Acquisition

After breach, OPM ignored contracting requirements in ID monitoring deal

The Office of Personnel Management is suffering recurring headaches from its devastating data breaches. Not only do information security weaknesses persist at the personnel agency, OPM's inspector general found a series of improprieties with a contract awarded to perform credit monitoring and identity theft in the aftermath of the breach.

The OPM data breach consisted of two breaches -- one that exposed the personnel records of 4.2 million current and former federal employees, and another that exposed the background investigation records of 21.5 million current, former and prospective federal employees. Both events were made public in 2015. There was considerable -- but not complete -- overlap between victims of the two attacks.

In September 2015, OPM, along with the Department of Defense, awarded a contract to Identity Theft Guard Solutions, doing business as ID Experts, to provide free credit and identity monitoring, insurance and identity restoration services.

In a review of the ID Experts contract award that took place in October 2016, OPM's IG found a series of non-compliance issues during the award process, led by the agency's Office of Procurement Operations.

The acquisition plan was not signed by multiple officials whose approval was required, the technical evaluation team did not sign off on the technical evaluation plan and the requirements did not go through the proper contract review board process.

Additionally, elements of the acquisition plan summary could not be supported by the contract file, which lacked a required letter from the agency head and a memo from the agency's chief financial officer.

"Without a complete and accurate history of the actions taken to award the contract, it is impossible to know whether following all of the [Federal Acquisition Regulation] requirements would have resulted in an award of the credit monitoring and identity theft services contract to someone other than ID Experts," the report stated.

In November 2015, OPM's IG pointed to "significant deficiencies" with OPM's $20 million award to Winvale Group and subcontractor CSID, which covered credit monitoring and other services for 4.2 million feds who had their information exposed.

That report recommended OPM update policies and procedures on document approvals and strengthen oversight review controls. OPM concurred with both recommendations.