oversight

Results of the OIG's Special Review of the U.S. Office of Personnel Management's Award of a Credit Monitoring and Identify Theft Services Contract to Winvale Group LLC, and its subcontractor, CSIdentity

Published by the Office of Personnel Management, Office of Inspector General on 2015-12-02.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                           UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                                  Washington, DC 20415



  Office of the
Inspector General                                December 2, 2015



      MEMORANDUM FOR BETH F. COBERT

                     Acting Director 


      FROM:	                  PATRICK E. McFARLAND
                              Inspector General

      SUBJECT: 	              Results of the OIG’s Special Review of the U.S. Office of Personnel
                              Management’s Award of a Credit Monitoring and Identify Theft
                              Services Contract to Winvale Group LLC, and its subcontractor,
                              CSIdentity (Report No. 4K-RS-00-16-024)

      The Office of the Inspector General (OIG) recently conducted a special review of the U.S. Office
      of Personnel Management’s (OPM) award of a credit monitoring and identify theft services
      contract to Winvale Group LLC, and its subcontractor, CSIdentity, hereafter referred to as
      Winvale. The purpose of our special review was to determine if OPM’s Office of Procurement
      Operations (OPO) (formerly the Contracting Office) awarded the Winvale contract in
      compliance with the Federal Acquisition Regulation (FAR) and OPM’s policies and procedures.

      We issued our draft special review memorandum to Dean S. Hunter, Director, Facilities, Security
      and Emergency Management (formerly Facilities, Security, and Contracting) and OPO on
      September 22, 2015. OPO’s October 7, 2015, comments on the draft special review were
      considered in preparing this final memorandum and are included as an attachment. For specific
      details on the special review findings, please refer to the “Findings” section of the memorandum.

      This memorandum has been issued by the OIG to OPM officials for resolution of the findings
      and recommendations contained herein. As part of this process, OPM may release the report to
      authorized representatives of the reviewed party. Further release outside of OPM requires the
      advance approval of the OIG. Under section 8M of the Inspector General Act, the OIG makes
      redacted versions of its final reports available to the public on its webpage. We interpret these
      reporting requirements to be applicable to this memorandum.

      To help ensure that the timeliness requirement for resolution is achieved, we ask that OPO
      coordinate with OPM’s Internal Oversight and Compliance (IOC) office to provide their initial
      response to the OIG within 60 days from the date of this memorandum.




 www.opm.gov	                                                                                   www.usajobs.gov
Honorable Beth F. Cobert                                                                         2


IOC should be copied on all responses to this final memorandum on our special review.
Subsequent resolution activity for all report findings should also be coordinated with IOC.
OPO should provide periodic reports through IOC to the OIG, no less frequently than each
March and September. These reports should detail the status of corrective actions, including
documentation to support this activity, until all findings have been resolved.

Please contact me, at (202) 606-1200, if you have any questions, or someone from your staff
may wish to contact Michael R. Esser, Assistant Inspector General for Audits, at                     .

BACKGROUND:

In April 2015, OPM discovered that the personnel data (e.g., full name, birth date, home address,
and social security number) of 4.2 million current and former Federal government employees
had been stolen in a cyber-attack on OPM systems. In order to mitigate the risk of fraud and
identity theft, OPM’s Office of the Chief Information Officer (OCIO) determined that credit
monitoring and identity theft services would be needed to protect the affected individuals, and
that the contract for these services needed to be awarded by June 8, 2015.

On May 25, 2015, the OCIO provided OPO with a statement of work outlining the services
needed, including: notification services; credit monitoring services; identity theft insurance and
recovery services; and project management, hereafter referred to as the “Requirements.” OPO
designated a contracting officer to work with the OCIO in awarding the contract to ensure all
required contracting actions were performed, all parties comply with the terms of the contract,
and the interests of the United States in its contractual relationship are safeguarded.

The contracting officer worked with the OCIO to conduct market research for the Requirements,
which included discussions with a General Services Administration (GSA) representative, as
well as reviewing GSA’s Federal Supply Schedule and Catalog and Product Literature. Based
on the market research, the contracting officer determined that there were a sufficient number of
sources to provide for effective competition on a commercial open market solicitation. The
contracting officer also determined that a blanket purchase agreement (a simplified method of
filling anticipated repetitive needs for supplies or services by establishing “charge accounts” with
qualified sources of supply) was the best contracting vehicle to use for the solicitation and
request for quotes.

On May 28, 2015, the contracting officer posted the solicitation on the Federal Business
Opportunities website, also known as FedBizOpps, with a May 30, 2015 response date for
contractor bids. Three bids were received and the contracting officer and the OCIO performed a
technical evaluation, which included comparing the contractors’ solicitation responses and
reviewing past performance history and quotes for best value. On June 2, 2015, the contracting
Honorable Beth F. Cobert                                                                        3


officer signed a binding agreement with Winvale Group, LLC, who subcontracted with
CSIdentity, also known as CSID, and issued a blanket purchase agreement call order for
$7,792,113.88, not to exceed $20,760,741.63, for 18 months of credit report access and
monitoring and $1 million in identity theft insurance and recovery services for each of the
affected individuals.

