OPM broke the rules with its breach cleanup contract, says agency watchdog
A forthcoming inspector general report will delve into how the IG says OPM violated procurement regulations with its $20 million post-breach services award to Winvale.
After news broke that millions of feds had been exposed in a breach at the Office of Personnel Management, OPM was in a rush to get the remediation ball rolling.
Perhaps a bit too much of a rush.
In an Oct. 30 memo to OPM's Acting Director Beth Cobert, made public Nov. 12, OPM Inspector General Patrick McFarland pointed to "significant deficiencies" with OPM's $20 million award to Winvale Group and subcontractor CSID.
"We determined that [OPM's Office of Procurement Operations] did not award the Winvale contract in compliance with the [Federal Acquisition Regulation] and OPM's policies and procedures, which led to the OPO selecting the wrong contracting vehicle," the memo stated.
A full report on the contract issues will be released within the month, an OPM IG spokesperson told FCW.
The Winvale/CSID contract has drawn questions for months, largely because OPM's Blanket Purchase Agreement Request for Quotation for identity protection services was open on FedBizOpps for only 36 hours.
"According to procurement experts, such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID," wrote Sen. Mark Warner (D-Va.) in a June letter to OPM.
"Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid," company spokesman Patrick Hillman said in a statement to Nextgov. "Beyond that, Winvale had no control over or insight into the bidding process."
OPM, for its part, is claiming the problem as its own discovery.
"We proactively identified an error with the Winvale contract, raised it with the OIG, and then took action to address this issue at no additional cost to the taxpayer," said OPM spokesman Sam Schumach. "Once the IG report is published, we will provide a formal response."
The Winvale/CSID contract covered credit monitoring and other services for the 4.2 million feds exposed in the first half of the breach revelations. When it came time to award a $133 million remediation contract for the second, larger batch of exposed individuals, OPM took more time and turned to the Defense Department for help.