The latest rebuke from the Office of Personnel Management inspector general criticizing the agency's rush to award a breach protection contract in early June is being used to renew calls for OPM CIO Donna Seymour's resignation.
In the wake of revelations about the first major breach of OPM networks — affecting some 4.2 million people — the rush to get a credit monitoring and fraud protection contract in place led to significant violations of the federal acquisition regulation, according to a new IG report released Dec. 10.
Report: Results of OIG Special Review of Credit Monitoring Contract
The full report follows an Oct. 30 memo briefly outlining the IG's initial findings.
Specifically, the lack of market research included:
- Failure to work with the Office of Small and Disadvantaged Business Utilization (OBDBU) to identify possible small business options — despite claiming this had been done;
- Failure to fully consider the use of the General Services Administration's Federal Supply Schedule — despite FSS officials stating that the program has products that could have met the requirements, just outside the OCIO's timeframe; and
- Failure to conduct independent cost estimates for the requirements, citing the impending deadline.
This misstep was rectified in early August, when OPM modified the BPA to a basic ordering agreement.
"While we are unable to determine if these areas of noncompliance would have resulted in the award of the contract to a party other than Winvale, it is evident that significant deficiencies existed in [the Office of Procurement Operations] management of the contract award process," wrote IG Patrick McFarland. "As a result, the wrong contracting vehicle was utilized in awarding the Winvale contract, the FAR blanket purchase agreement call limit was exceeded and millions of taxpayer dollars were put at risk for waste or loss."
"It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties," Chaffetz said in a Dec. 10 letter to OPM Acting Director Beth Cobert. "The record is clear that six months after the American people first learned about OPM's spectacular failure at securing sensitive personal information, change is needed in the Office of the Chief Information Officer."
Former OPM Director Katherine Archuleta resigned shortly after it was revealed that a second breach compromised records on more than 21.5 million Americans, however, Seymour has yet to yield to calls for her to step down.
"This is not a case where we can fire our way to success," Scott told Federal Times in August. "People want to hold folks accountable — and that's good. But the people who are responsible left a long, long time ago," he said in reference to the former officials that built OPM's current infrastructure.
"We agree with Chairman Chaffetz that OPM's IT infrastructure needs to be continuously improved and updated now and into the future," OPM Press Secretary Sam Schumach told Federal Times in response to the letter. "Since these incidents were discovered, OPM, under the direction of Ms. Seymour and now in partnership with OPM's new cybersecurity adviser, has continued to build upon our efforts to strengthen our broader cyber defenses and information technology systems."
Schumach also noted Seymour has spent 37 years in public service, during which time she has received numerous awards and accolades.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