SCOPE AND METHODOLOGY:

We performed our review from July 1 through August 11, 2015, at OPM’s headquarters in
Washington, D.C.; OPM’s offices in Boyers, Pennsylvania; and GSA’s headquarters in
Washington, D.C. The scope of our review covered the contracting process over the
Winvale contract.

To accomplish the review, we:
       	 Held meetings with the contracting officer for the Winvale contract, the Senior
          Procurement Executive, the Director of OPO, the Director of OPO’s Policy and
          Procurement Innovations, and a GSA representative;
       	 Reviewed the FAR and OPM’s small business policy; and,
       	 Reviewed and analyzed the acquisition plan, marketing plan, solicitation, request for
          quotes, system for award management documentation, performance evaluation, and
          other documentation within the contract file to ensure compliance with the FAR and
          OPM’s policies and procedures.

FINDINGS:

Based on our analysis, we determined that in order to meet the OCIO’s June 8, 2015,
Requirements due date, the contracting officer failed to comply with FAR requirements and
OPM policies and procedures in awarding the Winvale contract. Specifically, we identified five
areas of noncompliance with the FAR and OPM’s policies and procedures as described below.

  I.   Incomplete Statement of Work

       The contracting officer is responsible for ensuring that program offices provide a
       performance work statement that describes the required results in clear, specific, and
       objective terms and includes measurable outcomes.

       FAR 37.602(b) states:

               Agencies shall, to the maximum extent practicable-
Honorable Beth F. Cobert                                                                         4


              (1) Describe the work in terms of the required results rather than either “how” the
              work is to be accomplished or the number of hours to be provided (see
              11.002(a)(2) and 11.101);

              (2) Enable assessment of work performance against measurable performance
              standards;

              (3) Rely on the use of measurable performance standards and financial incentives
              in a competitive environment to encourage competitors to develop and institute
              innovative and cost-effective methods of performing the work.

       We determined that the performance work statement for this contract award included the
       scope, period and place of performance, background, and performance objectives.
       However, the performance work statement was missing measurable performance
       standards and the method of assessing contractor performance. Therefore, the
       contracting officer did not ensure the performance work statement met the FAR
       requirements.

       OPO’s Response:

       OPO concurs with this finding. “OPO will apply performance based contracting
       mechanisms to suitable requirements to the maximum extent practicable, as referenced in
       the Federal Acquisition Regulation (FAR) subpart 37.6.”

 II.   Inadequate Market Research

       Failure to Use a Small Business Specialist

       The contracting officer is responsible for collecting and analyzing information about
       capabilities within the market to satisfy agency needs, also known as market research.
       Further, FAR 19.202-1 states that “[t]he contracting officer shall provide a copy of the
       proposed acquisition package to the Small Business Acquisition procurement center
       representative at least 30 days prior to the issuance of the solicitation.” Supplementing
       the FAR, OPM’s small business review policy states that “All acquisitions over $150,000
       must be reviewed and approved by the [small business specialist] prior to synopsis in
       FedBizOpps.”

       In the market research report for the Winvale contract, the contracting officer stated that
       the Requirements were reviewed with a small business specialist in OPM’s Office of
       Small and Disadvantaged Business Utilization (OSDBU), and checked the box on the
       market research report to indicate this was done. Upon further review with the OSDBU,
Honorable Beth F. Cobert                                                                           5


      it was determined that the contracting officer did not involve a small business specialist
      in the market research.

      We determined that the contracting officer inappropriately concluded that the market
      research was sufficient and did not require further analysis by a small business specialist.

      OPO’s Response:

      OPO concurs with this finding. “OPO has been actively working with the OPM Office of
      Small and Disadvantaged Business Utilization (OSDBU) to update and implement
      additional guidance to clarify roles and responsibilities.”

      Inconclusive Determination on the use of GSA’s Federal Supply Schedule

      GSA’s Schedules Program serves as the catalyst for billions of dollars in Federal
      spending, helping to meet procurement needs for eligible users, including all branches of
      Federal, State, and Local government through applicable programs. Specifically, GSA’s
      Federal Supply Schedule (hereafter GSA Schedule) provides Federal agencies with a
      simplified process for obtaining commercial supplies and services. The FAR encourages
      Federal agencies to use the GSA Schedule.

      FAR 8.402 states, “For administrative convenience, an ordering activity contracting
      officer may add items not on the [GSA Schedule] (also referred to as open market items)
      to a [GSA Schedule] blanket purchase agreement (BPA) or an individual task or delivery
      order only if … (3) The items are clearly labeled on the order as items not on the [GSA
      Schedule].”

      The contracting officer’s market research report states that “[while the GSA Schedule]
      offered similar services, the available schedule contracts did not contain the full scope of
      OPM requirements which could be satisfied through a commercial open market
      solicitation.”

