WASHINGTON – House Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) today sent letters to Shaun Donovan, director, Office of Management and Budget (OMB), and Beth Cobert, acting director, U.S. Office of Personnel Management (OPM), requesting documents and information relative to foreign nationals’ potential access to OPM data prior to the agency’s public disclosure last year of one of the federal government’s largest cyber breaches.

The request is made in the context of a report released  by the U.S. Government Accountability Office (GAO) last month that reviewed the security controls of  federal agencies’ high-impact systems. GAO’s report notes “the 18 agencies having high-impact systems identified cyber attacks from ‘nations’ as the most serious and most frequently-occurring threat to the security of their systems.” GAO selected four agencies with high impact systems for further review in its report, including the U.S. Office of Personnel Management.

“The identification of foreign nations as one of the most serious cyber threats to agencies underscores concerns that were raised after last year’s OPM breach over the potential access to OPM’s sensitive data by foreign nationals.  According to news reports at the time, it appears that some of OPM’s contractors may have given ‘foreign governments direct access to data long before the recent reported breaches.’  In one instance, an ‘administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China].  Both had direct access to every row of data in every database: they were root,”’ the letters state.

“Additionally, a different team working on the database was led by two employees with passports from the People’s Republic of China.  In other words, an agency that identifies foreign nations as the source of the most serious and frequently occurring threat, either failed to realize that foreign nationals had access to its database, or knew it and failed to correct the situation,” the letters continue.

Today’s letters request information and responses to questions from both OPM, the agency with the data breach and continued cybersecurity concerns, and OMB, the agency with statutory oversight of agencies’ compliance with federal cybersecurity requirements.

The letter to OMB can be found HERE.

The letter to OPM can be found HERE.