The Office of Personnel Management didn't have a decision-making policy in place to help it decide when and how to offer identity theft and credit monitoring services to victims of the 2015 cyber breaches. More than a year later, the agency still doesn't have a plan.