A 10-year, US$103 million contract for a security incident response center at the US Department of Veterans Affairs (VA) had to be aborted after less than three years because of funding problems caused by bad planning and administration.
Instead of yielding a state-of-the-art security readiness and response capability, the contract became "an open checkbook" that resulted in the award of nearly two dozen noncompetitive task orders, inflated prices, overpayments and unaccounted-for equipment purchases totaling US$35 million.
Those are just some of the findings of an audit by VA Inspector General George Opfer into the planning, award and administration of the Central Incident Response Capability (CIRC) contract awarded to the Veterans Affairs Security Team LLC (VAST) in July 2002. VAST was incorporated as a Texas-based limited liability corporation one week before the contract was awarded. The now-defunct company was owned by several small businesses led by Washington-based SecureInfo.
According to Opfer's report, many of the problems with the US$102.7 million CIRC contract had to do with the addition of requirements for a Managed Security Services (MSS) component. While there appears to have been adequate acquisition planning for the CIRC requirements, there is no evidence of similar planning for MSS requirements, the report said. In fact, it is still unclear when the decision was made to include MSS requirements in the CIRC contract. There is also no documentation to show that the VA's program office considered at any point whether it would make sense to award separate contracts.
"We found that deficiencies in the planning, solicitation, evaluation of proposals, award and administration of the contract for MSS resulted in uncontrolled spending, overpayments and illegal contracting actions that resulted in the ultimate demise of the contract due to lack of funding," Opfer said in his report.
One modification -- made three months after the contract was awarded to VAST -- added new language that changed the MSS component from a firm fixed-price contract to a so-called Indefinite Delivery Indefinite Quantity contract. "The modification allowed VA to issue task orders to fill requests from field facilities and Office of Cyber Security for MSS at additional cost," Opfer said in his report. The VA began issuing such task orders in August, shortly after the contract was signed -- even though the contract change that legitimized such orders was not made until October, the report said.
Under the original pact awarded to VAST in 2002, US$82.9 million was earmarked for recurring labor costs over 10 years, with the remaining US$19.8 million meant for equipment and supply costs. But because of the task orders, the potential value of the contract shot up from US$102.7 million to about US$250 million. Though this sort of "cardinal change" was prohibited, it was still approved by the VA's Office of General Counsel. That approval came one day after counsel asked for an opinion on the modification by the officer in charge of the contract, Opfer noted in his report.
"This made the contract an open checkbook in that it resulted in the award of 22 noncompetitive task orders valued at approximately US$48.6 million, with little assurance of price reasonableness and no planned funding," the report said. At least 17 of the task orders were out of scope and thus prohibited changes under the original contract, Opfer said in his report.
A lack of clarity surrounding the modifications may have resulted in VAST being overpaid about US$3.8 million for MSS services it never delivered and an additional US$4.7 million in duplicate payments. On top of that, the VA also spent about US$35 million on equipment and supplies, but has no record of what the equipment is or where it may be. Because the VA revised the tasks that were the basis of the original award -- and sought new proposals from VAST -- it wound up paying about US$6.76 million more than had been earmarked for the original contract in the first year.
As a result of the errors, the VA had spent about US$91.8 million in less than three years when the plug was pulled.
Opfer's report also blasted the VA's vendor selection process. Little due diligence appears to have been put into evaluating vendor qualifications and ensuring that the prices being quoted were reasonable.
For instance, the CIRC contract was specifically meant for small businesses, which VAST was not, Opfer said. VAST, in its original response to the VA contract, described itself as a joint venture involving six small businesses teamed with three large businesses -- Compaq, Signal and SAIC. Such an association should have automatically disqualified VAST as a small business, the report said.