Rep. Elijah Cummings (D-Md.) said the Office of Personnel Management’s contract award to Winvale and CSID for credit monitoring services doesn’t smell right.
Cummings is one of several lawmakers now questioning OPM’s process and decision to award the $21 million deal.
Wednesday, during the House Oversight and Government Reform Committee’s second hearing on the OPM data breach in a week, four different lawmakers questioned why the award happened so quickly — the request for quote was on the street for only 36 hours — why OPM chose Winvale and CSID, and whether this was a good decision.
Rep. Gary Palmer (R-Ala.) referred to Sen. Mark Warner’s (D-Va.) letter about the contract award.
“He raises a question here about how quickly this contract was awarded to CSID. You didn’t go through this normal process, and it was awarded in 36 hours, I think is what Sen. Warner says. Was it intentionally steered to CSID?” Palmer asked OPM Director Katherine Archuleta and OPM chief information officer Donna Seymour.
Archuleta said the contract was not steered to CSID and it was awarded through a “fair and competitive process.”
Seymour said an OPM contracting officer made the selection of Winvale and CSID.
“Did you evaluate the management of CSID?” Palmer asked.
Seymour responded, “I did evaluate both the technical and the cost proposals.”
Palmer re-asked his question, “Did you evaluate the people who run the company?”
“I had resumes for the key personnel that they provided in the proposal,” Seymour said.
Palmer made an accusation that one of the members of the board of CSID is under investigation by the Justice Department and the Securities and Exchange Commission for his involvement in losing money while running a hedge fund.
But Patrick Hillman, a spokesman for CSID, said Palmer is way off base and was referring to a different person with the same name as CSID board member Owen Li.
“This is a reckless case of mistaken identity. The Owen Li that works for Investcorp is a British citizen who has never worked for or been involved with Canarsie Capital. We are working aggressively to ensure Owen’s integrity is protected in the face of these erroneous accusations,” Firez El Amine, head of corporate communications for Investcorp, said in a statement.
GSA didn’t meet OPM’s needs
The other issue that came up at the hearing is why OPM didn’t use the blanket purchase agreement created by the General Services Administration after the 2006 Veterans Affairs Department data loss.
Committee chairman Jason Chaffetz (R-Utah) pressed Seymour on this question.
“We did consult with GSA schedules on this. There were some requirements that we wanted to include on our contract that were not available on the schedule,” Seymour said. “De-duplication of services was one of them. What we were trying to do at OPM was set up a contract vehicle that we could use in the future for any additional breaches, whether it’s one or two, we wanted to set up a vehicle that would not cause us to pay or offer the same services to affected individuals at the same time. That is not something the GSA schedule afforded us the opportunity to do, even after we talked to the schedule holder at GSA.”
Seymour’s answer didn’t satisfy Chaffetz.
“I’m just telling you, this reeks,” he said. “And for any contract to go out that fast, and I understand the gravity of the situation, you are going to deviate from that and then they immediately go out to a subcontractor, I’d encourage you get back to Sen. Warner, Mr. Palmer as well as this committee.”
Chaffetz asked for OPM to send its response to Warner’s letter to the Oversight committee as well.
Despite these assurances from OPM, Inspector General Patrick McFarland said his office is going to look into the contract and award process.
In the second of three hearings this week, a few more details and clarification came out about the breaches.
Archuleta pushed back against reports that say 18 million current and former federal employees, contractors, congressional staff and others may be impacted by the second breach.
“It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data,” she said. “It is a number that I am not comfortable with at this time because it does not represent the total number of affected individuals. The Social Security number portion of the analysis is still under active review. We do not have a more definitive number. There may be an overlap between the individuals affected in the background incident and the personnel incident. We are working deliberately to determine if individuals who have not had their Social Security numbers compromised, but may have other information exposed should be considered individuals affected by this incident. For these reasons, I cannot yet provide a more definitive response on the number of individuals affected on the background investigations data intrusion.”
32 million at risk?
Chaffetz pressed Archuleta for more information about the number of people impacted. He showed the committee a letter Archuleta sent to the Senate Appropriations Committee.
“As a proprietor of sensitive data including personally identifiable information for 32 million federal employees and retirees, OPM has an obligation to maintain contemporary and robust cybersecurity controls. You wrote that in February,” Chaffetz said. “Are you here to tell me that information is all safe? Or, is it potentially 32 million records that are at play here?”
Archuleta responded that OPM continues to review the number and scope of the breach.
Chaffetz asked again, “It could be as high as 32 million? Is that right?”
Archuleta demurred again in giving an answer. Chaffetz pressed further, asking for a range rather than a specific number.
“We know it’s a minimum of 4.2 million, but it could be as high as 32 million?” he asked.
Archuleta said, “I’m not going to give you a number that I’m not sure of.”
Archuleta didn’t commit to a timeline to release the details of the second breach in terms of how many were impacted.
Additionally, a few other new pieces of information came out during the hearing.
Contractor credential lost on OPM’s network
At the Senate Appropriations Committee hearing on Tuesday, OPM said one of the main ways the hackers got into its network was by obtaining the user credential of an employee of KeyPoint Government Solutions. KeyPoint is a vendor providing security clearance services to OPM.
Wednesday, KeyPoint CEO Eric Hess said the employee lost or had his or her credential stolen while working on OPM’s network, rather than through the company’s network.
Tuesday, Archuleta told lawmakers that no PII was taken in the initial March 2014 cyber attack that OPM suffered. But Wednesday, Seymour revealed that while no personal information was lost, OPM did lose some technical and architecture manuals.
Lawmakers tried to make a big deal out of this, but toward the end of the almost four-hour hearing, Ann Barron-DiCamillo, the director of the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT), said those documents weren’t a big deal in the overall scheme of things.
During the contentious hearing, Chaffetz expressed frustration over the lack of information from OPM and, once again, called on Archuleta and Seymour to resign.
Rep. Gerry Connolly (D-Va.) cautioned against calling for anyone to resign. He said this is a larger issue than just the challenges and shortcomings of OPM.