Acting OPM director Beth Cobert appeared before the House Oversight Committee on Feb. 25 in an attempt to outline how the new National Background Investigations Bureau would work.
The committee was not impressed.
For two hours, representatives from both sides of the aisle lambasted Cobert, federal CIO Tony Scott and other officials on the plan to scrap the Federal Investigative Service in favor of a new office to run the government's background investigations apparatus.
Questions of funding, security, investigation criteria and even social media use came to the fore while Cobert and the panel fielded rapid-fire queries from committee members. Here are four of the concerns they raised, and the panel's answers.
1. The structure
The NBIB will be a joint-agency effort managed by OPM, with an IT structure managed by DoD and run by a presidential appointee. This is to ensure the background investigation is protected from cyber attacks like last summer's OPM hack, but committee members were confused about who was accountable for the multi-faceted organization.
Because of the complex inter-agency structure, Rep. Steven Russell, R-Okla., asked Cobert, and DoD CIO Terry Halverson, repeatedly where authority and accountability would fall when it came to the security of NBIB's system.
"Now the Department of Defense is going to have to go through the bureau, who goes through OPM and will talk about it on the [Suitability and Security Clearance Performance Accountability Council]. You may not have that authority [to make final IT decisions]," Russell said.
Halvorsen explained that while the NBIB is an OPM entity, the DoD alone would be responsible for its IT operations.
But Russell wasn't biting and said the current structure of the NBIB creates the potential for a conflict between OPM and DoD, with an unclear authority.
"You've got to have somebody clearly in charge," he said. "Here's my big beef, if the Department of Defense is going to clearly have the greatest level of responsibility to protect these documents, then they had by-golly better have the authority to make it good."
2. Who pays for it?
Funding was another thorny issue for the committee, again due to the complexity of standing up the NBIB. DoD will fund the creation of the NBIB's IT system with $95 million from its 2017 topline budget, but OPM will fund its operations through the fee-for-service model it presently uses.
The distinction was challenged by Russell and Rep. Mark Meadows, R-N.C., who again smelled an emerging conflict between the two agencies since DoD makes recommendations on how much NBIB spends to maintain the IT infrastructure while OPM determines the fees for background checks, which it will charge DoD for the background checks it requests.
"Help me understand, because OPM has a relationship here. So how now that it's your decision, and we are going to pay for it through OPM, how do the two of those work together," Meadows asked Halvorsen.
Halvorsen and Cobert explained that while DoD will pay for setting up NBIB's IT system, OPM would pay for its operation by charging agencies for the background checks they request. The question of funding continued to come up as members asked who would be accountable for managing the new bureau.
"One of the concerns I have is that when you have monies going to OPM versus an outside contractor, if the job is not done correctly, who does that ultimately fall to," Meadows asked.
"The investigative operations will be housed at OPM, I will be accountable," Cobert said.
3. The implementation
The plan to stand-up NBIB hinges on DoD being able to establish its IT system. Cobert said construction of the system is scheduled to begin in October 2016, "though implementation work will remain to be done after this date."
The plan drew skepticism from a few members, including Rep. John Mica, R-Fla., who noted that OPM has a backlog of investigations it has yet to complete under its current system.
"Oh folks, hang on to your shorts on this one," he said. "By the time you get the IT in place and the money you are going to spend and then by the time you get OPM up and running, I mean you can't even get the personnel to do the manual processing of the retirement [benefits]. I think we are headed for another disaster."
Rep. Stephen Lynch, D-Mass., also expressed doubt in the timeline to set up NBIB, calling it "happy talk".
"We've had terrible problems with just getting basic information up and running," he said.
4. The contractors
Rep. Elijah Cummings, D-Md., and Rep. Eleanor Holmes Norton, D-D.C., both took issue with the weakness in contractor security, particularly with Anthem, a Blue Cross and Blue Shield company that provides federal employee benefits and suffered a data breach in December 2014 that exposed personal information.
Norton said she was particularly troubled that contracts with Anthem did not require them to allow the U.S. Computer Emergency Readiness Team to investigate its network once the hack was discovered.
"I can't understand that," she said. "These people are acting in place of the government. Should the people who provide these services, and have the sensitive information, be required to institute equivalent security measures, including having someone equivalent to the government or the government come in to investigate a breach?"
Cobert said that OPM is examining the contract clauses when it comes to investigations and is working contractors on their cybersecurity. The answer didn't please Holmes, who reiterated her call for lifetime identity protection for all federal employees.