#OPMBreach: Back to Paper SF-86s, No More Social Media at OPM, Scary Movie Chinese Edition

Posted: 2:15 pm EDT

OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info

Posted: 3:39 am EDT

On June 4, WaPo reported that hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, and that the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.

We should note that OPM’s Federal Investigative Services (OPM-FIS) oversees approximately 90% of all background investigations.

Reuters reported on June 6 that most of the State Department employees had not been exposed to the breach because their data was not housed on the hacked OPM systems. Apparently, only those who had previously been employed by another federal agency may have been exposed, it said. Did you get the notice on the data breach?

It appears, however, that OPM has a requirement that all candidates being offered positions of employment at U.S. government agencies or departments, including at the State Department, are to complete their Questionnaires for National Security Positions (SF-86) on-line via the electronic Questionnaires for Investigations Processing (e-QIP). We don’t know what happens to those completed questionnaires after they are submitted to OPM; are they transferred to the State Department and deleted from OPM servers?

OPM released the following statement:

The U.S. Office of Personnel Management (OPM) has identified a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information (PII).

Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.  As a result, in April 2015, OPM detected a cyber-intrusion affecting its information technology (IT) systems and data. The intrusion predated the adoption of the tougher security controls.

OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel. OPM continues to improve security for the sensitive information it manages and evaluates its IT security protocols on a continuous basis to protect sensitive data to the greatest extent possible. Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.

As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII may have been compromised.  Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary.  In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services.  This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”

OPM has issued the following guidance to affected individuals:

•Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

•Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.

•Review resources provided on the FTC identity theft website, www.identitytheft.gov.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

•You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:

•Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

•Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

•Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

•Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).

•Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

•If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

•Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).

•Take advantage of any anti-phishing features offered by your email client and web browser.

•Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Potentially affected individuals can obtain additional information about the steps they can take to avoid identity theft from the following agencies. The FTC also encourages those who discover that their information has been misused to file a complaint with them.


#

Asking about the security clearance logjam: “Seriously? I suggest we sent her to FLO…” Seriously, let’s not!

Posted: 12:46 am EDT

According to Diplomatic Security’s FAQ, the general time to process a security clearance averages about 120 days. But the Department of State has apparently initiated a goal to render a security clearance decision in 90 days. We have, however, heard complaints that eligible family members (EFMs) overseas waiting to start on jobs have been caught in a security clearance logjam, with some waiting much longer than four months. We’ve also heard rumors that DS no longer issues an interim security clearance.

So we thought we’d ask the Diplomatic Security clearance people. We wanted clarification concerning interim clearances and the backlogs, what can post do to help minimize the backlogs and what can EFMs do if they have been waiting for months without a response.

We sent our inquiry to Grace Moe, the head of public affairs at the Diplomatic Security Service (DSS). We did not get any response. Three days later, we sent a follow-up email to her deputy and to the group’s security clearance mailbox. Shortly thereafter, an email popped up on my screen from the Security Specialist at DS’s Customer Service Center of the Office of Personnel Security/Suitability:

“Seriously? I suggest we sent her to FLO…”

Somebody suggesting they send Diplopundit to the FLO? Let’s not. We’re not privy to the preceding conversation on that email trail. But seriously, a straightforward inquiry on security clearance should not be pushed over to the Family Liaison Office (FLO) just because it’s related to family members.

So we told DS that we sent the security clearance inquiry to them for a very good reason and that we would appreciate a response unless they want to decline comment.

The lad at the Customer Service Center wrote back with a lame response that they will answer, but he was not sure about our email because it ends with a .net. Apparently, we’re the only one left in the world who has not moved over to dot com.  And he asked if it would be possible to obtain a name from our office.

Whaaaat? The next thing you know, they’ll want a phone date.

We’re sorry to inform you but this Customer Service not only shovels inquiries elsewhere but it also cannot read and see contact names on emails. So days later, Customer Service is still waiting for us to provide them a name that’s already on the email we sent them. That kind of redundant efficiency is amazing, but we hate to waste any more of our time playing this game.

So we asked a DS insider, who definitely should get double pay for doing the Customer Service’s job. But since the individual is not authorized to speak officially, try not to cite our source as your source when you deal with that DS office.

Anyway, we were told that it is not/not true that DS no longer issues interim clearances. Apparently, what happens more frequently is that HR forgets to request an interim clearance when it makes the initial request. So your paperwork just goes into a big pile. And you wait, and wait, and wait. So if you’re submitting your security paperwork, make sure you or your hiring office confirms with HR that they have requested an interim clearance.

