But in an email to a Senate Homeland Security Committee staffer, a Federal Retirement Thrift Investment Board official said the agency is not obligated to follow the standards because it is an independent agency.
Greg Long, the board's executive director, testified that the agency did not completely follow the security guidelines before the breach because of a lack of funding.
"I regret to say that the FRTIB did not have a breach notification plan in place prior to 2012. This was due to a lack of resources to develop the plan," he said during a hearing of the Homeland Security Committee's subcommittee on Oversight of Government Management.
But Long testified that the agency found the guidelines "very useful" in responding to the attack.
Federal employees were notified about the attack in May 2012.
Akaka is pushing for an amendment to the Cybersecurity Act, which is currently under consideration by the full Senate, that would require all federal agencies to notify the affected people in the event of a data breach.