After identifying a vulnerability in its background check processing platform, the Office of Personnel Management has suspended operations of the system temporarily to improve its security.
Electronic Questionnaires for Investigations Processing, or E-QIP, is the Web-based system that allows applicants to submit SF-86 background investigation forms. After an initial breach of the agency’s personnel files that compromised the personally identifiable information of more than 4 million federal employees led Director Katherine Archuleta to review OPM IT systems security, investigators discovered a vulnerability in the e-QIP system.
Though the security upgrades come in the wake of the hack, OPM said in a press release this action is “not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network.”
“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,” said Katherine Archuleta, the director of OPM who has been called on to resign in the aftermath of the cyber attacks. “This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”
OPM has not yet confirmed the specific number of Americans whose PII was potentially compromised in a second breach of a system said to contain background check information. News reports have said as many as 18 million people could be affected, and Congress believes it could include people listed as references on the forms in addition to the subjects of the investigations.
The e-QIP system should be offline for four to six weeks, OPM said, acknowledging the disruption this will cause for background checks.
“OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so,” the release says. “In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies’ requirements.”
Correction: June 19, 2015 The vulnerability in the e-QIP system is not directly related to the breach of an OPM system containing security clearance files, as an earlier version of this story said.