Victims of the Office of Personnel Management’s 2015 cyber breaches who have enrolled in the agency’s free credit monitoring services won’t experience an interruption while the agency re-competes an existing contract.
OPM will temporarily extend its current “MyIDCare” service with ID Experts though June 30, 2019, while the agency re-competes its contract for free identity protection and credit monitoring services to all victims of the two 2015 cybersecurity breaches.
A provision in the 2016 spending omnibus required OPM to provide these services to all breach victims through 2025, but the agency’s existing contract with ID Experts will expire on Dec. 31, 2018.
“Enrolled individuals will continue to receive government-sponsored coverage from ID Experts at no cost for an additional six months,” an OPM spokesman said.
In the meantime, OPM is soliciting quotations from eligible vendors on the General Services Administration’s identity protection services multiple award blanket purchase agreement (BPA), the spokesman said. Because OPM doesn’t expect to finish the re-compete award until this December, the agency is extending existing ID Experts coverage to current enrollees for another six months.
OPM used GSA’s identity protection services BPA back in 2016, the last time the agency solicited bids for this purpose. It signed a two-year, $340 million contract with ID Experts, one of three vendors on the BPA, to provide credit monitoring services to victims of both OPM breaches.
Identity Force and Ladlas Prince are also vendors on the BPA.
OPM’s upcoming solicitation will determine whether the agency continues to use ID Experts or one of the other two vendors on the identity protection services BPA.
OPM has obligated the entire amount of the existing ID Experts contract, according to USA Spending data. The agency didn’t comment on how many breach victims have enrolled in the service to date.
Victims who aren’t currently enrolled but were eligible to receive the free service during the breach aftermath will have an opportunity to enroll in the future, regardless of the outcome of the solicitation, the OPM spokesman said.
OPM’s two cyber breaches in 2015 impacted roughly 21.5 million federal employees, contractors and others.
Federal employee groups and unions said they’ve been asking for more details about OPM’s plans for the contract past this December but hadn’t received any information. When the agency announced its plans for the ID Experts contract back in 2016, OPM said it would need to determine a future procurement strategy through 2025.
“Once again, we find ourselves left with more questions than answers,” Ken Thomas, president of the National Active and Retired Federal Employees (NARFE) Association, said in a statement. “For the past three years, it has been well-known that the current contract providing identify theft protection to those affected expires at the end of 2018. I am disappointed to learn that OPM is only now in the beginning stages of providing the victims protection for the next seven years, as mandated by Congress.”
The National Treasury Employees Union asked acting OPM Director Margaret Weichert for a status update in mid-November. Federal employee groups received information from the agency Thursday afternoon.
OPM said it would continue to update the agency’s cybersecurity resource online, according to a message sent to federal unions.
From the very beginning, OPM’s attempts to protect cyber breach victims were marked by confusion.
The agency quickly signed a contract with Winvale Group to provide credit monitoring services for the 4.2 million victims of OPM’s first breach. The agency’s inspector general said the contract didn’t follow federal acquisition regulations (FAR) and best procurement practices. Winvale wasn’t on GSA’s BPA, point that several lawmakers made when OPM first awarded the $20 million contract just 36 hours after the solicitation was made public.
OPM signed another contract with a different vendor, ID Experts, to cover the 21.5 million victims of the second breach. The agency in late 2016 allowed its Winvale contract to expire and signed a new, two-year agreement with ID Experts to cover all breach victims. Some lawmakers criticized OPM for giving some breach victims one month to sign up for new services in 2016.
The Government Accountability Office last year questioned whether the requirement to provide victims of the 2015 breaches with no less than $5 million in identity theft insurance for at least 10 years is too much.