The majority of the 21.5 million current and former federal employees, including some with the NCUA, whose data was compromised as a result of the catastrophic Office of Personnel Management breach should be notified that they were affected by Thanksgiving.

The government is currently soliciting bids for government-wide identity monitoring data breach response and protection services. Bids are due on Friday for blanket purchase agreements, which are estimated to cost $500 million and cover fallout from previous incursions and faster responses for future cyberattacks.

While the five-year blanket purchase agreements include multiple contractors, a single provider must deal with the aftermath of the most recent OPM data breach. That contractor will have 12 weeks from the awarding date (on or close to Aug. 21) to send out millions of notifications. It will also offer identity protection services to affected individuals at no cost.

In June and July, the OPM discovered two separate but related cybersecurity breach incidents, which it blamed on Chinese hackers and which impacted the personal data of current and former Federal government employees, contractors and others.

After the first breach, announced in June, the OPM reportedly spent more than $20 million for identity protection firm CSID to notify affected individuals and provide them with identity protection services. Government personnel, however, complained of website crashes and multi-hour call center waiting times to get basic information about affected areas and how to sign up for the 18 months of complimentary credit monitoring services that were offered.

When a second breach, announced in July, turned out to be five times bigger than the first, the government took a different approach. However, it took weeks to develop contract requirements, and the victim notification process was delayed.

“Taking this much time to notify government employees that their very confidential, personal information was stolen is extremely detrimental for two reasons,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said. “First, trust in our government's ability to protect data in general and in the future is badly damaged, and second, it leaves open a criminal window of opportunity to misuse this data that is way too long.”

This time around, the chosen credit monitoring firm will have to handle more than five times as many victims. Services will include a range of protection from basic credit reporting to in-depth identity monitoring, as well as identity theft insurance and a restoration program for identity theft victims.

The new contract, which provides data breach response services for three years to individuals impacted by the recent OPM incidents, also specifically requires that contractors' call center wait times do not exceed an average of 10 minutes.

The General Services Administration, Defense Department and OPM asked Naval Sea Systems Command, a division that normally deals with high-dollar contracts, to put out a request for a quote from interested bidders. The eventual contract award will be made through an interagency collaborative process involving GSA, OPM and the Office of Management and Budget, officials said.

“As with any breach, time is of the essence, and this is no different,” Ondrej Krehel, founder/principal of the New York City-based cybersecurity intelligence firm LIFARS, explained. “The problem though, is that it could potentially be quite a while before everything is shored up, and if it even makes the deadline. This is a major problem with cybersecurity, most people take the 'I'll never be hacked' security approach. By the time they find out, they'll already be months behind and then they still have investigation and remediation to handle.”

This time frame, Krehel cautioned, can be exacerbated when no plans or existing contracts are in place, and when the breached organization has to scramble to make deals instead of acting on it right away.

“Even reactive solutions need to be put proactively in place,” he said.
