OPM’s Cybersecurity Modernization Efforts May Point to Broader Challenges

In a recent announcement, OPM announced that the Electronic Questionnaires for Investigations Processing (e-QIP) system that they use to “facilitate the processing of standard investigative forms used when conducting background investigations for Federal security, suitability, fitness and credentialing purposes” has been taken off-line for security updates.

Federal Computer Week covered the story, which mentions the cybersecurity report that OPM released outlining 23 steps it was taking to improve its cyber-defenses. Step number 19 in the OPM report mentions that their IT modernization spending from fiscal year (FY) 2014 to 2015 nearly tripled from $31 million to $87 million and that their FY 2016 budget requests an additional $21 million to further these efforts. That got me curious to look at OPM’s FY 2016 IT budget and supporting documentation.

One observation about OPM’s IT budget submission for FY 2016 is the apparent disconnect between what it is sending the Office of Management and Budget (OMB). The total IT budget and funding lines reported in their IT Portfolio on the IT Dashboard comes in at $127.5 million for FY 2016. (The IT Porfolio has been commonly known as the Exhibit 53.) However, OPM’s FY 2016 IT Business Cases (commonly known as an Exhibit 300), which provides background and justification for an agency’s individual major IT investments, adds up to more than 2-3 times the total IT budget amount from their IT Portfolio. (See table below.)

Some of the major investment lines agree between OPM’s IT Portfolio and Business Cases, which is what you would expect as part of an overall budget submission. But several Business Cases are either omitted from the overall IT Portfolio or list radically different funding amounts, resulting in the total funding discrepancy. A full 30 of the 74 investment lines in OPM’s IT portfolio have zero budgets for spending data for the last 3 fiscal years. So OPM’s primary FY 2016 IT budget artifacts are internally inconsistent from the onset. Two especially confusing examples are the two EPIC business cases shown above which have zeroes for budget data in the IT Portfolio.

OPM’s IT budget doesn’t appear to explicitly mention the e-QIP system and the closest systems I could find that address this area were the two EPIC initiatives. According to the budget, the EPIC Operations and Maintenance (O&M) investment keeps the production environment operational and ensures agencies have sufficient investigation information to make credentialing, suitability, and/or security clearance determinations. The EPIC Transformation investment is the transformation of the current EPIC O&M production environment to ensure continued service for agencies to have information to make credentialing, suitability, and/or security clearance decisions. Both EPIC budgets have been declining from FY 2014 to FY 2015 and are slated to be flat in FY 2016.

We are unlikely to have much in the way of timely visibility into OPM’s spending to improve their systems and related cybersecurity except what they are willing to communicate on their Web site or through the media. Contracted spending will take months to hit the Federal Procurement Data System.

While the events surrounding these focused modernization efforts is beyond unfortunate, maybe one outcome will be improved IT budget reporting and internal consistency.