Acquisition

After breach, OPM ignored contracting requirements in ID monitoring deal

shutterstock image id 1020427639 By Stokkete 

The Office of Personnel Management is suffering recurring headaches from its devastating data  breaches. Not only do information security weaknesses persist at the personnel agency, OPM's inspector general found a series of improprieties with a contract awarded to perform credit monitoring and identity theft in the aftermath of the breach.

The OPM data breach consisted of two breaches -- one that exposed the personnel records of 4.2 million current and former federal employees, and another that exposed the background investigation records of 21.5 million current, former and prospective federal employees. Both events were made public in 2015. There was considerable -- but not complete -- overlap between victims of the two attacks.

In September 2015, OPM, along with the Department of Defense, awarded a contract to Identity Theft Guard Solutions, doing business as ID Experts, to provide free credit and identity monitoring, insurance and identity restoration services.

In a review of the ID Experts contract award that took place in October 2016, OPM's IG found a series of non-compliance issues during the award process, led by the agency's Office of Procurement Operations.

The acquisition plan was not signed by multiple officials whose approval was required, the technical evaluation team did not sign off on the technical evaluation plan and the requirements did not go through the proper contract review board process.

Additionally, elements of the acquisition plan summary could not be supported by the contract file, which lacked a required letter from the agency head and a memo from the agency's chief financial officer.

"Without a complete and accurate history of the actions taken to award the contract, it is impossible to know whether following all of the [Federal Acquisition Regulation] requirements would have resulted in an award of the credit monitoring and identity theft services contract to someone other than ID Experts," the report stated.

In November 2015, OPM's IG pointed to "significant deficiencies" with OPM's $20 million award to Winvale Group and subcontractor CSID, which covered credit monitoring and other services for 4.2 million feds who had their information exposed.

That report recommended OPM update policies and procedures on document approvals and strengthen oversight review controls. OPM concurred with both recommendations.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter

Featured

  • Defense
    The Pentagon (Photo by Ivan Cholakov / Shutterstock)

    DOD CIO hits pause on JEDI cloud acquisition

    Dana Deasy set cloud as his office's top priority. But when it comes to the JEDI request for proposal, he's directed staff to "pause" to compile a comprehensive review.

  • Cybersecurity
    By Gorodenkoff shutterstock ID 761940757

    Waging cyber war without a rulebook

    As the U.S. looks to go on the offense in the cyber domain, critical questions remain unanswered around who will take the lead and how clearly to draw the rules of engagement.

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Deadline extended for Rising Star nominations

    You now have until July 18 to help us identify the early-career innovators and change agents in government IT.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.