With all the focus on the cyber breach affecting anywhere from 4 million to 14 million current and former federal employees, let’s not overlook the simple fact that despite what some would call urgent and compelling needs, the government has rules and regulations that still must be followed.
One shining question mark in this discussion is how the Office of Personnel Management went about awarding its contract for credit monitoring services to Winvale/CSID.
Several media organizations picked up on the fact that OPM made the $20.1 million award to these companies.
But when I looked at the notice on FedBizOpps.gov, several red flags jumped out. And as I talked to several procurement experts, the questions about whether OPM “wired” the contract to Winvale/CSID only grew.
Let’s start with the facts: OPM issued the request for quotes on May 28 at 11:33 a.m. with a response date of May 30 at 11:59 p.m. — roughly this RFQ was open for 36 hours.
In the 1.5 days the solicitation was on the street, OPM issued three amendments and made the award on June 5 to Winvale Group of $20.7 million for “privacy act incident services.”
There are several things that, on the surface, make this contract questionable — starting off with the 36-hour turnaround time for the RFQ.
Several procurement experts say this is typical of a contract being steered toward a specific company.
“I’m all for having rapid awards, but how do you even prepare for a response and pricing without prior knowledge of this,” said Bill Shook, a procurement attorney. “Did they do market research to determine which companies are out there? Now if they are using FAR part 12.6 for streamlined acquisitions for commercial items, they could do it in less than 30 days. But to put the entire solicitation into FedBizOpps, they have to give companies reasonable time to respond. I’m not sure 36 hours to respond is reasonable. I don’t know what the marketplace is for companies that do breach notifications, but there has to be more than one.”
Three other procurement experts, all of whom requested anonymity for various reasons, said on the surface this contract looks suspicious.
One expert pointed out that Winvale is thought of as a company that helps others get on the GSA schedules, prepare proposals and the like, and their GSA schedules are for things such as lab equipment and IT software/services, but there is nothing about credit monitoring, insurance or similar offerings.
The expert says, interestingly enough, that Winvale’s website now says they provide credit monitoring services, but their profile on Bloomberg doesn’t mention it at all.
“By offering comprehensive credit and non-credit identity protection services to those potentially affected, we are able to monitor personal data and alert enrollees of suspicious activity before an identity theft occurs,” said Kevin Lancaster, CEO of Winvale in a statement.
Another procurement expert says if OPM needed to award a contract based on urgency, it could have sole sourced the contract and justified it properly for a total of 12 months.
But OPM made the award for one year with four one-year options, it includes no justification and it wasn’t done through the GSA schedule.
Which brings me to the second major reason this contract award is questionable — OPM could’ve gone through the General Services Administration, set up a blanket purchase agreement (BPA) and set up these services quickly.
If you remember 2006 when the Veterans Affairs Department went through what many will call the data breach that started it all, GSA created the BPA with three vendors so when data breaches occur, agencies can obtain credit monitoring services quickly and cost effectively.
GSA made three awards under the BPA to Bearak Reports, Equifax Inc. and Experian Consumer Direct.
It’s unclear whether OPM reached out to Equifax or Experian, but they didn’t contact Bearak Reports.
“We did not receive an RFQ for this particular breach from OPM or from any of the government agencies regarding this security breach,” said Judith Leary, president of Bearak Reports, in an interview with Federal News Radio. “There potentially are RFQs that we could bid upon with response in 24 hours.”
Leary said if Bearak had known about the OPM RFQ, they would’ve bid on it.
A spokeswoman for Experian offered a nonsensical response to the question of whether the company bid on the RFQ.
“We are under non-disclosure agreement with clients and potential clients so we do not disclose if we participate in contract bids. For more information, you will have to contact OPM,” the spokeswoman said.
Multiple emails to Equifax seeking comment on the RFQ and information on whether they bid were not returned.
I also reached out to AllClear, the firm providing credit monitoring services to customers of Anthem after the company’s breach that impacted as many as 80 million customers.
“AllClear does not comment on live or active breaches. We are happy to provide comments on a trend or general story at another time,” the AllClear spokeswoman said.
Repeated emails to OPM seeking comment on the contract award, how many bids were received and why they only opened the bidding for 36 hours were not returned. When contacted by Federal News Radio, contracting officer James Thieme said answers were being written and referred all calls back to OPM headquarters.
“The question has to be asked why they thought 36 hours was sufficient time to prepare a price quote for five years,” Shook said. “How did the awardee first learn of the RFQ? By looking at FedBizOpps or were they advised it was coming out? The big question is how many other bids did they receive? It’s been a long time since I’ve seen something issued one day and a response due the following day. There is an argument they needed to act quickly, but there is quickly and there also is protecting the fairness in public contracting. Listen, if OPM got four bids, it’s a non-event. If they got one, then that’s very suspicious.”
Patrick Hillmann, a spokesman for CSID, said, “The turnaround time for the decision was well beyond the required timeframe.” Hillmann offered no further details on the contracting process.
The contract award also attracted the attention of at least one member of Congress.
Sen. James Lankford (R-Okla.), chairman of the Homeland Security and Governmental Affairs Subcommittee on Regulatory Affairs and Federal Management, asked for more details about the award to Winvale/CSID from OPM in his June 10 letter about the data breach.
“As the subcommittee performs oversight regarding the cybersecurity breach at OPM, Senator Lankford has concerns that protocols governing procurement awards may not have been followed. This is one of many questions the Senator posed to the OPM Director regarding the data breach and he looks forward to their response,” said DJ Jordan, a spokesman for Lankford in an email to Federal News Radio.