Update to All HHS Staff on OPM Cybersecurity Incidents    

This update was distributed to all HHS staff on July 6, 2015

Dear Colleagues,

I am writing to provide an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM). OPM is working hard to improve customer service, complete its forensics effort, and to conduct a comprehensive IT systems review. Many of your questions and concerns about these incidents are addressed here.

Personnel Records Incident

First, OPM is working to complete the process of notifying individuals whose personally identifiable information (PII) may have been compromised by the incident involving personnel records announced on June 4th. 

All notices will be sent by letter or e-mail. Notification letters are being sent by first class mail to those individuals from whom an e-mail bounce back message was received.

OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. All affected employees are automatically enrolled for a comprehensive, 18-month membership, whether or not they have yet received a notice from OPM.

For more information on the CSID services and for contact information, please visit this HHS Intranet webpage: http://intranet.hhs.gov/security/ossi-cyber-incident.html

We have heard your concerns regarding these notifications and CSID's customer service - and HHS has been working with OPM to improve the quality of your experience. We understand that many of you are concerned about providing PII to CSID to register for this service. OPM has confirmed that it is not possible for CSID to provide credit monitoring services without your Social Security Number, but that you will still receive identity theft protection even if you do not register. 

Background Investigation Incident

Second, regarding the separate but related cyber incident affecting background investigations announced on June 15, we understand that many of you are concerned and are seeking more information. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). 

The investigators are working to determine the complete list of affected individuals. Once this information is available, OPM will coordinate with agencies to send notifications to those affected individuals as soon as possible, but this will take some time. We expect to provide information regarding affected individuals and our notification process during the week of July 6.

E-QIP Suspension

OPM recently announced the temporary suspension of the e-QIP system, a web-based platform used to complete and submit background investigation forms. The suspension is to enable OPM to implement vulnerability mitigation. 

The actions OPM has taken are not the direct result of malicious activity on its network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network. 

OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented.  It is unlikely that this situation will affect many current employees. In the unlikely event it does, affected individuals will be contacted directly by their HHS division representative.

Resources for You

OPM also continues to update their Frequently Asked Questions which you can find here: http://www.opm.gov/cybersecurity

We encourage you to review OPM Director Katherine Archuleta's recent blog which also addresses many of these concerns: 

http://www.opm.gov/blogs/Director.

OPM is the definitive source for information on the recent cyber incidents and we will continue to update you as we learn more information.

Personal Safety and Cybersecurity Reminders

The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Safety of Personal Information Resources from National Counterintelligence and Security Center:

• Employees can find information about the measures they can take to ensure the safety of their personal information at the National Counterintelligence and Security Center (NCSC) at: http://www.ncsc.gov. 

Steps for Monitoring Your Identity and Financial Information

• Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
• Request a free credit report at http://www.annualcreditreport.com/ or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus - Equifax^�, Experian^�, and TransUnion^� - for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, http://www.ftc.gov/.
• Review resources provided on the FTC identity theft website, http://www.identitytheft.gov/.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
• You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion^� at 1-800-680-7289 to place this alert.  TransUnion^� will then notify the other two credit bureaus on your behalf.

Precautions to Help You Avoid Becoming a Victim

• Be suspicious of unsolicited phone calls, visits, or e-mail messages from individuals asking about you, your employees, your colleagues or any other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in e-mail, and do not respond to e-mail solicitations for this information. This includes following links sent in e-mail.
• Do not send sensitive information over the Internet before checking a website's security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
• Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an e-mail request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
• Install and maintain anti-virus software, firewalls, and e-mail filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
• Take advantage of any anti-phishing features offered by your e-mail client and web browser.
• Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at http://www.ic3.gov/.
• Additional information about preventative steps by consulting the Federal Trade Commission's website, http://www.consumer.gov/idtheft. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.