      During an interview with the GSA representative who was contacted by the contracting
      officer during the award process, we were informed that the GSA Schedule could have
      potentially met the Requirements. However, the GSA representative never received the
      specifications of the Requirements. We also noted that two of the four vendors on the
      GSA Schedule submitted a bid on the Requirements, which leads us to believe that the
      GSA schedule was a feasible option through which OPM could have fulfilled the
      Requirements.
Honorable Beth F. Cobert                                                                        6


      The GSA representative did inform the contracting officer that if OPM used the GSA
      Schedule that the contract could have been awarded within two weeks to a month, which
      would have been outside of the OCIO’s self-imposed timeline for awarding the contract.

      We concluded that the contracting officer did not submit the Requirements to the GSA
      representative because an award through GSA would have caused the OCIO’s
      Requirements due date to be missed.

      OPO’s Response:

      OPO concurs with this finding. “In the future, if the [contracting officer (CO)]
      determines GSA schedules do not readily meet agency needs, the CO shall first consider
      whether GSA can modify its contracts timely to support OPM, as compared to the time
      and effort necessary and potential costs savings recognized in procuring the requirement
      in full through another, separate strategy.”

      Lack of an Independent Government Cost Estimate

      Market research also requires the contracting officer to obtain cost estimates for the
      Requirements. FAR 10.002 states that “[m]arket research involves obtaining information
      specific to the item being acquired and should include – the distribution and support
      capabilities of potential suppliers, including alternative arrangements and cost estimates.”
      An independent government cost estimate from the OCIO and estimated costs from
      vendors are meant to assist OPO in selecting the appropriate contract vehicle by
      identifying the estimated resources and the projected costs of those resources a contractor
      will incur in the performance of a contract.

      We were informed by the contracting officer that an independent government cost
      estimate was not requested from the OCIO because meeting the OCIO’s Requirements
      due date took precedence. In addition, we determined that the contracting officer did not
      obtain estimated costs from vendors during market research.

      OPO’s Response:

      OPO concurs with this finding. They state that “Established guidance titled Procurement
      Administrative Lead Time (PALT) and Cut Off Dates for Fiscal Year 2015 dated
      March 18, 2015 was signed by OPM leadership, and reflects the necessity for an
      [independent government cost estimate (IGCE)] in a complete procurement package.
      Additionally, OPO has staffed its office with Cost and Price analysts, never before
      available in OPM, which assist customers with the proper development of IGCEs. The
Honorable Beth F. Cobert                                                                        7


       PALT guidance shall be redistributed within OPM, and OPO cost and pricing support
       made available to customers to the greatest extent practicable to ensuring this
       requirement is successfully met.”

III.   Incomplete Acquisition Plan

       The acquisition plan provides an overall strategy for managing the contract award process
       for the Requirements. FAR 7.103(j) states that the agency head or a designee shall
       prescribe procedures for “[r]eviewing and approving acquisition plans and revisions to
       these plans to ensure compliance with FAR requirements,” including general acquisition
       planning procedures and selecting contract types. Under OPM’s procurement practice,
       the contracting officer prepares the acquisition plan and submits it for approval within
       OPO if the cost estimate for the Requirements is over $150,000.

       We were informed by the contracting officer that the acquisition plan was drafted prior to
       the contract award; however, we were unable to verify when the acquisition plan was
       prepared. Per the contracting officer, in an emergency and other situations in which time
       constraints are placed on the contract award process, as with the June 8, 2015 deadline set
       by the OCIO for the Winvale contract, it is not abnormal for required documents to be
       prepared after the award.

       In addition, we determined that the acquisition plan was not approved by a higher level
       official above the contracting officer prior to the contract award on June 2, 2015. During
       a meeting with OPO, we were informed that contracting staff and officials could not
       determine who was responsible for approving the acquisition plan due to outdated
       policies and procedures, and that the office is in the process of updating its policies and
       procedures.

       OPO’s Response:

       OPO concurs with this finding. “The acquisition plan has since been appropriately
       signed and included in the electronic file, September 1, 2015. Although the formal
       acquisition plan was not documented and signed until after award, it is important to note
       that those actions and procedures documented in the plan were followed to the maximum
       extent practicable before award.

       As further referenced in the recommendation section below, OPO has an established
       schedule for the formal release and briefing of updated review and approval guidance
       which clearly present the acquisition planning documentation requirements and
       associated approval levels.”
Honorable Beth F. Cobert                                                                      8


      OIG Comment:

      Based on OPO’s response to our draft memorandum, we have verified that the Director
      of OPO approved the acquisition plan on September 1, 2015.

IV.   Blanket Purchase Agreement Call Exceeded FAR Limitation

      FAR 13.303-5 states “[t]he limitation for individual purchases for commercial item
      acquisition conducted under Subpart 13.5 is $6.5 million.” Subpart 13.5 governs the
      simplified procedures for the acquisition of certain commercial items, and thus applies to
      this situation.

      The contracting officer issued a blanket purchase agreement call order on June 2, 2015, in
      the amount of $7,792,113.88. During a meeting with the contracting officer, we were
      informed that this call exceeded the FAR blanket purchase agreement limitation of
      $6.5 million for individual purchases of a commercial item acquisition.

