Three companies were awarded governmentwide contracts for identity monitoring and data breach response and protection services Tuesday, with $133 million dedicated to protect those 21.5 million affected by the data breach at the Office of Personnel Management.
OPM and the Defense Department awarded a contract to Portland, Oregon-based ID Experts for identity theft protection, identity monitoring, and data breach response and protection services in the wake of the OPM hack.
The General Services Administration also awarded governmentwide blanket purchase agreements to Framingham, Massachusetts-based Identity Force and Pontiac, Michigan-based Ladlas Prince. Overall, the three contracts will last five years and have an estimated value of $500 million.
Beth Cobert, OPM’s acting director, said individualized notices for those affected by the breach will begin going out by the end of the month and continue into the fall. The contract offers $1 million in identity theft insurance for employees along with free identity restoration services for anyone found to have been a victim of identity theft, with those services kicking in immediately.
“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” Cobert said in a release. “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”
Cobert told reporters that OPM has been working with an interagency coalition in the lead up to the award, determining that the suite of services offered by the eventual winners was appropriate to offer for those affected, given the data that was stolen.
GSA’s Tiffany Hixson said in addition to security requirements at the BPA and task order level, the government also required the winning companies to submit security plans as part of their proposal that went in front of GSA, OPM, the Department of Homeland Security, the Federal Trade Commission, and several components of the Defense Department.
“It wasn’t just, ‘hey, here’s the standard,’ to perform to, but they were required to show us how they were going to do that,” Hixson said.
Despite the contract announcement and robust security measures, Cobert said that the government has not seen any evidence that the information stolen has been exploited.
The fallout surrounding the breach has been top of mind in Washington since the first announcement of a hack in June. Since the full tally of damage was announced in July, Congress and the White House have moved to mitigate the holes in the government’s cybersecurity stance. The White House’s Office of Management and Budget issued a 30-day cybersecurity sprint, which resulted in greater adoption of multifactor authentication and the rushed deployment of Einstein 3A, the Department of Homeland Security’s intrusion prevention system.
Katherine Archuleta resigned as OPM director in the breach’s wake, with lawmakers calling for more people inside the agency to step down. Jason Chaffetz, R-Utah, the chair of the House Committee on Oversight and Government Reform issued a letter last month calling for the immediate removal of OPM Chief Information Officer Donna Seymour for her office’s alleged misconduct.