OPM’s new email system sparks questions about cyber compliance
On Friday, an email landing in employees’ inboxes from the address hr@opm.gov told recipients that it was a “test of a new distribution and response list” and asked them to reply “YES” to it. Many workers noted on a federal employee Reddit forum that they suspected it was a phishing email and reported it to their IT departments. A second test email went out on Saturday, according to email metadata obtained by Nextgov/FCW.
But just days before President Donald Trump’s inauguration, OPM did not have the capability to send a mass email of that scale, according to a person familiar with the matter. To send mass emails, the agency had used govDelivery, a cloud communications service provided by public sector IT company Granicus, a different person familiar with the matter said.
The govDelivery contract had restrictions on the volume of emails available to send without incurring added costs, and the agency would not have been able to reach 2.3 million people, the approximate number of all civilian federal employees, the second person added. Both people were granted anonymity to be candid about the sensitive nature of OPM’s email policies.
A lawsuit filed by unnamed federal employees in Washington, D.C. on Monday alleges that OPM violated the E-Government Act of 2002 by failing to conduct and publish required Privacy Impact Assessments before deploying the new email arrangement to collect the responses from government employees.
The plaintiffs also raise concerns about third-party involvement, linking the system to billionaire Elon Musk, a close ally of the new Trump administration, which has vowed to overhaul government spending priorities via the Department of Government Efficiency, or DOGE.
The lawsuit references a Reddit post tied to a purported anonymous OPM employee, alleging that federal agencies were instructed to send employee information to OPM’s new Chief of Staff Amanda Scales, whose career history includes working for Musk’s company xAI. Musk visited OPM for unknown reasons on Friday, people familiar with the matter told Nextgov/FCW.
The Monday suit also argues that government employees “will face a reasonably foreseeable risk that their [personally identifiable information] will be unlawfully obtained from these unknown systems,” and seeks to halt the system’s use until OPM complies with privacy requirements.
An OPM spokesperson did not return requests for comment asking about the lawsuit and how the email system was implemented.
A major OPM breach discovered in 2015 exposed the personal records of some 22 million current and former federal employees and their families. The incident forced the government to rethink its security culture, including how and where federal employees’ data is accessed.
“It is deeply troubling to see what appears to be a complete disregard of information security and privacy practices as required by federal law, such as [the Federal Information Security Modernization Act of] 2014. The administration’s actions have the potential to leave government data vulnerable to exfiltration and compromise,” said one former government technology official who spoke on the condition of anonymity to be candid about the nature of the email system.
FISMA mandates that government agencies and their contractor clients implement robust security measures to protect sensitive government data, including employee information.
During the Biden administration, OPM had explored capabilities to send individual emails to all employees in the federal government, but it was ultimately not deemed feasible because it would have cost upwards of hundreds of thousands of dollars to deploy, said Jack Miller, a former agency communications director.
“If they’re spending hundreds of thousands on a few email blasts, that’s an incredible waste of taxpayer money. Maybe DOGE should look into that,” he told Nextgov/FCW via text message.
Editor's note: This article has been updated to correct the date the lawsuit was filed.