oversight

Audit of the U.S. Office of Personnel Management's Award of a Credit Monitoring and Identity Theft Services Contract to Identity Theft Guard Solutions, LLC

Published by the Office of Personnel Management, Office of Inspector General on 2018-02-28.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

           OF PERSONNEL MANAGEMENT
   OFFICE OF THE INSPECTOR GENERAL
           OFFICE OF AUDITS




  Final Audit Report
AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
 AWARD OF A CREDIT MONITORING AND IDENTITY THEFT
   SERVICES CONTRACT TO IDENTITY THEFT GUARD
                    SOLUTIONS, LLC


             Report Number 4A-OO-00-17-035
                    February 28, 2018
            EXECUTIVE SUMMARY 

Audit of the U.S. Office of Personnel Management’s Award of a Credit Monitoring and Identity
                Theft Services Contract to Identity Theft Guard Solutions, LLC

 Report No. 4A-OO-00-17-035                                                                     February 28, 2018


Why Did We Conduct the Audit?             What Did We Find?

The objective of our audit was to         1. Incomplete Contract File
determine if the Office of Procurement
Operations (OPO) awarded the credit          OPO did not comply with the FAR requirements and OPM’s
                                             policies and procedures in awarding the ID Experts contract.
monitoring and identity theft services
                                             Specifically, we identified the following:
contract to Identity Theft Guard
Solutions, LLC, doing business as ID            x   The acquisition plan, market research plan, technical
Experts, in compliance with the Federal             evaluation plan and various other contractual documents
Acquisition Regulation (FAR) and U.S.               were incomplete and/or unapproved by OPO’s
Office of Personnel Management’s                    management and the Office of the General Counsel;
(OPM) procurement policies and
procedures.                                     x   The System for Award Management was not referenced
                                                    until after the award of the General Services
What Did We Audit?                                  Administration (GSA) order;

                                                x   The Contract Officer’s Representative was not
The Office of the Inspector General has
                                                    designated until after the award of the GSA order;
completed a performance audit of
OPM’s procurement process over the ID           x   The credit monitoring and identity theft services contract
Experts contract. Our audit fieldwork               did not go through OPO’s Contract Review Board
was conducted from March 29 through                 process; and
October 5, 2017, at OPM headquarters,
located in Washington D.C.                      x   There were data entry errors entered into the Federal
                                                    Procurement Data System.

                                          2. Oversight Review Controls Need Strengthening

                                             Based on our audit findings, we have concluded that OPO
                                             needs to strengthen their review controls over the procurement
                                             process.

_______________________
Michael R. Esser
Assistant Inspector General for Audits




                                                     i
	
      ABBREVIATIONS

FAR   Federal Acquisition Regulation
FY    Fiscal Year
GSA   U.S. General Services Administration
OPM   U.S. Office of Personnel Management
OPO   Office of Procurement Operations




                 ii
	
                         TABLE OF CONTENTS


                                                                                                                      Page

       EXECUTIVE SUMMARY ......................................................................................... i
	

       ABBREVIATIONS ..................................................................................................... ii
	

I.     BACKGROUND ..........................................................................................................1
	

II.    OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................4
	

III.   AUDIT FINDINGS AND RECOMMENDATIONS.................................................6
	

       1.    Incomplete Contract File………………………………. .......................................6
	

       2. Oversight Review Controls Need Strengthening ..................................................10
	

       APPENDIX	 The Senior Procurement Executive’s response to the draft report,
                 dated January 4, 2018.

       REPORT FRAUD, WASTE, AND MISMANAGEMENT
                             I. BACKGROUND

This final audit report details the findings, conclusions, and recommendations resulting from our
performance audit of the U.S. Office of Personnel Management’s (OPM) award of a credit
monitoring and identity theft services contract to Identity Theft Guard Solutions, LLC, doing
business as ID Experts. The audit was performed by OPM’s Office of the Inspector General, as
authorized by the Inspector General Act of 1978, as amended.

