OPM Hack Victims Must Re-Enroll Starting December 1 to Keep Monitoring Services

Posted: 12:37 am ET

Some former and current federal employees whose personal data was compromised in the OPM data breach will have to re-enroll starting December 1 to continue receiving monitoring protection from a USG contractor. OPM doesn’t say what will happen to the data that feds and former feds have already submitted to CSID, but those who enrolled in that service will no longer have access to their CSID account when that contract expires on December 1. Government Executive is reporting that as many as 600,000 individuals impacted by the initial hack will need to re-enroll to continue monitoring services through ID Experts. How is it that CSID is not able to port data over to ID Experts? Below from OPM:

OPM is announcing a change to the credit monitoring and identity protection service provider that will affect a subset of individuals impacted by the personnel records cyber incident announced in the summer of 2015. Most impacted individuals will not experience any change to their current coverage, and do not need to take any action, but a subset of individuals will need to re-enroll to continue coverage.

OPM currently uses two different companies to provide credit monitoring and identity protection services free of charge to impacted individuals. Winvale/CSID covers the 4.2 million individuals impacted by the personnel records cyber incident and ID Experts (MyIDCare) covers the 21.5 million individuals impacted by the background investigations cyber incident. As of December 1, coverage under Winvale/CSID will expire.

Credit monitoring and identity protection services from Winvale/CSID expire on December 1, 2016. Once services with Winvale/CSID expire, you will no longer have access to information in your Winvale/CSID account. If you wish to review or print your credit reports or other monitoring information from your Winvale/CSID account, please log in to your account prior to December 1.

As of December 2, 2016 all individuals impacted by either incident will be eligible for coverage through ID Experts (MyIDCare).

According to OPM, individuals currently covered by ID Experts (MyIDCare) will not experience a change in their coverage or service at this time and do not need to take any action. More:

Starting December 1, individuals previously covered by Winvale/CSID will be offered services through ID Experts (MyIDCare). Impacted individuals will also still be automatically covered by identity restoration and identity theft insurance, but you will need to re-enroll with ID Experts (MyIDCare) if you would like to continue to receive monitoring services.

Most of the individuals covered by Winvale/CSID were also impacted by the background investigation records cyber incident. These individuals should already have received a letter from OPM inviting them to enroll in services with ID Experts (MyIDCare) and providing them with a 25-digit PIN code.

If you previously received a notification letter in connection with the background investigation records incident and wish to enroll with ID Experts (MyIDCare) now, you will need to use the 25-digit PIN code provided in this letter. Click here if you have your 25-digit PIN code and wish to enroll now.

If you believe you previously received a notification letter in connection with the background investigation records incident, but no longer have your original notice, you can visit the Verification Center to obtain a duplicate copy by U.S. Postal Service.

If you are in the subset of individuals who were not impacted by the background investigations incident, you will be receiving a new notification letter from OPM via the U.S. Postal Service with a 25-digit PIN that you can use to enroll with ID Experts (MyIDCare). We expect to mail the majority of these notifications in November 2016.

Note that OPM makes clear that ID Experts cannot enroll victims without the 25-digit PIN code and cannot provide former/current employees with a PIN code over the phone.

Read more here: https://www.opm.gov/cybersecurity/ and https://www.opm.gov/cybersecurity/personnel-records/.

And while you’re reading how to re-enroll, you might want to read about grafted fingerprints and the hackers’ long-term intention, because why not? If the data has not surfaced for sale, we have to wonder what that hack was about.

#

State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016, Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to govern system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security provided comments on a draft of the report. Because the comments were marked sensitive, they have been reprinted, in their entirety, in the classified annex of the report (AUD-IT-16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#