      On July 15, 2015, OPO provided us with a synopsis of their internal review of the
      Winvale contract. OPO acknowledged that “[d]ue to OPM’s need to deliver services in
      accordance with the required schedule the Contracting Officer (CO) moved forward with
      the procurement without receiving an independent government cost estimate (IGCE)
      from the program office. In the absence of an IGCE, the CO developed a procurement
      strategy based on his prior experience purchasing similar services at a lower quantity
      using commercial simplified acquisition procedures under FAR Parts 12 and 13. Because
      the services being secured under the awarded [blanket purchase agreement] and Call
      Order are driven by the total quantity of impacted personnel and because that total
      quantity had increased due to ongoing breach investigation it is recognized that the
      requirement[s] exceed the expanded FAR 13.5 Test Program threshold.”

      On August 3, 2015, OPO modified the blanket purchase agreement to change the
      contracting vehicle to a basic ordering agreement, which does not have a purchasing
      threshold limitation on procured services. We were informed by OPO that the change
      added no additional cost to the agreement.

      OPO’s Response:

      OPO concurs with this finding.
Honorable Beth F. Cobert                                                                                              9


    V.   Unreliable Contract File

         FAR 4.801 states that “[t]he documentation in the files (see 4.803) shall be sufficient to
         constitute a complete history of the transaction for the purpose of— (1) Providing a
         complete background as a basis for informed decisions at each step in the acquisition
         process; (2) Supporting actions taken; (3) Providing information for reviews and
         investigations; and (4) Furnishing essential facts in the event of litigation or
         congressional inquiries.”

         Further, FAR 4.1103 states that “the contracting officer— [s]hall verify that the
         prospective contractor is registered in the [System for Award Management1].”
         Supplementing the FAR, OPO’s contracting process calls for the contracting officer to
         verify that the contractor is in the System for Award Management before awarding a
         contract.

         We were unable to obtain an accurate history of the actions taken by the contracting
         officer because key documents, specifically, the market research plan, acquisition plan,
         and System for Award Management support, were not prepared until after the contract
         award. During our review we identified the following issues:

             1.	 The market research plan contained erroneous information, such as the
                 contracting officer’s indication that a small business specialist was consulted, and
                 that the GSA Schedule could not meet the OCIO’s Requirements. (See finding II,
                 Inadequate Market Research, on pages 4 and 5 for details)

             2.	 The contracting file indicated that the System for Award Management was not
                 referenced until June 22, 2015, which is after the award of the blanket purchase
                 agreement call on June 2, 2015.

             3.	 The acquisition plan was incomplete at the time of the award. Consequently,
                 there are gaps in the contracting file that can be filled only by the contracting
                 officer’s recollection. (See finding III, Incomplete Acquisition Plan, on page 7 for
                 details).

         Due to these issues, we are not confident that the contracting file gives a complete and
         accurate history of the actions taken to award the contract.




1
 The System for Award Management is the official U.S. Government system that combines federal procurement systems and the
Catalog of Federal Domestic Assistance into one new system.
Honorable Beth F. Cobert                                                                           10


       OPO’s Response:

       OPO partially concurs with this finding. “We concur that the market research report,
       acquisition plan, and systems for award management (SAM) print out were not formally
       documented and placed in the file until after award, however we do not concur that this
       results in an unreliable contract file. Although the formal market research, acquisition
       plan and SAM printout were not documented and signed until after award, it is important
       to note in this instance that the actions and procedures documented therein were followed
       to the maximum extent practicable before award and have since been finalized and are
       located in the complete electronic file. The electronic file associated with the award is
       complete and reliable, and constitutes the official record for which any future contracting
       actions or decisions must be based. It is always the best practice to document and
       finalize contractual documents contemporaneously, rather than to memorialize the actions
       of the procurement team after award of the contract. OPO will continue to work with
       program offices in identifying requirements in a timely manner, cognizant of PALT
       estimates so that this can occur to the maximum extent practicable.

       Additionally, as further referenced in the recommendation section below, the SPE [Senior
       Procurement Executive] within OPO prepared a memorandum regarding complete and
       accurate contract files. The memorandum was broadcasted on October 1, 2015 to the
       OPO team in its entirety and emphasized the importance of following FAR subpart 4.8
       and appropriately maintaining a well-documented contract file, where those documents
       are prepared and approved at or before the associated milestone/decision point and not
       after it.”

       OIG’s Reply:

       Even if the contract file has now been completed, months after contract award, decisions
       were made and actions taken during the process of awarding the contract with incomplete
       and erroneous information due to OPO’s failure to keep the contract file up-to-date. This
       increases the risk of mistakes being made, the very thing that the FAR contract file
       requirements were designed to avoid. Indeed, FAR 4.801 specifically states that the
       purpose of these requirements is to provide “a complete” background as a basis for
       informed decisions at each step in the acquisition process.

