OPM Hack Response May Set Up Years of Future IT Modernization Contracts

Published: July 08, 2015

Cloud ComputingCybersecurityOPM

In response to the compromise of its networks and systems the Office of Personnel Management (OPM) has taken several efforts to heighten the security of its systems, including a rapid $93 million move to migrate to a new cloud-based distributed network environment. Yet, this is likely only the beginning of the efforts it will take to transform OPM’s networks and systems to their desired end state.

In the weeks following the acknowledgement of a network hack that effectively spurred a government-wide cybersecurity “sprint,” OPM has been under a lot of scrutiny for its cybersecurity and IT management. One account reports that OMP had no trained, experienced, or dedicated cybersecurity people overseeing the agency’s IT security. As a result, OPM has been taking numerous steps in an attempt to improve its security posture on multiple levels, including imposing new restrictions that block employee internal access to popular websites like Gmail and Facebook.

One of the most urgent efforts in the OPM response is a $93 million initiative to migrate the agency's entire antiquated infrastructure into a completely new distributed network environment they’re calling "the Shell,” hosted in two commercial data centers. It has also been reported that OPM is now looking to hire at least four new senior IT project managers to help with the migration.

As OPM is marching forward, their Inspector General’s office issued a “flash audit” expressing the strong likelihood of failure at the worst and extreme cost and/or schedule overruns at the least. The OIG’s caution is due, in part, because none of OPM’s legacy applications – many of which are core to its operations – will be allowed to migrate to the new Shell environment unless they are rebuilt to be compatible with all the new security and operating features of the new architecture. Their OIG has called them out on not effectively planning for this in the rush to stand up the Shell. In a previous post, I noted that OPM’s FY 2016 IT budget artifacts appear to be internally inconsistent, so this may be an ongoing challenge at the agency. It’s hard to tell.

Whatever the planning challenges, the hurdle of migrating legacy applications to newer, more secure, and more cloud-enabled operating environments should not be underestimated. Nor can agencies circumvent the hard work and expense it will require. At the latest NIST Cloud Computing Forum and Workshop, federal CIO Tony Scott compared modernizing legacy systems with updated attributes, security, etc. to duct-taping air bags onto a classic Mustang automobile. It’s expensive, hard to do, and often ineffective.

By the OPM OIG’s account, it will take years and tens (maybe hundreds) of millions of dollars to renovate these legacy systems to make them compatible with OPM's proposed new IT architecture. (One look at DoD’s numerous legacy system modernization efforts should be enough to tell you this.)

If OPM can muster the IT budget (and whatever additional “special assessments” it can from its major program offices) to follow through on its plans – not to mention gathering the IT management and technical skills it needs to shepherd the efforts – then we may see some fairly lucrative IT contracts come out of this for several years to come.