USG Creates New National Background Investigations Bureau (NBIB) After OPM Data Breach

January 26, 2016 By domani spero in Diplomatic Security, Federal Agencies, Govt Documents, Interagency Cooperation, Security, State Department Tags: background investigation, Cyber Security, data breach, Federal Investigative Services, National Background Investigations Bureau, NBIB, OPM, OPM hack

Posted: 12:16 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Last week, OPM announced a series of changes to modernize and strengthen the way it conduct background investigations for Federal employees and contractors and protect sensitive data. The new bureau will be housed at OPM but will have DOD IT security and operation. It also absorbs OPM’s Federal Investigative Services (FIS). It is described as a new government wide-service provider. It is not clear how this will affect agencies like the State Department who conducted their own separate background investigations in the past.

Below is an excerpt from the OPM announcement:

These changes include the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C. This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.

Today’s announcement comes after an interagency 90-Day Suitability and Security review commenced last year in light of increasing cybersecurity threats, including the compromise of information housed at OPM, to re-examine reforms to the Federal background investigations process, assess additional enhancements to further secure information networks and systems, and determine improvements that could be made to the way the Government conducts background investigations for suitability, security and credentialing.

This review was conducted by the interagency Performance Accountability Council (PAC), which is chaired by the Office of Management and Budget (OMB) and comprised of the Director of National Intelligence (DNI), the Director of the U.S. Office of Personnel Management, in their respective roles as Security and Suitability Executive Agents of the PAC, and the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others. It also included consultation with outside experts.

We are proud of the collaborative effort of the interagency team that helped identify these critical reforms. And we are committed to protecting the security of not only our systems and data, but also the Personally Identifiable Information of the people we entrust with protecting our national security.

We also want to thank the men and women of OPM’s Federal Investigative Services for the work they do every day to provide quality background investigations to agencies across Government.

The Administration will establish a transition team that will develop a plan to stand up NBIB and migrate the existing functions of the current Federal Investigative Service to the NBIB, and to make sure that agencies continue to get the investigative services they need during the transition.

For more information about today’s announcement please go to https://www.whitehouse.gov/blog/2016/01/22/way-forward-federal-background-investigations.

OPM Data Breach Victims Get New Verification Site Through DOD, ID Protection Services Through ID Experts

December 2, 2015 By domani spero in Defense Department, Federal Agencies, Govt Documents, Privacy, Security, Security Clearance, Spectacular, Spouses, State Department, Technology and Work, Trends Tags: cybersecurity, data breach, data breach insurance, FS family members, ID Experts, identify theft and fraud protection services, MyIDCare, OPM, OPM hack

Posted: 1:23 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

OPM launches self-check website for hack victims: https://t.co/x7pwhPqe4k pic.twitter.com/AUrubfyDeh

— The Hill (@thehill) December 2, 2015

Just in: @USOPM launches website for #breach victims https://t.co/DA4lS45CKY

— FedScoop (@fedscoop) December 1, 2015

New verification center is opened for potential victims of @USOPM #cyber attack. Details on how it works. https://t.co/Oplkk8I1nG

— Jason Miller (@jmillerWFED) December 1, 2015

OPM’s Cybersecurity Resource Center allows individuals impacted by the hack to sign up for protection services through ID Experts or verify if one is impacted by the data breach through DOD.

OPM says that while it is “not aware of any misuse of your information,” it is offering victims and dependent minor children who were under the age of 18 as of July 1, 2015, credit and identity monitoring, identity theft insurance, and identity restoration services for the next three years “through ID Experts, a company that specializes in identity theft protection.”

According to OPM, the identify thief insurance became effective on September 1, 2015 and the scope of the coverage includes all claims submitted on or prior to December 31, 2018. This insurance covers expenses incurred in restoring identity and is valid for amounts up to $1,000,000 with no deductible.

If you received a notification letter and PIN code from the Office of Personnel Management, OPM has determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records. You have to sign up for MyIDCare to access the protection if offers.

OPM has published what its notification letters look like:

If your fingerprints were not compromised, your notification letter will look like this (PDF file) [119.25 KB].
If your fingerprints were compromised, your notification letter will look like this (PDF file) [49.67 KB].

