From: 1500AM

By Ruben Gomez

The Federal Retirement Thrift Investment Board plans to issue, by Dec. 31, a request for proposal on a new contract for Thrift Savings Plan data center services.

The contract will include “very stringent” IT security requirements aimed at preventing future data breaches, such as one announced two months ago that affected 123,000 TSP accounts, said Greg Long, the agency’s executive director, Tuesday before the Senate Homeland Security and Governmental Affairs subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia.

“We’re in the process of designing the procurement action,” Long said. “We anticipate rolling that out on the street by the end of this calendar year, and then awarding next fiscal year.”

In July 2011, hackers accessed IT systems at the FRTIB contractor Serco, Inc. The breach, announced in May, mostly compromised Social Security numbers. About 43,000 accounts, including that of subcommittee chairman Sen. Daniel Akaka (D-Hawaii), contained names, addresses, Social Security numbers and possibly bank routing numbers.

Long did not provide specifics about the contract or about why his agency is reopening it for competition.

“I anticipate that the incumbent typically is a bidder,” he said. “But it will be a full and open competition. We are seeking robust competition from all parties.”

Shorter data retention schedules might improve privacy

Long said that beyond improving network security, agencies can reduce their risk of security breaches by shortening the retention times for documents containing personal information.

“Currently, [the law governing FRTIB] does not contain a statute of limitations for judicial review of a claim for benefits brought by a TSP participant or beneficiary,” Long said in written testimony. “This indefinite exposure to potential litigation over benefits forces the TSP to retain records of benefits paid for an unlimited period of time, even after a participant’s account balance has been completely disbursed and he or she is no longer a participant. The absence of a statute of limitations, therefore, results in an extraordinary record retention burden, which increases the data potentially available to be accessed through a cyber attack or other data breach.”

The Government Accountability Office also advocates for shorter data retention periods among FRTIB and other agencies.

“The principle is just, ‘for as long as you need the information, keep it, protect it. Once that need no longer exists, get rid of it, delete it,’” said Greg Wilshusen, GAO’s director of information security issues.

Akaka introduced the Privacy Act modernization bill last fall, which would implement the GAO’s recommendation.

But agency leaders are hesitant to embrace the concept, said Mary Ellen Callahan, the Homeland Security Department’s outgoing chief privacy officer. “One because they already have an approved retention period from the National Archives, and you don’t want to go counter to that. And second, there’s also the question about whether or not it affects operations if you delete information on a more subjective standard as Mr. Wilshusen had argued.”