US OPM takes vulnerable background investigation portal offline

The US Office of Personnel Management announced on Monday that it has temporarily suspended the E-QIP (Electronic Questionnaires for Investigations Processing) system, a web-based platform used to complete and submit background investigation forms.

The decision was made after a review of the security of OPM’s IT systems revealed the existence of a serious vulnerability, and the system was taken offline in order to remediate it.

“The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited,” the OPM stated, and added that the system will be back online (along with security enhancements) in four to six weeks.

“OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so. In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies’ requirements,” they concluded.

Reuters reports that some agencies are apparently thinking about starting to submit on paper the forms usually fed into E-QIP.

What is sure to happen is that the processing time of security clearance applications will increase, and this can affect the agencies’ operations.

“During Ars’ investigation of the OPM breach, we discovered that an Internet-facing web page associated with access to E-QIP was running on Adobe JRun 4, a Java web application server that Adobe ended extended support for last year. The server was running in the hosting facility of an application service provider, and not on OPM’s own network,” noted Ars Technica’s Sean Gallagher.

“It’s not known if that login server is part of the flaw discovered by OPM during its security checks, but it is indicative of the overall state of OPM’s background investigation information systems—a modernization project, called EPIC Transformation, was re-baselined and rebooted last year after four years of effort.”

Also, according to The Daily Beast, five years ago US intelligence agencies refused to merge a database containing classified personnel records of intelligence agency employees with one of OPM’s databases. They were worried about their employees’ privacy and security.

Despite this, three years later, the two databases were apparently linked, and remain connected to this day. Whether this means that both were compromised in the latest hacks is currently unconfirmed.