The Federal Government has also set up a verification center to assist individuals who have lost their PIN code or believe their data may be impacted but have not yet received notification letters. If you believe that you were impacted, but have not yet received your notification letter, OPM asks that you wait until mid-December before contacting the verification center. The Federal Government anticipates completing the mailing of notification letters by the end of the second week in December.

To verify by phone, call 866-408-4555 Toll Free; 503-520-4453 International; 503-597-7662 TTY or verify online here through DOD.

The https://opmverify.dmdc.osd.mil verification website offered through the Department of Defense says that its purpose is “To provide breach notification and facilitate the provision of breach mitigation services to individuals affected by the breach of information in the Office of Personnel Management (OPM) background investigation databases.”

DoD will also “use the data to respond to breach verification inquiries received from individuals using the link on OPM’s website that redirects individuals to a DoD website where they can enter their information to find out if they have been affected by this breach. These records may also be used for tracking, reporting, measuring, and improving the Department’s effectiveness in implementing this data breach notification.”

Click here for the Frequents Asked Questions. If you have already enrolled and have questions or concerns about your post-enrollment services, you may call OPM’s 800-750-3004.

Related posts:

No, the FTC is not/not offering money to OPM data breach victims

July 22, 2015 By domani spero in Scams, Security, State Department, Technology and Work, Trends Tags: “phishing” attacks, cybersecurity, data breach, Federal Trade Commission, FTC, impostor scams, OPM, OPM hack, US-CERT

Posted: 1:07 pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

The Federal Trade Commission’s Lisa Weintraub Schifferle, an attorney for FTC’s Division of Consumer and Business Education pens the following warning:

If you’re an OPM data breach victim, you probably know to look out for identity theft. But what about imposter scams? In the latest twist, imposters are pretending to be the FTC offering money to OPM data breach victims.

Here’s how it works: A man calls and says he’s from the FTC and has money for you because you were an OPM data breach victim. All you need to do is give him some information.

Stop. Don’t tell him anything. He’s not from the FTC.

One fake name the caller used was Dave Johnson, with the FTC in Las Vegas, Nevada. There’s not even an FTC office in Las Vegas. The FTC won’t be calling to ask for your personal information. We won’t be giving money to OPM data breach victims either.

That’s just one example of the type of scam you might see. You may get a different call or email. Here are some tips for recognizing and preventing government imposter scams and other phishing scams:

• Don’t give personal information. Don’t provide any personal or financial information unless you’ve initiated the call and it’s to a phone number you know to be correct. Never provide financial information by email.

• Don’t wire money. The government won’t ask you to wire money or put it on a prepaid debit card. Also, the government won’t ask you to pay money to claim a grant, prize or refund.

• Don’t trust caller ID. Scammers can spoof their numbers so it looks like they are calling from a government agency, even when they are not. Federal agencies will not call to tell you they are giving you money.

If you’ve received a call or email that you think is fake, report it to the FTC. If it’s an email that relates to the OPM breach, you also can forward it to US-CERT at phishing-report@us-cert.gov. If you gave your personal information to an imposter, it’s time to change those compromised passwords, account numbers or security questions.

Originally posted here.

OPM Director Writes Investigation “Update” on Data Breach on July 4th, 8 p.m. Yawn. Rumble Burble CYA

July 7, 2015 By domani spero in Federal Agencies, Leadership and Management, Legacy, Lessons, Political Appointees, Security, Technology and Work, Trends Tags: cybersecurity, data breach, Katherine Archuleta, OPM, OPM hack, OPM hack timeline 1 Comment

Posted: 3:14 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Katherine Archuleta who remains OPM director following the drip, drip, drip reports on the OPM data breach wrote a blog post at 8 pm on Saturday, July 4th, updating the “hardworking Federal workforce” on the “Cyberintrustion Investigation.”

The update does not provide any real update on the investigation, except to say they hope to have something this week. Two sentences on the investigation from an eight para message. Oy!

The purpose of the message appears to be — to show that the director is working on a Federal holiday. At 8 pm, too. While you all are celebrating the Fourth of July, the OPM director who is “as concerned about these incidents as you are,” is writing a blog post, and talking about the “tireless efforts” of her team. She wants folks to know that she “shares your anger,” and that she remains “committed to improving the IT issues that have plagued OPM for decades.” She also writes that she is “committed to finishing the important work outlined” in her Strategic IT Plan.