Identity Theft Clearinghouse

Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

https://www.identitytheft.gov/

1-877-IDTHEFT (438-4338)

TDD: 1-202-326-2502

If you have questions or comments regarding the content above, please contact the sponsoring organization listed. If you have accessibility issues with any of the linked content in this e-blast, please notify ASPA/DCD (http://wcdapps.hhs.gov/AccessibilityAssistance/).

*Please note you are receiving this e-mail because you are using an e-mail account supported by the Department of Health and Human Services. HHS News cannot remove you from this e-mail list. 

Please do not respond to this e-mail. If you have questions or comments regarding the content above, please contact the sponsoring organization listed. If you would like to submit a message for HHS News dispersal, please email [email protected]. Thank you.  

How to Enroll

The NED courses are posted on the CIT Training site where visitors can view availability for any class and receive a confirmation immediately after registering. The catalog of NED classes is posted at: http://training.cit.nih.gov/coursecatalog.aspx under "General Seminars." 

When you see a course you want to take, just click on the course name (listed in the right column of the table). You will be taken to the HHS Learning Management System (LMS) where you can register for the course online.

To log on to the HHS Learning Management System, you can use either your PIV card and PIN or your NIH credentials. If you experience any difficulties accessing the LMS, please contact the CIT Training Program at 301-594-6248 or send an e-mail to: [email protected].   

In light of the recent revelations about the hacking of government personnel records maintained by OPM, DPSAC and the HSPD-12 Program Office would like to offer this brief review of a critical component of the privacy course, namely, protecting an individual's Personally Identifiable Information, commonly referred to as PII.

Below is a definition of PII as well as a few examples of PII, some of which may surprise you. If you would like to review the NIH Privacy Awareness course, you can log on to the NIH Security Training site at:

http://irtsectraining.nih.gov/ 

The following FAQs, which first appeared in the June 24, 2015 DPSAC News, have been modified slightly for clarification purposes in response to inquiries from DPSAC News readers.  

Foreign national contractors require special attention when they are converting to an FTE or are renewing their PIV card.

Due to limitations in the HHS smart card management system, AOs need to be aware that renewing the badge of a foreign national currently in possession of a PIV card or reclassifying a foreign national with a PIV card from contractor to FTE results in the immediate revocation of the PIV card.
    

The National Institute of Standards and Technology (NIST) has updated its technical specifications and guidance for the next generation of "smart" identity cards used by the federal government's workforce. The new specifications add enhanced security features to verify employees' and contractors' identities, as well as new capabilities that work with mobile devices and media such as smart phones.

Federal employees and contractors use Personal Identification Verification (PIV) Cards for secure access to government facilities and computers. The PIV Card features a microchip with the employee's photo, PIN, fingerprint information and other details.

The next generation PIV Card can be used with mobile devices, enabling federal employees to connect securely to government computer networks from such devices. This feature is in addition to the Derived PIV Credential as specified in Guidelines for Derived Personal Identity Verification (PIV) Credentials, issued in December 2014. The card provides stronger identity assurance for federal workers to enter many government facilities and use computers at those locations.

The revised Federal Information Processing Standard 201-2 of 2013 sets the stage for the new generation of PIV Cards by specifying new technologies for the strong authentication credential and provides enhanced support for mobile devices based on lessons learned from federal agencies.

NIST has issued updates to two key documents that lay out the technical details identified in FIPS 201-2 for government PIV Cards:

• Interfaces for Personal Identity Verification (Special Publication 800-73-4), governs the PIV Card's credentials: how the credentials are stored on the PIV Card and how to retrieve and check them. The update provides additional ways to authenticate, or prove, the cardholder's identity. One method, called on-card biometric comparison, helps preserve a cardholder's privacy because the individual's fingerprint data never leave the card.
  
  A new specification protects wireless communications between the PIV Card and mobile device when the cardholder uses authentication, signature or encryption services with a mobile device. Another new security feature prevents a cardholder from changing the PIN to one that is too short.
   
• The revised publication, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (Special Publication 800-78-4), provides the technical cryptographic details needed to maintain the security of the next-generation PIV Card.