CONCLUSION

While we are unable to determine if these areas of noncompliance would have resulted in the
award of the contract to a party other than Winvale, it is evident that significant deficiencies
existed in OPO’s management of the contract award process.
Honorable Beth F. Cobert                                                                         11


OPO’s circumvention of FAR requirements increased the risk of making an improper award by
having an incomplete performance work statement, failing to obtain an independent government
cost estimate, having an incomplete acquisition plan, and conducting inadequate market research,
including the failure to consult with a small business specialist. As a result, the wrong
contracting vehicle was utilized in awarding the Winvale contract, the FAR blanket purchase
agreement call limit was exceeded, and millions of taxpayer dollars were put at risk for waste or
loss.

RECOMMENDATIONS

Recommendation 1

We recommend that OPO immediately update its policies and procedures, to include but not be
limited to, guidance for contract document approvals, emergency acquisitions, and contract file
completion to ensure compliance with the FAR. When completed, contracting staff should be
notified of the changes.

OPO’s Response:

OPO concurs with this recommendation.

“In response to the findings of an independent assessment and the ongoing OIG audit, OPO is
already in the process of updating contracting policy and procedural guidance in the above
referenced areas, including document review and approval levels, emergency and/or highly
visible efforts, and complete and accurate contract files. Several have already been developed,
reviewed, and approved through the SPE, Director of Contracts, Office of General Counsel
(OGC), and Labor Relations. Specifically, review and approval, warrant refresh, and contract
review board (CRB) guidance are to be implemented as follows:

            Guidance              Operational           Operational              Formal
                                   Broadcast              Briefings           Implementation
       Review & Approval         October 5, 2015      October 14, 15, 16,       October 19,
             Levels                                         2015                   2015
        Warrant Refresh            October 12,         October 21, 2015         October 29,
                                      2015                                         2015
     Contract Review Board         October 26,        November 4, 5, 6,        November 9,
                                      2015                 2015                    2015

Specifically pertaining to the appropriate construction of a complete and reliable contract file, the
Senior Procurement Executive (SPE) within OPO has prepared a memorandum which was
Honorable Beth F. Cobert                                                                        12


broadcasted on October 1, 2015 to the OPO team in its entirety. This memorandum reminds
contracting officials of the importance of following FAR subpart 4.8 and in maintaining a well-
documented contract file, where those documents are prepared and approved at or before the
associated milestone/decision point and not thereafter.”

Recommendation 2

We recommend that OPO implement controls to ensure that each contract is in compliance with
the FAR requirements and contracting actions are documented and approved prior to contract
award.

OPO’s Response:

OPO concurs with this recommendation.

“Throughout fiscal year 2015 OPO has focused on building its oversight infrastructure and
addressing serious staffing gaps through the addition of operational contract specialists and also
experienced procurement analysts and cost and pricing analysts. These additions will ensure
OPO continues to move progressively towards a well-established, consistent oversight and
compliance program.

Immediately going forward OPO has a deliberate plan to implement a CRB process, detailed
above under Recommendation #1, which provides oversight and compliance controls, including
document reviews by the Director of Contracts, OGC, Acquisition Policy, customer, and
operational contracting personnel at critical milestones in the procurement process.
Additionally, as referenced above under Recommendation #1, SPE has broadcasted a
memorandum which emphasizes the importance of following FAR subpart 4.8 and in
maintaining a well-documented contract file, where those documents are prepared and approved
at or before the associated milestone/decision point and not thereafter. In addition to the above
guidance and communication, additional resources shall ensure OPO continues enhancing the
quality of the contracting work product.”

Attachment

cc: Kiran Ahuja
    Chief of Staff

   Robin E. Jacobsohn 

   General Counsel 

Honorable Beth F. Cobert                                            13


   Grant Schneider
   Senior Advisor


   Special Counsel/Senior Advisor, Office of the General Counsel

   Angela Bailey
   Chief Operating Officer

   Mark W. Lambert
   Associate Director, Merit System Accountability and Compliance

   Janet L. Barnes
   Director, Internal Oversight and Compliance


   Acting Chief, Policy and Internal Control
                                                                                              Attachment




                               UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                              Wasbjngtoo, DC 20415

 fadlitits, Srcurily a.nd
Erne.rr.e..cy f\-S.n~c-~ n l
           And
 omt.oe of Pr()('urtiiiCDt
       Optr.ttioiU

                                                                               October 7, 2015


           MEMORANDUM FOR                 :\I!ICHAEL R. ESSER
                                          Assistant Inspector General for Audits


           FROM:                          DEANS. HUNTER        a ~c::;;;:--'1:-:f~
                                                              ~and
                                          Director, Facilities.               Emergency
                                                                                          4
                                                                                          .......-·'--­

                                          Management                      ~



                                          Senior Procurement Executi.we, Office of
                                          Procurement Operations          '



           SUBJECT:                  Draft- Results of the OIG's Special Review of the U.S. Office of
                                     Personnel Management's Award of a Creclit Monitoring and
                                     Identify Theft Scrv;ces Contract to Winvale Group LLC. and its
                                     subcontractor, CSidentity


           Thank you for providing us the opportunity to respond to the Office of the Inspector
           General (OIG) dtaft report, Draft- Resulrs ofthe OJG's Special Review ofthe U.S. Office
           of Personnel Ma11agement~s Award ofa Credit Monitoring and ldemify Theft Sen·ices
           Conrract to Winvole G1·oup LLC. and its subcontractor. CS!dentity. dated September 22,
           2015.