Hey, no one is personally responsible for this breach except the hackers, and it looks like Ms. Archuleta is committed enough that she won’t be going anywhere. No, not even to go back in time.

Image via Canadian Foreign Service Problems

Here’s the part of her message that gave me a nasty headache. She writes, “I encourage you to take some time to learn about the ways you can help protect your own personal information.”

Ay, holy molly guacamole!

May I also encourage OPM to take some time to learn about the ways it can help protect the personal information of Federal employees, job applicants, retirees and contractors, and their family members, because why not? See this timeline:
.

Here are the six hacks that hit OPM and its contractors since April 2013: http://t.co/TAKkxuvMI4 pic.twitter.com/jgPZiwIZwm

— National Journal (@nationaljournal) July 6, 2015

Cybersecurity is already a priority in our lives and work. We’re all in this great mess because it wasn’t a priority for OPM. I certainly welcome more substantive details of this breach but these updates that are nothing more than rumble burble CYA are mighty useless, and they don’t do anything to improve my perception of OPM or its leadership.

Dear White House. Please.Make.Her.Stop.

Via opm.gov

Update on the Cyberintrustion Investigation

Posted 8:00 PM by Katherine Archuleta

As our hardworking Federal workforce enjoys a much-deserved holiday weekend, I want to share a quick update on the ongoing investigation into the recent theft of information from OPM’s networks.

For those individuals whose data may have been compromised in the intrusion affecting personnel records, we are providing credit monitoring and identity protection services. My team has worked with our identity protection contractor to increase staff to handle the large volume of calls, and to dramatically reduce wait times for people seeking services. As of Friday, our average wait time was about 2 minutes with the longest wait time being about 15 minutes.

Thanks to the tireless efforts of my team at OPM and our inter-agency partners, we also have made progress in the investigation into the attacks on OPM’s background information systems. We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected.

I want you to know that I am as concerned about these incidents as you are. I share your anger that adversaries targeted OPM data. And I remain committed to improving the IT issues that have plagued OPM for decades.

One of my first priorities upon being honored with the responsibility of leading OPM was the development of a comprehensive IT strategic plan, which identified security vulnerabilities in OPM’s aging legacy systems, and, beginning in February 2014, embarked our agency on an aggressive modernization and security overhaul of our network and its systems. It was only because of OPM’s aggressive efforts to update our cybersecurity posture, adding numerous tools and capabilities to our networks, that the recent cybersecurity incidents were discovered.

I am committed to finishing the important work outlined in my Strategic IT Plan and together with our inter-agency partners, OPM will continue to evaluate and improve our security systems to make sure our sensitive data is protected to the greatest extent possible, across all of our networks.

We are living in an era where cybersecurity must be a priority in our lives at work and at home. I encourage you to take some time to learn about the ways you can help protect your own personal information. There are many helpful resources available on our website.

I’m wishing you a safe and relaxing 4th of July weekend.

OPM Hack Victims Must Re-Enroll Starting December 1 to Keep Monitoring Services

November 2, 2016 By domani spero in Federal Agencies, Huh? News, Security, Spectacular, State Department, Technology and Work, Trends Tags: credit monitoring, CSID, cybersecurity, data breach, fingerprints, ID Experts, identity protection, OPM, OPM hack, PII data, Winvale Group LLC 2 Comments

Posted: 12:37 am ET
[twitter-follow screen_name=’Diplopundit’ ]

Some former and current federal employees whose personal data was compromised in the OPM data breach will have to re-enroll starting December 1 to continue receiving monitoring protection from a USG contractor. OPM doesn’t say what will happen to the data, feds and former feds have already submitted to CSID, but folks who have enrolled in that service will no longer have access to their CSID account when that contract expires on December 1. The Government Executive is reporting that as many as 600,000 individuals impacted by the initial hack will need to re-enroll to continue monitoring services through ID Experts. How is it that CSID is not able to port data over to ID Experts? Below from OPM:

OPM is announcing a change to the credit monitoring and identity protection service provider that will affect a subset of individuals impacted by the personnel records cyber incident announced in the summer of 2015. Most impacted individuals will not experience any change to their current coverage, and do not need to take any action, but a subset of individuals will need to re-enroll to continue coverage.

