
After breach, OPM ignored contracting requirements in ID monitoring deal


The Office of Personnel Management is suffering recurring headaches from its devastating data breaches. Not only do information security weaknesses persist at the personnel agency, but OPM's inspector general also found a series of improprieties with a contract awarded to provide credit monitoring and identity theft services in the aftermath of the breach.

The OPM data breach consisted of two breaches -- one that exposed the personnel records of 4.2 million current and former federal employees, and another that exposed the background investigation records of 21.5 million current, former and prospective federal employees. Both events were made public in 2015. There was considerable -- but not complete -- overlap between victims of the two attacks.

In September 2015, OPM, along with the Department of Defense, awarded a contract to Identity Theft Guard Solutions, doing business as ID Experts, to provide free credit and identity monitoring, insurance and identity restoration services.

In a review of the ID Experts contract award that took place in October 2016, OPM's IG found a series of non-compliance issues during the award process, led by the agency's Office of Procurement Operations.

The acquisition plan was not signed by multiple officials whose approval was required, the technical evaluation team did not sign off on the technical evaluation plan and the requirements did not go through the proper contract review board process.

Additionally, elements of the acquisition plan summary could not be supported by the contract file, which lacked a required letter from the agency head and a memo from the agency's chief financial officer.

"Without a complete and accurate history of the actions taken to award the contract, it is impossible to know whether following all of the [Federal Acquisition Regulation] requirements would have resulted in an award of the credit monitoring and identity theft services contract to someone other than ID Experts," the report stated.

In November 2015, OPM's IG pointed to "significant deficiencies" with OPM's $20 million award to Winvale Group and subcontractor CSID, which covered credit monitoring and other services for 4.2 million feds who had their information exposed.

That report recommended OPM update policies and procedures on document approvals and strengthen oversight review controls. OPM concurred with both recommendations.

About the Author

Chase Gunter is a former FCW staff writer.
