The U.S. government spends millions of dollars on information technology systems designed to prevent cybersecurity attacks, but the attacks still occur. Government agencies are hopeful that the learning curve will improve dramatically, and breaches will be reduced.
In the meantime, what happens to people affected by a breach after an attack succeeds? This year, the federal Office of Personnel Management not only was hit with one of the biggest hack attacks ever, but also was criticized for failing to provide the victims with an adequate response.
Partly as a result of the OPM breach, the U.S. government has initiated a dedicated IT acquisition contract designed to provide quick and effective assistance to those affected by a breach of federal data systems. It has a potential value of US$500 million over a five-year period.
OPM Uses GSA Contract
OPM was one of the first agencies to utilize the acquisition vehicle.
OPM and the U.S. Department of Defense earlier this month awarded a $133.2 million contract to Identity Theft Guard Solutions, doing business as ID Experts, to provide assistance to victims of the OPM breach. The contract includes options that could bring the cumulative value of the acquisition to $329.8 million.
The hack, which OPM discovered in May and reported in June, involved data related to background investigations for federal job applicants. It affected approximately 19.7 million individual applicants and 1.8 million nonapplicants, predominantly spouses or domestic partners of applicants. The incident followed an OPM breach reported in April, which affected 4.2 million people.
The ID Experts services will be provided at no cost to victims whose sensitive information, including Social Security numbers, was compromised in the OPM attack reported in June. ID Experts will provide three years of credit monitoring, identity monitoring, identity theft insurance and identity restoration service to all affected individuals and their dependent minor children.
“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” said Beth Cobert, acting director of OPM.
“Millions of individuals, through no fault of their own, had their personal information stolen, and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling,” she said.
Pool of Contractors
The OPM-ID Experts contract was awarded as a task order under the recently developed Identity Monitoring, Data Breach Response and Protection Services acquisition vehicle from the General Services Administration.
The GSA vehicle, a blanket purchase agreement, provides a uniform standard for contractor selection and saves each agency from having to develop its own contract for breach impact services. All federal agencies can use contractors GSA selects under the vehicle.
The BPAs give federal agencies access to a pool of qualified contractors that can provide the services needed to help people affected by data breaches and other personnel security matters, GSA said.
“Starting in November 2014, GSA worked with industry as well as an interagency working group to develop the procurement’s technical requirements and acquisition strategy,” said Tiffany Hixson, professional services executive for the Federal Acquisition Service, a unit within GSA.
GSA Moved Quickly After OPM Hack
GSA modified the 2014 initiative after the OPM intrusions were reported in 2015.
“GSA quickly incorporated emerging government requirements into an ongoing procurement so customer agencies could have access to best-in-class identity protection services faster, easier and for lower cost,” said GSA Administrator Denise Turner Roth. “Now customer agencies can better protect the government’s most valuable asset — federal employees — from potential damage caused by data breaches and other personnel security matters.”
The GSA vehicle will give federal agencies access to a variety of identity protection services, including consumer credit reports, address verification reports and credit risk assessments, as well as identity restoration services involving suspected or actual breaches of sensitive personally identifiable information, often referred to as “PII.”
Range of Services
Two tiers of contractors are available under the BPAs. The first includes contractors and contractor teaming arrangements, or CTAs, with experience in responding to data breaches that impact populations of significant size. The second tier includes contractors and CTAs with general experience in providing routine data breach responses.
GSA selected ID Experts; Bearak Reports, doing business as Identity Force; Total Systems Technology; and Theft Guard Solutions as first-tier contractors. Second-tier selections were Ladlas Prince, Grove Street Investments and Catapult Technology.
GSA invited vendor contract quotations in early August and got a good response from the vendor community, FAS’ Hixson told the E-Commerce Times.
The vendors selected by GSA will be in a good position market-wise as opportunities under the contract develop, she said. It is unlikely that other vendors will be added to the BPA vehicle in the near future.
“Services offered under the BPA provide a range of both identity monitoring, data breach response and protection services for the federal government. If necessary, protection services could be ordered regardless of breach activity,” Hixson pointed out.
Since a significant breach could occur at any time, having a readily available contract vehicle arranged by GSA should enable all units of the federal government to respond appropriately.
BPA Benefits All Agencies
“I think the BPA is a wise idea and the right mechanism for what needs to be done moving forward. It’s unfortunate, but it’s a reality that we live in a world where everyone’s data is at risk, and the BPA’s purpose of filling a recurring government need makes good sense,” said Alexander Major, a federal contracting specialist at Sheppard Mullin.
“The GSA is really in the best position and has the most experience in acquiring and managing government-wide projects, and there is something egalitarian about data being held in any federal agency being handled the same way,” he told the E-Commerce Times.
“Personally identifiable information is still PII, whether it resides at DoD, USDA or DoI. If it’s compromised, people should understand and feel comfortable with the level of mitigation support they receive. So that’s the caveat, the services acquired through the BPA had better be good,” Major said.
Moreover, there is a definite need for federal agencies to prepare better for breaches, and for the impact of intrusions on employees and customers.
“We tell commercial corporations to know their networks and identify their crown jewels so that they can be protected and monitored,” Major said. “Well, when it involves the U.S. government, it seems like everything is the crown jewel. Just getting into a federal agency’s IT system boosts a cybervandal’s street cred, so the government is, and will continue to be, a very large and viable target.”