says that “State Department employees’ SF-85 and SF-86 forms (depending on the appointment) were in the OPM system and thus were impacted. However, other background investigation material was not.”

If you have additional questions email DG DIRECT [DGDIRECT@STATE.GOV] or OPM’s new email: cybersecurity@opm.gov

AFSA’s latest update to its membership is dated July 10 and available to read here.

Some developments on the fallout from the data breach:

 

.

.

.

.

.

.

.

.

.

.

#

 

State Dept Authorization Bill Mandates Security Breach Reporting, NSA Consultations –Can PenTest Be Far Behind?

Posted: 12:27 am EDT
Updated: 11:23 am PDT

 

Update: A source on the Hill alerted us that the State Authorization bill was offered as an amendment when the NDAA was debated in the Senate last month but it was not voted on and the NDAA passed on June 18 (That would be H.R. 1735 which passed 215 (71-25)  We understand that both chambers are now starting the process to bring the bill to conference in order to resolve differences.  The State Authorization bill, we are told, will not be part of those discussions.  In order for this to move forward, it will either need to be brought to the floor as a stand alone vote or Corker/Cardin could try again to attach it to another piece of legislation. Given that this is the first authorization bill passed by the SFRC in 5 years, and made it through the committee with bi-partisan support, we suspect that the senators will not just easily forget about this. — DS

On June 9, 2015, U.S. Senators Bob Corker (R-Tenn.) and Ben Cardin (D-Md.), the chairman and ranking member of the Senate Foreign Relations Committee, applauded the unanimous committee passage of the Fiscal Year 2016 Department of State Operations Authorization and Embassy Security Act. The SFRC statement says that it has been five years since the Senate Foreign Relations Committee passed a State Department Authorization bill and 13 years since one was enacted into law.  This State Department Authorization bill has been offered as an amendment to the National Defense Authorization Act, which currently is on the Senate floor. It is quite lengthy so we’re doing this in installments.

Below is the section on information technology system security that mandates security breach reporting, as well as making State Dept systems and networks available to the Director of the National Security Agency (NSA) and any other such departments or agencies to carry out necessary tests and procedures.

The State Department’s Consular Consolidated Database (CCD) as of 2011 contains over 137 million American and foreign case records and over 130 million photographs and is growing at approximately 40,000 visa and passport cases every day. If the CCD is compromised, it would be a jackpot for hackers that would make the OPM hack severely pales in comparison.

If this bill passes, will the penetration test by NSA on one of the world’s largest data warehouses finally happen?

Via govtrack:

Section 206.Information technology system security

(a)In general

The Secretary shall regularly consult with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate regarding the security of United States Government and nongovernment information technology systems and networks owned, operated, managed, or utilized by the Department, including any such systems or networks facilitating the use of sensitive or classified information.

(b)Consultation

In performing the consultations required under subsection (a), the Secretary shall make all such systems and networks available to the Director of the National Security Agency and any other such departments or agencies to carry out such tests and procedures as are necessary to ensure adequate policies and protections are in place to prevent penetrations or compromises of such systems and networks, including by malicious intrusions by any unauthorized individual or state actor or other entity.

(c)Security breach reporting

Not later than 180 days after the date of the enactment of this Act, and every 180 days thereafter, the Secretary, in consultation with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate, shall submit a report to the appropriate congressional committees that describes in detail—

(1)all known or suspected penetrations or compromises of the systems or networks described in subsection (a) facilitating the use of classified information; and

(2)all known or suspected significant penetrations or compromises of any other such systems and networks that occurred since the submission of the prior report.

(d)Content

Each report submitted under subsection (c) shall include—

(1)a description of the relevant information technology system or network penetrated or compromised;

(2)an assessment of the date and time such penetration or compromise occurred;

(3)an assessment of the duration for which such system or network was penetrated or compromised, including whether such penetration or compromise is ongoing;

(4)an assessment of the amount and sensitivity of information accessed and available to have been accessed by such penetration or compromise, including any such information contained on systems and networks owned, operated, managed, or utilized by any other department or agency of the United States Government;

(5)an assessment of whether such system or network was penetrated by a malicious intrusion, including an assessment of—

(A)the known or suspected perpetrators, including state actors; and

(B)the methods used to conduct such penetration or compromise; and

(6)a description of the actions the Department has taken, or plans to take, to prevent future, similar penetrations or compromises of such systems and networks.