           The response provided herein includes dual signatures which arc representative of the
           recently executed reorganization within OPM, facilities, Security, and Contracting (FSC)
           dated September 20, 2015. Under the reorganization, the Contracting Oftice now
           operates as the Office of Procuren1ent Operations (OPO) reporting to the Oftice of the
           Director through the Chief Operating Officer. This cbange recognizes the critical
           importance of the procurement function within OPM. e levating the ofJice
           commensurate!)' to that of the Office of the Chief Financial Officer and others to ensure
           greater and more direct collaboration with program offices, and visibil ity and compliance
           with procurement related requirements. In addition to a more direct line of
           communication with senior leadership, the reorganization supports a newly structured
           procurement office addressing critical and long standing staffing shortages. OPO now
includes new positions, such as sen ior procurement anaJysls in the Acquisition Policy and
JJUiovation division, to support greater enmhasis on policy and procedure development
and increased oversight.

Included in this response are t he comments, supplementary in i'Onnation. and corrective
actions associated with the OIG Draft Memorandum of Findings dtned September 22.
2015 . Responses arc offered in the order with which t'inding,s were presented in the
referenced OIG Memorandum. In the event any of the responses and/or correct ive
actjons provided herein require further diS(;ussion and/or clarifi cation we will make
o urselves available to you and yolll' team.

We recogniz.e that even the most well run p1·ogrruns be1lefit from external evaluations and
we apprec.iate your input as we continue to enhance our program. Our reSpOnses 10 your
(indings :and n.'Conunendations are provided immediately below.

FINDINGS

Finding #I: Jncompltte Performanct \VorkStatement: Omission of
mt-11$urablt iJcrrormaoce staodards and the mechod of assessing c.ontratmr
pcrformiOnte.

Management Re.spon5e

Concur. The referenced OPM aw-arded data breach agreem.ent could have included well
detlned metrics lbat woul d provide the Contracting OOieer (CO) and Contracting
Officer's Representative (COR) a better mean.."i by which to a.~sess contraclor
performa.occ. OPO worked as a part ofan interagency team, il\cluding the Naval Sea
Systems Command {NAVSEA) and the General Services Administration (GSA) to
ensure perronmmce standards were included, as appropriate, in lhe second data bre-ach
contract awarded by NAVSEA.

OPO will apply performance based comracLing mechanisms 10 suitable requirements to
the maximlUn extent practicable, a.') refere11ced in lhe federal Acquisitioo Rcgulatjon
(FAR) subpart 37.6.

Finding #2: Jna dec:Iunte Mnrket Research: Lacking Smal l Uusint$.5 Spc:ciali~t
lnvoh·ement; Inconclusive Oetenninadon on the use or ~ht F~dcntl Supply
Scbedule (FSS)/Gtneral Servi«-s Admiobtration (GSA); Omi.,.ion of
Independent Covcmmtnc Cost Eslimate.

Management      lt~non~e


Lackiu.g SmaJl Business Specialist Involvement

Concur. Appropriate invol\'emcnt ofthe small business specialisLshould have been
secured during the market research phase of1he OPM d<ua breach requirement Although
this did not occur. small business participation '"'as in ract reaJiz.ed and award was made
to The Winvale Group. l LC. a smaJI business concern that demonstrated prior experience
in this type of work.

OPO has been actively working ,.;th the OPM Office of Small and Disad>'3ntaged
Busin= litilization (OSDBU) to update and implement additiooal guidan<c to clarify
roles and responsibilities.

Determination on the use of the Federal Supply Schedule (FSSVCenenll Servi<-es
Administration (GSA)

Concur. Consideration was made to those avajjablc GSA contracts which included scope
that could suppon the OPM requirements in pan.

In the future, i r the CO determines GSA schedules do not readily meet agency n eeds, the
CO shall first consider- whether GSA can modify its contracts timely to support OPM. as
oomp~ to the time and effort neoe:ssary and potential costs savings recognized in
procuring the requirement in fulllhrough another. separate str.>legy.

Omission of Independent Government Cost Estimate

Concur. An independent govenunent cost estimate ( JGCE) wets not prepared in support
of the OPM data breach requirement and should have accompanied the requirements
package when it was delivered to OPO.

