Contract to Notify and Protect OPM Hack Victims Now Out

Vendors who win the job of protecting the identities of 21.5 million victims of the largest known federal data breach will have to let the government inside their own databases, according to new contracting papers.

The obligation to give up some confidentiality follows allegations that a background check contractor hacked during a related incident stonewalled cyber forensics investigators.

"The contractor shall support security onsite inspections by the government at any location where protected information is collected, stored or used," states a solicitation released late Tuesday.

The company also must provide federal personnel with "network drops," as well as recent and past "vulnerability scans."

The much-anticipated competition to vie for the work of notifying and safeguarding individuals affected by the Office of Personnel Management hack kicked off late Tuesday. The monumental hack, the larger of two OPM intrusions, was disclosed mid-June. The government was scheduled to issue a solicitation on its eBuy service last week.

About 40 pages of contracting materials posted late Tuesday address several of the lapses that contributed to complaints about a first round of notifications sent to victims of the smaller hack. Once the new contract is awarded, postal letters and emails are expected to reach victims within the next three months. However, the government expects "the bulk" of messages will be delivered "within first weeks of the task order award,” the documents state. 

About a year before OPM revealed the two hacks, background check provider USIS detected a corporate network intrusion that excised files on more than 31,000 employees at the Department of Homeland Security, the National Geospatial-Intelligence Agency and the U.S. Capitol Police. That infiltration, a separate one at background investigator KeyPoint, and the OPM breaches are all suspected to be part of a coordinated espionage campaign perpetrated by Chinese-government-backed hackers.

There is a dispute over whether the government or USIS cut short a DHS scan of the company’s networks.

OPM has testified to Congress that USIS only let DHS inspect two subnetworks that were breached, not the entire network. One of the firm’s attorneys said the company "invited" DHS to review its systems.

In June, the agency revised contractor cybersecurity policies to, going forward, write in provisos that ensure the government can access contractor systems in the event of a data incident.

During the first OPM breach notification period, the 4.2 million victims were instructed to enroll on a dot-com website, maintained by service provider CSID, not a dot-gov site. The commercial Web address raised questions about the legitimacy of the government-offered services.

Now, the government has come up with a compromise allowing the chosen vendor to use its own website -- behind an official dot-gov website.

“The contractor shall establish a dedicated, branded website for impacted individuals,” the contracting specifications state. “The government may require the site to link with a dot.gov Web page.” 

Affected government employees, individuals who applied for clearances to see U.S. secrets, and, in some cases, their families have already had their privacy invaded once.

The batch of data the hackers cribbed in this larger intrusion includes not just Social Security numbers, but also the findings of interviews conducted by background investigators, as well as 1.1 million fingerprints. The names and birth dates of employees' and applicants' children also were taken.

Some former feds hit by the smaller hack, who enrolled with CSID, reported receiving robocalls, for the first time ever, which were related to information they had provided during registration. CSID officials said any calls from solicitors enrollees received were simply a coincidence. OPM officials said they immediately addressed the issue with the business to ensure CSID understood agency customers were not to be upsold.

The new contract stipulates that personal information should not “be used for marketing of any kind” and should not “be sold or transferred unless approved in writing."

(Image via dencg/ Shutterstock.com)