#

Related Post:
S.1635: DOS Operations Authorization and Embassy Security Act, Fiscal Year 2016 – Security Clearance

We’re Hosting a Q&A With FSO Mark D. Perry of CorridorRep.com — Saturday, July 18, 7pm EST

Posted: 2:23 pm EDT
Updated: 8:41 pm EDT
Updated: 12:43 pm EDT

 

On July 7, I did a blogpost about CorridorRep.com, a website owned by Transparency In Government Performance, LLC. (See “Corridor Reputation” Gets a Makeover, And OMG …. It’s Now Online!)

CorridorRep.com’s site administrator is Foreign Service Officer Mark D. Perry. (Note: he is not the Mark Perry on LinkedIn). We requested a short bio and here is what he sent us:

Mark D. Perry is a consular-coned Foreign Service Officer who has served overseas in Monterrey, Cairo, and Lima.  He is currently working in a domestic assignment at the Buffalo Passport Agency.  He enjoys chocolate and looking for ways to make life better through the use of technology. Prior to joining the service, he worked in corporate HR for Tyco International, Ltd.

We cannot give you firsthand assessment of the site but readers writing this blog seems split between “this is great, yay!” or this is a terrible idea.

Mr. Perry told us via email that he has been thinking about this idea for years and floated it to a number of trusted friends. “Some said wow this is great and others said you are crazy,” he writes.

Another feedback we got is along the line of — hey, it only took a minute to figure out who runs this site; if he’s not good at protecting himself … what about my information?

We asked Mr. Perry about that and he explained that he created the LLC not to hide his identity, but to provide some additional legal protection.  That is true enough as LLC owners are protected from personal liability for business debts and claims.

We also asked about some readers’ concerns on data security, and here is his response:

I can understand the concerns about data security but I think the potential benefits outweigh these risks. Anything posted here could also be overheard in a cafe or sent by personal email to a friend or already on someone’s Facebook page. All of these are also easy targets for collection. This is nothing new. The site might make it marginally easier but I really do not see much risk in that aspect.

One reader asked about an “opt-out” so we also put that question to Mr. Perry.

[T]here really is not [a] way to prevent someone from  rating you. Preventing someone from being rated would be technically  close to impossible. Anyone can delete or edit the ratings they have  entered for others but could not delete ratings from others about  themselves. Anyone can choose not to visit the site so I guess that is one way one could opt out.

The site itself says that “you now have access to honest 360 reviews.”  One of the screencaps on the site is a section that says “Will work again with You” with the following options:  1) Supervisor, 2) Subordinate, 3) Colleague, 4) Other and 5) All.  We should note that the State Department has been using the 360 degree feedback for years primarily as a placement tool during the assignments process, and as far as we know, not as a developmental tool. See update below.

So think Yelp, Trip Advisor, Amazon and other online rating sites out there, except that the employee is now the rated brand/product.  Or perhaps the closest ones would be the student rating sites for teachers/professors performance.  Online reviews are popular and have grown prevalent in recent years.  There are even online reviews written by ex-convicts!  These online reviews have also grown controversial, of course, with some allegations of manipulation (and some real) orchestrated by companies to trick potential customers. The Harvard Business review last year, however notes that “voracious information-seeking has become deeply ingrained in many consumers, and we can envision no scenario in which they will see traditional marketing as a better provider of product information.”

In some ways, corridorrep.com is probably more like glassdoor.com, a career community that depends on everyone being able to share an inside look at a company they know.  Corridorrep.com depends on everyone being able to share an inside look about each other; it’s success certainly depends on the participation of enough individuals rating each other. Its stated goal is to have 5,000 reviews. Since we posted about the site, the online reviews have gone from 26 to 83, averaging about six reviews a day in the last 9 days.  That’s not a significant number at this time but if the number of posts continue at this rate, we estimate that the site will reach its goal in slightly over a couple of years.  The question now is how many of the Foreign Service’s 13,908 employees are willing to participate? Will Civil Service employees and Foreign Service Nationals, who all have state.gov emails also participate?

