Federal agencies have begun submitting proposals for how they will cover the costs of responding to the hack of background investigation data maintained by the Office of Personnel Management, and for some it is coming with a hefty price tag.
Last month, OPM notified agencies it would charge them for their share of the protection services being offered to hack victims, proportional to the number of impacted former and current employees, contractors and applicants connected to each agency. Now that OPM has notified each agency of what they owe for fiscal 2015, agencies must shift funds around to make the required payments.
The Defense Department submitted its reprogramming request to Congress, where it has already received approval from at least the Senate Appropriations Committee’s panel on Defense spending. The plan set aside $132 million to pay for hack victims’ credit and identity monitoring, identity restoration and protection services for dependent children.
More than 40 percent of that sum will come from the Army’s budget, a little more than a quarter from the Air Force and a smaller slice from the Navy. Another 17 percent — about $23 million — will come from Defensewide appropriations.
The Army pointed to reductions in expected cost-of-living adjustments, separation payments and housing allowance payments as the areas from which it will draw funds. The Navy said its money would come from fewer than anticipated reenlistment payments and “successful force shaping efforts” in the Marine Corps, as well as the deferred procurement of 27 robots and other purchases. The Air Force will shift funds away from spending set aside for overseas storm damage. The Defensewide portion of the appropriations will come from a few sources, including the consolidations of several department-run schools.
A House Appropriations Committee aide told Government Executiveother agencies have also submitted their plans, the details of which have not yet been made public.
Many agencies with fewer employees requiring security clearances were less impacted by the breach, and therefore saw smaller charges from OPM. The Veterans Affairs Department, for example, will pay $5.3 million toward the response and will absorb the expense without reprogramming funds.
The initial hack of 4.2 million current and former federal workers’ personnel records came with a $21 million price tag, which OPM absorbed on its own. The second breach, however, affected more than five times as many individuals. That, coupled with the government’s decision to offer a more generous suite of protection services for twice as long — as well as offering services to dependent children whose names were not included in the compromised information — was expected to drive the cost of the second contract far higher.
Naval Sea Systems Command took charge of the hunt for a vendor to provide those services and is expected to announce its selection in the coming days.
Agencies will also be responsible for funding the post-hack services in fiscal years 2016 and 2017, though advanced planning should allow agencies to make those payments without reprogramming funds. They may eventually be on the hook for more funding for the benefits, as the General Services Administration and OPM have said the government could boost the length or quality of the protections it offers.