In fiscal year (FY) 2015, OPM experienced two separate cyber-attacks, affecting personnel
records and background investigation records. Personally identifiable information (e.g., full
name, birth date, home address, and social security number) of current, former, and prospective
Federal government employees, contractors, and others was stolen in the cyber-attacks on OPM
systems.

Personnel Records Incident

OPM discovered that the personnel data of 4.2 million current and former Federal government
employees had been stolen. To mitigate the risk of fraud and identity theft using the stolen
personnel data, OPM’s Office of the Chief Information Officer determined that credit monitoring
and identity theft services were needed to protect the affected individuals. OPM awarded a
contract to Winvale Group, LLC, on June 2, 2015, who subcontracted with CSIdentity, to
provide credit monitoring services and identity theft protection for the affected individuals.

Background Investigation Records Incident

OPM also discovered that 21.5 million background investigation records of current, former, and
prospective Federal employees and contractors had been stolen. All but approximately 600,000
individuals who were impacted by the personnel records incident were also impacted by the
background investigation incident. Again, to mitigate the risk of fraud and identity theft, OPM
used the Department of the Navy to award a contract to ID Experts to provide identity theft
protection services for the affected individuals and their minor dependents. On March 15, 2016,
the Department of the Navy transferred the binding agreement to OPM to perform administrative
responsibilities (e.g., making contractor payments and ensuring the contractor was meeting
contractual terms and conditions).




                                             1                     Report No. 4A-OO-00-17-035 

Contracting Requirements and Timeline

On December 18, 2015, the U.S. Congress enacted the “Consolidated Appropriations Act,
2016,” which requires OPM to provide complimentary identity protection coverage to affected
individuals. Specifically, the Act states coverage should be effective for a period of not less than
10 years and includes not less than $5,000,000 in identity theft insurance. In addition, the
U.S. Office of Management and Budget issued Memorandum (OMB) 16-14, “Category
Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity
Monitoring, and data Breach Response,” which requires, with limited exceptions, Federal
agencies that need identity protection services to use the Government-wide blanket purchase
agreements under the U.S. General Services Administration’s Federal Supply Schedule1.

OPM’s credit monitoring and identity theft services contract with the Winvale Group, LLC was
scheduled to end on December 1, 2016. In anticipation of this, OPM conducted an analysis and
determined that “approximately 600,0002” individuals impacted by the personnel records
incident were also impacted by the background investigation records incident. Therefore, to
comply with the Congressional mandate, OPM needed to obtain additional credit monitoring and
identity theft services for those affected individuals.

On August 29, 2016, OPM’s Office of the Director provided the Office of Procurement
Operations (OPO) with a statement of work outlining the required services, including: transition-
in services; notification and address validation services; website services; call center services;
credit monitoring services; identity theft insurance and recovery services; and project
management, hereafter referred to as the “Requirements.” OPO designated a Contracting
Specialist to work with the Office of the Director in awarding the contract to ensure all required
contracting actions were performed, all parties complied with the terms of the contract, and the
interests of the United States in its contractual relationship were safeguarded.

The Contracting Specialist worked with the Office of the Director to conduct market research for
the Requirements, which included researching the U.S. General Services Administration’s
(GSA) Federal Supply Schedule and issuing a request for information to vendors. The market
research determined that there were capable vendors within the Federal Supply Schedule’s
blanket purchase agreement to perform the Requirements.

On September 8, 2016, the Contract Specialist issued the request for quotes package to vendors
identified on the Federal Supply Schedule with a September 26, 2016, response due date. Three
responses were received and the Technical Evaluation Panel Voting Members performed the

1
  The Federal Supply Schedule provides Federal agencies with a simplified process for obtaining commercial supplies and services at prices 

associated with volume buying. 

2
  OPM’s ID Experts contract, OPM10117F0001, “2016.08.29-Performance Work Statement-v.7.0.” 

                                                                  2                                Report No. 4A-OO-00-17-035 

technical evaluation, which included comparing vendors’ request for quotes responses, reviewing
past performance history, and analyzing quotes for the best value. On October 28, 2016, the
Contracting Officer signed a blanket purchase agreement with ID Experts and issued a call order
for $4,323,338, not to exceed $9,066,9483, for credit report access and monitoring and $5 million
in identity theft insurance and recovery services for each of the affected individuals until
December 31, 2018.

