Click here to skip navigation
An official website of the United States Government.
Skip Navigation

In This Section

Our Director Director's Blog

cyber intrusion

The cybersecurity report issued today by the Republican members of the House Oversight and Government Reform Committee (HOGR) on the cyber intrusions at the U.S. Office of Personnel Management (OPM) does not fully reflect where this agency stands today.

While we disagree with many aspects of the report, we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes. We also appreciate the panel’s willingness to work with us on these important issues and find many of the final recommendations to be useful for OPM and the Federal Government at-large.

It is therefore important to take stock of our progress and outline the course we are charting for the future.

Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency’s ability to protect data while delivering on our core missions.

For example:

  • We require those who log into OPM’s systems to use strong multi-factor identification forms. This level of security provides a powerful barrier to our networks from individuals who should not have access.
  • We are in the process of rebuilding and enhancing the web-based application system that individuals use to provide OPM with the information we need to conduct background investigations.
  • We are one of the first agencies in the Federal Government to fully implement the Continuous Diagnostics and Mitigation program developed by the Department of Homeland Security (DHS), as well as DHS’s Einstein 3a. These initiatives allow agencies to detect and prevent cyber attacks before they can reach our systems, and continuously identify cybersecurity threats and vulnerabilities that might arise.
  • We have strengthened our legacy technology systems while developing a new, modern IT infrastructure, which will provide a secure environment for OPM well into the future.
  • We are working with our partners at the Department of Defense who are designing, building, and will operate the IT infrastructure for the new National Background Investigations Bureau, the OPM-based entity that will conduct background investigations for the Federal Government in the future. 

These are just a few of the initiatives we have underway, but there is more to this story. At OPM we recognize that cybersecurity is not just about technology – it’s about people. In addition to strengthening our technology, we have added seasoned cybersecurity and IT experts to our already talented team.

OPM has brought on a senior cybersecurity advisor who reports to the Director of OPM. We have hired a new Chief Information Officer as well as a number of new senior IT leaders. And we have centralized our cybersecurity resources under a new Chief Information Security Officer, whose sole responsibility is to take the steps necessary to secure and control access to sensitive information. We also have a strong working relationship with our Office of Inspector General.

The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization. Throughout this agency, management has embraced cybersecurity as a top priority. I am proud of the way the team at OPM rose to the challenge and appreciate the collaborative spirit with which our partners across government worked - and continue to work – side by side with us each and every day.

We hope Congress will also continue to support our efforts and provide us with the resources we need to continue to strengthen our cybersecurity posture now, and into the future.

In an increasingly interconnected world, the threats we face in the realm of cybersecurity are persistent, sophisticated and constantly evolving. To confront these threats we must remain vigilant in our quest to protect systems and information. At OPM we are committed, we are dedicated, and most importantly we are working tirelessly to continuously enhance the security of our data and fulfill our important mission for the American people.

 


Yesterday, we began mailing notification letters to the individuals whose personal information was stolen in a malicious cyber intrusion carried out against the Federal Government. Impacted individuals will be notified by OPM via U.S. Postal Service mail. Email will not be used.      

The letters being mailed to those affected by this incident will describe the comprehensive suite of identity theft protection and credit monitoring services that will be provided for at least three years, at no cost, to impacted individuals and to their dependent minor children. An impacted individual is someone whose personal information, including Social Security Number, was stolen.

As we have noted before, those impacted by this breach are already automatically covered by identity theft insurance and identity restoration services. However, the Federal Government is providing additional services that impacted individuals are encouraged to enroll in, free of charge.

The notices will contain a personalized identification number (PIN) number which is necessary to enroll in the covered services. Please note that neither OPM, nor anyone acting on OPM’s behalf, will contact you to confirm any personal information. If you are contacted by anyone asking for your personal information in relation to compromised data or credit monitoring services, do not provide it.

As you know, a very large number of people were impacted by this breach, and the nature of the information involved has national security implications as well. OPM and the Department of Defense have continued to analyze the impacted data to verify its quality and completeness, and in this process, we determined that approximately 5.6 million of the impacted individuals had their fingerprints stolen. If an individual’s fingerprints were taken, this will be noted in their letter. 

While Federal experts believe that, as of now, the ability to misuse fingerprint data is limited, an interagency working group with expertise in this area will review the potential ways adversaries could misuse fingerprint data now, and in the future. This group will also seek to develop potential ways to prevent such misuse. If in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

All of these factors make it important that we take the time necessary to make sure the notification process is carried out carefully. We’re committed to getting this right. What this means is that, while the notifications are beginning this week, it could take considerable time to deliver them all. 

I understand that many of you are frustrated and concerned, and would like to receive this information soon. My personal data was also stolen in this breach, and I am eager to get my notification letter as soon as possible so that I can sign up for these services. However, given the sensitive nature of the database that was breached – and the sheer volume of people affected – we are all going to have to be patient throughout this notification process.

In the meantime, please check OPM’s online cybersecurity resource center at www.opm.gov/cybersecurity for updates and additional information. This website has valuable suggestions about how to reduce the risk of becoming a victim of cybercrime, has answers to many frequently asked questions, and allows you to sign up for automatic updates. We are continually refreshing the site and will continue to do so as this process unfolds.

OPM and our partners across government are working hard to protect the safety and security of the information of Federal employees, contractors and others who entrust their information to us.

Together with our interagency partners, OPM is committed to delivering high quality identity protection services to the Federal community. We will continue to update you as this process continues. Thank you for your patience, your service to the American people, and your continuing support.

Graphic along with blue background. Filling most the page is the OPM LOGO. Headline: GET PROTECTE. STAY INFORMED. Subhead: CYBERSECURITY RESOURCE CENTER.

Control Panel

Unexpected Error

There was an unexpected error when performing your action.

Your error has been logged and the appropriate people notified. You may close this message and try your command again, perhaps after refreshing the page. If you continue to experience issues, please notify the site administrator.

Working...