The New Direction of OPM’s Cybersecurity

This interview is an excerpt from GovLoop’s recent research guide, The Current State of Government’s Cybersecurity.

In the aftermath of a massive security breach and the resignation of its director, the Office of Personnel Management (OPM) has taken 2016 as an opportunity to re-evaluate internal processes and strengthen its cybersecurity defenses. As part of those efforts, OPM appointed Clifton Triplett as Senior Cyber and Information Technology Adviser. Since taking on this new role in November 2015, Triplett has been charged with strengthening the agency’s cybersecurity posture, advancing its cybersecurity-related goals, and collaborating with a broad spectrum of interagency partners and stakeholders.

In an interview with GovLoop, Triplett shared his current priorities, as well as challenges and opportunities facing OPM in its pursuit of improved IT security.

A New Face at OPM

With experience at some of America’s largest companies and industry leaders in global defense, automotive, Oil & Gas, and telecommunications, Triplett was an ideal fit for the Senior Cyber Adviser position. At the time, it was critical for OPM to have an individual who was familiar with private sector best practices and and able to bolster the agency’s cyber operations. In addition to strengthening interagency and cross-sector partnerships, Triplett’s duties include improving cybersecurity education and awareness.

“My role is to assist with the development of people and processes, and the effective use of technology,” Triplett said. “What I predominantly do is help clear roadblocks, including communications, a lack of understanding, and education. Over the last six months, I’ve been able to increase awareness and understanding across the organization and with our partners.”

Triplett reports directly to the OPM Acting Director and serves as a key advocate for advancing the state of enterprise architecture and cybersecurity, including technology investments, capabilities and services. Working alongside OPM’s acting CIO and the newly appointed CISO, Triplett also supports the ongoing response to past cyber incidents, development of OPM’s plan to mitigate future incidents, and further improvements to best secure OPM’s IT architecture.

OPM’s Progress

Triplett credits partnerships and collaboration as key to addressing cyber threats. He remains optimistic that with such partnerships, the agency will be able to take swift action to protect OPM’s assets and strengthen the resiliency of its networks and systems.

“Upon discovering the breach and the immediate aftermath, OPM was able to work with its federal partners,” Triplett said. “We gain great value from the working relationships we’re able to establish with other agency partners, specifically DHS. Since then, we’ve also been able to work with and gain value from working with other agencies more closely like DoD and DISA.”

OPM is making significant progress and Triplett emphasized how the agency is trying to build on the momentum already underway with these seven areas of focus he had mentioned:

  1. Strong Authentication: OPM has implemented multi-factor authentication across for the agency’s network. With two-factor authentication, the agency can better mitigate potential outside and inside threats by making it more difficult to steal identities or access important information.
  2. Continuous Monitoring: OPM is leading the implementation of DHS’s Continuous Monitoring program. As the first agency to complete the deployment of the DHS toolset defined in the Continuous Diagnostic & Mitigation (CDM) program, OPM is better positioned to identify risks on an ongoing basis, prioritize these risks based on potential impacts, and mitigate accordingly.
  3. Team Organization: “We created this new position [my position] that reports to the director, and I think that has helped sharpen the understanding and focus on our cyber initiatives,” Triplett said. Additionally, OPM established a CISO position with dedicated staff to support cybersecurity efforts. The establishment of this team has resulted in great structure and momentum in the advancement of OPM’s cybersecurity capabilities. “Our people have made a difference!”
  4. Malware: OPM strengthened its focus on combatting malicious code and viruses. As cyber threats increase in sophistication, it’s important for the agency to develop better toolsets to combat hostile threats that could affect entire federal networks.
  5. Data Protection: “We’ve implemented data loss prevention technology, which automatically prevents sensitive information, such as social security numbers or other personally identifiable information, from leaving our network unauthorized,” Triplett said. He added, “This is very powerful for an agency trusted with sensitive information.”
  6. Training: In combatting the shortage in cyber skills and workforce, OPM has spent much time and energy on cybersecurity awareness training for its existing employees, and has further augmented the team with additional talent to assist in mentoring and advancing the overall capabilities of the organization. The agency placed emphasis on training all of its employees to identify malicious threats, with a focus on phishing. The perspective is that cybersecurity awareness should not just be left alone to the IT staff but should also be agency wide.
  7. Encryption: OPM has now fully encrypted its network traffic on all internal networks. This is especially important in helping to keep important information secret and secure so that it does not fall into the wrong hands. 

Priorities Moving Forward

In addition to these seven issue areas, OPM has continued to work to implement its IT Infrastructure Improvement Project to address the agency’s aged infrastructure and strengthen security protections. The project includes a full overhaul of the agency’s technical infrastructure by implementing additional IT security controls and then migrating the entire infrastructure onto a modern operating environment, under an initiative referred to as Shell.

“During the initial stages we bought new equipment, software, and brought in new talent,” Triplett explained. “The equipment has been delivered and configured and we are now beginning to use the equipment in terms of test and development. This is giving us the foundation we need to move some systems on older equipment approaching obsolescence to newer technology and concurrently assist the agency in data center consolidation.”

This is only the tip of the iceberg when it comes to OPM’s plans for improved cybersecurity. Triplett was able to focus the agency on four main near-term priorities – mitigate cyber risk, mitigate operational risk, optimize operating positions in terms of cost and efficiency, and modernize technology and functionality.

Those priorities represent both a need to confront constrained resources and evolve OPM’s thinking on cybersecurity. “Mitigation was obviously important as a first priority, and then migration helped us relieve cost burdens to allow for the acceleration of our modernization programs,” Triplett said. “Right now, we’re seeing the dollar shifting towards cost-optimization, such as virtualization and data center consolidation.”

By standardizing and consolidating its IT infrastructure, OPM can gain greater visibility into its cyber environment, while also decreasing operational and acquisition costs. Triplett hopes that OPM will conclude the consolidation of its data centers and systems over the next couple of years. “We can then really focus on our investment towards the modernization and continuing evolution of our systems,” he said. “Then, we can continue to have the money required to best serve our constituency.”

As with the majority of government agencies, one of OPM’s most significant challenges concerning cybersecurity is budget. In addition to constrained resources, Triplett noted that agencies have a vast number of constantly shifting priorities that compete for those resources. Tight budgets also create fast shifting priorities.

“We have tremendous momentum right now,” Triplett said. “We would not have been able to achieve so much if we didn’t have the full support of our organization, our partners, and Congress. [But] we’re in an environment where the threat continues to evolve at an increasing rate, and therefore, we need to maintain this momentum.”

Triplett’s new position certainly didn’t come without its challenges. Yet while there are many obstacles facing OPM, there are also many new emerging opportunities for the agency in cybersecurity. The agency has been at the forefront in terms of federal leadership in cybersecurity initiatives. With leaders like Triplett, the future of cybersecurity in government seems ever brighter.

Leave a Comment

One Comment

Leave a Reply

Dovell Bonnett

For the last two years I have been on the GSA Scheduled, enrolled in SAM, and have sent numerous emails to people within the OPM about how they can add a Multi-Factor Authentication Enterprise Password Manager to their existing PIV or PIV-I credential (as described in Focus Point 1). But no response. We presented our Power LogOn product to the HHS Cyber Lab and it passed their review (in fact they have deployed it to their own employees), we are FIPS 140-2 verified by InfoGard, and got a FIPS 201 waver by NIST, but still no response.

So how does a SMB get the right OPM people informed so they can start implementing MFA logon within days? If you want to learn more, please visit http://www.access-smart.com/government.