Established guid ance titled Procurement Administrath-e Lwd Time (PACT) and Cut Off
Dotesfor Fiscal Year 1015 dated Marcb 18,2015 was signed by OPM leadership, aod
rc Jlec1s the necessity ror an IGCE in a complete procurement package. Additionally.
OPO has staffed its office with COSt and Price: analysts. never before available in OPM.
w h ich a.<-<iot~ cnsrntnf>'t'!l: \li.·ilh 1hf" P""J"'-'" rit;"vr.lopm<"nt of IGCEs. The PALT guid.anee
shall be redistri buted within OPM. aod OPO cost and pricing suppon made available to
customers to the greatest extent practicable to ensuring this requirement is successful!)·
met.

finding #3: Jncomplck Acquisition Plan: Documentation and Signature nf
Phtn Exu-ut~d After Award.

Managtllll'llf Resooa.se

Concar. The fo rmal acquisition plan required by FAR subpan 7. 1 was not documented.
signed. or pJaced irl the file prior to award. The acquisition plan has since been
appropriately signed aod included in the electronic file, September I , 2015. Although lbc
fonnal acquis-i6on plan was not doc:mnented :.md signed until after award. it is important
to note lhal those actions and procedures documented in the plan were foUowed to the
maximum c:xtcnt practicable betbre award.
A~  ltu1her r~:fcn:nced in the recommetld.at1on section belo\.'". OPO has an estab lished
 ·chcdulc for the fom1a1 release and briefin~ of updated review and appro\·al guidance
which clearly present the acquisilion planning documentation requhements and
associated approval levels.

Findling 1#4; Bb.nket Purcha.'!e Agreement (BI..A) Call              E~~L-dt.-d   r AR
Umitatjoo: BPA Executed In Aerordance witb FAR Subpart 13.5 Exceeded
$6.5M Tbreshold.

Ma ougemeot Respmtu:

C oncur T he threshold within FAR s.ubp.art lJ.5 which ·wa!ll1:"fcrcnccd as the underlying
~uthority used in so liciting and awar'<.iing the tli~c:u!:!scd BPA Call       ' 'US
                                                                         exceeded.

OPO recognized this fulding prior to Lhc: iniliution of the OlG special review and
~m.mcdiatdy analyzed the issue. The CO de,reloped a. ct,.,rrcclion phm and provided it to
the OIG for comment. Further, a dratl hilntetal mod illcation Co execute the correction
plan was also offered to the OIG on Jul)· 28. 2015 for review and c-ommcnl prior to
implementation. The CO deLr:rrnin~d that lhc corrective action taken did nC'It prejudk-t!
mher intel'esled parties and t he bilateral modification was duly executeu on August 8,
2015 • .ut11o additional cost to the Go\lemmenl

Findin g#!'.:- UnreJiable Contract File: Market Re!leareb~ Ac-quisition P'lan,
~od Systems for A.·wanl Mooogement (SAM) llot:umc-ntc:.-d Until Arter
A"·ard.

.M ao_agement lte.sponse

P~t r-tially ('"oncu.r. \Ve concur that the market research repol'l. acquisition [llan. Hml
systems for award management (SAM) pri•ll o ut wen: nut runn<~ll y d~um..:ntcd and
plaecxl in the file ttnti1 after award, howell·er \-Ve du Jtot concur IMI thi~ re:'lUIIs i n an
unreliable contract    me.      A lthoush the formal market resean.:h. ac.quisition plan and SAM
printout were not documented and :signed unlit after award. it is. important to note in this.
instance that 1he actions and procedures documented th1;rcin were followed to the
maxim,um exlenl prncli ~.:able: be: fore uward li.Ild have since been flnaliz.ctl and are located
jn the C.t.lll'J(J~ele e1ec1.ronic ti le. 'Jhe clccb'rnllC fHc 3SS()Ciated with lihe 0.'-\'ard is OOU'I]llele
and reliable. ~:~nd consLi LUI..:s the- offic.ial rceord f.or which any future oontroctin,g actions o r
decisions mu~t be- based. 11 i~ a lways I he best pr-actice to docut11ClH and finalize
contractual documents oontempooraneou. Iy, rother than lo memorial izc chc actions of the
procurement learn aller award of lilt: conlf'"GCI. OPO "vjl] continue to work v.~th program
onices ifl identi fyin~ requirements in a timely manner, cognizant of .P ALT estimate.~ so
lhnt lhis cen occur 1o the maximum extent practicable.

Addit]onaJly. as ftuther referenced 1n the recommcmJ:<~I i un sect.icm hclow, lhc PE \\'ithin
OPO prepared a memoro.ndwn regarding c.omp1ele and au.: unde ~.:ontmcL fi lc."S. The
memo.mndum was broadcas.terl on October I, 2015 lo the OPO team in 11s en tiret)• and
•e mphasized [he importance offollowtng I·'AR s.ubpart 4.8 and appropriately m{lintaining
a wcll-docurnented contract file. where lhose documents arc pn."p..ll"Cti and approved aL or
before the associated n1i lestone/dedsion ro1 nt and not afto:r ic.

