GSA delays contract for services to protect OPM hack victims

Editor’s note: This story was updated on Friday, July 31, 2015, at 10:15 a.m., to reflect that Naval Sea Systems Command, not the General Services Administration, will issue an RFQ for services to help victims of the breach of the Office of Personnel Management’s background-investigation database early in the week of Aug. 3, according to a message that GSA sent Friday to potential bidders. The story includes additional comments from the Professional Services Council.

It could be September before victims of the hack of the Office of Personnel Management’s security clearance database can sign up for free credit monitoring and identity-theft protection services through the government.

The General Services Administration has pushed back the timetable for awarding a contract for those services. According to a message it sent potential bidders Friday, the Naval Sea Systems Command will issue a request for quotes early next week. At the same time, GSA will issue an RFQ for a governmentwide blanket purchase agreement.

In a letter that GSA sent companies earlier this week, it gave no mention of NAVSEA’s involvement. In what it termed a “best effort” schedule, it set a goal of Aug. 12 for quotations. It expected to issue a final award by Aug. 21. That’s one week later than what GSA estimated in a similar letter last week. Now, it’s not clear if the move to NAVSEA will delay the contract even further.

Whichever company is eventually selected will need “a couple of weeks” to prepare to enroll the 21.5 million people impacted by the breach, said Kevin Lancaster, CEO of Winvale. OPM hired Winvale, and its partner company CSID to notify and provide similar services to the 4.2 million victims of the breach of its personnel database.

Advertisement

“It’s hard to believe that, from the first time they notified the public to the time they offer services, it will be two months,” he said.

The government has not reached out to individuals affected by the breach of OPM’s security clearance database. The Professional Services Council, which represents some contractors whose employees hold security clearances, has appealed to OPM for immediate action.

“This is an unacceptable delay in notifications to and protection for these affected individuals,” wrote PSC President Stan Soloway in a letter to OPM Acting Director Beth Cobert. “Furthermore, these contractors and other affected individuals should be treated the same as the 4.1 million federal employees/former federal employees covered by the first data breach, who were notified within days of being affected and provided protections immediately.”

Soloway urged Cobert to use an existing contract to offer 18 months of credit monitoring and identity protection coverage to those affected by the security clearance database hack until the government concludes a longer-term agreement. That would match what OPM has offered to victims of the first data breach. But the agency has said that it would offer more extensive coverage to those affected by the hack of the security clearance database because of the detailed nature of the forms compromised. Congress has debated extending that coverage to 10 years or longer.

Previously, it was thought that Winvale may not be among the prime contract award winners. GSA initially restricted the procurement to certain companies on its Multiple Award Schedule 520 Financial and Business Solutions (FABS) or Schedule 00CORP Consolidated Services. Winvale is not among those.

But in the notice sent to contractors July 28, GSA opened up the bidding to more than 3,600 additional vendors, including Winvale, to be prime contract holders.

Winvale and its subcontractor, CSID, have been roundly criticized for providing sluggish customer service to individuals affected by the personnel database breach. Yet, in an interview with Federal News Radio, Lancaster and CSID head Joe Ross attributed the delays to choices made by OPM and other agencies involved in the effort. For example, OPM decided to publicize the call center’s toll-free number.

“There are so many different hands in this breach response: OPM, DoD, DHS. Every agency was impacted by this breach,” Lancaster said at the time. “We got into a position — probably about a week and a half in — where there was a void in sending emails. And then, in a 36-hour period, we had to send 1.2 million emails.”

Since then, call center wait times have dropped dramatically. Lancaster said he had hoped to have a chance to bid on the new contract.

Now he said, “We are looking at all of our options, including partnerships.”

GSA is awarding the contract for services related to the OPM breach at the same time that it awards a five-year blanket purchase agreement for a range of identity- and credit-monitoring services, an indication that the government expects more breaches to come.

The draft RFQ issued to industry earlier in July called for project management, notification, call center, identity monitoring, identity theft insurance and independent risk assessment services.  GSA said contractors must be able to provide all of the services, which is one reason why the agency is expanding who is qualified to bid on the contract.

In the draft RFQ, GSA said eligible companies must offer at least three examples of recent contracts they’ve held for similar services. They must have offered support to at least 20 million individuals through one of those contracts.

In the notice sent to vendors today, GSA expanded the contractors eligible to include those on Schedule 70, special item number 132-51, IT professional services, which lists more than 3,600 vendors including Winvale.

GSA is encouraging contractor teaming arrangements in order to satisfy all RFQ requirements.

“Contractors who do not have all related FABS SINs (either the FABS 16 through 20, or 00CORP 16 through 20) in their MAS contracts must form a CTA to cover all the SINs contemplated in the procurement to include GSA Schedule IT70 SIN 132-51 contract holders,” GSA wrote in the notice to industry.

Read all of Federal News Radio’s coverage of the OPM Cyber Breach.