Lawmaker turns up heat on OPM CIO after cyber contract missteps

The chairman of a powerful House committee is once again calling for the resignation of the Office of Personnel Management’s chief information officer — this time for failing to ensure the agency followed the rules when it awarded a contract for identity and credit monitoring for cyber breach victims.

Rep. Jason Chaffetz (R-Utah), chairman of the Committee on Oversight and Government Reform, sent a letter Thursday to OPM acting Director Beth Cobert, urging the removal of Donna Seymour for failing “to effectively fulfill her duties.”

“The record is clear that six months after the American people first learned about OPM’s spectacular failure at securing sensitive personal information, change is needed in the Office of the Chief Information Officer,” Chaffetz said in his letter.

Chaffetz’s call for Seymour’s removal comes one week after OPM’s Office of Inspector General released its findings of a special review of OPM’s procurement office, and its awarding of a credit monitoring contract this summer to Winvale Group LLC, and its subcontractor, CSIdentity.


In a statement to Federal News Radio, OPM Press Secretary Sam Schumach said the agency agreed with the chairman’s determination that OPM’s IT infrastructure “needs to be continuously improved and updated now and into the future,” but pushed back against Chaffetz’s call for Seymour to be fired.

“Since Donna Seymour’s arrival at OPM in late 2013, OPM has undertaken an aggressive effort to upgrade the agency’s cybersecurity posture, adding numerous tools and capabilities to its various legacy networks,” Schumach said. “These improvements were instrumental in helping Donna and her team identify the recent cybersecurity incidents. Since these incidents were discovered, OPM, under the direction of Ms. Seymour and now in partnership with OPM’s new cybersecurity advisor, has continued to build upon our efforts to strengthen our broader cyber defenses and information technology systems, in partnership with experts throughout the federal government, and the private sector.”

Risking millions of taxpayer dollars

The IG’s special review is a more complete version of an issue mentioned in the office’s fiscal 2015 Top Management Challenges, which looked at external and internal issues that the agency must address if it wants to meet its core mission. At the time, auditors determined the procurement office had potentially awarded a contract that didn’t meet federal rules, but this month’s report went into more detail.

“While we are unable to determine if these areas of noncompliance would have resulted in the award of the contract to a party other than Winvale, it is evident that significant deficiencies existed in OPO’s (Office of Procurement Operations) management of the contract award process,” the IG report stated in its conclusion. “OPO’s circumvention of FAR requirements increased the risk of making an improper award by having an incomplete performance work statement, failing to obtain an independent government cost estimate, having an incomplete acquisition plan and conducting inadequate market research, including the failure to consult with a small business specialist. As a result, the wrong contracting vehicle was utilized in awarding the Winvale contract, the FAR blanket purchase agreement call limit was exceeded, and millions of taxpayer dollars were put at risk for waste or loss.”

OPM concurred with all but one finding regarding the unreliability of the contract file.

“Although the formal market research, acquisition plan and SAM [System for Award Management] printout were not documented and signed until after award, it is important to note in this instance that the actions and procedures documented therein were followed to the maximum extent practicable before award and have since been finalized and are located in the complete electronic file,” OPO stated in its response.

The IG’s office replied that while the file might now be up to date, at the time, decisions were made based on incomplete and incorrect information.

In a statement from Winvale, the company said it responded to the posting on FBO.gov “just like every other contractor that submitted a bid.”

“Beyond that, Winvale has no control over or insight into the bidding process or the OIG report,” the company stated.

The company does maintain statistics on enrollment on its site, which is available to the public. As of Dec. 10, about 1.1 million individuals of the first wave of 4.2 million cyber victims had enrolled in the program. About 25 percent of that 1.1 million were enrolled in credit and identity monitoring.

‘Something got messed up’

Federal News Radio first reported the questions surrounding the contract in June. In the 1.5 days the solicitation was on the street, OPM issued three amendments and, on June 5, made a $20.7 million award to Winvale Group for “privacy act incident services.”

Schumach said the contract award “was done on an expedited basis to provide protection to millions of Americans who were affected by the breach of personnel records.”

“OPM worked to acquire these commercially available services under a competitive procurement action to provide the best value to the government,” Schumach said. “Although the OIG’s report describes several areas where the procurement process could have been improved — some of which were proactively raised by OPM to OIG — the OIG did not find that these issues affected the outcome of the award. OPM has worked proactively with the OIG to address and correct deficiencies as they were identified, including those identified by OPM prior to the OIG’s engagement. As indicated in the report, OPM has already implemented certain administrative corrective actions under the contract where appropriate, and finalized several new policies and procedures to address the findings.”

Debra D’Agostino, founding partner of the Federal Practice Group, said it was likely the pressure of the public eye, along with the need to address the threat, that spurred the speedy contract award.

“I suspect that mistakes were made by the contracting officers because they were under tremendous pressure to meet these deadlines,” D’Agostino said. “I have represented federal employees who have faced adverse actions from doing things in violation of FAR (the Federal Acquisition Regulation). It’s not the kind of thing you can be fast and loose with: Your ‘I’s’ are supposed to be dotted, your ‘T’s’ are supposed to be crossed.”

But as someone who usually represents “the little guy,” D’Agostino said, it’s not unreasonable to place the blame at the top, where the pressure normally originates.

“I can’t believe the contracting officers intentionally violated [the FAR],” she said. “Some GS-13 contracting officer isn’t going to screw that up. That would have been on the front page of the papers. I’m sure they were under this tremendous pressure. I mean, it’s hard to say responsibility shouldn’t sit at the top, as opposed to having these poor contracting officers fired.”

That’s not to say that blame can’t be shared.

The breach was announced in April, with a contract award deadline of June 8. The statement of work didn’t come out until May 25.

“What happened between April and May?” D’Agostino asked.

Given that short time frame, coupled with both external and internal pressure, she said, “it’s not shocking something got messed up.”