OMB also issued M-16-14, “Category Management Policy 16-2: Providing Comprehensive
Identity Protection Services, Identity Monitoring, and Data Breach Response,” to heads of
departments and agencies on July 1, 2016, for procuring Identity Monitoring Data Breach
Response Services. However, we found that OPO did not follow the steps in M-16-14 when
awarding the Credit Monitoring and Identity Theft Services Contract.

PREVIOUS OFFICE OF THE INSPECTOR GENERAL REPORTS

On December 2, 2015, the Office of the Inspector General issued a report on OPM’s Award of a
Credit Monitoring and Identity Theft Services Contract to Winvale Group LLC, and its
subcontractor, CSIdentity. Based on our analysis, we determined that in order to meet the Office
of the Chief Information Officer’s June 8, 2015, Requirements due date, the Contracting Officer
failed to comply with the Federal Acquisition Regulation (FAR) requirements and OPM’s
policies and procedures in awarding the Winvale contract. We issued two recommendations to
OPO, which are still open.




3
    Rounded to the nearest dollar.
                                            3                     Report No. 4A-OO-00-17-035 

II. OBJECTIVE, SCOPE, AND METHODOLOGY

OBJECTIVE

The objective of our audit was to determine if OPO awarded the credit monitoring and identity theft
services contract to ID Experts in compliance with the FAR and OPM’s procurement policies and
procedures.

The recommendations included in this final report address the objective.

SCOPE AND METHODOLOGY

We conducted this performance audit in accordance with generally accepted government
auditing standards as established by the Comptroller General of the United States. These
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objective.

The scope of our audit covered OPO’s procurement process over the ID Experts contract. We
performed our audit from March 29 through October 5, 2017, at OPM headquarters, located in
Washington, D.C.

To accomplish our audit objective noted above, we:

   x	 Held meetings with the Contracting Officer for the ID Experts contract, the Director of
      OPO, the Director of the Office of Small and Disadvantaged Business Utilization, and the
      Director of OPO’s Policy and Procurement Innovations;

   x	 Reviewed the FAR and OPM’s small business policy; and

   x	 Reviewed and analyzed the acquisition plan, marketing research plan, request for quotes,
      the System for Award Management documentation, technical evaluations, basis for
      award, and other documentation within the contract file to ensure compliance with the
      FAR and OPM’s policies and procedures.

In planning our work and gaining an understanding of the internal controls over OPO’s
procurement process, we considered, but did not rely on, OPM’s internal control structure to the
extent necessary to develop our audit procedures. These procedures were mainly substantive in
nature. We gained an understanding of management procedures and controls to the extent
necessary to achieve our audit objective. The purpose of our audit was not to provide an opinion

                                             4		                    Report No. 4A-OO-00-17-035 

on internal controls, but merely to evaluate controls over the procurement process for the ID
Experts contract.

Our audit included such tests and analysis of OPO’s procurement process, including documented
policies and procedures, the ID Experts contract file, and other applicable information, as we
considered necessary under the circumstances. The results of our testing indicate that with
respect to the items reviewed, OPO needs to improve its policies, procedures, and controls over
the procurement process. In conducting our audit, we did not utilize any computer-generated
data, nor did we select any samples for testing.




                                             5                     Report No. 4A-OO-00-17-035 

III. AUDIT FINDINGS AND RECOMMENDATIONS

 The sections below detail the results of our audit of OPM’s award of a credit monitoring and
 identity theft services contract to ID Experts.