OPM currently uses two different companies to provide credit monitoring and identity protection services free of charge to impacted individuals. Winvale/CSID covers the 4.2 million individuals impacted by the personnel records cyber incident and ID Experts (MyIDCare) covers the 21.5 million individuals impacted by the background investigations cyber incident. As of December 1, coverage under Winvale/CSID will expire.

Credit monitoring and identity protection services from Winvale/CSID expire on December 1, 2016. Once services with Winvale/CSID expire, you will no longer have access to information in your Winvale/CSID account. If you wish to review or print your credit reports or other monitoring information from your Winvale/CSID account, please log in to your account prior to December 1.

As of December 2, 2016 all individuals impacted by either incident will be eligible for coverage through ID Experts (MyIDCare).

According to OPM, individuals currently covered by ID Experts (MyIDCare) will not experience a change in their coverage or service at this time and do not need to take any action. More:

Starting December 1, individuals previously covered by Winvale/CSID will be offered services through IDExperts (MyIDCare). Impacted individuals will also still be automatically covered by identity restoration and identity theft insurance, but you will need to re-enroll with ID Experts (MyIDCare) if you would like to continue to receive monitoring services.

Most of the individuals covered by Winvale/CSID were also impacted by the background investigation records cyber incident. These individuals should already have received a letter from OPM inviting them to enroll in services with ID Experts (MyIDCare) and providing them with a 25-digit PIN code.

If you previously received a notification letter in connection with the background investigation records incident and wish to enroll with ID Experts (MyIDCare) now, you will need to use the 25-digit PIN code provided in this letter. Click here if you have your 25-digit PIN code and wish to enroll now.

If you believe you previously received a notification letter in connection with the background investigation records incident, but no longer have your original notice, you can visit the Verification Center to obtain a duplicate copy by U.S. Postal Service.

If you are in the subset of individuals who were not impacted by the background investigations incident, you will be receiving a new notification letter from OPM via the U.S. Postal service with a 25-digit PIN that you can use to enroll with ID Experts (MyIDCare). We expect to mail the majority of these notifications in November 2016.

Note that OPM makes clear that ID Experts cannot enroll victims without the 25-digit PIN code and cannot provide former/current employees with a PIN code over the phone.

As Many as 600K OPM Hack Victims Must Re-Enroll to Keep Protection Services https://t.co/7USEY2WuTh pic.twitter.com/kKfo1JiQHu

— GovExec (@GovExec) November 1, 2016

Yo! This is nuts! @USOPM changing contract and employees need to re-enroll after hack!? https://t.co/kesHFRDIq5

— Diplopundit (@Diplopundit) November 1, 2016

The #OPM breach report: A long time cominghttps://t.co/qB9E9cQHop #OPMHack #cybersecurity

— Bob Jackson (@1st_infantry) October 18, 2016

And while you’re reading how to re-enroll, you might want to read about grafted fingerprints and hackers’ long term intention, because why not? If the data has not surfaced for sale, we have to wonder what was that hack about?

My @WIRED story about the epic hack that could lead to your fingerprints getting grafted onto someone in Chengdu. https://t.co/fgllpzgCeV

— Brendan I. Koerner (@brendankoerner) October 24, 2016

OPM’s Security Clearance Backlog Now At 500,000+ Govt-Wide

September 9, 2016 By domani spero in Contractors, Diplomatic Security, Federal Agencies, Huh? News, Lessons, Realities of the FS, Security Clearance, Spectacular, Staffing the FS, State Department Tags: Bureau of Diplomatic Security, China, data breach, DS/SI/PSS, Office of Personnel Management, OPM, OPM hack, Security Clearance

Posted: 4:14 am ET
[twitter-follow screen_name=’Diplopundit’ ]

The State Department recently sent an agency-wide message from the Under Secretary for Management which provide timelines for job applicants and employees who are in the process of applying or renewing their security clearances. The Bureau of Diplomatic Security adjudicates security clearances and renewals for all State Department employees but we understand that contractors are mostly processed by the Office of Personnel Management (OPM). The message notes that OPM currently has a backlog of more than 500,000 clearances government-wide.

In terms of length of adjudication, apparently 60% of the Department’s initial Top Secret investigations are completed within six months while 66% of its initial Secret investigations are completed in four months. When compared government-wide, the Department adjudicates security clearances much faster than the government-wide average. So that’s good, except, of course, if you’re the one waiting for it, six months is a loooong time. We don’t know what is the average wait time for the remaining 40% awaiting their TS clearance or the 34% awaiting for their Secret clearance?

