New Directive: Social Media Info Collection For Security Clearance Background Investigations

Posted: 1:37 am ET

 

On May 12, 2016, the Director of National Intelligence (DNI) authorized the use of social media by official investigators who are conducting background investigations for security clearances.

The directive addresses the collection and use of publicly available social media information during the conduct of personnel security background investigations and adjudications for determining initial or continued eligibility for access to classified national security information or eligibility to hold a sensitive position and the retention of such information. This affects prospective hires and all employees who are subjects of periodic investigations.

The policy says that agencies “may choose to collect publicly available social media information in the personnel security background investigation process, which pertains to the covered individual’s associations, behavior and conduct, as long as the information pertains to the adjudicative guidelines for making determinations of initial or continued eligibility for access to classified information or eligibility to hold a sensitive position.”

  • Authorized investigative agencies may collect, use, and retain publicly available social media information as part of a covered individual’s background investigation and, if collected, shall incorporate the relevant results in the investigative record. The period of coverage for publicly available electronic information will be consistent with the scope of the investigation.
  • Authorized adjudicative agencies may use and retain publicly available social media information when determining initial or continued eligibility of a covered individual for access to classified information or eligibility to hold a sensitive position.
  • Collection of publicly available social media information shall only be conducted after obtaining the signed Authorization for Release of information form of the Standard Form 86, Questionnaire for National Security Positions, which includes notice of the collection of such information.
  • Only publicly available social media information pertaining to the covered individual under investigation shall intentionally be collected. Absent a national security concern, or criminal reporting requirement, information pertaining to individuals other than the covered individual will not be investigated or pursued. Information inadvertently collected relating to other individuals will not be retained unless that information is relevant to a security determination or the covered individual.

The directive says that covered individuals “shall not be requested or required” to provide passwords, log into a private account; or take any action that would disclose non-publicly available social media information. Agencies are also precluded from creating accounts or using existing accounts on social media for the purpose of connecting (e.g., “friend”, “follow”) to a covered individual or enlist the assistance of a third party in order to bypass privacy controls and/or access otherwise non-publicly available social media information.

Read more below or see Collection, Use, and Retention of Publicly Available Social Media Information in Personnel Security Background Investigations and Adjudications, Security Executive Agent Directive 5, May 12, 2016.

Via FAS/Secrecy News:

 

#


OPM Announces Temporary Suspension of the E-QIP System For Background Investigation

Posted: 12:19 am EDT

 

On June 29, OPM announced the temporary suspension of the online system used to submit background investigation forms. The system could be offline for 4-6 weeks. Below via opm.gov:

WASHINGTON, D.C. – The U.S. Office of Personnel Management today announced the temporary suspension of the E-QIP system, a web-based platform used to complete and submit background investigation forms.

Director Katherine Archuleta recently ordered a comprehensive review of the security of OPM’s IT systems. During this ongoing review, OPM and its interagency partners identified a vulnerability in the e-QIP system. As a result, OPM has temporarily taken the E-QIP system offline for security enhancements. The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network.

OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented. OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so.  In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies’ requirements.

“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,” said OPM Director Archuleta. “This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”

#

Meanwhile, on June 22, AFSA sent a letter to OPM Director Katherine Archuleta with the following requests:

[Image: screenshot of the AFSA letter, via afsa.org]

 

On June 25, AFSA was one of the 27 federal-postal employee coalition groups that urged President Obama to “immediately appoint a task force of leading agency, defense/intelligence, and private-sector IT experts, with a short deadline, to assist in the ongoing investigation, apply more forceful measures to protect federal personnel IT systems, and assure adequate notice to the federal workforce and the American public.” (read letter here: AFSA Letter sent in conjunction with the Federal-Postal Coalition | June 25, 2015 | pdf)

#

“M” Writes Update to State Department Employees Regarding OPM Breach

Posted: 1:36 pm EDT

 

It took 18 days before I got my OPM notification on the PII breach. Nothing still on the reported background investigation breach. OPM says it will notify those individuals whose BI information may have been compromised “as soon as practicable.”  That might not happen until the end of July! The hub who previously worked for State and another agency has yet to get a single notification from OPM. We have gone ahead and put a fraud alert for everyone in the family. What’s next? At the rate this is going, will we soon need fraud alerts for the pets in our household? They have names and passports, and could be targeted for kidnapping, you guys!!

And yes, I’ve watched the multiple OPM hearings now, and no, I could not generate confidence for the OPM people handling this, no matter how hard I try. Click here for the timeline of the various breaches via nextgov.com, some never disclosed to the public.

Still waiting for the White House to do a Tina Fey:

[GIF: “you’re all fired,” via giphy.com]

On June 25, the Under Secretary for Management, Patrick Kennedy sent a message to State Department employees regarding the OPM breach. There’s nothing new on this latest State update that we have not seen or heard previously except the detail from the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov (pdf) on how to protect personal information from exploitation (a tad late for that, but anyways …) because Foreign Intelligence Services and/or cybercriminals could exploit the information and target you.

Wait, what did OPM say about families? “[W]e have no evidence to suggest that family members of employees were affected by the breach of personnel data.” 

Via the NCSC:

[Image: screenshot, via the NCSC]

no kidding!

[Image: screenshot, via the NCSC]

you don’t say!

Here is M’s message from June 25, 2015 to State employees. As far as we know, this is the first notification posted publicly online on this subject, which is good as these incidents potentially affect not just current employees but prospective employees, former employees, retirees and family members.

Dear Colleagues,

I am writing to provide you an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM) which has just been received.

As we have recently shared, on June 4th, OPM announced an intrusion impacting personnel information of approximately four million current and former Federal employees. OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. Additional information is available on the company’s website, https://www.csid.com/opm/ and by calling toll-free 844-777-2743 (international callers: call collect 512-327-0705). More information can also be found on OPM’s website: www.opm.gov.

Notifications to individuals affected by this incident began on June 8th on a rolling basis through June 19th. However, it may take several days beyond June 19 for a notification to arrive by email or mail. If you have any questions about whether you were among those affected by the incident announced on June 4, you may call the toll free number above.

On June 12th, OPM announced a separate cyber intrusion affecting systems that contain information related to background investigations of current, former, and prospective Federal Government employees from across all branches of government, as well as other individuals for whom a Federal background investigation was conducted, including contractors. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). The investigators are working to determine the exact number and list of potentially affected individuals. We understand that many of you are concerned about this intrusion. As this is an ongoing investigation, please know that OPM is working to notify potentially affected individuals as soon as possible. The Department is working extensively with our interagency colleagues to determine the specific impact on State Department employees.

It is an important reminder that OPM discovered this incident as a result of the agency’s concerted and aggressive efforts to strengthen its cybersecurity capabilities and protect the security and integrity of the information entrusted to the agency. In addition, OPM continues to work with the Office of Management and Budget (OMB), the Department of Homeland Security, the FBI, and other elements of the Federal Government to enhance the security of its systems and to detect and thwart evolving and persistent cyber threats. As a result of the work by the interagency incident response team, we have confidence in the integrity of the OPM systems and continue to use them in the performance of OPM’s mission. OPM continues to process background investigations and carry out other functions on its networks.

Additionally, OMB has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks. We are working with OMB to ensure we are enforcing the latest standards and tools to protect the security and interests of the State Department workforce.

We will continue to update you as we learn more about the cyber incidents at OPM. OPM is the definitive source for information on the recent cyber incidents. Please visit OPM’s website for regular updates on both incidents and for answers to frequently asked questions: www.opm.gov/cybersecurity. We are also interested in your feedback and questions on the incident and our communications. You can reach out to us at DG DIRECT (DGDirect@state.gov) with these comments.

State Department employees who want to learn additional information about the measures they can take to ensure the safety of their personal information can find resources at the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov. The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.Identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

Read in full here.

#

Burn Bag: Family Members Not Affected by #OPMHack? Here’s the Missing GIF From OPM’s Website

Via Burn Bag:

OPM, in the FAQ section of the CSID website, declares that our family members were “not affected by this breach. The only data potentially exposed as a result of this incident is your personal data.”  Thus, our family members cannot use the credit monitoring and identity theft protection services.  But wait.  My spouse’s name, date of birth, place of birth, passport number, and social security number were listed in my SF-86.  And my SF-86 has been compromised.  So hasn’t my spouse been “affected” by this breach, too?

So far no one has been fired, no one has accepted responsibility for the breach, and the OPM notification letter says, “Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.”

via reactiongifs.com

 

ALL Foreign Affairs Agencies Affected By #OPMHack: DOS, USAID, FCS, FAS, BBG and APHIS

Posted: 6:15 pm PDT

 

AFSA has now issued a notice to its membership on the OPM data breach. Below is an excerpt:

On Thursday June 4, the Office of Personnel Management (OPM) became aware of a cybersecurity incident affecting its systems and data. AFSA subsequently learned that the Personally Identifiable Information (PII) of many current and former federal employees at the foreign affairs agencies have been exposed as a result of this breach.

The most current information provided to AFSA indicates the following: Most current, former and prospective federal employees at ALL foreign affairs agencies have been affected by this breach. That includes the State Department, USAID, FCS, FAS, BBG and APHIS. OPM discovered a new breach late last week which indicates that any current, former or prospective employee for whom a background investigation has been conducted is affected.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service. All the foreign affairs agencies suggest that those affected should contact the firm listed below. Members of the Foreign Commercial Service may additionally contact Commerce’s Office of Information Security at informationsecurity@doc.gov.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks.  To protect yourself, we encourage you to check the following:

  1. Make sure the sender email address is “opmcio@csid.com”.
  2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.
  3. The email subject should be exactly “Important Message from the U.S. Office of Personnel Management CIO”.
  4. Do not click on the included link. Instead, record the provided PIN code, open a web browser, manually type the URL http://www.csid.com/opm into the address bar and press enter. You can then use the provided instructions to enroll using CSID’s Web portal.
  5. The email should not contain any attachments. If it does, do not open them.
  6. The email should not contain any requests for additional personal information.
  7. The official email should look like the sample screenshot below.

image via afsa.org

Additional information has been made available on the company’s website, www.csid.com/opm, and by calling toll-free 844-777-2743 (International callers: call collect 512-327-0705).

Agency-Specific Points of Contact:

If you have additional questions, contact AFSA’s constituency vice presidents and representatives:

Read the full announcement here.
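
Items 1, 2, 3 and 5 of the checklist in the notice can be checked mechanically against a saved copy of the message. The following Python is an added example, not part of the AFSA notice or this blog; the sender and subject come from the notice, while the work address, the lookalike domain and the sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Values quoted in the notice above.
EXPECTED_SENDER = "opmcio@csid.com"
EXPECTED_SUBJECT = "Important Message from the U.S. Office of Personnel Management CIO"
WORK = "jane.doe@agency.example"  # hypothetical work address (assumption)


def check_notification(raw, work_address):
    """Return {checklist item: reason} for each of items 1, 2, 3, 5 that fails."""
    msg = message_from_string(raw, policy=policy.default)
    failures = {}

    # Item 1: compare the parsed address, not the display name (free text that
    # can itself be made to look like the expected address).
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    if senders != [EXPECTED_SENDER]:
        failures[1] = f"unexpected sender {senders}"

    # Item 2: the work address must be the only addressee in To, Cc and Bcc.
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers += msg.get_all(name, [])
    recipients = [a.lower() for _, a in getaddresses(headers)]
    if recipients != [work_address.lower()]:
        failures[2] = f"unexpected recipients {recipients}"

    # Item 3: the notice says "exactly", so no case folding or trimming.
    if str(msg.get("Subject", "")) != EXPECTED_SUBJECT:
        failures[3] = "subject differs from the announced text"

    # Item 5: any attachment part is a failure.
    names = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
    if names:
        failures[5] = f"attachments present: {names}"
    return failures


def build_sample(sender, to, subject, cc=None, attach=False):
    """Build a constructed test message (not a real OPM/CSID notification)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    if cc:
        m["Cc"] = cc
    m.set_content("Constructed body. PIN: 0000")
    if attach:
        m.add_attachment(b"%PDF-", maintype="application", subtype="pdf",
                         filename="enroll.pdf")
    return m.as_string()


if __name__ == "__main__":
    good = build_sample(EXPECTED_SENDER, WORK, EXPECTED_SUBJECT)
    print("good:", check_notification(good, WORK))

    # Display name imitates the real sender; the actual address does not match.
    bad = build_sample('"opmcio@csid.com" <notify@lookalike.example>', WORK,
                       EXPECTED_SUBJECT.replace("Message", "message"),
                       cc="someone.else@agency.example", attach=True)
    for item, reason in sorted(check_notification(bad, WORK).items()):
        print(f"item {item}: {reason}")
```

Passing these checks does not authenticate the message, because the From header can be forged; items 4, 6 and 7 still need a human reader.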

Amidst this never ending round of data breaches, go ahead and read Brian Krebs’ How I Learned to Stop Worrying and Embrace the Security Freeze. The USG is not offering to pay the cost of a credit freeze but it might be worth considering.

Of course, the security freeze does not solve the problem if the intent here goes beyond stealing USG employees’ identities. If the hackers were after the sensitive information contained in the background investigations, for use at any time in the future, we’re not sure that a credit freeze, credit monitoring and/or ID theft protection can do anything to protect our federal employees.

Security clearance investigations, by their very nature, expose people’s darkest secrets — the things a foreign government might use to blackmail or compromise them such as drug and alcohol abuse, legal and financial troubles and romantic entanglements. (via)

I understand why the USG has to show that it is doing something to address the breach but — if a foreign government, as suspected, now has those SF-86s, how can people protect themselves from being compromised? If this is not about compromising credit, or identities of USG employees but about secrets, credit monitoring and/or ID theft protection for $20 Million will be an expensive but useless response, wouldn’t it?

#

1) More Systems Compromised in #OPMHack, 2) A Love Letter to Hackers, and 3) What’s a Credit Freeze?

Posted: 3:29 am EDT

 

On June 4, OPM released a statement on “a cybersecurity incident” that potentially affected personnel data of current and former federal employees, including personally identifiable information (PII) (see OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info).  The initial estimate was that the OPM hack affected potentially 4 million employees. On June 12, fedscoop reported that the American Federation of Government Employees (AFGE) believed that the breach may have compromised personal data of as high as 14 million employees.

We understand that the State Department issued a notice to employees concerning the OPM breach on June 4. A second notice dated June 12 (am told this was actually a June 11 notice) was shared with BuzzFeed (see below). Several unnamed State Department employees were quoted in that BuzzFeed article, a tell-tale sign of growing frustration that we can also see from our inbox.


Excerpt from email sent by Under Secretary of Management Pat Kennedy on June 12 (via BuzzFeed)

This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]

As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:

1. Make sure the sender email address is [DELETED]

2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.

3. The email subject should be exactly [DELETED]

4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL [DELETED]. You can then use the provided instructions to enroll [DELETED].

5. The email should not contain any attachments. If it does, do not open them.

6. The email should not contain any requests for additional personal information.

7. The official email should look like the sample screenshot below.

Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].

Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.

In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.

Oh, man.

Hopefully no one will copy this “recipe” to send folks a fake notification to enroll somewhere else.

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII).  The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Note that the State Department notice dated June 12 says that the “email should not contain any attachments” (#5). The OPM Services awarded on June 2 include the following:

3.1.1.2 Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receipt, track, and manage read receipts for email notifications.

Get that?

Now this. Somebody from State sent us a love letter for the hackers:

Dear Hackers: While you’re in there, please get my travel voucher for $291.46 approved, permanently cripple Carlson Wagonlit so we can stop wasting money on a useless product, and figure out how many special political hires there really are roaming our halls.  Oh and please don’t use my SF-86 info against my parents, it isn’t their fault I was an idiot and gave the government every last bit of info on my entire life.  I’m sure there’s more but it’s the weekend, let’s chat Monday. #LetsActLikeNothingHappened #SeriouslyThoughWTF .

And because the initial report is often understated per abrakadabra playbook hoping the bad news will go away, we’re now hearing this:

Oops, wait, what’s this?

Well, here is part of that email sent from “M” on June 15, 5:35 pm ET:

“OPM has recently discovered that additional systems were compromised. These systems include those that contain info related to background investigations of current, former, and prospective Federal government employees, as well as other individuals from whom a Federal background investigation was conducted. This separate incident…was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture… OPM will notify those individuals whose info may have been compromised as soon as practical. You will be updated when we have more info on how and when these notifications will occur.”

So that original OPM estimate of 4 million affected employees is now OBE. That original $20 million contract will potentially go up.

Brian Krebs’ piece on credit monitoring, the default response these days when a breach happens, is worth a read. Basically, he’s saying that credit monitoring services aren’t really built to prevent ID theft (read Are Credit Monitoring Services Worth It?).

What can you do besides the suggestions provided by the State Department and OPM? Brian Krebs suggests a “credit freeze” or a “security freeze” not discussed or offered by OPM. Check out the very informative Q&A here.

 

We know what else is on our to-do list today.

#