We were going to confirm this with HR except that those folks appear to have an allergic reaction to our emails.

In any case, the logjam can also result from the FBI records checks. If the FBI has computer issues, that, apparently, can easily put tens of thousands of cases behind because without the results of the FBI check, “nothing can be done.” There’s nothing much you can do about that except pray that the FBI has no computer issues.

We also understand that the Office of Personnel Security/Suitability or PSS is backed up because of a heavy case load. “Posts seem to be requesting clearances with reckless abandon.” We were cited an example where an eligible family member (EFM) works as a GSO housing coordinator. The EFM GSO coordinator has access to the same records as the local staff working at the General Services Office but he/she gets a security clearance.

The Bureau of Human Resources determines whether a Department of State position will require a security clearance, as well as the level required, based upon the duties and responsibilities of the position. So in this example, HR may determine that the EFM GSO housing coordinator needs a clearance because he/she knows where everybody lives – including people from other agencies.  Again, that same information is also accessible to the  Foreign Service Nationals working as locally employed staff at GSO and HR.

Not sure which EFM jobs do not require a security clearance.  We understand that HR routinely asks for it when hiring family members.  Of course, this practice can also clog up the process for everyone in the system.  Routinely getting a clearance is technically good because an EFM can take that security clearance to his/her next job.  The Department of State will revalidate a security clearance if (1) the individual has not been out of federal service for more than 2 years and (2) if the individual’s clearance is based on an appropriate and current personnel security clearance investigation.  So the next time an EFM gets a job in Burkina Faso or back in Foggy Bottom, the wait won’t be as long as the clearance only requires revalidation.

And there is something else. Spouses/partners with 52 weeks of creditable employment overseas get Executive Order Eligibility, which enables them to be appointed non-competitively to a career-conditional appointment in the Civil Service once they return to the U.S. A security clearance and executive order eligibility are certainly useful when life plunks you back in the capital city after years of being overseas.

There is no publicly available data on how many EFMs have security clearances. But we should note that EFMs with security clearance are not assured jobs at their next posts. And we look at this as potentially a wasted resource (see below). EFMs who want jobs start from scratch on their security package only when they are conditionally hired. So if there’s an influx of a large number of new EFMs requesting security clearance, that’s when you potentially will have a logjam.

Back in 2009, we blogged about this issue (some of the numbers below are no longer current):

We have approximately 2,000 out of 9,000 family members who are currently working in over 217 missions worldwide. The majority, if not all, of them already have, at the minimum, a “Secret” level clearance. And yet, when they relocate to other posts, it is entirely possible that they won’t find work there. The average cost to process a SECRET clearance has been reported to run from several hundred dollars to $3,000, depending on individual factors. The average cost to process a TOP SECRET clearance is between $3,000 and about $15,000, depending on individual factors. Given that most FS folks spend the majority of their lives overseas, the $3,000 for a Secret clearance process for EFMs would be way too low. But let’s assume that all the EFMs currently working only have a Secret level clearance – at $3,000 each that’s still 6 million USD right there. Even if only 500 of them lost their jobs due to regular reassignment, that’s 1.5M USD that’s not put to effective use.

So here’s the idea – why can’t we create an EFM Virtual Corps? The EFMs who are already in the system could be assigned a specialization based on prior work experience within the US Mission. When not employed at post, their names could be added to the EFM Virtual Corps, a resource for other posts who require virtual supplementary or temporary/ongoing support online. Their email and Intranet logon should be enabled to facilitate communication while they are on a float assignment and their reporting authority should be a straight line to a central coordinator at Main State and a dotted line to the Management Counselor at post. I know, I know, somebody from HR probably has a ready list of reasons on why this can’t be done, but – how do we know if this works or not if we don’t try? The technology is already available, we just need organizational will and some, to make this work.

Here’s our related post on this topic: No Longer Grandma’s Foreign Service. You’re welcome to post this on the leadership site behind the State Department firewall. Hey, the somebodies already post our burn bag entries there, so why not this one?

 #

Dear Future D/MR Heather Higginbottom — Your Third Priority Up Close With Prospective Savings

— Domani Spero

We would guess from the kind of email we get that a good number of our readers are not newbies or prospective employees of the State Department.  But every now and then, we’d hear from folks interested in joining the Foreign Service.  Recently, we heard from a prospective employee informing us that there are 600 individuals currently waiting on the State Department “Register.”

