OPM’s Post-Breach Contracting Efforts Fall Short Again, IG Says

The Office of Personnel Management inspector general again found flaws in the agency’s contracting for the credit monitoring and ID theft services it provides to the more than 21.5 million current, former and prospective federal employees affected by the 2015 data breaches.

OPM has gone through two different contracts for post-breach protections. The IG found “significant deficiencies” in the contracting process of the first one, a $20 million contract to Winvale Group and subcontractor CSID. When that contract expired, OPM opted for a contract with ID Experts to provide services for three years with a potential value of $330 million.

In a report released Tuesday, auditors found the agency’s Office of Procurement Operations bypassed some of the Federal Acquisition Regulation and the agencies’ purchasing rules for the ID Experts contract.

The IG found 15 areas of noncompliance, such as designating the contracting officer representative after the award, failing to check the System for Award Management and data-entry errors. Auditors also found incomplete or unapproved contractual documents, including the acquisition plan, market research plan and technical evaluation plan.

“Without a complete and accurate history of the actions taken to award the contract, it is impossible to know whether following all of the FAR requirements would have resulted in an award of the credit monitoring and identity theft services contract to someone other than ID Experts,” the report states.

The IG recommended OPM update its procurement policies and strengthen oversight, and the agency agreed with both. In a management response to the report, OPM’s Senior Procurement Executive Juan Arratia wrote the agency is actively updating its procedures and addressing “serious staffing gaps” by adding contract specialists and other analysts.