Feds confident in fight against ransomware

Despite the meteoric rise of ransomware, federal agencies feel they are prepared to handle the threats that come along with the use of the malicious software.

Multiple agencies that spoke with FedScoop said they have not seen a severe uptick in ransomware attacks, and any such attacks can be mitigated with the cybersecurity tools and policies they already have in place.

The first half of 2016 has seen a sharp increase in ransomware — malware that encrypts the contents of a victim’s hard drive or server while hackers demand payment for the decrypt key.

While the vast majority of these attacks have been focused on the public sector, federal agencies have seen evidence of ransomware attacks as well. In response to an inquiry earlier this year from the Senate Homeland Security Committee, the Department of Homeland Security said there had been 321 ransomware incidents reported by 29 different agencies since June 2015. However, not every report was a successful attack, according to the response, and many were stopped by agencies’ security centers.

Additionally, the technology support staff for the House of Representatives issued a warning in May after a congressional staffer fell victim to an attack.

When ransomware did infect the staffer’s computer, “the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency,” the response said. In the House of Representatives case, third-party email applications like Yahoo Mail were blocked.

Federal agency statistics back up what numerous government officials told FedScoop: they have seen cases of ransomware, but they followed standard procedure to mitigate any resulting incidents.

FedScoop spoke to officials at the departments of Commerce, Defense, and Health and Human Services, and the White House’s Office of Management and Budget, who said they either haven’t had any cases of ransomware or have followed internal mitigation processes to remedy the problem.

Several of the agencies pointed to an April blog post from DHS that lists the following criteria for protection against ransomware:

In the instances when ransomware is spotted, the agencies FedScoop spoke with said that they do not and would never pay ransoms in the event of an attack.

“If an individual were to come to me and say, ‘My computer’s locked for $500,’ I would just take it from them and throw it on top of the pile,” said a security official who spoke on the condition of anonymity to FedScoop. “We would give that person a brand new computer, wipe the old one, back it up and move on.”

More so than ransoms, what worries agency CISOs is the behavior that leads to infecting systems with malware: clicking on links or downloading attachments from phishing emails. According to Leesburg, Virginia-based PhishMe, ransomware is included in 93 percent of phishing emails.

Commerce Department CISO Rod Turk says he has been relying on anti-phishing training to stop a host of threats, including ransomware.

“The best solution for ransomware is good cybersecurity and IT practices,” Turk told FedScoop. “You want people to be able to understand what [attacks] look like. To that extent, hopefully you will be able to stop it right up front.”  

However, security firms are finding that criminals are getting so sophisticated with their phishing attempts that training courses may not be enough to stop employees from clicking on errant links.

“A lot of people are saying, ‘Oh, if users weren’t clicking on these files, we wouldn’t have a problem,’” Andy Feit, head of threat prevention marketing at Check Point Software, told FedScoop. “I’ve seen so many examples of where the hacker has done significant research into an organization to understand who is their supplier of certain parts, and sends them an invoice that looks legitimate with a spoofed email. You would never know this isn’t a legitimate email, and then you click on that attachment, and you open a PDF that looks entirely safe and even expected to arrive.”

Those targeted emails are arriving more and more. Earlier this year, Symantec found that ransomware attacks in the first quarter of 2016 are coming at quadruple the rate seen last year. In Infoblox’s first quarter Threat DNS Index, the company found a 35-fold increase in newly observed domains created for ransomware.

Additionally, the FBI’s Internet Crime Complaint Center has reported that individuals have filed 7,694 ransomware complaints since 2005, with losses totaling about $58 million — $24 million in just the last year.

In various blog posts, DHS and FBI have shied away from support for paying ransoms, saying payment doesn’t mean systems will be unlocked.

“Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” FBI Cyber Division Assistant Director James Trainor said in a blog post.

FedScoop reached out to the FBI multiple times for comment on if agencies have been given their own directives when it comes to ransoms, but the agency did not respond.

So even as attackers focus on targets like hospital systems and local police departments for ransom, government information security professionals are confident they have the steps in place to guard against the rising ransomware threat. But that doesn’t mean they are without worry.

“I’m always fearful,” said Turk. “You are always concerned, but you do the best you can to protect yourself.”

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

Commerce IT analyst wins Miss USA pageant

Who ever said IT wasn’t glamorous?

Deshauna Barber, the 26-year-old who snagged the Miss USA title Sunday night in Las Vegas, works as an IT business analyst at the Department of Commerce.

