Senator Jon Tester called on Office of Personnel Management Inspector General Patrick McFarland to further investigate the potential security vulnerabilities of a critical OPM data system that houses personal background investigation information.
JON TESTER
United States Senate
July 6, 2015
The Honorable Patrick McFarland
Inspector General
Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
Dear Inspector General McFarland:
I write to express my concern about possible key vulnerabilities in the EPIC suite system
within the Office of Personnel Management’s Federal Investigative Service (OPM-FIS). On June
29, OPM promised to re-evaluate its Electronic Questionnaires for Investigations Processing
(e-QIP) and has taken it offline for a period of four to six weeks. I am concerned, however, that the
larger suite of products under which e-QIP is housed, known as “EPIC,” remains vulnerable
despite significant investments into the system. Therefore, I request that you further investigate
potential vulnerabilities of the EPIC suite during and after the planned 30-day review by the
Office of Management and Budget (OMB), and issue recommendations to OPM in order to
secure its suite of programs.
According to your office’s “Fiscal Year 2014 Top Management Challenges”
memorandum to OPM Director Archuleta, the EPIC system has operated without a
comprehensive assessment that declares that a system’s security controls are meeting the security
requirements of that system. This vulnerability may have exposed both EPIC suite's e-QIP
system and the entirety of the data housed within it. In particular, such a breach would expose
elements from the Standard Form-86 (SF-86s) completed in the course of investigating the
millions of current and former candidates for security clearance. This form includes incredibly
personal information, including a candidate’s level of debt, history of substance abuse, and
sexual behaviors.
In June, OMB ordered agencies to take immediate action over 30 days to enhance the
security of their systems and data. Yet, as your office’s June 17 flash audit made clear, it is
critical for OPM to first institute management best practices and identify the full scope and cost
of IT security upgrade projects. In the case of the EPIC suite upgrades, it is necessary for OPM
to conduct proper and thorough planning of system upgrades, consult with multiple vendors, and
develop its systems and software to obtain proper Authorization. Given that the total estimated
costs of updating the EPIC suite from fiscal years 2010-2015 was more than $164 million, it is
troublesome that IT systems management best practices appear not to have been in place. It is
critical that your office remain diligent in its oversight of the EPIC suite, particularly in light of
the $23 million Fiscal Year 2015 Acceleration Option request from OPM.
While it is not yet clear how many individuals’ background investigations for security
clearances were exposed by the breach, it is important that future such instances do not occur. It
is important that the OIG have unfettered access to the EPIC suite in order to evaluate potential
vulnerabilities during and after OMB’s 30-day review. It is also important that the OIG oversee
that management best practices are maintained as OPM provides a work-around for application
processing as e-QIP remains offline. With the OIG’s comprehensive oversight of such projects
and OPM’s implementation of IT systems management best practices, I am hopeful that future
such breaches can be avoided altogether.
I look forward to working with you to address these problems and am happy to provide
any assistance as needed.
Jon Tester
United States Senator