The IRS did not have to award Equifax a $7 million sole-source contract in late September, weeks after the credit monitoring company revealed a massive data breach that exposed the records of 145 million Americans, according to the Government Accountability Office.
In a statement to Nextgov, GAO spokesman Chuck Young rebuked the explanation given before a House Ways and Means subcommittee Tuesday by Jeffrey Tribiano, the IRS’ deputy commissioner for operations support. Tribiano told Congress the IRS was forced to award the tax fraud prevention contract to Equifax—which held the previous contract—because it was set to expire on Sept. 29.
The IRS had rebid the contract and awarded it to Experian Information Solutions in July; however, Equifax protested the decision with the GAO, which will issue its decision to deny, dismiss or sustain the protest by Oct. 16.
Tribiano said the IRS “either had to stop service” or “do a bridge contract with Equifax until GAO decides on the protests and we move forward.”
Young, citing federal contracting law, said the IRS could have begun work with Experian under the new contract if it determined the contract was critical to U.S. interests.
“While the Competition in Contracting Act of 1984—which is the source of GAO’s statutory authority to resolve protests—prevents the IRS from moving forward with performance of a contract while a protest is pending, Congress provided IRS (and all agencies) with the authority to proceed should the agency determine that performance of the contract ‘is in the best interest of the United States,’ or that there are ‘urgent and compelling circumstances that significantly affect interests of the U.S.’” Young said.
“Congress gave agencies, like IRS in this case, the tools to move forward under appropriate situations. They appear to be electing not to use it,” Young added.
Equifax’s former CEO Richard Smith testified before several Congressional committees this week, revealing lax security practices at the company. A slew of lawmakers criticized the IRS for the decision to award Equifax the important contract, including Rep. John Ratcliffe, R-Texas, who chairs the House Homeland Security Subcommittee on Cybersecurity. Ratcliffe suggested the Homeland Security Department use the same authorities it used to ban Kaspersky products to cancel Equifax’s contract with the IRS.
Where From Here?
Equifax will continue being paid by the IRS for the duration of the bridge contract for the same identity management services it provided under its prior contract. It is unclear from contracting documents whether the IRS specified a timeline for the contract’s conclusion.
In any case, GAO will make a decision on the Equifax bid protest by Oct. 16. If GAO sustains the Equifax protest, it will recommend appropriate corrective action, according to Deniece Peterson, director of Deltek’s Federal Market Analysis. In this scenario, the IRS could re-evaluate proposals or begin with a new, amended solicitation, which would extend the duration of the bridge contract the IRS signed on Sept. 29.
If GAO dismisses or denies the protest, Equifax could still profit by assisting the IRS “in transitioning to a new contractor,” Peterson said.