The federal government is owning up to the modern-day reality that data breaches, no matter the quality of cyberdefenses in place, are inevitable.
With an eye to future hacks, the government is searching for contractors to keep on call — and it's prepared to pay at least half a billion dollars over the next five years to manage post-breach cleanup.
A pair of breaches at the Office of Personnel Management last year affected millions of current, former, and prospective federal employees and their families, and demonstrated the federal government's need to quickly deal with a recurring problem.
After the first breach, which was announced in June, OPM signed a contract with a company called CSID to notify the affected individuals and provide them with identity-protection services. But when a second breach turned out to be more than five times larger in magnitude, the government decided it needed to take a different approach.
Instead of offering another one-off contract, the government is currently soliciting bids for "government-wide identity monitoring data breach response and protection services."
Those services will include everything from basic credit reporting to in-depth identity monitoring — which involves keeping an eye on sketchy corners of the Internet and court records for a victim's name, address, and Social Security number — as well as identity-theft insurance and a program that helps restore a victim's identity in case of fraud.
"It signals an end to the 'It will never happen here because we have good IT teams' syndrome," said Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University.
The General Services Administration, with the help of the Department of Defense, is looking to enter into a five-year "blanket purchase agreement" with multiple contractors. That would allow the government to keep a group of response teams on call for when the data breach hits, and have an agreed-upon pricing structure already in place for when services are needed quickly. The contract winners' services would be available to all federal agencies.
But while the decision to take on the more complex process is an apparent effort to keep the government from having to scramble after it's hit with the next big data breach, it comes with some short-term drawbacks.
For one, developing the requirements for the contract took the government many weeks after the scope of the second breach was announced in July, delaying the notification process for the 21.5 million people it affected.
Although the five-year agreement will include multiple contractors, only one will be chosen to deal with the fallout of the most recent OPM data breach. That contractor will have 12 weeks from the date of the award — likely Aug. 21 — to send the millions of notifications, and will offer identity-protection services to the affected individuals at no cost to them. (Bids are due at 8 p.m. on Friday.)
The identity-protection services will last for three years, and will also be available to affected individuals' dependent minor children, adding 6.4 million to the total number of individuals eligible for service.
Compared to the first round of notifications, which began to go out just days after the agency announced the first breach, the second round of notifications is significantly delayed. The late-August contract award means that by the time notifications begin to be sent, more than a month and a half will have passed since the second breach was announced in July.
Further, the five-year agreement will not be cheap. The government estimates the contract is worth $500 million, but stipulated that its estimate is "not a ceiling" and that the total cost could "exceed this amount without modification to the [contract]."
That's compared to the roughly $20 million cost of sending more than 4 million notifications and covering approximately 1 million individuals who signed up for identity-protection services after the first data breach. Acting OPM Director Beth Cobert asked federal agencies last month to pitch in to help fund the cost of the services.
The personnel agency was criticized after its first data breach for how its contractor, CSID, handled the notification and sign-up process. Notification emails and letters arrived in fits and starts, and lawmakers complained that their constituents were subjected to long wait times when they called in to a public hotline for more information.
In a media blitz after the first round of notifications was complete, CSID President Joe Ross told the press many of the problems his company ran into were really the government's fault. He said the long call-center wait times, for example, were the result of a decision to make the hotline public, which inundated representatives with calls from people worried they had been affected by the hack.
The new contract — which was developed by a task force staffed by representatives from OPM, DOD, GSA, the Office of Management and Budget, the Department of Homeland Security, and the Federal Trade Commission — specifically requires that contractors' call-center wait times not exceed an average of 10 minutes.
And because several legislative proposals have been put forward that would lengthen the terms of breach-response services or increase the amount of identity-fraud insurance offered to affected individuals, the request for bids was designed with the flexibility to "accommodate legislative or other changes," according to an addendum with answers to frequently asked questions.
But simply having a system in place to easily provide breach victims with monitoring and protection is not enough, Toregas said in an email.
"We need to take seriously the almost total lack of awareness of cyber threats and good cyber hygiene, and organize (sadly after the fact) a way to bring some awareness and knowledge to the American public," he wrote.