The Perfect Storm: OPM e-QIP Shutdown vs OMB Smartcard Requirements
Last week the Office of Personnel Management made a decision to shut down the e-QIP application used to process 90% of Federal government background investigations for 4-6 weeks. At the same time, due to the data breach which allowed hackers access to OPM investigative records through a laptop that was only user ID/password protected, the Office of Management and Budget has now pushed for all Federal agencies to comply with an HSPD-12 requirement first rolled out in 2005 that mandated agencies upgrade their IT infrastructures to meet Federal Identity Credentialing and Access Management (FICAM) standards. The result of these two events is “the perfect storm” in which compliance with investigative requirements for issuance of a smart identification card and the inability to submit background investigations has left agencies in quite a predicament.
In 2011 OMB issued Memorandum 11-11 that detailed five steps agencies must take to make secure ID cards work on their computer networks and physical access control systems. As a part of that issuance process, per Federal Information Processing Standard (FIPS-201) requirements, a smartcard or common access card (CAC) cannot be issued to an individual until a fingerprint criminal history check is completed and the minimum level (NACI) of investigation has been scheduled. Because of the e-QIP shutdown, agencies cannot submit and schedule the required background investigation in order to issue a smartcard or CAC. Add this to the pressure being exerted by cybersecurity czars (CIOs) to comply with M11-11, agencies have some serious security and risk mitigation decisions to make.
According to a posting by Federal News Radio, this situation has forced additional guidance from OPM and ODNI who stated that agencies can obtain a hard copy of the applicable investigation application (SF85, SF-85P, and SF-86) for review during the on-boarding process. ODNI did put a qualifier on this interim risk mitigation decision, stating that it would not be used to grant security clearances. Once e-QIP is back up and running, agencies can then have these same applicants submit the same information into e-QIP to initiate the investigation.