BreachExchange mailing list archives

A $20 Million OPM Contract Violated Federal Contracting Rules

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Nov 2015 15:36:56 -0700

The inspector general of the Office of Personnel Management says a
$20 million sole-source contract to offer identity-theft protection
to millions of hacked federal employees ran afoul of contracting

Officials in OPM’s Office of Procurement Operations violated the
Federal Acquisition Regulation and the agency’s own policies in
awarding a $20.7 million contract to provide credit-monitoring and
ID-theft services, according to a summary of IG findings included in
an Oct. 30 memo to acting OPM Director Beth Cobert.

Investigators turned up “significant deficiencies” in the
process of awarding the contract to Winvale Group and its
subcontractor CSID, OPM IG Patrick McFarland wrote in the memo, which
was first made public Thursday.

The IG said his office was unable to determine whether the
deficiencies were significant enough to affect the actual
awarding of the contract. However, because of the missteps identified
by the IG, OPM’s procurement shop selected the wrong contracting
vehicle—or structured deal—through which the contract was issued. The
contract was awarded as a blanket purchase agreement.

The full report is expected to be published in the next month, a
spokeswoman for the IG’s office told Nextgov. An OPM spokesman
declined to comment on the IG findings until the final report is

Winvale spokesman Patrick Hillman said in a statement provided to
Nextgov: “Winvale responded to a posting on, just like every
other contractor that submitted a bid. Beyond that, Winvale had no
control over or insight into the bidding process.”

Democratic Sen. Mark Warner of Virginia wrote to the former OPM
director in June, raising concerns over the two winning companies’
customer-service performance and the “highly unusual” quick
turnaround time between when OPM publicly posted the solicitation
and when it made the high-dollar award.

OPM on May 28 issued a solicitation for “Privacy Act Incident
Services,” a week before disclosing that personnel records of some
4.2 million federal employees had been stolen by hackers. The day
after publicly revealing the breach, OPM finalized the
multimillion-dollar deal with Winvale.

Later, OPM disclosed a much larger breach of federal employees’
background investigation files. In September, federal officials
awarded an initial $133 million contract to provide ID
protection services to victims of that larger breach for the first
year of an expected three-year agreement. The Defense Department
handled the procurement.

The IG’s memo laid out top management challenges at the agency. In
addition to procurement slipups, the IG reiterated concerns with
the agency’s massive IT infrastructure upgrade, which involves
migrating a number of aging, legacy IT systems to a more secure
environment, known as “the Shell.”

The number of OPM information systems operating without a
security authorization also doubled—from 11 out of 47 in fiscal 2014
to 23, according to the IG.

Dataloss Mailing List (dataloss () datalossdb org)