But the OPM backlog of more than 500,000 clearances government-wide? Not so good. With a new administration transitioning in next year, waiting for a security clearance may just be like Beetlejuice waiting at the DMV without an appointment.

Via reactiongifs.com

In related news, OPM is also in the news because the House Oversight and Reform Committee released its report yesterday on The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation (read PDF or read below). The report details the exfiltration by two hacking teams of the security background data on 21.56 million individuals, the personnel files of 4.2 million former and current US government employees and the fingerprints for 5.6 million of them.

You will not be surprised to hear that OPM/OIG has warned since at least 2005 that the information maintained by OPM was vulnerable to hackers. US-CERT had also warned the department of a malware operating on its servers in 2012, and again in 2014, CERT warned that a hacker had managed to get information out of the OPM servers. The report notes that the damage could have been mitigated if the security of the sensitive data in OPM’s critical IT systems had been prioritized and secured.

“Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity." https://t.co/dCv8AadHVh

— The Intercept (@theintercept) September 8, 2016

Read the damning dossier on the security stupidity that let China ransack OPM's systems https://t.co/KM4N6bGAKN

— John McDonald (@trimble2k) September 9, 2016

Congressional report slams OPM on data breach, describes cascading series of blunders https://t.co/M3JO9Z19ng

— briankrebs (@briankrebs) September 7, 2016

Read the report here:

Federal Employees With Stolen Fingerprints From OPM Breach – Now Up to 5.6 Million

September 23, 2015 By domani spero in Career Employees, Disasters, Federal Agencies, Huh? News, Interagency Cooperation, Security, State Department, Technology and Work Tags: cybersecurity, data breach, fingerprint data misuse, identify theft and fraud protection services, OPM, OPM hack 4 Comments

Posted: 12:05 pm EDT
Updated: 6:39 pm PDT
[twitter-follow screen_name=’Diplopundit’ ]

OPM now admits that the fingerprints of 5.6m federal employees were stolen by hackers http://t.co/4ffDbltGSy

— WIRED (@WIRED) September 23, 2015

Here is the official statement from OPM dated September 23, 2015:

As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million. This does not increase the overall estimate of 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.

Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identify theft and fraud protection services, at no cost to them. In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.

OPM and our partners across government are working to protect the safety and security of the information of Federal employees, service-members, contractors, and others who provide their information to us. Together with our interagency partners, OPM is committed to delivering high-quality identity protection services to impacted individuals. The interagency team will continue to review the impacted data to enhance its quality and completeness, and to monitor for any misuse of the data. The U.S. Government will continue to evaluate the coverage being provided and whether any adjustments are needed in association with this incident.

Sigh. Grrr. Sigh. Grrr. Sigh. Grrr. Sigh. Grrr.

Updated:

5.6m fingerprints were stolen in the OPM’s data breach. What will they be used for? http://t.co/yAKP1YxksH @ldignan pic.twitter.com/WeqvElz7Xn

— ZDNet (@ZDNet) September 23, 2015

OPM Says 5 Times More Federal Employees Had Fingerprint Data Stolen in Hack Than First Believed http://t.co/OCGNjwJjEB

— Nextgov (@Nextgov) September 23, 2015

OPM Spends $133 Million on Credit Monitoring, Still No Credit Freeze

September 4, 2015 By domani spero in Contractors, Federal Agencies, Huh? News, Security, Spectacular, State Department, Technology and Work Tags: data breach, ID Experts, Identity Theft Guard Solutions LLC, identity thief protection, OPM 2 Comments

Posted: 12:34 am PDT
[twitter-follow screen_name=’Diplopundit’ ]

On September 1, OPM announced the $133M contract for identity thief protection and credit monitoring services for the 21.5 million individuals affected by the massive OPM breach that includes security clearance data. Our go-to expert on this says that “perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.” Excerpt from Krebs on Security:

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.

Here is part of the OPM announcement:

The U.S. Office of Personnel Management (OPM) and the U.S. Department of Defense (DoD) today announced the award of a $133,263,550 contract to Identity Theft Guard Solutions LLC, doing business as ID Experts, for identity theft protection services for 21.5 million individuals whose personal information was stolen in one of the largest cybercrimes ever carried out against the United States Government. These services will be provided at no cost to the victims whose sensitive information, including Social Security numbers, were compromised in the cyber incident involving background investigations.

