[BreachExchange] OMB: Only one option for breach response contracts

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 7 18:45:51 EDT 2016


http://www.federaltimes.com/story/government/cybersecurity/2016/07/06/omb-breach-response-memo/86748464/

As the number of breaches reported in the private and public sectors
continues to rise at an exponential rate, customers, employees and citizens
of all types are being offered identity protection and credit monitoring
services at a rate to match.

Federal agencies are no exception and the Office of Management and Budget
wants to ensure any such services being paid for with government funds are
getting the best value for the taxpayer. On July 1, U.S. Chief Acquisition
Officer Anne Rung issued a memorandum to all department heads outlining
exactly how agencies should go about contracting for identity protection
services.

Going forward, all agencies offering identity protection services to
citizens or employees must contract through the General Services
Administration’s Identity Monitoring Data Breach Response and Protection
Services (IPS) blanket purchase agreement (BPA).

“Taking advantage of the IPS BPAs ensures agencies can meet their needs for
expeditious delivery of best-in-class solutions from pre-approved and
vetted companies at competitive pricing,” Rung wrote in the memo. “For
these reasons, the IPS BPAs shall be treated as a preferred source for
federal agencies when agencies have a need for credit monitoring, breach
response and identity protection services.”

The IPS BPA was first launched in 2006 but agencies haven’t always made use
of it.

After news broke of the massive breach of the Office of Personnel
Management’s networks in early June 2015, the agency scrambled to award a
contract for identity protection and credit monitoring.

A contract was awarded to CSID and its parent company, Winvale; however, the
quick turnaround resulted in OPM choosing the wrong contract vehicle and
otherwise violating the Federal Acquisition Regulation, according to a
November 2015 inspector general report.

The IPS BPA has since been updated to widen the scope of offerings and
ensure it will be useful for agencies across the federal government, Rung
noted.

Agencies can still use existing, in-house vehicles for these services,
though they have to do a full analysis of the costs and benefits in
consultation with the agency’s category manager.

Contracts for other IT or cybersecurity services that include breach
response and identity protection as an additional subset of the main
contract are exempt, according to the memo.

“By implementing the process described above, the government will serve the
needs of impacted individuals, programs and operations by leveraging the
government's robust buying power abilities to provide cost-effective,
best-in-class solutions,” Rung said. “Agencies are encouraged to contact
GSA and OMB with any potential questions or concerns regarding the
implementation of included instructions.”