A 10-year, $103 million contract to create a security incident response center at the U.S. Department of Veterans Affairs had to be aborted after less than three years because of funding problems resulting from inadequate planning and poor administration.
Instead of yielding a state-of-the-art security readiness and response capability, the contract became “an open checkbook” that led to the awarding of nearly two-dozen noncompetitive task orders, as well as inflated prices, overpayments and $35 million in unaccounted-for equipment purchases.
Those are just some of the findings of an audit by VA Inspector General George Opfer of the July 2002 Central Incident Response Capability (CIRC) contract awarded to Veterans Affairs Security Team LLC (VAST).
The audit report was quietly released in late February, about two years after the contract was aborted. By 2005, the VA had already spent about $91.8 million, just $11 million less than it had planned to spend over the 10-year life of the pact, the report said.
The VAST joint venture was created just a week before the awarding of the contract. It includes six small companies led by Washington-based SecureInfo Corp. and partners SAIC Inc. and the formerCompaq Computer Corp., according to the report.
SecureInfo CEO Christopher Fountain denied that VAST had been overpaid during its work for the VA.
“At no time during the review were we alerted to any such concerns” by the inspector general’s office, Fountain said last week. “They never told us they had found anything” that was a cause for concern.
In fact, Fountain contended that VAST incurred “several million dollars in liability” when the contract expired because of equipment purchases and other expenses.
Company Defends Work
“We believe that the government realized great value from the work we did perform for them,” Fountain said. “We believe we [set up] one of the most advanced security operations centers in the federal government.”
The report blamed many of the problems on the acquisition planning for the so-called managed security services (MSS) outsourcing component of the contract.
“Deficiencies in the planning, solicitation, evaluation of proposals, award and administration of the contract for MSS resulted in uncontrolled spending, overpayments and illegal contracting actions that resulted in the ultimate demise of the contract due to lack of funding,” Opfer said in his report.
He noted that three months after the contract was awarded, the VA changed the MSS component from a fixed price deal to a so-called Indefinite Delivery Indefinite Quantity agreement. “The modification allowed VA to issue task orders to fill requests from field facilities and Office of Cyber Security for MSS at additional cost,” Opfer said in the report.
Though this sort of a “cardinal change” was prohibited under the contract, it was nevertheless approved by the VA’s Office of General Counsel, Opfer noted in his report.
“This made the contract an open checkbook in that it resulted in the award of 22 noncompetitive task orders valued at approximately $48.6 million, with little assurance of price reasonableness and no planned funding,” the report said. At least 17 of those would have been prohibited under the original contract, Opfer said in his report.
The changes increased the contract’s potential value to about $250 million, according to the report.
The changing MSS requirements may have resulted in overpayments to VAST of about $3.8 million for undelivered services and an additional $4.7 million in duplicate payments.
On top of that, the auditor found no record for the VA’s spending of about $35 million.
In a statement, the VA general counsel’s office maintained that the modifications made to the CIRC contract were legal.
But Robert Howard, assistant secretary of IT for the VA, said that he concurred with the report’s findings and has launched an inventory of equipment as recommended by Opfer.
The VA did not respond to a request for comment.