On Tuesday, the federal government released its official solicitation for a contractor to alert victims of the Office of Personnel Management data breach and provide them with identity theft protection. The vendor that wins the OPM contract must also give the feds access to its own databases. While the majority of the 21.5 million people affected by the data breach are expected to be notified within a month of the contract’s award, it could take up to 4 months for everyone affected to be alerted.
OPM Contract Out Now
The official solicitation for the OPM contract was released on Tuesday, and much competition for the contract is expected. The solicitation addresses a number of issues that came up with previous similar contracts. These include complaints about the way a contractor (CSID) handled a previous, smaller OPM hack, and complaints from the government about the actions of a separate contractor (USIS) that was the victim of a data breach about one year prior to the OPM breach.
Previous OPM Breach
A previous OPM data breach had affected about 4.2 million people. They were notified by the contractor CSID, which then instructed them “to enroll on a dot-com website, maintained by CSID, not a dot-gov site. The commercial Web address raised questions about the legitimacy of the government-offered services,” according to NextGov.
The solicitation for the latest breach stipulates that the new contractor may use its own website as long as it is behind an official dot-gov website.
In addition, some victims of the breach received robocalls after registering with CSID. It was the first time they had received these robocalls, and the calls were related to the information they had given at registration. Officials from CSID maintained it was a coincidence, and officials from OPM addressed the issue “to ensure CSID understood agency customers were not to be upsold.”
The new OPM contract states that personal information obtained during registration for identity theft protection cannot be used for marketing and cannot be sold or transferred unless approved in writing.
USIS is a background check provider that detected an intrusion on its own networks, which resulted in the theft of information of more than 31,000 federal employees, including some from the Department of Homeland Security.
DHS sought to conduct its own scan of the USIS networks that were breached. However, this scan was cut short, and the parties involved disagree over whether it was the government or the contractor that cut it short. As a result, the new OPM contract is operating under policies that were revised in June, “that ensure the government can access contractor systems in the event of a data incident.”
DHA Group, Inc.
An award-winning management consulting and contracting firm primarily serving federal, civilian and defense agencies, DHA Group supports clients’ mission-critical work by delivering expert professional services.