OPM needs data management for background checks

On the cusp of absorption by a brand-new agency, Federal Investigative Services is searching for electronic records support.

WHAT: A draft request for proposals for the support of the centralized records unit at the Office of Personnel Management’s Federal Investigative Services.

WHY: FIS will soon be folded into a Pentagon-designed security clearance organization called the National Background Investigations Bureau, but it needs support to maintain the clearance process in the meantime.

In a draft RFP issued Feb. 10, OPM is seeking a contractor to help manage the flow of background investigation data at its Boyers, Pa., facility. The contract will cover scheduling interviews and reviews, managing data and coordinating with other agencies’ databases, including those of the IRS and FBI, to evaluate individuals.

Perhaps more interesting than the solicitation itself is the list of security requirements that apply to OPM contracts in the wake of the massive hack that rattled the agency. The draft RFP notes that a slew of standard IT clauses were updated in April 2015. Specifically, anything that looks like an attempted hack, breach or other information security incident must be reported to OPM's situation room within 30 minutes of detection. In addition, all IT functions must be certified as being compliant with IPv6 and dual-stack IPv4/IPv6.

Although the contractor will be limited to using OPM’s vetted hardware and its Investigative Enterprise Systems “or any future OPM system that is directly associated with the investigative process,” the draft RFP states that technology changes will probably alter the scope of the contractor’s work, and officials are open to cloud storage solutions.

Contractors will need to use a slew of best security practices: personal identity verification cards (supplied by OPM), FIPS-140 encryption and continuous monitoring (also via OPM). Sharing PIV cards among contract employees will result in disabled accounts and the denial of access to OPM systems.

The contractor will also need to get a Federal Risk and Authorization Management Program third-party assessment organization to size up its security and privacy controls. Furthermore, the contractor’s information system security officers and information security specialists must have Certified Information Systems Security Professional status within six months of the contract award.

Comments on the draft are due by 3 p.m. EST on Feb. 22. OPM said the final RFP will likely be released in March.
