Category Management Policy 16-2

EXECUTIVE

OFFICE

THE

PRESIDENT

OFFICE

MANAGEMENT

AND

BUDGET

WASHINGTON

, D. C.

20503

July 1, 2016

M-16-14

MEMORANDUM

FOR

THE

HEAD

Fi.

DEPARTMENTS AND AGENCIES

FROM:

Anne E.

Rung

United States ·

fAc

sition Officer

SUBJECT: Category Management Policy 16-2: Providing Comprehensive Identity

Protection Services, Identity Monitoring,

and

Data

Breach Response

This memorandum updates a longstanding Office

Management and Budget (OMB)

policy, first implemented in 2006, to maximize federal agency use

a government-wide

solution for acquiring identity protection services when needed. This memorandum requires,

with limited exceptions, that when agencies need identity protection services, agencies address

their requirements by using the government-wide blanket purchase agreements (BP As) for

Identity Monitoring Data Breach Response and Protection Services awarded by the General

Services Administration (GSA), referred to below as the "IPS BP As."

For the past decade, GSA has offered commercial credit monitoring services through

government-wide BPAs established under its Federal Supply Schedules (FSS) Program. When

the BP As were launched, OMB instructed agencies to review the pricing and terms and

conditions

the BP As in addition to any other credit monitoring services they may be

considering in their market research and notify OMB prior to making an award outside

the

BPAs.

Last year, GSA partnered with other agencies

requirements for new BP As to ensure

that all agencies have access to a pool

best qualified contractors capable

providing a

comprehensive range

identity protection services, including credit monitoring. For details on

the IPS BP As, including task order instructions, offered services, authorized users, order dollar

value limitations, the inclusion

agency specific terms, and ordering periods, visit

www.gsa.gov/ipsbpa.

Taking advantage

the IPS BP As ensures agencies can meet their needs for expeditious

delivery

best-in-class solutions from pre-approved and vetted companies at competitive

pricing and reduced administrative costs. For these reasons, the IPS BP As shall be treated as a

preferred source for Federal agencies when agencies have a need for credit monitoring, breach

response, and identity protection services. Consistent with category management principles,

GSA, as the contract manager, will work with an interagency team to periodically review and

refresh, as appropriate, the contract terms and requirements to ensure the BP As continue to

reflect the best identity protection practices and agencies' needs.

See OMB Memorandum M-07-04, Use

Commercial Credit Monitoring Services Blanket Purchase Agreements.

The following steps, which are effective immediately, are designed to ensure agency use

the IPS BP As to the maximum extent practicable:

Review the ranee

services offered under the JPS BPAs:

the agency has an existing

vehicle that overlaps with the BP As and is planning to exercise an option, or is planning

to issue a new contract that could overlap with the BP As, take the additional steps

described below.

2. Existing contracts:

Analysis

alternatives: As part

deciding whether to exercise an option under

an existing agency contract, and in accordance with Federal Acquisition

Regulation (FAR) 17.207, the agency shall analyze terms/conditions, pricing,

performance, fees and savings under the agency contract relative to the IPS

BP As. The agency may also consider the impact on an incumbent small business

contractor.

b) Sharing

final analysis:

the agency exercises the option, it shall provide the

final analysis to GSA and OMB at the following URL:

https://community.max.gov/x/CoELQ.

c) Agency approvals:

an agency proceeds with exercising

option under an

existing agency contract, the agency shall ensure the final analysis has been

approved by the Senior Agency Official for Privacy (SAOP) and any other

officials as identified

internal agency policies.

d) Sharing

prices paid and other contract information:

the agency exercises the

option, it shall submit, using the URL provided above:

(i) a copy

the option and underlying contract vehicle and,

(ii) at the end

the option period, prices paid under the option.

3. Planned procurements:

Analysis

alternatives: Agencies that are considering a different vehicle to

provide identity protection services shall develop an analysis

alternatives that

compares the planned vehicle to the IPS BP As in terms of: scope, period

performance, terms and conditions, pricing, performance, administrative costs

(cost

full-time equivalent employees supporting award and administration

the vehicle vs. the fees that would be paid to use the IPS BP As) customer

satisfaction

(if

the organization has previously managed a similar vehicle), and

small business impact,

any. The analysis should also highlight any unique

features and/or requirements. Finally,

the agency is planning an inter-agency

contract, its evaluation should include a market analysis and a description

the

agency's suitability for managing the vehicle.

b) Sharing

analysis:

the agency proceeds with its own vehicle, it shall:

(i) provide the final analysis to GSA and OMB at the URL identified above; and

(ii)

the anticipated value

the vehicle exceeds the simplified acquisition

threshold (SAT), the agency shall share a draft

the analysis with the

Category Manager for Professional Services and OMB at

https://community.max.gov/x/CoELQ for a five (5) business day review

period to offer input on the analysis.

c) Agency approvals:

If,

after considering any input from the Category Manager,

the agency decides to proceed with its own vehicle, it shall ensure the final

analysis has been approved in accordance with internal agency policies.

minimum, the analysis shall be approved

the SAOP and,

ifthe

vehicle has an

anticipated value above the SAT,

the agency's Senior Procurement Executive.

d) Sharing

prices paid and other contract information:

the agency proceeds

with its own vehicle, the agency shall submit using the URL provided above:

(i) a copy

the contract vehicle; and,

(ii) at the end

the base and each option period, prices paid under the contract

vehicle.

Agencies that require contractors to provide identity protection services, or a subset

thereof, as part

the security or safeguarding requirements in their contract are exempt from

this guidance. However, pursuant to

FAR

Part 51.1 Contractor Use

Government Supply

Sources, agencies may at their discretion authorize government contractors under cost-

reimbursement contracts and fixed price contracts for protection

security classified

information and related security equipment to use GSA sources, including the IPS BP As, when

determined to be in the best interest

the government. Additionally, agencies may seek a

deviation pursuant to

FAR

Subpart 1.4 to address other situations where contractor access to the

IPS

As would be beneficial.

By implementing the process described above, the government will serve the needs

impacted individuals, programs, and operations by leveraging the government's robust buying

power abilities to provide cost-effective, best-in-class solutions. Agencies are encouraged to

contact GSA and OMB with any potential questions or concerns regarding the implementation

included instructions.

For further questions regarding this memorandum, please contact Iulia Manolache in the

OMB's

Office

Federal Procurement Policy at [email protected] or (202) 395-7318.