Government contractor Triumph Enterprises Inc. confirmed that Barber provides infrastructure and acquisitions systems support to the Department of Commerce’s Office of Acquisition Management.

Barber is responsible for many tasks, including providing “acquisition policy and contract management support; grants management support; [and] acquisition reporting and data analysis support in areas such as policy formulation or analysis, program evaluation and assessment, strategic and business planning, operations research and analysis,” Dina L. Evans, the organization’s human resources director, confirmed in an email to FedScoop.

Evans said Barber was first hired by the company in February 2012 and has also worked on contracts for the Defense Department and Federal Aviation Administration.

The Department of Commerce did not respond to a request for comment by press time.

[Read more: FedScoop unveils its list of D.C.’s Top 50 Women in Technology for 2016]

Competing as Miss District of Columbia, Barber likely impressed judges with her powerful defense of the military allowing women to serve in combat rules. An officer in the Army Reserves, Barber drew on her own experience to make her argument.

“As a woman in the United States Army, I think it was an amazing job by our government to allow women to integrate into every branch of the military,” she said.

She added, “We are just as tough as men. As a commander of my unit, I’m powerful. I am dedicated, and it is important that we recognize that gender does not limit us in the United States.”

Barber holds a bachelor’s degree in business management from Virginia State University and a master’s in management information systems and services from University of Maryland University College.

Her pageant bio also says Barber “loves to dance, hike and enjoy quality time with her family.”


Contact the reporter on this story via email Whitney.Wyckoff@fedscoop.com, or follow her on Twitter @whitneywyckoff. Sign up for all the federal IT news you need in your inbox every morning at 6:00 here: fdscp.com/sign-me-on.

Report: Malware, stolen IDs top items for sale on dark web

Stolen identities and easily deployable malware are among the items most commonly found for sale on the dark web, according to an as-yet unpublished new report by Virginia-based cybersecurity startup SurfWatch Labs.

According to the report, obtained by FedScoop Monday, the five most common items for sale, are, in no particular order: stolen generic credentials, stolen identities complete with passport and/or financial information, intellectual property sometimes in the form of original source code, supply chain threats and hacking tools.

Supply chain threats, in this context, relate to risks faced by third-party partners and vendors. If, for example, a web hosting provider is compromised, then its customers may also be exposed to attack — even though the stolen data belonged to someone else.

(Screenshot from Nucleus marketplace)

The dark web is an area of the internet that can only be reached using the anonymous Tor browser, which bounces encrypted traffic around between volunteer nodes on its network, making its origin virtually untraceable. Dark web addresses generally end in .onion, and are famous for hosting criminal marketplaces like the notorious Silk Road, shut down in 2014.

[Read more: Memex: Law enforcement’s search engine for the dark Web]

To determine the most popular items for sale, SurfWatch Labs monitored activity on five of the most prominent dark web marketplaces: AlphaBay, Dream Market, HANSA Market, Valhalla and TheRealDeal Market.

In an interview with FedScoop, SurfWatch Labs chief security strategist Adam Meyer said that the report findings were in line with his team’s expectations based on “how malicious actors are operating currently.”

“All of these items have become commodities that are easily monetized and it is important to remember that cybercrime is a business, typically one with a high return on little effort … When you peel back the onion layers on the data, you will find that users being loose with their credentials, poor password hygiene in regards to strength and password reuse, operations folks being loose on vulnerability management in their high exposure areas contribute significantly to threat actors being successful,” said Meyer.

Among other interesting hacking tool “products” for sale on the Dark Web, SurfWatch Labs discovered a new way to hack into Apple’s iCloud. The price for this iCloud exploit totals $17,000.


“The cybercrime-as-a-service model has segmented the market so that actors can specialize in their own field, whether that is running a botnet, creating exploit kits or stealing credentials. All types of cybercrime tools and services are available — for a price,” the report reads.

Meyer said that stolen credentials are the most popular item purchased and sold on the Dark Web for two reasons. He explained that “a credential opens up the door to many areas.”

“Depending on the asset you are able to gain entry to with a stolen credential, you can steal more data, commit fraud, enable social engineering efforts and use data to authenticate across to other areas. Couple that with poor user password hygiene and we are making it really easy for an actor to accomplish their goal,” said Meyer.