RF£0MMENDATIO S

Reeommendlotion #H: We retommel'l.d rha.r OPM 1iS Contracting Oflflce immediate!)·
update its tpolic!les and pro«db r1.~"" to lin dude but not be limited co gui.dance £or
contract do~:umcnt ap;pr-ovals, emergency acqui.sition.s., and contract flle comp]edon
to ensure tomplbnc.c wi't b (bu .fAR. Wh~o completed. c:o:otr:actiog staff sb.ouldi be
fllolliified of tbe chango.



 Concur. Jn rC:sPQnsc to the t1ud.ings o f arJJ independent assess,ment and. the ongoing OIG
 nuclil, OPO is already in the process of updating contracting 'JX}licy nndl procedural
 guidillnc~ in the abo...·e rcfcr~cnccd arc81S, inc] uding document review and approval levels,
 emergenc)' and/or h ighly visibl(;: ciJorts, and oompletc and accurate contract files.
 Several have ~l readt b..:en dr:vehJ]Xd. rt\•ir:wcd. and approved th.r ough the SPE. D irector
.o r ConLr~ls, Office;,; of Gen e-ral Counsc:J (OGC}, aml L abor Rcb:uions. Specifically•
.review a:ud approval, v.r-armnt refresh~ and conu·act revie-w boa11d (CRB) guidance are to
 be implemented as. fol lmvs :

              Gu~danct                   Operational            0 perallonal     B rienu~               Formal
                                          BruadG~st                                               ~mpk:m 1.mtatjoc
   Rc-"' iew &. A.p"r<wal l £vel~      OCJ<!bet 5, 20 I.S       Ocl<lber 14 , I :5, 10. 20 I 5    Oi;Lobcr 19. 20 I 5
         WarranL Rcf~lih               October ll, W I :5          Oct:obc:r 2 1•.20 15           Cktob~:r 29'. 20 m   5
      Contrac:l Rc-viaw Board          Octob1r1r 26, 2{1 15     Noo.-cmbcr i.l. 3 , 6 10 15      l\'lo~· c:mber q :!.0 13


S peci fi~all y pertaining to the appropriate consttuctlon ofa compJe1e and rr:liable cunbw..:l
ti le, the Senior Pn)t: uremenl Ex~utiv~ (SiPlE) "Arithin OPO has picparcd a mr:monmdurn
which was. broadca..'ile.d nn o.. .l nbcr I . 2015 to tile- OPO tca:m in its. !l,!lllire•y. This
memomndum rem inds C(rn.Lracli Ill!; u ITiciu Is of the imporLa_ncc of follo\\~ng FAR subpart
4.8 fit'ld ifl maintainiM.g a we-] 1-doclllmente<..l cc.mtr~~Ct file, when:: thos-e: dO<;umenls ore
prepared and appruvcd a l or bcrnre 1he ass.oci a~ m11-esto nefdet.:isi011 point and not
thereafter·.

Bs...-:,c;tm m:tndationJ#l: Wll noomrn.:ndl tha( OPM•l!!l Contraeting Offic:e timplcmeill&
rennkol!fl;   to en~u:nre that each     COP tr.Jct   is   m~;:ompUaoce wilb the !FAR FeqUlremll"Dfs
and   ~nhihru:di ng :adions         are doeume:ofed and appr-oved prior to cootrad ~waJid.



Concur. Througl'lout fiscal year 2015 OPO lla:s focUS(..-dJ on building its o'•cr.sight
 infra.~tructure a111d addl'essing erlous swil1ng gaps lhrougb Lht- addiLiun of opcrnLimntl
contract spec1a~i:sts and also experienced procun:mr;:nt anw~"ts ~md cost llnd pricing
annlys.ts. Th~e :addilic;ns v.•ill er'li::;.-urc OPO oon,inut:~ to mvvc pnJgre.o.;;sivcly Lo.,.~rds ~
'\1/cll-c:sLablisbed, consi~1r;nt Q¥~~ighm and compi1Mncc- pTOSJi:lffi.
lmmcdintcly &Oi ll{! forwnrd OPO has a dcli bomto Jlia n tO impiCillCOI II (;JW Jll'CX:t:;s,
detailed above under Recommendation # J, which provides oversight and compliance
controls, including document rev iews by U>e Director o r Controcts, OOC. Acquisition
Policy, customer, and opemtiona t contructingpersonncl at critical milestones in the
procurement process. Additionally. as re ferenced above under Recommendation # I, SPE
has bt•oadcnsted n memot·andum which emphasizes tbe importunce of lollowing FAR
subpart 4.8 and io maintaining a well-docwncntcd contract tile, wbere those docwnents
are prcpurcd end approved at or before the associated milestone/decision point and not
thereafter. In addition to the above guidance and conununicotion, additional resoul'ces
shall ensure OPO continues enhancing the quality of the contracting work product.

In conclusion, we apr>re<:iat•ed the opportunity to rcs,po••d
ru>y                     our t·csponsc. please conta,ct




Endosures
       Procu,menc AdmlnlstrotiVI! teod Tlmt /PAtT) and Cue OfjOocesfor Fiscal Ytor
       SPE Broadcosc ond Dlreccor ofCor•trocrs Memorandum, FAR 4.8 Concroct Files