Bubblehead Les shared the following news posting this afternoon: Federal Worker PII compromised. PII, for those who don’t know, stands for Personally Identifiable Information: your birthday, Social Security Number, address, phone number, etc. Sorry to hear it, but the records of about four million (that’s 4×10^6) federal employees have been compromised across all agencies. Both the Office of Personnel Management (OPM) and the Department of the Interior (DoI) were breached. OPM, by the way, does about 90% of the federal background checks, so your EPSQ/EQIP/SF-86/Scattered Castles/(unnamed clearance system) information could be at risk. Our illustrious FBI is on the case, according to our ever-diligent DHS.
What bothers me the most is the last paragraph of The Fine Article (TFA):
“Ammon said federal agencies are rushing to install two-factor authentication with smart cards, a system designed to make it harder for intruders to access networks. But implementing that technology takes time.”
Here it comes, wait for it…
The requirement for two-factor authentication has been in place for over ten (that’s one-zero) years. Closer to thirteen years, depending on where you start. This Government Computer News article from 2004 talks about the then-new requirements for government-wide smart cards, the “something you have” half of two-factor authentication (something you have combined with something you know, such as the card’s PIN).
But wait, there’s more!!! DoI published their guidelines for Personal Identity Verification (PIV) in December 2005, to meet Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standard 201 (FIPS 201). HSPD-12 mandated a common identity credential government-wide, and FIPS 201 is the standard that defines the PIV card, the smart card that implements it.
Let’s not stop there – OPM has to protect PII under even more stringent guidelines. See National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), dated April 2010. What happened there?
Sorry all’a y’all federal employees. Now, if a Congresscritter’s information were compromised, what would happen? Or do they even get background checks done?
For Bubblehead Les: MESSAGE ENDS
How serendipitous: on March 12, 2015, OPM’s Security Director warned, “Assume you’ve been compromised”.
According to this article from Legal Insurrection, this is not the first time that the Chinese have officially been fingered as targeting our systems, nor the first, second, or even third time that government/contractor personal data has been stolen from government systems.