The Office of Personnel Management has long shouldered the duties of processing and securing background investigations data on potential federal employees, contractors and military personnel. But that’s about to change.
In the wake of the devastating OPM data breach that came to light last year, the Obama administration is gradually shifting investigation duties from OPM’s Federal Investigative Services (FIS) to a new entity that will be supported by the Defense Department.
The new National Background Investigations Bureau (NBIB) will absorb the FIS and all its duties, which today include conducting about 95 percent of the government’s background investigations, 600,000 security clearance investigations and 400,000 suitability investigations annually.
NBIB will be housed within OPM, but DoD will assume responsibility for IT security of the systems and data related to the background investigations. Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, said the NBIB-DoD partnership is a model of what’s to come in the future.
“This is actually representative of changes that we know that we need to make more broadly across the federal government in how we’re provisioning our cybersecurity across all the civilian agencies,” Daniel told reporters during a Jan. 22 conference call. “And so we see this as really pointing towards the future of how we’re going to have to do business for cybersecurity across the federal government.”
But why not move NBIB entirely over to DoD, if the department is better equipped to secure sensitive data and the IT systems for processing investigations? Daniel explained that “simply moving the organization would not necessarily make for real, significant change. What’s more important is the structural and governance changes, combined with the interagency support that we’ll be getting for the cybersecurity of this system.”
He added that the administration wanted to build on the work and experience OPM has already gained from conducting background investigations, while being mindful not to disrupt current operations as changes are made. The NBIB director will be appointed by the president and report to the OPM director.
Administration officials couldn’t provide a timeline of when the changes will be instituted and over what time period, but Federal Chief Information Officer Tony Scott said to think of the work as an ongoing process, not a series of “one-off activities.”
The next steps include:
- OPM will establish a transition team, composed of interagency staff, to stand up the new entity without disrupting current operations.
- DoD will work closely with OPM and other customer agencies to identify requirements and design new IT systems to support background investigations. “Work will be done in a modular way and transition over time,” Scott said.
- Current FIS and security agencies will continue to work during the transition to stand up NBIB. To address the current security clearance backlog, OPM is hiring 400 additional investigators, said Acting Director Beth Cobert. Hiring began last September and will continue throughout the year.
The administration made the decision to turn over investigation duties to NBIB and DoD following a 90-day Suitability and Security review launched in the aftermath of the OPM breach. The goal: re-examine and revamp the federal background investigations process, better secure the information networks and data tied to that process, and improve how the government handles background investigations for suitability, security and credentialing.
A lot of the criticism of OPM’s handling of sensitive personnel records was that it didn’t encrypt information. Former OPM Director Katherine Archuleta confirmed that Social Security numbers weren’t encrypted. She said the agency uses legacy systems that are decades old, leaving OPM limited in the security capabilities that can be installed on aging systems.
Richard Hale, DoD’s Deputy CIO for cybersecurity, said DoD will use national security standards to design the new systems that will support federal background investigations. The department has already started using a rigorous process to determine what information needs to stay online and what can be moved offline or to a more private place that is not accessible from the Internet. He noted that data will be encrypted while it’s in transit and when it’s stored and not in use.
The president’s fiscal 2017 budget will include $95 million in funding to support development of the new systems.
Daniel was asked whether the upcoming changes will reduce the likelihood of another OPM-style breach. “In terms of preventing a future cyber incident, what we can do is we can substantially reduce the risk of future cyber incidents by employing all the best practices that we have been learning over the past few years across the federal government on how to defend our networks better,” Daniel said. “You can never reach 100 percent, but we will be striving to reduce the risk to as low a level as we can possibly manage going forward.”