The Federal Government Expects to Spend $500M on Post-Hack Benefits by 2020

The federal government spelled out in a request for submissions from contractors how it plans to respond to future hacks of personnel data, a tacit acknowledgment no amount of system security bolstering can effectively prevent breaches from happening altogether.

The General Services Administration on Tuesday evening put forth a request for quotes on a blanket purchase agreement that will help the agency prescreen contractors interested in providing protection services to future hack victims. GSA estimated the value of the forthcoming contracts to be $500 million, but noted the final total could exceed that amount.

“As the nature and complexity of data breaches have evolved during the past five years, governmentwide federal agencies have had increasing requirements for identity monitoring data breach response and protection services,” GSA wrote. “These services are critical to responding to cyber security events, and in mitigating the risk of identity theft or compromised government security and operations.”

GSA developed the RFQ in consultation with the Office of Management and Budget, the Office of Personnel Management, Defense Department, Homeland Security Department and Federal Trade Commission. The breach of 21.5 million individuals’ background investigation data maintained by OPM will serve as the first task order of the BPA. Naval Sea Systems Command released the RFQ for that specific contract Tuesday.

Contractors qualified to submit quotes for the BPA -- which will involve a proposal for the background investigation breach response -- include at least 100 companies in GSA’s “financial and business solutions” schedule. Those contractors are now required to either submit a proposal or explain why they are not doing so.

GSA asked the bidders to provide the agency with details on the companies’ three largest projects involving breaches of personally identifiable information, including social security numbers. Contractors will be placed into two tiers based on their experience with breach responses.

They will also have to detail how they will provide protection services, including business information, credit monitoring, identity theft insurance, identity restoration, a website accessible to breach victims and call centers. Moving forward, GSA expects the BPA to be the “required source” for agencies to contract data breach response and protection services. It will be available for all agencies to use.

GSA had been working on a BPA to deal with hack responses since late 2014, and put out an initial RFQ in April. It canceled that request after the two breaches at OPM, however, saying the needs of the government had changed significantly.

GSA is also requiring contractors to submit a “detailed IT security plan” that includes specifics of their security system architecture.

Submissions for the BPA RFQ are due Aug. 14. NAVSEA anticipates selecting a contractor for the background investigation breach by the end of August. 

(Image via wk1003mike / Shutterstock.com)