The Washington PostDemocracy Dies in Darkness

OPM’s watchdog to look into contract to help federal workers after big hack

A federal watchdog testified Wednesday that his office would examine a $20 million contract to provide credit monitoring for federal employees affected by the agency’s massive cyberattack, citing concerns that the contract was awarded unusually quickly.

Along with several members of Congress, Patrick McFarland, the inspector general for the Office of Personnel Management, said during a congressional hearing that he was concerned that the speed of the award — which happened within a week — could mean that it was improperly steered to CSID, the contractor.

During a hearing Wednesday, Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight Committee, also raised concerns because, he said, Owen Li, a member of the company’s board of directors, is under investigation by federal authorities after losing almost all of a hedge fund’s capital.

“Here we have someone who lost millions of dollars, [is] under investigation by the Department of Justice — we’ve got to figure out how in the world how these people get the contract,” Chaffetz said. “I’m not saying he’s guilty, but he’s under investigation. Why should we take the chance?”

But Patrick Hillmann, a spokesman for CSID, said in an e-mailed statement that lawmakers had it wrong. The Li on the company’s board is not the hedge fund manager cited at the hearing, he said.

It is “troubling that baseless allegations supported by sloppy research are being put forth into public debate,” he said, adding that the company would not be distracted by “political matters.”

A spokeswoman for the committee, in a statement Wednesday night, apologized for the error.

“Unfortunately we got our facts wrong during today’s hearing and attributed negative details to the wrong individual,” spokeswoman M.J. Henshaw said. “We strive to be thorough in all that we undertake, but sometimes we get it wrong. We apologize for the error and will ensure that the official record is corrected.”

In a letter to OPM last week, Sen. Mark R. Warner (D-Va.) said that he had concerns about the contract, noting that “such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID.”

OPM officials denied that allegation at the Wednesday hearing and said that the contract was awarded properly and with due diligence.

McFarland told members of the committee that his office also was concerned about the contract and would be “looking into it.” A spokesperson later said that would entail gathering the facts and determining “what steps would be appropriate.”

Members of Congress also took aim at another contract during Wednesday’s hearing, this one to help OPM secure its computer network after a data breach that potentially exposed the personal information of more than 4 million current and former federal employees.

Chaffetz said he was troubled that the contract was awarded without competition to a company accused of misusing $135 million of taxpayer money. Employees of Imperatis, formerly known as Jorge Scientific, were also recorded apparently drunk and high while working on a U.S. Army contract in Afghanistan.

“These are the recipients of a sole-source contract,” he said. He added that the company may well be capable of the work but added that “when it is a sole-source contract, it does beg a lot of questions. This organization has had a lot of problems in the past.”

An audit by the Office of the Special Inspector General for Afghanistan Reconstruction found that Imperatis could not produce documents to show whether its payments to a subcontractor were justified.

Meanwhile, the OPM inspector general has launched a “flash audit” of the program to overhaul the OPM’s computer network after the cyberattacks, citing “immediate” concerns about the way it is being implemented.

The initiative “will be far more complex than anything OPM has attempted in the past,” McFarland, the OPM inspector general, said Wednesday. He said he was concerned that because of poor preparation, the plan could ultimately make the network less secure and cost taxpayers additional money.

McFarland also questioned why the contract to perform the work was awarded without competition.

Imperatis did not respond to requests for comment.

OPM Director Katherine Archuleta, who has been under fire for weeks from Republicans and some Democrats on Capitol Hill for failing to adequately shore up her agency’s computer security networks in time to possibly prevent the attack, was by turns defensive and contrite during the four-hour hearing.

Asked again whether she or any other senior leaders at her agency should be held responsible for weak cybersecurity that could have led to the attack, she said: “I am more committed than ever to serve the employees of this administration. I accept the responsibilities that are given to the director of the OPM. I have fulfilled those responsibilities to make sure we have the right people in the right place.”

But Chaffetz, who was openly hostile, told her: “I think you’re part of the problem.

“We’ve got a crisis here that is as big as it gets,” he said. “That’s why I think it’s time for you to go.”

He told Donna Seymour, the agency’s chief information officer,“I think you’re in over your head.”