OPM Rushed to Award $20M Post-Hack Contract -- and Ran Afoul of Federal Contracting Rules, IG Says

In the rush to award a $20 million contract for identity-theft protection services in the wake of a massive data breach, Office of Personnel Management contracting staff violated federal contracting rules, lost track of paperwork and failed to properly secure an independent cost estimate of the contract, according to a newly published review by the agency’s inspector general.

A summary of the IG’s findings was previously included in a memo to acting OPM Director Beth Cobert last month. However, the full report, dated Dec. 2 and posted online today, provides more detail about the shortcuts OPM contracting staff to award the contract.

OPM IG Patrick McFarland said his office was unable to determine whether the deficiencies were significant enough to affect the actual awarding of the contract. However, the missteps his office identified “increased the risk of making an improper award,” he wrote in the new review.  

In addition, OPM contracting officials incorrectly used a blanket purchase agreement to award the contract “and millions of taxpayer dollars were put at risk for waste or loss,” his report concluded.

OPM officials first learned in April sensitive personnel data on some 4.2 million federal employees had been stolen by hackers in a series of cyberattacks on government systems. (A separate but related hack later revealed by the agency also netted background investigations forms on millions more employees.)

The agency’s chief information officer, Donna Seymour, determined the agency would need to offer credit monitoring and identity-theft services to protect hack victims and that the contract for such services would need to be awarded by June 8, according to the IG’s assessment. OPM disclosed the breach to the public June 4.

Contracting officials posted a solicitation at the end of May on the Federal Business Opportunities website seeking responses from companies in just two days. By June 2, an OPM contracting officer had inked a $20.7 million deal with a company called the Winvale Group and its subcontractor CSID to provide 18 months of ID protection services for the millions of federal employees whose personal information had been stolen.

The furious rush to award the contract was self-imposed, McFarland said, and in order to meet the deadline, OPM contracting officials circumvented federal contracting rules.

The selection of a blanket purchase agreement to award the deal ran afoul of procurement rules, because the first purchase order against the contract exceeded a $6.5 million threshold put in place by the Federal Acquisition Regulation.

The contract’s statement of work also lacked key details, and the contracting shop failed to conduct adequate market research, the IG said. Specifically, contracting officials did not properly consult with small business specialists.

Contracting officials never obtained an independent cost estimate from the CIO’s office because awarding the contract within the deadline “took precedence,” according to McFarland. The contracting office also never obtain estimated costs from vendors during market research.

The IG’s review also said the contract file itself is unreliable and incomplete. Paperwork documenting the steps taken by the contracting officer wasn’t filed until after the contract was awarded, the IG said.

“Consequently, there are gaps in the contracting file that can be filled only by the contracting officer’s recollection,” McFarland wrote in the report.

McFarland said his office is “not confident that the contracting file gives a complete and accurate history of the actions taken to award the contract.”

OPM, which concurred with the IG’s other findings, said key documents were filed late but that they “do not concur that this results in an unreliable contract file.”

McFarland’s report doesn’t mention it but the agency also came under withering criticism from Congress over its handling of the data breaches and it’s unclear to what extent that played in to OPM’s desire to fast-track the contract.

Former OPM Director Katherine Archuleta resigned in July. Calls continue in Congress for Seymour, the CIO, to resign.

In a Dec. 10 letter to the acting head of the agency, Rep. Jason Chaffetz, R-Utah, the chairman of the House Oversight and Government Reform Committee, cited the latest IG report and urged Seymour’s “immediate removal,” saying she is “unfit to perform the significant duties for which she is responsible.”

(Image via Mark Van Scyoc/Shutterstock.com)