 1.		 Incomplete Contract File

    OPO did not comply with the FAR requirements and OPM’s policies and procedures in
    awarding the ID Experts contract. While reviewing the contract file and supporting
    documentation, we identified the following instances of non-compliance:

            x	 The acquisition plan did not contain the Contracting Officer and Director of OPO’s
               approval signatures.

            x	 The Contracting Officer, the Director of Acquisition Policy and Innovation, and the
               Office of the General Counsel did not review the acquisition plan until October 30,
               2016, which was after the award of the GSA order on October 28, 2016. The
               reviews should have occurred prior to the award of the ID Experts contract to ensure
               FAR compliance.

            x	 The acquisition plan was missing the rationale as to why firm fixed price was the
               best contract type for the Requirements.

            x	 The acquisition plan summary for “Inherently Governmental” and “Budget and
               Funding” could not be supported by the contract file. The contract file was missing
               (1) a letter from the Agency Head or designee stating that the Requirements are not
               inherently governmental and (2) a memorandum from OPM’s Office of the Chief
               Financial Officer stating that $5.9 million was available for the Requirements.

            x	 The Contract Specialist did not complete the following sections in the market
               research plan: Product or Service Code and North American Industry Classification
               System Code, Independent Government Cost Estimate, Market Research Objectives,
               and Findings and Analysis.

            x	 There was no indication that the “Justification for Use of Options in a Contract”
               form, which identified the determination and findings, went through the appropriate
               review levels as stated in OPO’s policy. In addition, the form was missing approval
               signatures from the Contract Specialist and Contracting Officer.

            x   The technical evaluation plan was missing signatures from the technical evaluation
                team.



                                             6		                     Report No. 4A-OO-00-17-035 

                  x     The Procurement Integrity, Ethics, and Standards of Conduct form for each
                        Technical Evaluation Panel Voting Member was not in the contract file.

                  x     The Source Selection Consensus Report was missing approval signatures from the
                        Technical Evaluation Panel Voting Members.

                  x     The Basis for Award Report was missing certification and approval signatures from
                        the Contracting Officer and OPO’s management.

                  x	 The contracting file indicated that the System for Award Management (SAM.gov)
                     was not referenced until October 29, 2016, which was after the award of the GSA
                     order on October 28, 2016.

                  x	 The Contracting Specialist or Contracting Officer did not validate vendors in the
                     System for Award Management prior to soliciting offers from contractors.

                  x	 The Requirements did not go through OPO’s Contract Review Board process.

                  x	 The Contracting Officer designated the Contracting Officer’s Representative on
                     January 6, 2017, well after the award of the contract on October 28, 2016.

                  x	 There were two data entry errors in the Federal Procurement Data System4.
                     Specifically, the data field for (1) “Date Signed” states “October 27, 2016”;
                     however, it should have been October 28, 2016; and (2) “Funding Office” states
                     “Federal Investigative Services”; however, it should have been the Office of the
                     Chief Financial Officer.

        The following FAR requirements should have been used during the procurement process:

        FAR 7.105 requires acquisition plans to describe the strategies for implementing performance-
        based acquisition methods (e.g., acquisition background and objectives, risks, plan of action,
        inherently governmental functions, and budgeting and funding). Furthermore, FAR 7.103(h)
        states that the agency head or a designee shall prescribe procedures for “Reviewing and
        approving acquisition plans and revisions to these plans” to ensure compliance with FAR
        requirements, including general acquisition planning procedures and selecting contract types.

        FAR 17.205 requires the Contracting Officer to justify in writing the quantities or the term
        under the option, and document the justification in the contract file. In addition, FAR 1.707
        states, “When a [Determination and Findings] is required, it shall be signed by the appropriate

4
    The Federal Procurement Data System provides a comprehensive web-based tool for agencies to report contract actions.

                                                                   7		                                Report No. 4A-OO-00-17-035
     official in accordance with agency regulations.” OPM’s Contracting Policy No. 1.602-1(b)
     also requires the Determination and Findings form to be approved by the Contracting Officer
     and reviewed by the Director of OPO, the Office of General Counsel, and the Director of
     Acquisition Policy and Innovation.

     Furthermore, FAR 9.404 requires each agency to establish procedures to ensure that they are
     not soliciting offers from, awarding contracts to, or consenting to subcontracts with contractors
     whose names are in the System for Award Management5 exclusions. Supplementing the FAR,
     OPO’s procurement process requires the Contracting Officer to verify that the contractor is in
     the System for Award Management before awarding a contract.