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” said Beth Cobert, Acting Director of the Office of Personnel Management. “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

ID Experts will provide all impacted individuals and their dependent minor children (under the age of 18 as of July 1, 2015) with credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of three years. This task order was awarded under GSA’s Blanket Purchase Agreements (BPA) for Identity Monitoring, Data Breach Response and Protection Services which GSA awarded today.

The U.S. Government, through the Department of Defense, will notify those impacted beginning later this month and continue over the next several weeks. Notifications will be sent directly to impacted individuals.

OPM (Mis)Spends $133 Million on Credit Monitoring in Wake of Breach http://t.co/uCKRq5IJ2G

— briankrebs (@briankrebs) September 2, 2015

The government will actually spend $330 million to protect victims of the #OPMhack: http://t.co/q7bV7fJK16 pic.twitter.com/EjUYXIQdWi

— Nextgov (@Nextgov) September 3, 2015

Millions hit by personal data hack still have not been told http://t.co/bZxHvUQ48o pic.twitter.com/ZOMymIy8sA

— Reuters Business (@ReutersBiz) September 2, 2015

@USOPM why are you not adding credit freeze cost/protection for victims of the OPM hack?

— Diplopundit (@Diplopundit) September 4, 2015

Heard that? Crickets.

What Information Is Collected on OPM’s Background Investigation Forms?

August 3, 2015 By domani spero in Federal Agencies, Govt Documents, Security, Security Clearance, Spectacular, State Department, Technology and Work, Trends Tags: cybersecurity, data breach, National Security Positions, Non-Sensitive Positions, OPM, OPM hack, Positions of Public Trust, Security Clearance

Posted: 2:44 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Via CRS Insight

The information collected will depend on the applicant’s position and the type of background investigation required. OPM uses three standard forms for background investigations: SF-85, SF-85P, or SF-86 form. The forms are typically submitted electronically using OPM’s Electronic Questionnaires for Investigations Processing (e-QIP) system. OPM had suspended use of e-QIP “for security enhancements,” but re-enabled the system on July 23, 2015.

Data Collected for Non-Sensitive Positions

The eight-page SF-85 is required for applicants to non-sensitive positions (e.g., positions that do not require a security clearance) who require physical access to government facilities and who are in positions with a “low risk” to cause damage to the federal government or national security. The responsibilities of these positions are limited and there is little opportunity to use such positions for personal gain. For this reason, the information collected is relatively limited in scope and includes

full name, aliases, and SSN;
citizenship information;
employment information and addresses for the past five years; and
information on use or possession of illegal drugs (including marijuana) in the previous year.

Data Collected for “Positions of Public Trust”

The 11-page SF-85P is required for applicants in “Positions of Public Trust,” (i.e., positions that do not involve access to classified information, but that demand a “significant degree of public trust” due to the level of policymaking or other responsibilities). These positions may involve a “significant risk for causing damage [to the federal government] or realizing personal gain.” In addition to the information listed above, the SF-85P requires

identifying information (e.g., height, weight, eye and hair color);
military service information;
employment information and addresses for the past seven years; schools, if any, attended during the past seven years;
name, address, and telephone number of three personal references and immediate family members;
criminal arrests and/or convictions for the past seven years (excluding incidents prior to the applicant’s 16th birthday or traffic fines under $150);
financial information, including bankruptcies during the past seven years and any delinquent financial obligations;
foreign travel during the past seven years; and
information on use or possession of illegal drugs (including marijuana) in the previous year and any illegal purchase, sale, or transport of drugs in the previous seven years.

Data Collected for Security Clearances and Other National Security Positions

The 127-page SF-86 form is required for applicants to national security sensitive positions, which includes (but is not limited to) positions that require a security clearance. In addition to the information listed above, the SF-86 requires

employment information and home addresses for the past 10 years;
schools attended for the past 10 years, including a reference at each school attended;
personal information (including SSN) for current spouse or cohabitant;
foreign contacts, travels, and/or activities;
associations with individuals or groups dedicated to terrorism or the violent overthrow of the U.S. government;
details on applicant’s “psychological and emotional health,” including, with certain exceptions, details on treatments during the past seven years;
additional information on criminal activities, including convictions or charges involving firearms or explosives;
alcohol use in the past seven years that has negatively impacted the applicant’s work, personal relationships, finances, or resulted in “intervention by law enforcement/public safety personnel”;
use, possession, or other involvement with illegal drugs (including marijuana) in the past seven years or at any time while holding a clearance;
details on the applicant’s financial condition and civil court actions; and improper use of information technology systems.

