Government audit raises ‘serious concerns’ over proposed federal cybersecurity measures

WASHINGTON — The agency that failed to secure data on millions of federal workers is now being criticized by its own independent watchdog over a plan to modernize its aging computer networks.

In a “flash audit,” issued Wednesday, the inspector general for the Office of Personnel Management raised “serious concerns” about a proposed $91 million computer overhaul, saying it had not followed management guidelines and granted a no-bid contract with a single vendor.

Office spokesman Samuel Schumach said he was looking into the matter and did not have an immediate response.

Office director Katherine Archuleta_a former school teacher who worked on President Barack Obama’s 2012 re-election campaign— told Congress this week that her agency’s computer systems were so old they needed an immediate modernization. The antiquated computer architecture, she asserted, was one reason hackers were able to infiltrate the system and make off with sensitive data on millions of federal workers and security clearance holders.

Inspector General Patrick McFarland said in a report circulated to Congress that he agreed in principle with the idea, but he noted that agency leaders launched the project with crucial questions unanswered, including how much it would cost. He questioned the $91 million estimate by the agency.

“We have serious concerns regarding OPM’s management of this project,” McFarland wrote in the audit, obtained Thursday by The Associated Press. “The project is already underway and the agency has committed substantial funding, but it has not yet addressed several critical project-management requirements.”

He said there was “a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications.”

McFarland’s office had warned for years that OPM’s computer network security was woefully lacking, and his deputy, Michael Esser, told a House oversight committee Tuesday that those failures contributed to the cyberbreach.

Now, the inspector general is saying, the proposed solution could also be a disaster.

“In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure,” McFarland wrote.

Many critical agency applications run on OPM’s aging mainframe computers, he wrote, including those that process payments for federal retirees, reimburse health insurance companies for claims and manage background investigations.

“These applications are based on legacy technology and will need to be completely renovated to be compatible with OPM’s proposed new IT architecture.” A much smaller migration of a single system cost $30 million and took two years to complete, he wrote.

OPM estimates that its proposed overhaul will take 18 to 24 months to complete, he wrote. “We believe this is overly optimistic and that the agency is highly unlikely to meet this target.”

McFarland wrote that OPM officials “informed us that the urgent and compelling nature of the situation required immediate action, and this is the reason that some of the required project management activities were not completed.”

He agrees that urgent action was needed, he wrote, but that was not a justification for cutting corners over the life of the project.

“The other phases of the project are clearly going to require long-term effort, and, to be successful, will require the disciplined processes associated with proper system development project management,” he wrote.