OPM Data Breach - Whitehouse Petition - Help Wanted

Naslund, Steve SNaslund at medline.com
Fri Jun 19 17:15:33 UTC 2015


Here is their 2013 budget https://www.opm.gov/about-us/budget-performance/budgets/2013-budget.pdf

Glancing through it, they had a 2.1B total appropriation with 90.5M dedicated to salaries and expenses, where IT would fall. It appears that their CIO also has a multi-year fund of around 70M separately allocated to systems modernization.  One telling issue is that the budget talks about their priorities, and within all of their goals around ensuring diversity, treating their employees well, providing good customer service, etc., there is not one mention of IT security.

It is just about setting priorities. 

I would bet you that there are plenty of IDP contracts out there that they could ride on.  This saves them from the entire RFP and evaluation process by simply stating that their needs are equivalent and a usable contract is already in place.  Often in government contracts, support for a fixed period of time is rolled into the purchase price.  This is done because the government often cannot commit dollars in forward years.  So, when you buy your IDP device you pay for five years of support because you know you have the money this year but do not have next year's appropriation yet.  Most government contracts have very sweet support and maintenance options because vendors often differentiate themselves that way without laying down on the up front price and hurting cash flow.  They can bury the hidden costs of supporting the devices and just claim a huge number for sales in their current quarter.

Here is the best analogy I have ever heard about how government contracting really works :

***Paint is peeling on your house.  You use your own authority to buy a can of paint and touch it up with no other approval (your O&M budget)

***You let the peeling paint slide too long and now you need to replace all of your siding.  You go to your wife and she tells you to wait until next spring when you have the money in the budget (department level O&M money)

***You let the peeling paint slide WAY too long and now you need to rip out entire walls, and while we are at it we might as well put in an addition.  You go to the bank to get a home improvement loan (congressional line item budgeting).  This is where they have let their systems get to.


Agency heads like to shift blame by going to Congress and saying "I can't do this because I need a huge appropriation to even start."  The correct question from Congress is to ask that agency head why they did not ask for an IT budget that included enough money to support and maintain a secure infrastructure.  They should also ask what small steps they have taken so far within their own IT budget to address security concerns.  For example, do you routinely replace desktops over a certain age, is your malware protection software in place and up to date, is your firewall on the latest code release?  If you ran a company, would you not fire an IT director that came to you and said "we need to replace all of our network, servers, and PCs because they are all obsolete NOW...TODAY"?  Wouldn't you wonder what he had been doing with the O&M budget you give to him every year? 

The truth of this is that most agency heads do not care about IT security; they just do not.  The only exception might be DoD, because they are well aware that they have enemies that are looking to take them out and it is their primary responsibility to fight enemies.  Most other agencies don't have the mindset of having an adversary looking at them and don't care, because they don't get hurt; the citizen whose data is lost takes the hit.  It might not change things immediately to fire the head of this agency, but it does let other agency heads know that if you ignore IT you could lose your job.

Steven Naslund
Chicago IL


> On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve <SNaslund at medline.com> wrote:
>> There is an O&M budget created for the day to day operation and maintenance of IT systems.  This is approved along with your department's budget annually.  If you classify updating equipment as an O&M function (which it routinely is) then you have no issues.  You purchase your equipment off pre-existing purchasing agreements in place with your agency or the GSA.  If your purchases exceed a certain threshold or the amount available under your O&M funding, then you need to go out and negotiate a project and contract it out.  Trust me, I know how this works; I was also a contracting inspector for communications systems during my time with the US Air Force.
>
> I'm fairly certain that new IDS purchases, for an org as large as OPM, which would also include project-term support contracts, isn't going to fit into any pre-approved O&M day to day budget... other than maybe an AF budget :-)
>
> -Jim P.


More information about the NANOG mailing list