GSA, Navy issue identity protection solicitations for OPM hack victims
The more than 21 million people affected by the recent breach of a federal background investigations database can find some solace as the contract for services to protect their identities was issued late Tuesday.
The General Services Administration and the Naval Sea Systems Command, or NAVSEA, issued requests for quotes to provide identity monitoring data breach response and protection services on behalf of the federal government and the Office of Personnel Management. OPM announced in early June that it discovered two vulnerabilities in its systems that it later announced compromised the personal information of 22.1 million current and former federal employees, federal security clearance investigations applicants, and those close to them.
Victims of the security clearance database hack have still not been notified. The task order says the winning vendor should send the “bulk of notifications within the first weeks” of the award, which is said to happen Aug. 21.
GSA is issuing a five-year governmentwide blanket purchase agreement for 11 protection and response services, while NAVSEA will issue the first task order on that BPA.
Specifically, the BPA will include “data breach analysis services, credit monitoring services, identity monitoring services, identity theft insurance, identity restoration services, as well as website services and call center services,” GSA’s RFQ says. The agency developed those requirements with the help of the Office of Management and Budget, OPM, the Defense Department, the Department of Homeland Security and the Federal Trade Commission.
In the first task order, NAVSEA is looking to procure three years of services for the 21.5 million victims of the clearance database and their “dependent minor children,” which is estimated to be another 6.4 million who need protection, bringing the total to about 28 million.
Some of the 4.2 million victims of the first-announced hack were concerned they were targets of a phishing attack when they were asked to visit a nongovernment site to receive their identity protection services. This contract aims to head off similar concerns.
Though “[t]he Contractor shall establish a dedicated, branded website for impacted individuals to enroll,” the solicitation says, “[t]he Government may require the site to link with a .gov web page.”
Awardees on the BPA will be split into two tiers, according to GSA’s solicitation. Contractors selected for Tier 1 “will have experience in responding to data breaches impacting populations of significant size” with a benchmark of “21.5 million individuals,” the 60-page document says. Tier 2 requires “experience in providing a broad range of data breach response services – regardless of size and scope.”
The RFQ will remain open until Aug. 14.