We understand that the site has become fairly controversial within the FS community. We are sure there are many more questions out there for corridorrep.com. We have offered to host a Q&A at our forum and Mr. Perry has accepted the invitation.  He will answer your questions on Saturday, July 18, 7pm EST. This forum is set as “open” so non-registered members of the forum and readers of the blog will be able to post questions of interest. You may post your questions ahead of time here: http://forums.diplopundit.net/?forum=457155.

See you at the forum!

Update:  We received the following nugget from an FSO with clarification on current use of 360 at State; our correspondent is not sure if there is a similar process for the Civil Service:

“State’s mandatory leadership and management training that everyone in the Foreign Service has to take each time they are promoted to the next level (at least for promotions to 02, 01 and into the SFS, not sure about below that) has a 360 component. You have to submit 10-15 names to review you anonymously, inlcuding subordinates, peers and bosses (the bosses are not anonymous). The results and comments are shared with you and the FSI instructors and I’ve found it quite useful. You also do one for yourself and seeing the similarities or differences between your self-image of your strengths and weaknesses and how others view you is very instructive.”

A Consular Officer also sent us the following details on the use of 360s at State/CA:

The Bureau of Consular Affairs also uses 360s as a development tool. Its CBAT program collects 360s for bidders and shares the report of the assessors’ input with the bidder. There are fewer questions than on the leadership training 360s mentioned above, but the CBAT does ask “would you work with this employee again?” and offers free text fields for assessors to say whatever they want. In general, the new (2 years old) CBAT process has been received pretty well, although I think some officers have been surprised by frank feedback.  And on the leadership training you mentioned, that is also open to Civil Service employees. I think it is mandatory at GS-13/14/15.

#

 

Related posts:

 

 

21.5 Million Americans Compromised, OPM’s Ms. Archuleta Still Not Going Anywhere

Posted: 1:36 am  PDT

Excerpt via opm.gov:

OPM announced the results of the interagency forensic investigation into the second incident.  As previously announced, in late-May 2015, as a result of ongoing efforts to secure its systems, OPM discovered an incident affecting background investigation records of current, former, and prospective Federal employees and contractors.  Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.  Some records also include findings from interviews conducted by background investigators and fingerprints.  Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

While background investigation records do contain some information regarding mental health and financial history provided by those that have applied for a security clearance and by individuals contacted during the background investigation, there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of Federal personnel were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).

This incident is separate but related to a previous incident, discovered in April 2015, affecting personnel data for current and former Federal employees.  OPM and its interagency partners concluded with a high degree of confidence that personnel data for 4.2 million individuals had been stolen.  This number has not changed since it was announced by OPM in early June, and OPM has worked to notify all of these individuals and ensure that they are provided with the appropriate support and tools to protect their personal information.

Analysis of background investigation incident.  Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected.  The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases.  This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.  As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints.  There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems.

If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.

So, are we supposed to wait for another credit monitoring offer from OPM’s partners for this BI hack, after already being offered credit monitoring for the personnel data compromised in an earlier breach?

Yes. Wonderful.

Ms. Archuleta should do the right thing and resign.

Part of OPM’s public response to these breaches has been to protect the director’s record at the agency.  While she remains in charge, I suspect that the fixes at OPM will also include shielding the director from further damage. News reports already talk about OPM’s push back. Next thing you know we’ll have “setting the record straight” newsbots all over the place.

While it is true that Ms. Archuleta arrived at OPM with legacy systems still in operation, these breaches happened under her watch. Despite her protestation that no one is personally responsible (except the hackers), she is the highest accountable official at OPM.  Part and parcel of being in a leadership position is to own up to the disasters under your wings.  Ms. Archuleta should resign and give somebody else a chance to lead the fixes at OPM.

via reactiongifs.com

via reactiongifs.com

.

.

.

.

.

.

.

OPM Director Writes Investigation “Update” on Data Breach on July 4th, 8 p.m. Yawn. Rumble Burble CYA

Posted: 3:14 am  EDT

 

Katherine Archuleta who remains OPM director following the drip, drip, drip reports on the OPM data breach wrote a blog post at 8 pm on Saturday, July 4th, updating the “hardworking Federal workforce” on the “Cyberintrustion Investigation.”

