Agencies caught off guard by OPM’s pay-to-play credit monitoring

OPM is passing along the cost of post-breach credit monitoring to other federal agencies, but some are wondering how it will all work.

Everybody will have to pay for the Office of Personnel Management’s breaches, but it’s not yet clear how OPM will divide up the check.

Beth Cobert, the new acting director at OPM, has issued a memo to federal agencies telling CFOs they’ll need to make room in their budgets to foot the bill for post-breach credit monitoring.

“OPM is currently working to approximate each agency’s portion of the total number of individuals impacted and we are gaining more information on the anticipated cost per person in the coming week based on requirements,” Cobert wrote. “We will send additional information next week as soon as we have an estimate for your agency’s portion of this contract cost; however final costs will not be known until the contract is awarded.”

A senior official at one agency told FCW the memo caught agencies off guard, as OPM hasn’t been able to break down the impacts of the breaches across government.

“It was a bit surprising because OPM told us after 5+ weeks they couldn't provide us a list of impacted personnel,” the senior official said.

It’s unclear when the memo was sent, but the Washington Post first published it on July 21.

An official at another agency told FCW it was also unclear how OPM planned to assign responsibility for retirees’ credit monitoring, or how feds who worked at multiple agencies throughout their careers would be counted. “Agencies wouldn’t track that,” the official said.

OPM’s contract with identity protection firm CSID could cost nearly $21 million, though that’s only for 18 months of credit monitoring – and many have called for lifetime credit monitoring for affected feds.

As Cobert noted, a contract for monitoring for the 21.5 million victims of the second breach has not yet been announced.

OPM plans to recoup the cost of the so-called first breach, which exposed 4.2 million personnel files, by hiking rates for fiscal 2016 security clearance processing, Cobert wrote, while the agency has a more involved process for recovering the costs associated with the second breach.

“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5 [million] individuals,” wrote Cobert. “In addition to FY 2015, funding will also be needed in FY 2016 and FY 2017 to extend these services and provide three years of services / benefits.”

OPM will also assess a retroactive “billing adjustment” for the current fiscal year, she said.

Cobert, who came to OPM from the Office of Management and Budget, said, “OMB fully supports the decision for cost-sharing across all agencies.”

OMB did not respond to a request for comment.