OPM Inserts IT Security Incident Clause into Investigations Contracts

In quite the ironic twist, the Office of Personnel Management (OPM) has updated all of their contracts with background investigation service providers by inserting or replacing previous clause that address information security incident reporting requirements. A news story posted by NextGov outlined some of the new requirements inserted into OPM contracts that included: reporting any incident to OPM within a half an hour, using a federal smartcard to log-in to computers/databases, and agreeing to allow OPM to inspect their IT systems at any time.

Many agencies and companies are already following these procedures as a part of the implementation of OMB Memo M11-11 issued in 2011 that required federal agencies to use PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information systems. OPM, however, was late to join this party and as we all know, suffered one of the biggest government data breaches to date.

These new specific clauses and contract language were included in the Request for Proposals (RFP) for investigative fieldwork services released by OPM on January 20, 2016 for industry review and comment. The final RPF is scheduled for release in March 2016. It would be interesting to sort through what industry has to say, especially if any dare to express views on OPM’s handling of their own recent indiscretion (oh, to be a fly on the wall). With the impending transition of national security investigations to the National Background Investigation Bureau, it seems that turmoil and change will continue to affect those who work in or support the background investigation and adjudication processes.