'

​OPM suspends security background investigations to fix new flaw

The Office of Personnel Management has announced that its web-based security background system will be out of service for at least four weeks.

Do you need to get a security clearance for your new job? Don't hold your breath. The U.S. Office of Personnel Management (OPM) announced it is temporarily suspending its Electronic Questionnaires for Investigations Processing (E-QIP) system. This is the web-based program used to complete and submit security background investigation forms.

hacker-data-shadow.jpg

In a statement OPM Director Katherine Archuleta claimed that the E-QIP fix was "not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited."

To date, the OPM has revealed that the personnel records of at leat 18-million current, former, and prospective federal employees were stolen in previous OPM cyberattacks. This is the worst employee security leak in history.

The undescribed E-QIP security hole was found during a comprehensive review of the security of OPM's IT systems. Because of the problem's severity, the OPM has temporarily taken the E-QIP system offline for security enhancements.

Special Feature

Security and Privacy: New Challenges

As big data, the IoT, and social media spread their wings, they bring new challenges to information security and user privacy.

Read More

The OPM expects E-QIP could be offline for four to six weeks while the program is secured. The agency stated that it "recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so. In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies' requirements."

There is no word on whether this fix will attempt to deal with the OPM's fundamental security problems. For example, vital records -- such as social security numbers -- were not being encrypted, because they rested on out-dated mainframe systems that couldn't support encryption.

The OPM has also not addressed how it will provide credit and identity protection plan for exposed employees. An earlier attempt to provide protection failed almost immediately since its very design laid it wide open to phishing attacks.

Despite this gloomy recent history, Archuleta insisted in a statement that "The security of OPM's networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls. This proactive, temporary suspension of the E-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted."

One can only hope that this time the OPM can deliver on its security promises.

Related Stories: