The Office of Personnel Management fired back June 24 against criticisms that it dropped the ball on guarding the personal and background check information of millions of current and former federal employees.
The agency has released a security action report of all the cybersecurity improvements it has made over the last few years as well as a plan to boost its cybersecurity posture in the future.
Special Report: The OPM Data Breach: What You Need To Know
"Since Director Archuleta arrived at OPM, she has led the agency in taking significant strides to enhance cybersecurity and modernize its IT systems – strides that are in many ways forging new territory and laying groundwork for the rest of government," the report said. "But recently discovered incidents have underscored the fact that there is clearly more that can and must be done."
Archuleta has come under fire from lawmakers in recent days, with several prominent members of Congress calling for her to step down as new details show a data breach much larger than originally thought.
The first widely reported hack took place in December, but was only detected in April when OPM upgraded its cybersecurity tools. A second hack breached the background investigation data gathered on federal employees and others seeking national security clearances.
A 2014 breach of KeyPoint Government Solutions — a contractor used by federal agencies to conduct background checks — gave hackers the credentials needed to access sensitive employee data held by the Office of Personnel Management, the agency director confirmed Tuesday.
The report said that an interagency incident response team reviewing OPM's system has concluded there is no evidence that the intruders remain active on OPM systems. But in response the agency is taking 15 new actions to help bolster future security efforts.
"These adversaries are sophisticated, well-funded, and focused. For that reason, efforts to combat them and improve Federal IT and data security must be constantly improving as well," the OPM report said.
The actions include:
- Completing the deployment of two factor authentication. While OPM has already implemented stronger authentication through the use of smart card log in for its privileged users, it will continue to roll two factor authentication out to all its employees by August 1.
- Expanding continuous monitoring. OPM is working with DHS to implement the Continuous Diagnostics and Mitigation program by March, 2016. OPM will work aggressively to accelerate that schedule and mandate the monitoring of contractor systems wherever feasible.
- Encrypting current systems. OPM will also review all systems to see if any can be encrypted that were not encrypted before. However some systems cannot be encrypted, according to OPM.
The agency will also be hiring a leading cybersecurity expert from outside government who will manage ongoing responses to recent incident and assess long-term changes to OPM's IT infrastructure. The expert will report directly to OPM Director Archuleta.
"OPM will carry out these actions without delay. In addition, OPM is calling on Congress to take swift action to assist in this effort by providing additional resources to modernize OPM's IT systems and ensure continued appropriate oversight of the agency and its contractors," the OPM report said.