     FAR 1.602-1 states, “No contract shall be entered into unless the contracting officer ensures
     that all requirements of law, executive orders, regulations, and all other applicable procedures,
     including clearances and approvals, have been met.”

     FAR 1.602-2 also states, “Contracting officers are responsible for ensuring performance of all
     necessary actions for effective contracting, ensuring compliance with the terms of the contract,
     and safeguarding the interests of the United States in its contractual relationships.” This
     includes designating and authorizing in writing and in accordance with agency procedures, a
     Contracting Officer’s Representative on all contracts and orders.

     FAR 4.603 requires OPO to update the Federal Procurement Data System with the contract
     action6 data.

     In addition, the following internal policies and procedures were relevant to the procurement
     process:

     OPM’s Contracting Policy No. 1.602-1(b), Review of Contractual Documentation – Addendum,
     states that for Requirements that meet thresholds of $2 million to $50 million, the acquisition
     plan requires review from the following: the Contracting Officer’s Representative, the Director
     of Acquisition Policy and Innovation, the Office of the General Counsel, and the Division
     Director and the Director of OPO. In addition, the acquisition plan requires the approval
     signature from the Contracting Officer and the Director of OPO.




5
  The System for Award Management is the official U.S. Government system that combines federal procurement systems and the Catalog of Federal
Domestic Assistance into one new system.
6
  FAR 4.601 states “Contract action means any oral or written action that results in the purchase, rent, or lease of supplies or equipment, services, or
construction using appropriated dollars over the micro-purchase threshold, or modifications to these actions regardless of dollar value.”

                                                                     8                                    Report No. 4A-OO-00-17-035
OPM’s Attachment 2, Contract Review Board Matrix, requires the Contracting Specialist and
Contracting Officer to complete the market research plan to document and summarize the
efforts taken to identify the capabilities, practices, and standards of the commercial market.

OPO’s technical evaluation and decision process requires the Contracting Specialist to prepare
a technical evaluation plan. The technical evaluation plan outlines the factors the Technical
Evaluation Panel Voting Members will take into consideration when assessing vendors’
responses to the request for quotation requirements. The Technical Evaluation Panel Voting
Members are responsible for completing the following items: “Procurement Integrity, Ethics,
and Standards of Conduct” form; source selection training administered by the Contract
Specialist; and technical evaluation workbooks for each vendor that submitted a response.
Upon completion of these items, the Contract Specialist prepares a Source Selection Consensus
Report and the Basis for Award Report.

Lastly, OPO’s Director of Acquisition Policy and Innovation stated that the designation of the
Contracting Officer’s Representative should be done prior to the award of the contract.

Based on our review of the ID Experts contract file and a statement made by an agency
employee that was involved with the contract award, OPO bypassed some of the FAR
requirements and OPM’s policies and procedures to award the credit monitoring and identity
contract.

Without a complete and accurate history of the actions taken to award the contract, it is
impossible to know whether following all of the FAR requirements would have resulted in an
award of the credit monitoring and identity theft services contract to someone other than ID
Experts.

Recommendation 1

We recommend that OPO immediately update its policies and procedures, to include but not be
limited to, guidance for checking the System for Award Management, contract document
approvals for the market research plan, and contract file completion to ensure compliance with
the FAR. When completed, contracting staff should be notified of the changes.

OPO’s Response

OPO concurs with the recommendation and they have “been actively updating its
contracting policy and procedural guidance in not only the above referenced areas, but in
support of its entire operation.”


                                         9                       Report No. 4A-OO-00-17-035 

2. Oversight Review Controls Need Strengthening

   Based on our audit findings, we have concluded that OPO needs to strengthen their review
   controls over the procurement process. As described in our finding above, Incomplete Contract
   File, we found (1) the acquisition plan, market research plan, technical evaluation plan and
   various other contractual documents were incomplete and/or unapproved; (2) SAM.gov was not
   referenced until after the award of the GSA order; (3) the Contracting Officer’s Representative
   was not designated until after the award of the GSA order; and (4) the Requirements did not go
   through OPO’s Contract Review Board process.

