OPM’s $20 Million Contract for Post-Hack ID Protection Violated Federal Contracting Rules

OPM Inspector General Patrick E. McFarland testifies on Capitol Hill in Washington. Susan Walsh/AP

Investigators found “significant deficiencies” in the process of awarding the contract to Winvale Group and its subcontractor CSID, according to OPM IG Patrick McFarland.

Correction: An earlier version of this article incorrectly identified the Winvale contract as a sole-source contract. In fact, the contract was competitively awarded. 

The inspector general of the Office of Personnel Management says a $20 million contract to offer identity theft protection to millions of hacked federal employees ran afoul of contracting regulations.

Officials in OPM’s Office of Procurement Operations violated the Federal Acquisition Regulation and the agency’s own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services, according to a summary of IG findings included in an Oct. 30 memo to acting OPM Director Beth Cobert.

Investigators turned up “significant deficiencies” in the process of awarding the contract to Winvale Group and its subcontractor CSID, OPM IG Patrick McFarland wrote in the memo, which was first made public today.

The IG said his office was unable to determine whether the deficiencies were significant enough to affect the actual awarding of the contract. However, because of the missteps identified by the IG, OPM’s procurement shop selected the wrong contracting vehicle -- or structured deal -- through which the contract was issued. The contract was awarded as a blanket purchase agreement.

The full report is expected to be published in the next month, a spokeswoman for the IG’s office told Nextgov. An OPM spokesman declined to comment on the IG findings until the final report is issued.

Winvale spokesman Patrick Hillman said in a statement provided to Nextgov: “Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid. Beyond that, Winvale had no control over or insight into the bidding process.”

Sen. Mark Warner, D-Va., wrote to the former OPM director in June, raising concerns over the two winning companies’ customer service performance and the “highly unusual” quick turnaround time between when OPM publicly posted the solicitation and when it made the high-dollar award.

OPM on May 28 issued a solicitation for “Privacy Act Incident Services,” a week before disclosing that personnel records of some 4.2 million federal employees had been stolen by hackers. The day after publicly revealing the breach, OPM finalized the multimillion-dollar deal with Winvale.

Later, OPM disclosed a much larger breach of federal employees’ background investigation files. In September, federal officials awarded an initial $133 million contract to provide ID protection services to victims of that larger breach for the first year of an expected three-year agreement. The Defense Department handled the procurement.

The IG’s memo laid out top management challenges at the agency. In addition to procurement slipups, the IG reiterated concerns with the agency’s massive IT infrastructure upgrade, which involves migrating a number of aging, legacy IT systems to a more secure environment, known as “the Shell.”  

The number of OPM information systems operating without a security authorization also doubled -- from 11 out of 47 in fiscal 2014 to 23, according to the IG.

Nextgov’s Aliya Sternstein contributed to this report.