The federal office at the center of the biggest government hack in history is releasing 15 new steps intended to shore up its security.
The tighter security measures come as the Office of Personnel Management faces intense criticism over the hack, which has left as many as 18 million people vulnerable. OPM's chief was grilled at a congressional hearing on Tuesday.
The OPM actions include pledges to complete the implementation of security features, such as two-factor authentication and encryption.
The agency will also increase consultation with the inspector general and outside cybersecurity experts, and boost oversight and accountability mechanisms.
“OPM has already taken a number of aggressive steps over the past 18 months to increase its cybersecurity capabilities and modernize its critical IT systems,” said the report, which noted that investigators believe the intruders have been kicked out of the system. “But there is clearly more that can and must be done to meet evolving cyber threats.”
OPM Director Katherine Archuleta has battled critiques from all sides that her agency has been slow to address its numerous security shortcomings in the wake of two data breaches that might have affected up to 18 million people.
China is thought to be responsible for the digital theft.
Lawmakers have berated the agency head for failing to heed numerous warnings from the agency's inspector general, who has issued numerous reports in recent years raising red flags about the agency’s unprotected system.
Notably, the watchdog released a report in November recommending that 11 of the agency’s 47 computer systems be shut down because they were not meeting security standards. The OPM has insisted it couldn’t turn off these systems without risking gaps in worker benefits and paychecks.
More recently, the inspector general circulated a “flash audit” to members of Congress, which roundly chided a long-term OPM modernization plan meant to address the inspector general’s concerns. The inspector general called the proposal overly optimistic, poorly budgeted and poorly managed.
Archuleta said she understood the concerns during a Tuesday Senate hearing, her first of three hearings this week. “All of our decisions are being tracked, documented and justified.”
Responding to these poor assessments, the OPM on Wednesday morning issued its newest set of security upgrades, many of which carry specific timelines.
By July 15, the agency will complete a review of where else it can add encryption to its system, a particular sticking point for the security community in the wake of the hack. Archuleta has insisted encryption would not have prevented the hackers from making off with the data.
By Aug. 1, the agency has vowed to have full deployment of two-factor authentication, meaning anyone accessing the system will need to verify themselves with a smart card in addition to their login information.
The OPM will also hire its cybersecurity adviser by that date. The person in this role will oversee the ongoing response to the multiple data breaches and help implement the overarching system modernization plan.
In the coming weeks, the OPM will also hold a workshop with outside cybersecurity experts to assess what other security steps might be necessary.
And by the end of this week, the agency will notify Congress of particular areas where it believes extra funds could help quicken the security overhaul.
The OPM fiscal 2016 budget already includes a request for $32 million more than the enacted level in fiscal 2015, most of which is dedicated to IT upgrade initiatives.
Finally, the new steps included a number of “accountability” measures to address concerns that the agency has insufficiently documented its reform efforts, including monthly reviews, bi-annual cybersecurity training for employees and contractors, and a response protocol for future breaches.
“OPM stores more personally identifiable information (PII) and other sensitive records than almost any other federal agency,” the report said. “This is a tremendous trust placed in the agency by the millions of current and former federal employees, and one that OPM must continually earn through constant vigilance.”