Govexec.com had an FEHBP related article yesterday concerning a dispute between the OPM Inspector General and an FEHBP carrier that sponsors an HMO plan covering about 4,000 people in California The carrier Health Net is part of a much larger Fortune 500 company Centene. The company balked at the scope of the Inspector General’s information security audit. However, the audit goes beyond a normal audit because the Inspector General wants to conduct its own vulnerability testing on Centene’s system. Vulnerability scans check on whether the software is up to date, among other things. The contract clause quoted in the Inspector General’s report allows OPM to make security recommendations to carriers based on the Government’s FISMA rules (NIST Special Publication 800-53). Rather than conduct its own vulnerability test, why not explain how it would conduct the test and recommend that the carrier use the same approach. That approach is consistent with the contract but much less intrusive. OPM should not be driving carriers away from the FEHBP.