"It signals an end to the 'It will never happen here because we have good IT teams' syndrome," said Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University.
The General Services Administration, with the help of the Department of Defense, is looking to enter into a five-year "blanket purchase agreement" with multiple contractors. That would allow the government to keep a group of response teams on call for when the data breach hits, and have an agreed-upon pricing structure already in place for when services are needed quickly. The contract winners' services would be available to all federal agencies.
But while the decision to take on the more complex process is an apparent effort to keep the government from having to scramble after it's hit with the next big data breach, it comes with some short-term drawbacks.
For one, developing the requirements for the contract took the government many weeks after the scope of the second breach was announced in July, delaying the notification process for the 21.5 million people it affected.
Although the five-year agreement will include multiple contractors, only one will be chosen to deal with the fallout of the most recent OPM data breach. That contractor will have 12 weeks from the date of the award — likely Aug. 21 — to send the millions of notifications, and will offer identity-protection services to the affected individuals at no cost to them. (Bids are due at 8 p.m. on Friday.)
The identity-protection services will last for three years, and will also be available to affected individuals' dependent minor children, adding 6.4 million to the total number of individuals eligible for service.
Compared to the first round of notifications, which began to go out just days after the agency announced the first breach, the second round of notifications is significantly delayed. The late-August contract award means that by the time notifications begin to be sent, more than a month and a half will have passed since the second breach was announced in July.
Further, the five-year agreement will not be cheap. The government estimates the contract is worth $500 million, but stipulated that its estimate is "not a ceiling" and that the total cost could "exceed this amount without modification to the [contract]."
That's compared to the roughly $20 million cost of sending more than 4 million notifications and covering approximately 1 million individuals who signed up for identity-protection services after the first data breach. Acting OPM Director Beth Cobert asked federal agencies last month to pitch in to help fund the cost of the services.
The personnel agency was criticized after its first data breach for how its contractor, CSID, handled the notification and sign-up process. Notification emails and letters arrived in fits and starts, and lawmakers complained that their constituents were subjected to long wait times when they called in to a public hotline for more information.