[Infowarrior] - OPM passing hack response costs to agencies

Richard Forno rforno at infowarrior.org
Tue Jul 21 10:46:47 CDT 2015


(As one of the article commenters said, "they take their cues from Congress: We F*d up, you're going to pay." --rick)

OPM to federal agencies: We got hacked, but you have to help pay for the response

By Eric Yoder July 21 at 10:23 AM
 
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/21/opm-to-federal-agencies-we-got-hacked-but-you-have-to-help-pay-for-the-response/

Federal agencies have been told that they will be expected to pay the costs of responding to the breach of security clearance files affecting more than 21 million federal employees, military personnel and contractor employees.

Such costs will amount to an unplanned obligation that will hit agencies late in the government’s current fiscal year, and agencies should expect to have to absorb further costs in future years as well, according to a memo from the Office of Personnel Management, whose systems were breached.


How much those costs will be is unknown, since OPM has not yet issued a contract to notify those affected by the clearance files breach and to provide them credit monitoring and identity theft services. The breach involves highly personal information on virtually everyone who applied for a security clearance or had one renewed since 2000, and in some cases before.

For a separate breach involving personnel records of some 4.2 million current and former federal employees held for OPM at the Department of Interior, the cost of sending notices and providing services was $21 million. OPM and Interior paid for that contract but cannot afford to cover what could be much higher costs of the next contract, agency officials were told in a briefing late last week.

“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services / benefits for the second incident involving 21.5M individuals,” acting OPM director Beth Cobert said in a follow-up memo.

The Office of Management and Budget “fully supports the decision for cost sharing across all agencies given these circumstances,” wrote Cobert, who was transferred from her post as OMB deputy director for management after OPM director Katherine Archuleta resigned under pressure related to the breaches and OPM’s response.

In addition to paying costs related to the clearance files breach out of current year funding, the memo said, agencies will be charged higher rates for OPM to process clearance applications on their behalf, retroactive to the start of this fiscal year.

The requirements come late in the fiscal year, which ends Sept. 30, leaving questions regarding how agencies will be able to cover them. Typically, when agencies must meet such requirements they look to administrative costs such as employee awards, training and travel and to general overhead such as office equipment.

Those accounts, which in many cases already are pinched by years of budgetary restrictions, also pay employee salaries. While salaries could not be cut, restrictions on those accounts could translate into pressure to hold down the number of employees.

“My mouth dropped open when I read this. I get the fact that the money has to come from somewhere, but, man, oh man,” said a federal official not authorized to speak on the record on the matter.

Cobert’s memo said that while the total costs won’t be known until the second contract is issued, “OPM is currently working to approximate each agency’s portion of the total number of individuals impacted and we are gaining more information on the anticipated cost per person in the coming week based on requirements.”

In addition to affecting more people than the personnel files breach, the clearance files breach involves far more extensive information that clearance applicants have to disclose, including on any personal financial problems, criminal records, foreign travel and much more. In some cases, it also involves fingerprint records and findings of background investigations.

Further, while the personnel files breach affected persons for whom the federal personnel agency typically would have current contact information, the clearance files breach involves a substantial number of people who worked for contractors, not directly as federal employees. Also, OPM has promised more extensive services, to be provided longer, for those affected by the clearance files breach.

About 3.6 million federal employees affected by the security clearance files breach also were impacted by the personnel records breach; almost all of those affected by that breach already have been notified.

“We understand and appreciate the complexities of this late in FY15 request for funds,” the memo added. “We cannot stress enough the importance and significance of this funding. This funding is critical to ensure that OPM is able to maintain its operational capability in order to allow agencies to continue to fill critical positions and accomplish their missions.”

In addition, agencies will have to help fund costs in at least 2016 and 2017, the memo said.


--
It's better to burn out than fade away.


