[ISN] Faulty contract costs the VA millions

From: InfoSec News (alerts@private)
Date: Wed Mar 28 2007 - 00:01:43 PST


By Chris Adams
McClatchy Newspapers
March 27, 2007

WASHINGTON - The Department of Veterans Affairs backdated a key document 
and violated other rules as it pushed through a $100 million computer 
security contract that resulted in inflated prices and duplicate 
payments, according to a previously undisclosed report.

In the end, the contract turned into "an open checkbook" for various VA 
expenses, and the agency today can't detail the whereabouts of some $35 
million in equipment purchased under the contract, the report by the 
VA's inspector general said.

Indeed, the agency blew through the contract's funds so quickly that the 
VA was temporarily left without proper defenses against computer hackers 
and was forced into a higher "CYBERCON" alert level.

As it responds to concerns about the treatment of veterans served by its 
health care and disability programs, the VA's internal auditor has said 
in recent months that the agency has another significant problem: the 
way it contracts for millions of dollars in supplies and personnel.

With a budget of more than $70 billion and more than 235,000 employees, 
the VA is one of the largest departments in the federal government. But 
the VA inspector general has repeatedly found that the agency doesn't 
follow proper contracting procedures, resulting in "significant dollar 
losses and failed projects," in the words of the most recent report.

Although it disputed some of the inspector general's legal 
interpretations, for the most part the VA accepted the investigator's 
findings and promised to make fixes. In response to questions about this 
report and others, a VA spokesman said that the agency was having 
trouble keeping good workers and that annual turnover in its central 
acquisition office has been more than 60 percent.

"VA is committed to being a good fiscal steward of taxpayer dollars," 
said spokesman Matt Burns, who added that the department is "working 
aggressively to strengthen its acquisition function and correct issues 
identified by the IG." The agency has taken several steps to help 
prevent future problems, he said.

An official for SecureInfo Corp., the company that received the 
contract, disagreed with the inspector general's conclusions. Stewart 
Curley, the chief financial officer, said the VA "at no time during the 
review raised any concerns to us regarding" his company's activities.

He said the company would detail its objections to the inspector general 
in writing.

The Feb. 26 inspector general's report detailed a series of decisions 
between 2002 and 2005 to purchase computer services for what was called 
the "central incident response capability" contract. It's designed to 
help the VA fend off computer hackers.

In 2002 testimony before a congressional subcommittee, a top VA official 
said the agency had conducted a rigorous several-month effort to award 
the contract to a collective bid from several companies joined together 
under the name VAST, for Veterans Affairs Security Team. The lead 
company was SecureInfo, which has offices in Virginia and Texas and 
supplies several government agencies with computer security expertise.

The contract was valued at $103 million. But the inspector general found 
several problems in the VA's decisions, resulting in "uncontrolled 
spending, overpayments and illegal contracting actions."

Among them:

- Although the contract was awarded in July 2002 as a small business 
  set-aside, the inspector general said VAST didn't meet the 
  requirements of a small business. VAST brought together several small 
  and large businesses and had been incorporated in Texas seven days 
  before the contract was awarded. At one time in the contracting 
  process, VAST boasted that it had "180,000 technical professionals" at 
  its disposal, calling into question its status as a small business.

- Even though the VA's in-house lawyer recommended they do so, two VA 
  contracting officials chose not to tell the VA's inspector general 
  that they heard an allegation that somebody was trying to manipulate 
  the contracting process. The allegation didn't involve VAST, said 
  Maureen Regan, who handled the report for the inspector general's 
  office. But not referring the allegation to the inspector general for 
  proper investigation was "inappropriate," the report said.

- In October 2002, the VA made a key modification to the contract, 
  changing a portion of it from fixed terms to more open-ended terms. It 
  made that change retroactive to August 2002.

That decision helped turn the contract into "an open checkbook for" 
computer-related expenditures, many of which weren't related to the 
original contract. Those new expenditures "were essentially awarded 
non-competitively and with little or no assurance of price 

Other expenses may have been double-billed - meaning the VA paid VAST 
twice for at least some of the same services, the report said. But 
because VAST had been formed just to get the VA contract and "was 
nothing more than an empty shell," it could be difficult for the VA to 
recoup $8.5 million in potential overpayments.

In addition to labor costs, the VA spent more than $35 million for 
equipment and supplies under the contract. But the VA doesn't know what 
equipment it has or where it might be located, the report says.

The contract was expected to last up to 10 years. But the VA spent $92 
million within three years and had to let the contract expire when its 
funds ran out.

The VA's in-house lawyer disputed some of the report's legal findings 
and also rejected the contention that the office hadn't adequately 
examined the contract.

But the inspector general said the lawyer's office didn't document why 
the VA modified the contract in 2002. The lawyer responded that 
"thorough review and analysis are not always reduced to writing," 
according to the report.

The inspector general concluded that the VA's unwillingness to accept 
some of the report's findings "will most likely result in a continuation 
of contract failures such as this."
