BreachExchange mailing list archives
A $20 Million OPM Contract Violated Federal Contracting Rules
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Nov 2015 15:36:56 -0700
http://www.nationaljournal.com/s/92482/20-million-opm-contract-violated-federal-contracting-rules

The inspector general of the Office of Personnel Management says a $20 million sole-source contract to offer identity-theft protection to millions of hacked federal employees ran afoul of contracting regulations.

Officials in OPM’s Office of Procurement Operations violated the Federal Acquisition Regulation and the agency’s own policies in awarding a $20.7 million contract to provide credit-monitoring and ID-theft services, according to a summary of IG findings included in an Oct. 30 memo to acting OPM Director Beth Cobert.

Investigators turned up “significant deficiencies” in the process of awarding the contract to Winvale Group and its subcontractor CSID, OPM IG Patrick McFarland wrote in the memo, which was first made public Thursday.

The IG said his office was unable to determine whether the deficiencies were significant enough to affect the actual awarding of the contract. However, because of the missteps identified by the IG, OPM’s procurement shop selected the wrong contracting vehicle—or structured deal—through which the contract was issued. The contract was awarded as a blanket purchase agreement.

The full report is expected to be published in the next month, a spokeswoman for the IG’s office told Nextgov. An OPM spokesman declined to comment on the IG findings until the final report is issued.

Winvale spokesman Patrick Hillman said in a statement provided to Nextgov: “Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid. Beyond that, Winvale had no control over or insight into the bidding process.”

Democratic Sen. Mark Warner of Virginia wrote to the former OPM director in June, raising concerns over the two winning companies’ customer-service performance and the “highly unusual” quick turnaround time between when OPM publicly posted the solicitation and when it made the high-dollar award.

OPM on May 28 issued a solicitation for “Privacy Act Incident Services,” a week before disclosing that personnel records of some 4.2 million federal employees had been stolen by hackers. The day after publicly revealing the breach, OPM finalized the multimillion-dollar deal with Winvale.

Later, OPM disclosed a much larger breach of federal employees’ background investigation files. In September, federal officials awarded an initial $133 million contract award to provide ID protection services to victims of that larger breach for the first year of an expected three-year agreement. The Defense Department handled the procurement.

The IG’s memo laid out top management challenges at the agency. In addition to procurement slipups, the IG reiterated concerns with the agency’s massive IT infrastructure upgrade, which involves migrating a number of aging, legacy IT systems to a more secure environment, known as “the Shell.”

The number of OPM information systems operating without a security authorization also doubled—from 11 out of 47 in fiscal 2014 to 23, according to the IG.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/