Publication of the SurfWatch Labs Report — titled “Top 5 Items for Sale on the Dark Web, and What Businesses Can Learn From Them” — comes just two months after Nucleus was shut down.

At one point in time, Nucleus was the second largest dark web marketplace in existence, according to SurfWatch Labs, hosting tens of thousands of listings for a variety of illicit goods and services.

To contact the reporter on this story you can send him an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.

Education Department taps Jason Gray as new CIO


Jason Gray started at the Department of Education as CIO May 31.

The Department of Education has appointed Jason Gray as its new chief information officer. Gray, who officially started in the role May 31, most recently served as associate chief information officer for IT policy and oversight at the Department of Transportation.

Gray fills a void left when former Education Department CIO Danny Harris stepped down in February, after more than 30 years at the department. The department’s deputy CIO, Steve Grewal, who stepped in as interim director, left last month for a similar position at the General Services Administration. Ken Moore has been leading the CIO office in the meantime.

“Jason brings years of experience in the planning, development, delivery, and monitoring of technical solutions that address the needs of his customers in support of their mission,” said James Cole, the Education Department’s general counsel, in a memo obtained by FedScoop. “While Jason has significant experience leading IT organizations, it is his strong track record of creating and maintaining a positive work environment that promotes open communication and high ethical standards that makes him the right choice to lead OCIO.”

During his tenure at the Department of Transportation, Gray oversaw DOT’s $3.5 billion IT portfolio and led efforts to implement the Federal Information Technology Acquisition Reform Act across the department’s operating groups.

Prior to joining DOT, Gray served as a senior adviser in the office advocating for customer benefits at the Department of Veterans Affairs, where he was involved in Veterans Benefits Administration IT-related activities.

Biden launches data portal to back Cancer Moonshot

Vice President Joe Biden helped launch a public genomic data portal Monday in support of his “moonshot” to eradicate cancer. 

The National Cancer Institute’s Genomic Data Commons will be used to store, share and analyze genomic and clinical data on tumor sequences — the DNA linked to cancer. GDC will bolster the administration and Department of Health and Human Services’ efforts around the Precision Medicine Initiative, which aims to gather data on patients’ genes, environment and lifestyle to help researchers find better treatments for diseases like cancer.

“This is good news in the fight against cancer,” said Biden, who publicly released the platform Monday at the University of Chicago. “With the launch of this new national resource, anyone can freely access raw genomic and clinical data for 12,000 patients — with more records to follow.”

The Genomic Data Commons will be “a critical step” in opening and bringing together this genomic data, and making it available to researchers and physicians across the country, a White House fact sheet says. 

The platform will start with standardized data sets from NCI’s Cancer Genome Atlas and its pediatric equivalent, Therapeutically Applicable Research to Generate Effective Therapies, which together will represent more than 10,000 patients’ genomic and tumor data.

The White House touts the variety of features of GDC at its launch: interactivity; privacy and security controls; ease of search; raw, unprocessed genomic data; various web-based tools, such as advanced visualization and smart search technologies; and openness to accommodate researchers’ cancer data sets from around the world.

[Read more: NIH chief touts plans to ensure massive precision medicine study reflects U.S. population]

“Increasing the pool of researchers who can access data and decreasing the time it takes for them to review and find new patterns in that data is critical to speeding up development of lifesaving treatments for patients,” Biden said. 

The vice president spoke in May at the annual Health Datapalooza, appealing to the open health data community to lend its expertise to the Cancer Moonshot initiative. 

“Using publicly available Medicare data, innovators like you in this room have launched companies that deliver information about hospital and doctor performance. Emergency medicine doctors are using information on ER visits, wait times and outcomes to help create an app to guide ambulances, and even the public, to the best places for emergency care,” Biden said in May.

“Well folks — why can’t we do the same kind of thing in the battle against cancer?” he questioned. “There’s a load and an enormous amount of data out there, but not readily available. Imagine what you could do to help in the fight against cancer if you had access to the millions of cancer pathologies, genomic sequences, family histories and treatment outcomes.”

Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.

GAO: CIOs underestimating IT investment risks

Agency CIOs are apt to underestimate the risk of failure in their IT investments, a congressional watchdog discovered in a new audit.

The Government Accountability Office reviewed 95 federal IT investments across 17 agencies and found that in just 22 of those projects did the risk rating match those listed by CIOs on the federal IT Dashboard. In 60 of the cases, or about 65 percent of the time, GAO’s rating was a degree of higher risk than what the CIOs had listed, and, in 13 cases, GAO’s review found lower risk than the CIO reported.

Agency CIOs are required by the Office of Management and Budget to update the risk ratings of IT investments every month, to provide transparency for the notoriously risky projects. The Federal IT Acquisition Reform Act codified these requirements in December 2014.

This variation often occurs, the GAO authors wrote, because despite OMB’s standard set of investment evaluation factors — risk management, requirements management, contractor oversight, historical performance, human capital and an option for other concerns — to consider, CIOs act with subjectivity based on the specific operational circumstances of their agencies, missions and corresponding investments.

(Chart: GAO)

“According to OMB’s guidance, CIO ratings ‘should reflect the CIO’s assessment of the risk and the investment’s ability to accomplish its goals,'” the report says. “Such assessments of risk inherently involve a great deal of human judgment.”

For instance, the Defense Department CIO’s office told auditors DOD’s major investments are “inherently high risk,” and therefore the ratings are “assessments of relative risk implemented within this risk baseline.” So while DOD might not see an investment as particularly risky compared to the rest of its portfolio, another agency probably wouldn’t report it the same.

The Department of Homeland Security, on the other hand, overestimated the risk with its Continuous Diagnostics and Mitigation program, GAO believes.

GAO acknowledged that “in many cases, agency CIOs could have more information than we examined in our assessments.”

Other factors likely played into the discrepancies, GAO reported. For example, many of the agencies failed to update the IT Dashboard monthly — particularly in the first month of the review, April 2015 — or to complete the ratings process in less than a month’s time.

Likewise, GAO found that many agencies did not focus their reviews on active risks. This triggers “additional questions about the degree to which information reported on the Dashboard provides full and accurate information about an investment’s risk,” GAO reported.

“While agencies’ consideration of active risk is not explicitly called for by OMB’s guidance, this represents a gap in the agencies’ processes that is understating the amount of risk reflected in the Dashboard’s CIO ratings.”

This isn’t the first time GAO has reported inaccuracies in the IT Dashboard since its creation in 2009.

In a December 2013 report, GAO found that of 80 reviewed investments, “53 of the CIO ratings were consistent with the investment risk, 20 were partially consistent, and seven were inconsistent.”

Another report from 2012 observed that “six agencies rated a majority of investments listed on the IT Dashboard as low or moderately low risk” from June 2009 through March 2012, and two agencies — DOD and the National Science Foundation — rated no investments as high or moderately high risk.

Read the full report here.

Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.

Agencies get hard deadlines to meet software policy

The Office of Management and Budget is bearing down on agencies to consolidate their software licenses. 

OMB’s Office of Federal Procurement Policy issued final guidance Thursday on the administration’s software licensing policy, which, released in draft form last December, calls for agencies to consolidate and eliminate redundant software licenses. The guidance is in line with category management, a strategy to make the buying and managing of commoditized goods and services in the federal government more efficient and unified by grouping similar products into categories. 

The new guidance calls for agencies to take on “a more centralized and collaborative software management approach,” and when possible, buy licenses using governmentwide agreements, like the one recently negotiated with geospatial IT firm Esri. 

“It’s really kind of moving toward holding agencies accountable for their purchasing and management,” U.S. Chief Acquisition Officer Anne Rung told FedScoop of the draft guidance in December 2015.

Rung, in a White House blog Thursday, wrote that the ESCT expects to see $1.5 million in savings from the Esri deal by the close of fiscal year 2016 and will look to negotiate two more governmentwide software agreements by the year’s end.

[Read more: White House will fix way government buys software.]

“We have a really fragmented and inefficient marketplace, particularly around software,” Rung said, and there’s countless Government Accountability Office documentation detailing the $9 billion in poor spending on software licenses among more than 50,000 transactions.

“We buy and manage in a very decentralized manner, we struggle to create accurate inventories — so we don’t know what we own — we often purchase unneeded capabilities, and we’re not sharing information across government like pricing terms,” she said.

The guidance officially creates an Enterprise Software Category Team, or ESCT, which will be in charge of the governmentwide software acquisition category and look to promote model software agreements and strike more governmentwide deals. Led by the General Services Administration, the Defense Department and OMB, the team will issue guidance within the next 120 days on the best software buying practices for agencies.

[Read more: GSA: New software deal could save agencies millions]

With the publication of the final guidance, OFPP has keyed in on some more rigid deadlines agencies must adhere to in the move — for instance, they are immediately forbidden from entering contracts that prohibit the sharing of prices, terms and conditions with other agencies.

In the next 45 days, agencies must appoint a software manager responsible for overseeing commercial software agreements and licenses. The policy clarifies that this does not apply to custom-developed software.

By Sept. 30, that software manager and the CIO must compile a baseline inventory of the agency’s software. The policy emphasizes that agencies should look to use software management technologies, like software asset management tools and continuous monitoring as a service, to automate the maintenance of this inventory. 

Starting Nov. 30, and every quarter going forward, agencies will have to report savings to OMB associated with improved software license management.  

These are all requirements set forth in the original draft guidance but with updated official deadlines agencies must adhere to. 

This policy is one of three OMB has issued in recent months — it also issued guidance on the buying of computer workstations and mobile technologies — leveraging category management to help the federal government rein in its spending on IT.

Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.

Social Security Administration charged with hiding bad audit

The Social Security Administration — an institution that last year provided roughly $930 billion in payments to about 67 million Americans — is under fire for what one GOP lawmaker calls a concerning gap in its cybersecurity defenses. 

Now the SSA is pushing back against the claims from House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, telling FedScoop that the agency has made progress over the year since DHS auditors discovered vulnerabilities via a penetration test. 

In short, the SSA is more secure today than the House Oversight and Government Reform Committee suggests, according to SSA Chief Information Security Officer Marti Eckert.

Last week, agency officials were grilled during a lengthy hearing led by Chaffetz and Rep. Will Hurd, R-Texas.

SSA inspector general Gale Stallworth Stone has said that agency officials failed to fully share a crucial 2015 DHS auditor’s report until just last week, though it was originally conducted about nine months ago.

“It just seems to us, it comes across, that you were hiding something from the inspector general,” Chaffetz told SSA chief Carolyn Colvin at the hearing. 

Eckert, on the other hand, said in an interview with FedScoop that the SSA briefed the inspector general last year — shortly before the penetration testing was concluded. 

The testing, done by external DHS contractors, is designed to measure the effectiveness of the agency’s cyber defenses — of increasing importance in a post-OPM breach world.

“OIG officials were briefed on the DHS report in 2015. However, we were just recently provided the full report, and we are carefully evaluating DHS’s concerns. Oversight of SSA’s information systems and internal controls is a top OIG priority,” inspector general spokesman Andrew Cannarsa wrote in an email. 

Importantly, the auditor’s report showed that once testers were inside the system, they were able to gain access to personally identifiable information. 

“The DHS team was able to escalate privileges once they were inside your system and take control of your entire system. That’s a big deal,” Hurd said during the hearing Thursday. 

He later added, “I’ve said this a hundred times. This is not an issue of technology, this is an issue of leadership.”

Hurd’s direct commentary on SSA’s leadership comes at a time when CIO Robert Klopp and acting administrator Carolyn Colvin have publicly and continuously advocated for increased funding to invest in innovative cybersecurity technologies.

FedScoop reached out to Hurd’s office for comment, but they did not provide a response. 

Tanium, a Silicon Valley-based endpoint detection cybersecurity firm that services the SSA, also declined to comment for this story.

Eckert said she couldn’t comment on the results of recent and ongoing penetration tests, but felt “rewarded” by the results of these simulated attacks.

She also said that the SSA did nothing “suspicious,” and that Chaffetz’s suggestions to the contrary — that her agency withheld a damning report — are unequivocally false. 

“If we had been doing anything suspicious then why would we have turned over the report to the committee in the first place?” Eckert asked rhetorically. 

Last week, Klopp told the committee: “As far as we know, no one — without help from us — has ever come into the agency, entered and penetrated in and exfiltrated data out.”

Director of Technical Operations in the Office of Information Security Dirk Wiker said the SSA encouraged DHS auditors further into the system to better understand deficiencies and other cyber risks. 

Eckert echoed Wiker’s statement, saying that these penetration tests are supposed to be educational and not a benchmark on performance — “security is a continuous process … we’re progressively becoming more integrated into other processes of the agency.”

Watch the hearing here:

https://www.youtube.com/watch?v=cNO7BihmRXI

To contact the reporter on this story you can send him an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.

New malware aimed at industrial systems found

Researchers at Silicon Valley-based cybersecurity giant FireEye have discovered malware aimed at industrial control systems — only the fourth of its kind.

In a new report, released Thursday, the company details the discovery of the malware, dubbed “Irongate,” last year — saying that it has not been used in actual attacks and that it appears designed to run in a simulation environment rather than on an actual ICS.

“We acknowledge that Irongate could be a test case, proof of concept, or research activity for ICS attack techniques,” the researchers write.

The revelation comes at time when Congress and others are increasingly concerned about the prevalence of cyber threats against vital industries, like the electrical grid, that are controlled by ICSs.

ICS and SCADA (supervisory control and data acquisition) systems are the specialized computer equipment and software that monitor and control industrial plants.

Several of FireEye’s channel distribution partners — companies like Parsons and St. Louis-based Belden — specialize in protecting similar industrial technologies from hackers.

FireEye explains in their report that they do not know who created Irongate or why. There is no evidence to suggest the malware has been used in the real world, according to the report. 

Nonetheless, Irongate could be dangerous because it is designed to manipulate data files to alter operations tied to temperature and pressure in the machine controlled by the ICS. In the case of an electrical power plant, this could translate into physical damage to actual hardware. 

The Irongate discovery is significant, Mandiant senior manager and researcher Dan Scali told FedScoop, because it highlights “the significant challenges the industry faces in discovering threats to ICS and effectively detecting attacks on ICS environments.”

FireEye researchers say that Irongate is only the fourth kind of malware to be found that’s designed to work on ICS — the most notable until now being Stuxnet, a computer worm reportedly developed by the United States in tandem with Israel to cripple Iran’s nascent nuclear program. 

In an email interview with FedScoop, Scali went on to say that though Irongate is part of a “small sample size,” the growing prevalence of such malware is concerning.

Irongate was found on VirusTotal, a free online service owned by Google and used to scan suspicious computer files and detect malware. The malware had been sitting in the database unanalyzed for nearly two years, according to FireEye.

“We are witnessing an evolution in the industry’s understanding of ICS threats. Stuxnet proved that cyber attacks could cause physical consequences in the real world. For two or three years after that, we mainly saw researchers get interested in ICS and discover hundreds of vulnerabilities in ICS technology,” Scali said.

He added, “we are starting to discover malware samples and hear about real incidents that show attackers (or others) are weaponizing those vulnerabilities. Asset owners must be able to monitor their ICS environments for these types of threats.”

To contact the reporter on this story you can send him an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.

OPM resumes hunt for permanent CIO

The Office of Personnel Management is again looking for a CIO to lead the beleaguered agency’s IT modernization efforts after major breaches there compromised the personal information of more than 21 million Americans. 

OPM posted the listing to USAJobs.gov Wednesday, searching for a “visionary individual” ready to “continue the progress of strengthening IT security and modernization at OPM.”

“The OPM CIO will lead the agency’s major Digital and IT transformation initiatives, and will have the opportunity to buy, build and deliver the nation’s leading technology and cybersecurity practices and tools to support OPM’s mission requirements,” the listing says.

The agency is currently undertaking a massive IT modernization project, which it calls its Shell environment, to move away from legacy systems and upgrade security features. 

The House Appropriations Committee’s Subcommittee on Financial Services and General Government recently approved $37 million — the same the agency requested in the fiscal year 2017 president’s budget request — to build out that environment through fiscal year 2018. The year prior, OPM received $21 million for its IT modernization. 

The Shell project, along with the build-out of the National Background Investigations Bureau, will be key focuses of the new CIO, the listing says.

[Read more: New background check agency announced in wake of OPM hacks]

“A key priority for this individual will be to continue the progress of strengthening IT security and modernization at OPM,” it says. 

“This individual must be capable of operating within an interagency environment to support the successful establishment of the National Background Investigations Bureau as well as the continued success of OPM’s other core missions and services,” the listing says. 

“This position offers an unprecedented opportunity to an individual who has a passion for enabling excellence in human capital management services through the rapid deployment of emerging technology.”

OPM hasn’t had a CIO in an official capacity since Donna Seymour, who held the position when the breach occurred, quit federal service amid the fallout in late February. Since her departure, David Vargas, OPM’s deputy CIO, took over as interim CIO for a brief period, and then U.S. Deputy CIO Lisa Schlosser stepped in March 17 to take a detail as a senior adviser and acting CIO.

[Read more: OPM CIO Donna Seymour retires]

The senior executive service hire will receive a salary of up to $185,100. The listing is open until June 22. 

Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.