Legislators demand truth about OPM email server
www.computerworld.com
Two members of the US House of Representatives want answers from the US Office of Personnel Management (OPM) over allegations that a server of unknown nature was used last month to access sensitive government data without regard for crucial security and privacy protections.

In a letter sent Tuesday to Charles Ezell, acting director of the OPM, an independent agency that manages the US federal civil service, Gerald Connolly, ranking member of the Committee on Oversight and Government Reform, and Shontel Brown, ranking member of the Subcommittee on Cybersecurity, Information Technology and Government Innovation, wrote that on Jan. 24, millions of federal employees received an email from a new email address, hr@opm.gov, stating that it was a test of a new distribution and response list.

It went on to say that the email address sent several additional tests before sending a mass email to the federal workforce with the subject "Fork in the Road" detailing a potentially illegal resignation offer for federal employees.

In addition, they wrote, several days prior to the first test, OPM did not have the capability to email a distribution list of this scale. Acquiring such a capability securely and in compliance with federal cybersecurity, privacy, and procurement laws would likely not have been possible in such a short timeframe.

Connolly and Brown added that, compounding our concerns, other reports suggest that allies of Elon Musk recently installed at OPM have revoked senior career employee access to OPM computer systems containing extremely sensitive information, including the dates of birth, Social Security numbers, home addresses, pay grades, and appraisals of millions of government workers.

At best, the letter stated, the Trump administration's actions at OPM to date demonstrate gross negligence, severe incompetence, and a chaotic disregard for the security of our public.
At worst, we fear that Trump Administration officials know full well that their actions threaten to break our government and put our citizens at risk of foreign adversaries like China and Russia gaining access to our sensitive data.

Its authors wrote that the lack of security and oversight associated with the new email system and data management practices threatens to expose federal workers to personalized social engineering or spear phishing attacks to gain access to government systems. For example, it appears the effort to distribute the mass "Fork in the Road" email may have subverted cybersecurity controls in the National Oceanic and Atmospheric Administration (NOAA) email system, leading to the agency's 13,000 employees receiving a flood of inappropriate and spam email.

While the letter requested records and logs, as well as all emails, documents, and communications relevant to the planning and execution of the initiative, it also asked that Ezell present the information to the Committee on Oversight and Government Reform on Feb. 14. To date, no such meeting has been scheduled.

Computerworld reached out to the OPM press office regarding the letter and was told via email, "we do not have a comment on this."
Will McDonald, the communications director for Brown, who represents Ohio's 11th Congressional District, was also contacted, and he said there has as yet been no response to the letter from OPM.

Potential privacy and security risk

Erik Avakian, security counselor at Info-Tech Research Group, said the recent development regarding OPM and the alleged issues regarding an email server being deployed on the agency network and emails being distributed by the agency to federal employees raise potential security and privacy concerns that, if substantiated, could be out of sync with well-defined cybersecurity best practices and privacy regulations.

Most important, he said, would be the way in which the system had been deployed onto the federal network, particularly in light of the many existing US federal government-required processes, procedures, and checks a system would need to undergo before receiving green-light approval for such a fast-tracked deployment. There could be fast-track processes in place for such instances.

However, even in such cases, said Avakian, any deployment of systems or tools would certainly, as best practice, need to be reviewed for security vulnerabilities, and its architecture checked and hardened, at a minimum, to be aligned with the federal security requirements for systems deployed on the network prior to going live.

The question would be whether the processes were followed, he said.
In any case, there could be quite a checklist of issues regarding compliance with cybersecurity frameworks, best practices, and the Federal Government's memo regarding the implementation of Zero Trust, to name a few, as well as numerous privacy laws.

Aside from asking Ezell to appear at a briefing, the letter also asked that the OPM provide:

- A list of any information technology equipment installed at OPM between January 21, 2025, and January 24, 2025, and used to support the distribution of the "Fork in the Road" emails, including a description of how such equipment was procured.
- A list of the individuals who installed and/or accessed the equipment, including whether they were OPM employees at the time of their installation/access of the equipment and, if so, under what authority they were hired; and what background investigation and clearance processes they underwent as part of the hiring process.
- What steps were taken to safeguard the privacy of the millions of federal employees included in those databases and repositories.
- A description of the types of IT assets, software systems, code, or other tools used to collect information.

Avakian said that in terms of process and procedures, one question raised was whether the deployment of the email system underwent a Privacy Impact Assessment (PIA) before deployment of such a system on the production network.

If not, the omission of the PIA could imply non-compliance with established federal cybersecurity practices and privacy laws such as the E-Government Act of 2002, which mandates that all US federal agencies conduct PIAs before implementing systems, particularly those that store or handle Personally Identifiable Information (PII). The PIA, said Avakian, would be just one example of the assessments a system would need to undergo before deployment.
While there is the possibility of OPM submitting a retroactive PIA, it would still position OPM's initial failure to perform this assessment as a significant issue and potential legal hurdle.

Mass deferred resignation offer could cause loss of critical expertise

According to a release, a letter sent by Connolly and other Democratic members of the oversight committee to President Donald Trump on Monday requested documents and information regarding his deferred resignation offer sent en masse to the federal workforce, and urged him to rescind the offer.

They wrote that it would precipitate a mass exodus of the most experienced and capable federal employees, leaving our agencies severely understaffed and incapable of fulfilling their responsibilities. The consequence of this brain drain will be felt by every American.

Committee members argued that, without the expertise and institutional knowledge that so many federal employees bring to their work, our government will be incapable of responding effectively to national emergencies, serving the American public, or even carrying out routine operations. The resignation offer sets the stage for an unparalleled crisis in our government's ability to deliver for the American people.