What Other Records Are Contained in OPM’s Personnel Security Background Investigation Files?

OPM’s systems also include information gathered by investigators during the background investigation process, such as summaries of interviews with the applicant’s family members, co-workers, friends, and neighbors. Additionally, investigators may run credit checks, pull civil and criminal court records, and run checks of state and federal agency records to verify information that the applicant provided on the application.

According to OPM’s most recent Privacy Act Notice, personnel investigation records may also include information provided by other agencies, such as:

Internal Revenue Service income tax returns;
prior security clearance investigative records; and
clearance adjudicative records, including polygraph results, if applicable.

It is unclear from OPM’s news release if these types of investigative records were compromised in the breach.

OPM to Charge Agencies for Credit Monitoring Offered to Federal Employees

July 22, 2015 By domani spero in Federal Agencies, Foreign Service, FSOs, Huh? News, Security, Security Clearance, Spectacular, State Department, Technology and Work, Trends Tags: AFSA, background investigation, credit monitoring, cybersecurity, data breach, data breach insurance, fingerprints, OPM, OPM hack, Under Secretary for Management

Posted: 2:32 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

The latest update from “M” on the OPM breach dated July 15, notes that “The State Department never transferred personnel records to the OPM facility. However, if you had other U.S. Government service prior to joining State, you may have had records that were involved.” On the background information breach, it says that “State Department employees’ SF-85 and SF-86 forms (depending on the appointment) were in the OPM system and thus were impacted. However, other background investigation material was not.”

If you have additional questions email DG DIRECT [DGDIRECT@STATE.GOV] or OPM’s new email: cybersecurity@opm.gov

AFSA’s latest update to its membership is dated July 10 and available to read here.

Some developments on the fallout from the data breach:

OPM to Charge Agencies for Services Offered to Hack Victims http://t.co/n3U64ikPqy pic.twitter.com/cqws9hoJ6u

— GovExec (@GovExec) July 21, 2015

Agencies caught off guard by OPM’s pay-to-play credit monitoring http://t.co/DJuhaGgCJg — Blogs of War (@BlogsofWar) July 21, 2015

Reading between the lines, OPM didn’t have data breach insurance. Do all fed agencies self-insure for cyber? http://t.co/SnmPpj4uCe

— Christopher Soghoian (@csoghoian) July 21, 2015

U.S. Army alert called OPM emails “phishing scam,” delaying aid to military hacking victims http://t.co/NOqj3TjefE pic.twitter.com/2PgoKCil7v — Jana Winter (@janawinter) July 21, 2015

We told you so: OPM data breach reveals poor data security and weak legal protections. It’s time to revisit: https://t.co/Uyt1sghWUv

— EFF (@EFF) July 19, 2015

.@Fedscoop traces the history of the recent data breaches at #opm http://t.co/2LviyOeYzD #opmhack @USOPM pic.twitter.com/Ta1opHrP66 — FedScoop (@fedscoop) July 18, 2015

Why the “biggest government hack ever” got past the feds http://t.co/X1IBJmLb8t

— Diplopundit (@Diplopundit) July 22, 2015

OPM won’t recover from the massive data breach until most retire, from @DanielVerton http://t.co/GFlx4MXtUP @usopm opmhack #cybersecurity

— FedScoop (@fedscoop) July 17, 2015

How Much Damage Can Hackers Do With a Million Fingerprints From the OPM Data Breach? http://t.co/Y3pEbJrpOg pic.twitter.com/gCXPic2TY2 — GovExec (@GovExec) July 14, 2015

New OPM Chief Calls Anxious Lawmakers to Share Her ‘Enthusiasm’ for Fixing Agency http://t.co/Hc30eAfJQR pic.twitter.com/N8MjXaZAy3

— GovExec (@GovExec) July 15, 2015

There’s a lot that’s laughable in the line govt gave WaPo on why they’re not retaliating v. China on OPM hack. https://t.co/p9b9itaHqY — emptywheel (@emptywheel) July 22, 2015

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: