Only 18 million?
I appreciate understatement, but that takes the cake.
A security review that followed the original hack at the US Office of Personnel Management (OPM) has turned up a new, but hopefully-unexploited, vulnerability. The “Electronic Questionnaires for Investigations Processing” system, abbreviated to e-QIP, was found to be vulnerable under the review, and will be taken offline for …
...one response may be for the US government to issue fewer clearances.
Not likely given that clearances are linked to positions and the information employees and contractors are allowed to handle. A more realistic response might be to extend the time between the periodic background checks required to maintain a clearance or to change the way follow-up investigations are run. Of course that might lessen the effectiveness of the process, so not necessarily a great idea either. Perhaps it would be better for the government to get a realistic grasp on the concept of total cost of ownership instead of massaging the data to win elections. Now why don't we have a flying pig icon?
Perhaps US gov should contract all this sort of security related stuff out to a company with a good security record?
"Typewriters and carbon paper. Just remember to dispose of the carbon sheets and the ribbon cassette properly."
That leaves two forms, one immense in pages. The SF85 for general public trust and the SF86 for an actual clearance.
That is what e-QIP was filling out, the SF86. The papers, when printed, are labeled SF86.
I know, I did one not all that long ago.
So, I'm quite enraged over this on two parts. One, I'm an information security professional and this is an exhibition of the most mind-boggling incompetence imaginable. On the other side, I'm immensely pissed off, as my family's information is in there as well.
They're a bunch of incompetent, myopic, anencephalic arboreal misanthropes and the lot of them, from the junior IA staff to the IAM and DAA should be given the sack.
Preferably, with the sack filled with venomous snakes.
That's the question that seems to stand out.
Are these low level functionaries who are being "security cleared" as a kind of band-aid to mitigate the lack of data security in the systems they are operating - in which case there's a much bigger IT issue lurking round the corner?
Or is the secret "inner state" really that big - in which case perhaps its size is the reason for its vulnerability?
Don't forget: a lot of these jobs will involve access to buildings as well as networks. Even if someone doesn't have clearance to get into the 'secure' room, they could still do something nasty in the canteen where people with all sorts of clearance will visit at some point.
Some work on unclassified networks, but require a clearance for classified threat briefings. Some work on classified networks or sensitive networks and require a classification background investigation one level higher than their duties because of regulations that insist those with such access are of impeccable character.
Even a public trust position requires much of the same background investigation.
>Even a public trust position requires much of the same background investigation.
Why? If someone's dealings in a position of public trust are transparent, you don't need to do background checks because their activities are in full public view and you can trust the public to keep an eye on them.
And if their dealings are covert as a matter of policy or practice, then all background checks do is to ensure public positions are stuffed with people who will do what they're told "because national security, drugs, children....". Now clearly you need some of those people, just as you need a bunch of people who like guns and can be convinced they're serving some higher cause by pointing them at anyone they're told to, but if you have too many, they have a habit of dictating public policy rather than supporting it.