“Some have even lost their jobs after having Diplomatic Security show up to interview their supervisors and coworkers, only to be timed off the register for lack of hiring.”

Of course, being on the Register does not guarantee that you will be given a firm offer of employment.  But it means that 600 people have taken and passed the Foreign Service Officer Test (FSOT), have submitted their Personal Narratives, have passed the QEP and taken the Oral Assessment, have completed the required clearances: Medical and Security, have gone through the  Final Review Panel and are waiting on The Register, the rank-ordered list of successful candidates, sorted by career track.

Here is careers.state.gov:

“You should be aware that your placement on the Register does not guarantee an appointment as a Foreign Service Officer, for the number of appointments depends on the needs of the Foreign Service. Your rank-order on the Register is dynamic. People with higher scores will be placed above you regardless of when they are placed on the Register. Likewise, you will be placed above candidates with lower scores, regardless of how long they have been on the Register. Your name may stay in the Register for a maximum of 18 months. After that, your name will be removed. You may decline the first offer of employment. If you decline a second offer, your name will be removed from the Register.”


But … but … the State Department makes no mention that an invitation to join the Foreign Service depends not only on the “needs of the Foreign Service”; it also depends on funding from Congress.

Below is an extract from FY2014 State and Foreign Operations Budget Request:

The Administration’s FY2014 request seeks to grow its Human Resources account (under Diplomatic & Consular Programs) by 5% over its FY2012 level, to a total of $2.60 billion. While the Administration’s FY2014 request indicates that it plans 186 new positions at the Department of State altogether, 151 of these would be funded by consular fees and devoted to meeting increasing visa demand. The remaining 35 new positions (30 Foreign Service, 5 Civil Service) for which State seeks appropriated funding would be focused on the high priorities of the “rebalance” to Asia, and to staffing the Secretary’s Office of the Coordinator for Cyber Issues. As a point of comparison, the State Department requested appropriated funding for 121 new positions in its FY2013 request, and for 133 in its FY2012 request.

It is not clear from the justification above if the 186 new positions are FSOs or Limited Career Appointees (LNAs) tasked to handle visa work in selected places around the globe (Brazil, China, Mexico).  But what is clear is given the budget constraints, officials at the State Department know that their authority to hire new employees is severely restricted.

And yet, the FSOT continues to be administered multiple times a year. Interviews continue to be conducted. The selection process continues to chug along as usual, resulting in a glut of candidates waiting on the Register. A good number of these individuals will most probably time out after 18 months.

So we asked a former State Department official who previously worked at BEX if this makes sense.  And got a royal scolding. Like, “what planet are you living in, girl?” Apparently, it’s what they do “free from reality” according to our source.

“It means little if there are 10 or 10,000 on the register. Also, all those people in HR and DS have to be kept busy, so they march on.”

That’s a little harsh, right?

But look,  if 600 people are sitting on the Register, that’s 600 candidates ready to hire.  Which also means the State Department had already paid for the medical examination of these individuals.  In addition, it had already conducted “a comprehensive background investigation, in cooperation with other federal, state, and local agencies, and has determined each candidate’s suitability for appointment to the Foreign Service and for a Top Secret security clearance.”

According to the GAO, the fiscal year 2012 base price for a top secret clearance investigation conducted by OPM is $4,005 and the periodic reinvestigation is $2,711. For the State Department, the Bureau of Diplomatic Security’s Office of Personnel Security and Suitability conducts all national agency and credit history checks in support of their investigations. Diplomatic Security investigators located worldwide also conduct all other investigative leads, which includes local law enforcement checks. While there is no readily available data on the TS clearance adjudications for State, it has been suggested elsewhere that the average cost to process a TS clearance is between $3,000 and about $15,000, depending upon individual factors.

If we take the lower figure, $6,700 X 600 = $4,020,000.

If we take the upper figure, $15,000 X 600 = $9,000,000.

The actual cost of processing the TS clearance for 600 candidates sitting on the Register is probably somewhere in the middle.  Add the medical clearance cost for the candidates and family members and you got quite a pile of money there.

If we only hire a third from that pool of candidates, how much money have we wasted?

President Obama recently announced the nomination of Heather Higginbottom, the new Counselor in the Office of the Secretary of State to be the third Deputy Secretary of State for Management and Resources. During her November confirmation hearing, Ms. Higginbottom told the Senate that her third priority, if confirmed, will be management, reform, and innovation.

Well, here’s one place to start.

* * *