NOTE: This was originally posted on LinkedIn.
The following is the text of a letter that was sent to Sens. Ben Cardin and Barbara Mikulski. A copy was also sent to Rep. Chris Van Hollen.
As I watched the reporting of the exchange between the House Oversight and Government Reform Committee and OPM Director Katherine Archuleta and OPM CIO Donna Seymour, I realized that no matter how many times government officials are scolded by members of Congress, there will remain no consequences for OPM's failures.
Drums will beat loudly. Members of Congress will talk with the president, and even shout through the press, demanding that Archuleta and Seymour be fired. At some point, a presidential aide will ask them to resign. Then what happens? Archuleta and Seymour take jobs in the private sector, and the government is left with a situation that still has to be resolved.
At a minimum, the OPM breach has demonstrated that someone violated the Privacy Act of 1974 and the Federal Information Security Management Act of 2002 (FISMA). But what are the penalties for what appears to be a willful violation of federal law? The Privacy Act's criminal provision (5 U.S.C. § 552a(i)) makes a willful illegal disclosure a misdemeanor punishable by a fine of up to $5,000, which amounts to an expensive parking ticket.
There are NO criminal penalties for anyone responsible for ignoring or violating FISMA.
The only way to hold those who manage federal government information assets responsible for the security of those assets is to attach significant consequences to violating these laws.
Aside from the fact that the entire body of federal information policy (44 U.S.C. Chapter 35) is in dire need of modernization, one thing Congress can do now is add criminal penalties for violating the law. It is reasonable to leave the disclosure of a single record or a small number of records a misdemeanor. However, a mass loss of data such as OPM experienced should be a felony. The person(s) charged with the crime would be those responsible for granting the authorization to operate (ATO) for the system that was attacked.
In order to determine who is responsible, FISMA must be updated to specify who is required to sign the ATO. FISMA should also elevate the Chief Information Security Officer (CISO) to the same level as the Chief Information Officer (CIO). The CIO, CISO, and head of the agency would be responsible for the ATO and would be subject to criminal penalties if they egregiously ignore information security and that neglect leads to a successful attack on federal assets.
During my career working as a contractor and at an FFRDC for the Federal government, I have seen too many corners cut that have led to issues with no consequences for the federal managers who are supposed to have responsibility but do not exercise it. Even in my current position, there are no consequences for willfully violating FISMA or other agency policies. It is time for Congress to put enforcement behind the law in order to better protect the information assets that the people have entrusted the Federal government to protect.