The U.S. Office of Personnel Management (OPM) improperly handled a nearly $21 million contract awarded to a company to protect the identities of millions of victims of a cyber attack on the federal agency.
CNN first reported that a new report from the agency’s inspector general concluded that OPM violated federal contracting regulations when it awarded a contract to a company called CSID to offer identity protection services to 4.2 million current and former federal workers who were affected by a breach of the agency’s computer systems announced in June.
According to the inspector general report, OPM violated federal regulations in several ways with the contract by "having an incomplete performance work statement, failing to obtain an independent government cost estimate, having an incomplete acquisition plan, and conducting inadequate market research."
"As a result, the wrong contracting vehicle was utilized in awarding the [CSID] contract, the [Federal Acquisition Regulation] blanket purchase agreement call limit was exceeded, and millions of taxpayer dollars were put at risk for waste or loss," the inspector general wrote.
OPM agreed with almost all points made in the report and said that the agency will properly follow federal regulations in the future.
CSID endured scrutiny for the services it provided to victims of the hack, with individuals complaining about hours-long waits on the company’s call center line, web site crashes, and incorrect information on their accounts.
When selecting a contractor to provide identity theft protection to more than 21 million Americans affected by a second breach of the agency announced in July, OPM did not choose CSID. The cost of that contract, awarded to Identity Theft Guard Solutions, is projected to cost $330 million, according to NextGov.
Following the announcement of the second breach, OPM director Katherine Archuleta was forced to resign. House Oversight Committee Chairman Jason Chaffetz (R., Utah) responded to the latest inspector general report by demanding that the Obama administration fire the agency’s chief information officer.
"I write once again to augment my concerns that Ms. Donna Seymour, chief information officer for the Office of Personnel Management, is unfit to perform the significant duties for which she is responsible," Chaffetz wrote in a letter to the White House. "It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties."
Previous inspector general reports have exposed deficiencies in OPM’s information security procedures.