Acquisition

After breach, OPM ignored contracting requirements in ID monitoring deal

shutterstock image id 1020427639 By Stokkete 

The Office of Personnel Management is suffering recurring headaches from its devastating data  breaches. Not only do information security weaknesses persist at the personnel agency, OPM's inspector general found a series of improprieties with a contract awarded to perform credit monitoring and identity theft in the aftermath of the breach.

The OPM data breach consisted of two breaches -- one that exposed the personnel records of 4.2 million current and former federal employees, and another that exposed the background investigation records of 21.5 million current, former and prospective federal employees. Both events were made public in 2015. There was considerable -- but not complete -- overlap between victims of the two attacks.

In September 2015, OPM, along with the Department of Defense, awarded a contract to Identity Theft Guard Solutions, doing business as ID Experts, to provide free credit and identity monitoring, insurance and identity restoration services.

In a review of the ID Experts contract award that took place in October 2016, OPM's IG found a series of non-compliance issues during the award process, led by the agency's Office of Procurement Operations.

The acquisition plan was not signed by multiple officials whose approval was required, the technical evaluation team did not sign off on the technical evaluation plan and the requirements did not go through the proper contract review board process.

Additionally, elements of the acquisition plan summary could not be supported by the contract file, which lacked a required letter from the agency head and a memo from the agency's chief financial officer.

"Without a complete and accurate history of the actions taken to award the contract, it is impossible to know whether following all of the [Federal Acquisition Regulation] requirements would have resulted in an award of the credit monitoring and identity theft services contract to someone other than ID Experts," the report stated.

In November 2015, OPM's IG pointed to "significant deficiencies" with OPM's $20 million award to Winvale Group and subcontractor CSID, which covered credit monitoring and other services for 4.2 million feds who had their information exposed.

That report recommended OPM update policies and procedures on document approvals and strengthen oversight review controls. OPM concurred with both recommendations.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.