In the wake of a massive data breach that exposed the security clearance background investigations of millions, the Office of Personnel Management is looking to federal agencies to help it cover the costs of credit monitoring.
“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services / benefits” for the incident, wrote acting OPM director Beth Cobert in a memo obtained by the Washington Post.
OPM has not yet selected a contractor to provide credit monitoring services following the background investigation breach. It has already come under fire for an initial contract awarded in response to breached federal personnel records, with many federal employees opting out of coverage out of fear that their data isn’t being protected by the company.
The passing of the breach costs onto agencies means many agencies will be using end-of-fiscal-year dollars to cover additional security clearance costs, rather than spending them on employee professional development or office equipment. OPM has provided no information on how much the credit monitoring service will cost, but it will be significant. The CSID contract awarded following the federal breach was for $20 million, and covered just over four million affected personnel. With the number of individuals impacted by the background investigation breach being five times as large (and the data infinitely more sensitive), agencies should expect a hefty price tag.
Is it worth it?
Some lawmakers are already asking if credit monitoring services are worth the cost. A bi-partisan group of six House leaders sent a letter to the Government Accountability Office July 20 asking the government to provide details about the need for credit monitoring services as well as the effectiveness of various plans.
The Senate is also debating what steps to take following the breach, including how much money should be added to OPM’s coffers. Two amendments related to the OPM breach were recently introduced by the Senate Appropriations Committee. A bill to provide no less than 10 years of identity and credit monitoring and $5 million in liability protection for affected individuals passed. A separate bill to provide OPM $37 million for emergency IT updates failed.
“The more we learn about what happens at OPM, the more we learn that it’s not just the old systems that were breached, but the new systems also. More money will not solve the management problem either and, let’s be honest, this appears primarily to be a management problem,” said Sen. John Boozman (R-Ark.). “I can’t support the amendment at the present time.”
OPM – Open for Business?
In the wake of the breaches and the news that agencies will be expected to front millions in breach-response costs, many are asking if OPM should ‘own’ the investigation business any more. The intelligence agency already conducts its own background investigations. Speculation is that more agencies may look to bring their security clearance processes in-house. OPM may also see a financial hit for some of the optional services it provides. Those changes may prove to be good for the security of the security clearance process in the long term. But they may be very bad for reciprocity efforts.