The update does not provide any real update on the investigation, except to say they hope to have something this week. Two sentences on the investigation from an eight para message. Oy!

The purpose of the message appears to be — to show that the director is working on a Federal holiday. At 8 pm, too. While you all are celebrating the Fourth of July, the OPM director who is “as concerned about these incidents as you are,” is writing a blog post, and talking about the “tireless efforts” of her team. She wants folks to know that she “shares your anger,” and that she remains “committed to improving the IT issues that have plagued OPM for decades.” She also writes that she is “committed to finishing the important work outlined” in her Strategic IT Plan.

Hey, no one is personally responsible for this breach except the hackers, and it looks like Ms. Archuleta is committed enough that she won’t be going anywhere. No, not even to go back in time.

Here’s the part of her message that gave me a nasty headache. She writes, “I encourage you to take some time to learn about the ways you can help protect your own personal information.” 

Ay, holy molly guacamole!

May I also encourage OPM to take some time to learn about the ways it can help protect the personal information of Federal employees, job applicants, retirees and contractors, and their family members, because why not? See this timeline:
.

.

Cybersecurity is already a priority in our lives and work. We’re all in this great mess because it wasn’t a priority for OPM.  I certainly welcome more substantive details of this breach but these updates that are nothing more than rumble burble CYA are mighty useless, and they don’t do  anything to improve my perception of OPM or its leadership.

Dear White House. Please.Make.Her.Stop.

*

Via opm.gov

As our hardworking Federal workforce enjoys a much-deserved holiday weekend, I want to share a quick update on the ongoing investigation into the recent theft of information from OPM’s networks.

For those individuals whose data may have been compromised in the intrusion affecting personnel records, we are providing credit monitoring and identity protection services. My team has worked with our identity protection contractor to increase staff to handle the large volume of calls, and to dramatically reduce wait times for people seeking services. As of Friday, our average wait time was about 2 minutes with the longest wait time being about 15 minutes.

Thanks to the tireless efforts of my team at OPM and our inter-agency partners, we also have made progress in the investigation into the attacks on OPM’s background information systems. We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected.

I want you to know that I am as concerned about these incidents as you are. I share your anger that adversaries targeted OPM data. And I remain committed to improving the IT issues that have plagued OPM for decades.

One of my first priorities upon being honored with the responsibility of leading OPM was the development of a comprehensive IT strategic plan, which identified security vulnerabilities in OPM’s aging legacy systems, and, beginning in February 2014, embarked our agency on an aggressive modernization and security overhaul of our network and its systems. It was only because of OPM’s aggressive efforts to update our cybersecurity posture, adding numerous tools and capabilities to our networks, that the recent cybersecurity incidents were discovered.

I am committed to finishing the important work outlined in my Strategic IT Plan and together with our inter-agency partners, OPM will continue to evaluate and improve our security systems to make sure our sensitive data is protected to the greatest extent possible, across all of our networks.

We are living in an era where cybersecurity must be a priority in our lives at work and at home. I encourage you to take some time to learn about the ways you can help protect your own personal information. There are many helpful resources available on our website.

I’m wishing you a safe and relaxing 4th of July weekend.

#

#OPMBreach: Back to Paper SF-86s, No More Social Media at OPM, Scary Movie Chinese Edition

Posted: 2:15 pm EDT

.

.

.

.

.

.

 

Related Posts:

 

OPM Hit By Class Action Lawsuit, and Those Phishing Scams You Feared Over #OPMHack Are Real (Corrected)

Posted: 7:16 pm  EDT

 

The largest federal employee union, the American Federation of Government Employees, filed a class action lawsuit today against the Office of Personnel Management, its director, Katherine Archuleta, its chief information officer, Donna Seymour and Keypoint Government Solutions, an OPM contractor.
.

.

.
A couple of weeks ago, we thought that the “recipe” from the OPM email notification sent to potentially affected employees via email might be copied by online scammers.

.

 

Today, the United States Computer Emergency Readiness Team (US-CERT), part of part of DHS’ National Cybersecurity and Communications Integration Center (NCCIC) issued an alert on phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID.

#