OPM’s first credit monitoring contract had ‘significant deficiencies,’ says IG

The Office of Personnel Management’s procurement office potentially awarded a credit monitoring contract this summer that didn’t meet federal rules, says the agency’s Inspector General.

In a report issued Oct. 30, OPM IG Patrick McFarland said the Office of Procurement Operations “did not award the Winvale (Group LLC) contract in compliance with the FAR and OPM’s policies and procedures, which led to the OPO selecting the wrong contracting vehicle.”

“While we are unable to determine whether the issues we uncovered are significant enough to have impacted the award of the contract to Winvale Group LLC, and its subcontractor, CSIdentity, it is evident that significant deficiencies existed in the OPO over the contract award process,” the report stated.

Winvale spokesman Patrick Hillmann said in an email to Federal News Radio that “Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid. Beyond that, Winvale had no control over or insight into the bidding process.”

Federal News Radio first reported the questions surrounding the contract in June.

The determination was part of the IG’s report on OPM’s fiscal 2015 Top Management Challenges, which looked at external and internal issues that the agency must address if it wants to meet its core mission.

OPM Press Secretary Samuel Schumach said the agency did notify the OIG about the potential mistake.

“We proactively identified an error with the Winvale contract, raised it with the OIG, and then took action to address this issue at no additional cost to the taxpayer,” Schumach said. “Once the IG report is published, we will provide a formal response.”

“I believe that the support of the agency’s management is critical to meeting these challenges and will result in a better OPM for our customer agencies,” McFarland said in a memo to OPM’s acting Director Beth Cobert. “Inclusion as a top challenge does not mean we consider these items to be material weaknesses. In fact, the area of security assessment and authorization is the only challenge included that is currently a material weakness. The remaining challenges, while not currently considered material weaknesses, are issues which demand significant attention, effort, and skill from OPM in order to be successfully addressed.”

Security assessment and authorization fall under internal challenges, along with:

  • Information security governance
  • Data security
  • Information technology (IT) infrastructure improvement project
  • Stopping the flow of improper payments
  • Retirement claims processing
  • Procurement process for benefit programs
  • Procurement process oversight

The environmental challenges identified:

  • Strategic human capital
  • Federal health insurance initiatives

Security assessment, authorization need work

OPM’s IT security has been under congressional and public scrutiny since it announced it had been the victim of two data hacks that impacted 22 million current and former federal employees, as well as some of their relatives. The contract for credit monitoring, which went to Winvale, addressed the victims of the first breach.

Auditors said OPM’s security controls still are struggling.

The IG said in 2014 his office found that OPM’s program office did not conduct appropriate authorization processes for 11 of 47 major information systems. In 2015, that number doubled to 23 systems without proper cyber authorizations, promoting cybersecurity back to a material weakness.

OPM’s chief information officer granted an extension of authorization for all of OPM’s systems that had expired through next September, McFarland said, but that extension is not recognized by the Office of Management and Budget.

“Without subjecting its information systems to a routine and thorough security controls assessment, OPM is increasing the risk that IT security vulnerabilities will remain in its environment undetected,” McFarland wrote. “We believe that the volume and sensitivity of OPM systems that are operating without an active authorization continues to represent a material weakness in the internal control structure of the agency’s IT security program.”

And while the OPM CIO is working to reach a point where it has a continuous monitoring program that will eliminate the need for authorizations, the agency’s program has not reached that point, the report found.

While OPM’s security assessment and authorization needs work, the IG pointed out progress the agency had made in the past year to address its information and security.

The agency filled vacant information system security officer positions, is in the process of “centralizing IT security responsibility under the OCIO,” and “implemented systems development lifecycle policies and procedures.”

But the agency “faces enormous hurdles” on its path to overhaul its network infrastructure, the IG report stated.

“The first major challenge that OPM faces is to identify all of the information systems that must be migrated to the Shell [OPM’s new technical environment],” McFarland said. “The second major challenge relates to the complexity of migrating old information systems into a new environment. The third and most critical challenge is the fact that OPM does not have dedicated funding to support this project.”

McFarland’s memo also noted that three challenges from 2014 were removed from the list. Those were the Veterans Employment Initiative, background investigations and improving the federal recruitment and hiring process.

Tackling issues, getting a permanent leader

Rep. Gerry Connolly (D-Va.), a member of the Oversight and Government Reform Subcommittee on Government Operations, in an emailed statement said it was not surprising that information security was a main concern for the IG’s office.

“As this year’s historic data breaches clearly demonstrated, the federal government must be more proactive and vigilant in protecting the personal information of our federal workforce,” Connolly said. “The IG offers constructive recommendations to ensure OPM has the resources it needs to recruit and retain a skilled workforce, to better manage existing IT resources and security tools, and to improve oversight of the contract services being used to respond to the data breaches.”

John Salamone, vice president of FMP Consulting, and former executive director of the Chief Human Capital Officers Council at OPM, said he was interested in how the memo would impact the presidential nomination of Cobert as permanent director of OPM.

“I think the agency clearly needs a stable leader for the remainder of the administration’s term, so they can try and tackle some of these issues,” Salamone said. “We often forget that OPM is not just a small HR policy office, they are responsible for massive federal programs: federal health insurance, portions of the Affordable Care Act, the security clearance system. When you see these programs on the management challenge list, it is troubling, because they’re massive in scope.”