Two months after the Office of Personnel Management disclosed the second of two large intrusions into its IT systems, the government announced Tuesday evening that it now has a firm plan to notify the 21.5 million victims involved and has awarded a $133 million contract to provide current and former federal employees with identity protection services.
ID Experts, which is incorporated in Portland, Oregon, as Identity Theft Guard Solutions LLC, won the task order under the governmentwide blanket purchase agreement, which also was awarded Tuesday.
OPM said the terms of the agreement will cover identity protection services for all of the federal employees, contractors and other current and former clearance holders whose personal data was taken during a heist of background investigation records OPM first disclosed in late July.
Official notifications will start to go out by the end of this September, officials said in a conference call with reporters, though they were hesitant to project when the Defense Department will complete the process.
And unlike the earlier contract to notify 4.2 million former and current feds, ID Experts will only handle identity protection services, not data breach notifications. All notifications to all victims of the second OPM breach will be handled directly by DoD and will come via dot-mil email addresses.
“That decision was made at the top levels because we have the infrastructure and the logistics system to accommodate such a massive notification,” said Rear Adm. Althea Coetzee, DoD’s principal deputy director for procurement and acquisition policy. “We believed it would be better managed if one government entity handled it as opposed to it coming from a contractor.”
Identity protection services also will be extended to the dependents of the affected workers, since some of their personal data, including birth dates and Social Security numbers, was plainly visible on the security clearance forms that were stolen in the second and much larger of the two cyber thefts from OPM’s systems.
“We were the victims of one of the largest cyber crimes ever carried out against the U.S. government. We’ve been working around the clock to understand the nature of what was taken and to identify the individuals whose data was stolen,” Beth Cobert, OPM’s acting director, said in response to questions about why it’s taken the agency so long to respond to the second breach. “We’ve tried to make sure we put in place a very high-quality contract that doesn’t create any more national security issues than we already had through the data that was stolen. As someone whose own data was stolen as part of this, I understand the frustration people feel. But we want to make sure that we’re doing this right.”
The new contract is a separate arrangement from the one OPM awarded earlier this summer in which 4.2 million federal employees were offered 18 months of identity theft protection in response to the first breach, which involved personnel records but not security clearance forms.
That contract was fraught with problems in its early days, including confusing emails that appeared to some workers as though they might be a phishing scam. The messages came from the contractor’s own email system, which used a dot-com top-level domain, and conflicted with some agencies’ cybersecurity training, which emphasizes that employees should not click on links in their inboxes from unfamiliar addresses.
The Naval Sea Systems Command administered Tuesday’s task order award, which will pay for identity protection services for up to three years.
Coetzee said agencies have also learned lessons from the notifications that were made under the contract they issued in response to the first data breach. The contractor, CSID, sent notices to most of the victims within a few days, but its call centers weren’t ready for the volume of calls that followed.
“When they accepted that work, they were basing their projected call rate on the industry average for data breaches, which says that about 2 to 4 percent of victims will call. The actual rate in that case was upwards of 25 percent,” she said. “Our contractors know that now. They took that into consideration during the request-for-quotations process. They know they’re going to have to accommodate a much larger volume.”
Tuesday’s award came in the form of a task order under a new blanket purchase agreement for identity protection services the General Services Administration announced on the same day.
Along with ID Experts, the winner of Tuesday’s huge OPM task order, the awards went to two other companies: Identity Force, a unit of Bearak Reports, and Ladlas Prince, which teamed with Catapult Technologies. All three will be eligible to compete for future task orders. GSA estimates the BPA’s value at $500 million over three years.
Tiffany Hixson, who heads GSA’s Federal Acquisition Service’s Region 10, said each of the potential contractors was required to demonstrate that it could meet stringent cybersecurity and privacy requirements that were drawn up by an interagency working group over the last two months.
“In addition to the firm requirements we had in the contract itself, which contractors will have to follow as part of this task order or any other, we also required them to submit formal security plans in advance,” she said. “It wasn’t just a matter of setting a standard they had to perform to, they had to show us how they were going to do that.”
Before they were allowed a spot on the BPA, contractors’ information protection plans were vetted by DoD, GSA, the Federal Trade Commission and the Department of Homeland Security, Hixson said.