   In addition, we have not seen evidence that OPO is adhering to their established review
   controls. Since October 2015, OPO implemented “Review & Approval Levels” and “Contract
   Review Board” guidance, which contains internal review controls for the procurement process.
   Within this guidance, it specifies individuals within OPO (e.g., Director of OPO, Senior
   Procurement Executive, and Director of Acquisition Policy and Innovation) and the Office of
   the General Counsel that are required to review and/or sign contractual documents to ensure
   that contracting actions taken by the Contract Specialist and Contract Officer are in compliance
   with the FAR. See the Table below for an example of the level of review and approvals.

                                  Table: OPO’s Review & Approval Levels Guidance




   Source: OPO’s Contracting Policy No. 1.602-1(b), Review of contractual Documentation - Addendum


                                                            10                               Report No. 4A-OO-00-17-035 

The U.S. Government Accountability Office, Standards for Internal Control in the Federal
Government, dated September 2014, states, “Management designs appropriate types of control
activities for the entity’s internal control system. Control activities help management fulfill
responsibilities and address identified risk responses in the internal control system.” Some
examples of control activities are top-level reviews of actual performance; reviews by
management at the functional or activity level; and appropriate documentation of transactions
and internal control.

Furthermore, the U.S. Government Accountability Office, Standards for Internal Control in the
Federal Government, states, “in evaluating operating effectiveness, management determines if
controls were applied at relevant times during the period under evaluation, the consistency with
which they were applied, and by whom or by what means they were applied. If substantially
different controls were used at different times during the period under evaluation, management
evaluates operating effectiveness separately for each unique control system. A control cannot
be effectively operating if it was not effectively designed and implemented. A deficiency in
operation exists when a properly designed control does not operate as designed, or when the
person performing the control does not possess the necessary authority or competence to
perform the control effectively.”

Based on the review of the contract file and a statement made by an agency employee that was
involved with the contract award, OPO bypassed some of the FAR requirements and OPM’s
policies and procedures to award the credit monitoring and identity contract.

OPO’s adherence to all review and approval guidance will help to (1) increase the likelihood of
FAR compliance; (2) decrease the risk for waste or loss of taxpayer dollars; and (3) provide
reasonable assurance to Congressional constituents and the taxpayers that OPM is procuring
contracts in the best interest of the Federal government.

Recommendation 2

We recommend that OPO implement controls to ensure that each contract complies with the
FAR requirements and internal policies and procedures. This includes, but is not limited to,
documenting and approving all contracting actions prior to contract award, as required by the
“Review & Approval Levels” and “Contracting Policy 1.102(s), Contract Review Board.”

OPO’s Response

OPO concurs with the recommendation. “OPO has increased, where resourcing levels
permit, its oversight and compliance efforts in accordance with Contracting Policies 1.602-


                                         11                      Report No. 4A-OO-00-17-035 

1(b), 1.102(d), and 4.801. … OPO will continue developing, disseminating, and appropriately
overseeing and managing contracting policies and procedures.”




                                       12                     Report No. 4A-OO-00-17-035 

APPENDIX




           Report No. 4A-OO-00-17-035 

Report No. 4A-OO-00-17-035 

Report No. 4A-OO-00-17-035 

Report No. 4A-OO-00-17-035 

       Report Fraud, Waste, and Mismanagement 



                       Fraud, waste, and mismanagement in Government
                      concerns everyone: Office of the Inspector General
                     staff, agency employees, and the general public. We
                        actively solicit allegations of any inefficient and
                     wasteful practices, fraud, and mismanagement related
                       to OPM programs and operations. You can report
                                allegations to us in several ways:



    By Internet: 	        http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-
                          or-abuse


      By Phone: 	         Toll Free Number:                (877) 499-7295 

                          Washington Metro Area:           (202) 606-2423 



       By Mail:           Office of the Inspector General
                          U.S. Office of Personnel Management
                          1900 E Street, NW
                          Room 6400
                          Washington, DC 20415-1100