A $20 Million OPM Contract Violated Federal Contracting Rules

The contract was meant to offer identity-theft protection following a massive data breach earlier this year.

Office of Personnel Management Inspector General Patrick McFarland testifies at a June 25 Senate hearing on federal cybersecurity and the OPM data breach. (AP Photo/Susan Walsh)
Jack Moore, Nextgov
Add to Briefcase
Jack Moore, Nextgov
Nov. 12, 2015, 5:11 p.m.

The in­spect­or gen­er­al of the Of­fice of Per­son­nel Man­age­ment says a $20 mil­lion sole-source con­tract to of­fer iden­tity-theft pro­tec­tion to mil­lions of hacked fed­er­al em­ploy­ees ran afoul of con­tract­ing reg­u­la­tions.

Of­fi­cials in OPM’s Of­fice of Pro­cure­ment Op­er­a­tions vi­ol­ated the Fed­er­al Ac­quis­i­tion Reg­u­la­tion and the agency’s own policies in award­ing a $20.7 mil­lion con­tract to provide cred­it-mon­it­or­ing and ID-theft ser­vices, ac­cord­ing to a sum­mary of IG find­ings in­cluded in an Oct. 30 memo to act­ing OPM Dir­ect­or Beth Cobert.

In­vest­ig­at­ors turned up “sig­ni­fic­ant de­fi­cien­cies” in the pro­cess of award­ing the con­tract to Win­vale Group and its sub­con­tract­or CSID, OPM IG Patrick Mc­Far­land wrote in the memo, which was first made pub­lic Thursday.

The IG said his of­fice was un­able to de­term­ine wheth­er the de­fi­cien­cies were sig­ni­fic­ant enough to af­fect the ac­tu­al award­ing of the con­tract. However, be­cause of the mis­steps iden­ti­fied by the IG, OPM’s pro­cure­ment shop se­lec­ted the wrong con­tract­ing vehicle—or struc­tured deal—through which the con­tract was is­sued. The con­tract was awar­ded as a blanket pur­chase agree­ment.

The full re­port is ex­pec­ted to be pub­lished in the next month, a spokes­wo­man for the IG’s of­fice told Nex­t­gov. An OPM spokes­man de­clined to com­ment on the IG find­ings un­til the fi­nal re­port is is­sued.

Win­vale spokes­man Patrick Hill­man said in a state­ment provided to Nex­t­gov: “Win­vale re­spon­ded to a post­ing on FBO.gov, just like every oth­er con­tract­or that sub­mit­ted a bid. Bey­ond that, Win­vale had no con­trol over or in­sight in­to the bid­ding pro­cess.”

Demo­crat­ic Sen. Mark Warner of Vir­gin­ia wrote to the former OPM dir­ect­or in June, rais­ing con­cerns over the two win­ning com­pan­ies’ cus­tom­er-ser­vice per­form­ance and the “highly un­usu­al” quick turn­around time between when OPM pub­licly pos­ted the so­li­cit­a­tion and when it made the high-dol­lar award.

OPM on May 28 is­sued a so­li­cit­a­tion for “Pri­vacy Act In­cid­ent Ser­vices,” a week be­fore dis­clos­ing that per­son­nel re­cords of some 4.2 mil­lion fed­er­al em­ploy­ees had been stolen by hack­ers. The day after pub­licly re­veal­ing the breach, OPM fi­nal­ized the mul­ti­mil­lion-dol­lar deal with Win­vale.

Later, OPM dis­closed a much lar­ger breach of fed­er­al em­ploy­ees’ back­ground in­vest­ig­a­tion files. In Septem­ber, fed­er­al of­fi­cials awar­ded an ini­tial $133 mil­lion con­tract award to provide ID pro­tec­tion ser­vices to vic­tims of that lar­ger breach for the first year of an ex­pec­ted three-year agree­ment. The De­fense De­part­ment handled the pro­cure­ment.

The IG’s memo laid out top man­age­ment chal­lenges at the agency. In ad­di­tion to pro­cure­ment slipups, the IG re­it­er­ated con­cerns with the agency’s massive IT in­fra­struc­ture up­grade, which in­volves mi­grat­ing a num­ber of aging, leg­acy IT sys­tems to a more se­cure en­vir­on­ment, known as “the Shell.”  

The num­ber of OPM in­form­a­tion sys­tems op­er­at­ing without a se­cur­ity au­thor­iz­a­tion also doubled—from 11 out of 47 in fisc­al 2014 to 23, ac­cord­ing to the IG.

Aliya Sternstein contributed to this article.
What We're Following See More »
North Korea Continuing Missile Program At Secret Sites
7 hours ago

"North Korea is moving ahead with its ballistic missile program at 16 hidden bases ... identified in new commercial satellite images." The images suggest that North Korea has "offered to dismantle a major launching site — a step it began, then halted — while continuing to make improvements at more than a dozen others that would bolster launches of conventional and nuclear warheads."

Democrats Plan to Probe Payments to Clifford, McDougal
7 hours ago

"When the Democrats take control of the House in January and gain subpoena power, they plan to probe the president's role in payments to two women who alleged during the 2016 campaign that they had affairs with" the president. "Democratic members on the committee have already begun digging into the president's involvement, according to [an] aide. In September, the committee requested documents from the Trump organization."

Staff Director for House Intel Committee Passes Away
7 hours ago

Damon Nelson, the staff director for the House Intelligence Committee, died unexpectedly after a brief illness, according to a statement from Chairman Devin Nunes. Nelson and Nunes first met in high school, and Nelson worked for the congressmen since his freshmen term 15 years ago. He started "as his legislative director in 2003 before becoming his deputy chief of staff. When Nunes became chairman of the Intelligence Committee in 2015, Nelson went to work for him there, becoming staff director a year later."

Appeals Court Asks for Briefings on Acting AG
3 days ago
Linda Sanchez Won't Run for Caucus Chair
4 days ago

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.