Oversight

OPM broke the rules with its breach cleanup contract, says agency watchdog

Wikimedia image: U.S. Office of Personnel Management seal.

After news broke that millions of feds had been exposed in a breach at the Office of Personnel Management, OPM was in a rush to get the remediation ball rolling.

Perhaps a bit too much of a rush.

In an Oct. 30 memo to OPM's Acting Director Beth Cobert, made public Nov. 12, OPM Inspector General Patrick McFarland pointed to "significant deficiencies" with OPM's $20 million award to Winvale Group and subcontractor CSID.

"We determined that [OPM's Office of Procurement Operations] did not award the Winvale contract in compliance with the [Federal Acquisition Regulation] and OPM's policies and procedures, which led to the OPO selecting the wrong contracting vehicle," the memo stated.

A full report on the contract issues will be released within the month, an OPM IG spokesperson told FCW.

The Winvale/CSID contract has drawn questions for months, largely because OPM's Blanket Purchase Agreement Request for Quotation for identity protection services was open on FedBizOpps for only 36 hours.

"According to procurement experts, such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID," wrote Sen. Mark Warner (D-Va.) in a June letter to OPM.

"Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid," company spokesman Patrick Hillman said in a statement to Nextgov. "Beyond that, Winvale had no control over or insight into the bidding process."

OPM, for its part, is claiming the problem as its own discovery.

"We proactively identified an error with the Winvale contract, raised it with the OIG, and then took action to address this issue at no additional cost to the taxpayer," said OPM spokesman Sam Schumach. "Once the IG report is published, we will provide a formal response."

The Winvale/CSID contract covered credit monitoring and other services for the 4.2 million feds exposed in the first half of the breach revelations. When it came time to award a $133 million remediation contract for the second, larger batch of exposed individuals, OPM took more time and turned to the Defense Department for help.

About the Author

Zach Noble is a former FCW staff writer.

Featured

  • Cybersecurity
    Boy looks under voting booth at Ventura Polling Station for California primary Ventura County, California. Joseph Sohm / Shutterstock.com

    FBI breach notice rules lauded by states, but some want more

    A recent policy change by the FBI would notify states when their local election systems are hacked, but some state officials and lawmakers want the feds to inform a broader range of stakeholders in the election ecosystem.

  • paths (cybrain/Shutterstock.com)

    Does strategic planning help organizations?

    Steve Kelman notes growing support for strategic planning efforts -- and the steps agencies take to keep those plans relevant.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.