The General Services Administration (GSA) awarded government-wide Federal Supply Schedule Blanket Purchase Agreements (BPAs) for identity monitoring and data breach response and protection services to three companies in response to the hack of the Office of Personnel Management (OPM).
The BPAs “give federal agencies access to a pool of well-qualified contractors capable of providing the services needed to mitigate potential damage to those affected by data breaches and other personnel security matters,” GSA said in a statement. The contractors awarded access are Bearak Reports, Inc. (doing business as Identity Force), Identity Theft Guard Solutions (doing business as I.D. Experts), and Ladlas Prince, the agency said Sept. 1.
The BPAs will be available to federal agencies for the next five years at an estimated value of $500 million, the agency said.
Under the BPAs, agencies will have access to services including consumer credit reports, address verification reports, credit risk assessments, and identity restoration services involving suspected or actual breaches of sensitive personally identifiable information (PII).
“GSA quickly incorporated emerging government requirements into an ongoing procurement so customer agencies could have access to best-in-class identity protection services faster, easier and for lower cost. Now customer agencies can better protect the government’s most valuable asset–federal employees–from potential damage caused by data breaches and other personnel security matters,” Denise Turner Roth, GSA Administrator, said in a statement.
The BPAs provide two tiers of contractors: Tier 1 includes contractors and contractor teaming arrangement partners (CTAPs) with experience responding to data breaches impacting significant numbers. This includes Bearak Reports (Identity Force) at the CTA lead and CTA member Total Systems Technology Corp. The contractor is Identity Theft Guard Solutions (I.D. Experts).
Tier 2 includes contractors with general experience in providing routine data breach responses. The CTA Lead here is Ladlas Prince and the CTA members are Grove Street Investments LLC and Catapult Technology Ltd.
BPA requirements were developed collaboratively by an interagency team of subject matter experts, GSA said. The requirements “represent a coordinated approach to developing stringent technical requirements and establishing an appropriate acquisition strategy.” The BPAs were competitive between vendors offering business information and data protection services under GSA’s Financial and Business Solutions (FABS) Schedule 520.
Under the BPA system, the Defense Department awarded Theft Guard Solutions LLC (I.D. Experts) a firm-fixed-price contract worth over $133 million for commercially available data breach recovery services in response to the OPM background investigation breach affecting 21.5 million people.
Contract services include credit and identity monitoring services, identity theft insurance, identity restoration services, website services, and call center services.
If all options are exercised, the contract could total nearly $330 million. Work is to be performed in Portland, Ore., and has an expected completion date of December 2018 if all options are used.
Fiscal 2015 operations and maintenance (Navy) funding of $133 million will be obligated at the time of award, the contract announcement said. Naval Sea Systems Command is the contracting authority.
“Once notifications have been received, I hope people will take advantage of the comprehensive identity theft and fraud protection services we are providing to the victims of these crimes,” Beth Cobert, Acting Director of OPM, said in a statement.
The Defense Department will notify the 21.5 million individuals affected by this data breach later in September and continue for several weeks, OPM said in a statement.
Rear Adm. Allie Coetzee, the Defense Department’s principal deputy for defense procurement and acquisition, noted this contract immediately covers individuals with $1 million in insurance and restoration services upon the discovery of further identity or information compromise.
“Individuals who elect to can sign up for three years of credit monitoring and identity theft protection through contractor services,” Coetzee said.
However, some cybersecurity experts are skeptical these services are sufficient.
“No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims,” Brian Krebbs, an investigative reporter focusing on cybercrime, said on his news blog.
Krebbs said identity protection services do little to block identity theft, “The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.”
Other experts pointed out scamming opportunities when the breach notifications go out to affected persons via email.
While notifications are expected to come from dot-mil or dot-gov addresses, “This is by no means a perfect solution. While harder to do, employees could still be tricked by addresses that include mention of ‘mil’ or ‘gov’, but are in fact from spoofed domains,” Damien Hugoo, Director of Product Manager at East Solutions, said in a statement.
Easy Solutions is a security provider that focuses on comprehensive detection and prevention of electronic fraud, the company’s website said.
“It is also reasonable to expect an increase in scams around credit monitoring as the letter will probably include URLs that are prone to pharming and phishing redirection. Additionally, once attackers capture personal information of users being impacted they can certainly blackmail them especially around release of medical history, etc,” Hugoo added.