OPM mishandled contract for identity protection services, IG says
A report from the Inspector General’s office took it to task for the way OPM awarded a contract to a firm charged with providing identity protection services to those affected by the hacks.
The Office of Personnel Management (OPM) got hammered yet one more time for breaches that laid the agency low earlier this year as a report from the Inspector General's office took it to task for the way it awarded a contract to a firm charged with providing identity protection services to those affected by the hacks.
The IG said when OPM selected Winvale Group LLC, and CSIdentity, its subcontractor, the agency was not in compliance with federal acquisition regulation (FAR). The report noted that, among other things, the scope of work was incomplete and blanket agreement dollar limits were exceeded, which meant “millions of taxpayer dollars were put at risk for waste or loss.” In addition, the agency conducted inadequate market research with the contract officer failing to “involve a small business specialist” at the agency as required.
OPM concurred with the bulk of the IG's findings. The inspector general recommended that the agency immediately update its policies and procedures and implement controls so that it is in lockstep with FAR.
On release of the report, Rep. Jason Chaffetz (R-Utah), Chairman of the House Oversight Committee, renewed his call for OPM chief information officer (CIO) Donna Seymour to resign. In a letter to OPM Acting Director Beth F. Cobert, Chaffetz wrote, "The record is clear that six months the American people first learned about OPM's spectacular failure at security sensitive personal information, change is needed in the Office of the Chief Information Officer."