The Office of Personnel Management’s response to their recent massive breach is once again being challenged by the Inspector General, who warns OPM is not doing enough corrective action to prevent future
It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”
“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.
OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”
It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.
Knowing how the government responds in these types of situations, I cannot say I am surprised. This sounds like business as usual.