[ISN] Faulty contract costs the VA millions

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Mar 28 2007 - 03:01:43 CDT


http://www.sanluisobispo.com/mld/sanluisobispo/news/nation/16982592.htm

By Chris Adams
McClatchy Newspapers
March 27, 2007

WASHINGTON - The Department of Veterans Affairs backdated a key document
and violated other rules as it pushed through a $100 million computer
security contract that resulted in inflated prices and duplicate
payments, according to a previously undisclosed report.

In the end, the contract turned into "an open checkbook" for various VA
expenses, and the agency today can't detail the whereabouts of some $35
million in equipment purchased under the contract, the report by the
VA's inspector general said.

Indeed, the agency blew through the contract's funds so quickly that the
VA was temporarily left without proper defenses against computer hackers
and was forced into a higher "CYBERCON" alert level.

As it responds to concerns about the treatment of veterans served by its
health care and disability programs, the VA's internal auditor has said
in recent months that the agency has another significant problem: the
way it contracts for millions of dollars in supplies and personnel.

With a budget of more than $70 billion and more than 235,000 employees,
the VA is one of the largest departments in the federal government. But
the VA inspector general has repeatedly found that the agency doesn't
follow proper contracting procedures, resulting in "significant dollar
losses and failed projects," in the words of the most recent report.

Although it disputed some of the inspector general's legal
interpretations, for the most part the VA accepted the investigator's
findings and promised to make fixes. In response to questions about this
report and others, a VA spokesman said that the agency was having
trouble keeping good workers and that annual turnover in its central
acquisition office has been more than 60 percent.

"VA is committed to being a good fiscal steward of taxpayer dollars,"
said spokesman Matt Burns, who added that the department is "working
aggressively to strengthen its acquisition function and correct issues
identified by the IG." The agency has taken several steps to help
prevent future problems, he said.

An official for SecureInfo Corp., the company that received the
contract, disagreed with the inspector general's conclusions. Stewart
Curley, the chief financial officer, said the VA "at no time during the
review raised any concerns to us regarding" his company's activities.

He said the company would detail its objections to the inspector general
in writing.

The Feb. 26 inspector general's report detailed a series of decisions
between 2002 and 2005 to purchase computer services for what was called
the "central incident response capability" contract. It's designed to
help the VA fend off computer hackers.

In 2002 testimony before a congressional subcommittee, a top VA official
said the agency had conducted a rigorous several-month effort to award
the contract to a collective bid from several companies joined together
under the name VAST, for Veterans Affairs Security Team. The lead
company was SecureInfo, which has offices in Virginia and Texas and
supplies several government agencies with computer security expertise.

The contract was valued at $103 million. But the inspector general found
several problems in the VA's decisions, resulting in "uncontrolled
spending, overpayments and illegal contracting actions."

Among them:

- Although the contract was awarded in July 2002 as a small business
  set-aside, the inspector general said VAST didn't meet the
  requirements of a small business. VAST brought together several small
  and large businesses and had been incorporated in Texas seven days
  before the contract was awarded. At one time in the contracting
  process, VAST boasted that it had "180,000 technical professionals" at
  its disposal, calling into question its status as a small business.

- Even though the VA's in-house lawyer recommended they do so, two VA
  contracting officials chose not to tell the VA's inspector general
  that they heard an allegation that somebody was trying to manipulate
  the contracting process. The allegation didn't involve VAST, said
  Maureen Regan, who handled the report for the inspector general's
  office. But not referring the allegation to the inspector general for
  proper investigation was "inappropriate," the report said.

- In October 2002, the VA made a key modification to the contract,
  changing a portion of it from fixed terms to more open-ended terms. It
  made that change retroactive to August 2002.

That decision helped turn the contract into "an open checkbook for"
computer-related expenditures, many of which weren't related to the
original contract. Those new expenditures "were essentially awarded
non-competitively and with little or no assurance of price
reasonableness."

Other expenses may have been double-billed - meaning the VA paid VAST
twice for at least some of the same services, the report said. But
because VAST had been formed just to get the VA contract and "was
nothing more than an empty shell," it could be difficult for the VA to
recoup $8.5 million in potential overpayments.

In addition to labor costs, the VA spent more than $35 million for
equipment and supplies under the contract. But the VA doesn't know what
equipment it has or where it might be located, the report says.

The contract was expected to last up to 10 years. But the VA spent $92
million within three years and had to let the contract expire when its
funds ran out.

The VA's in-house lawyer disputed some of the report's legal findings
and also rejected the contention that the office hadn't adequately
examined the contract.

But the inspector general said the lawyer's office didn't document why
the VA modified the contract in 2002. The lawyer responded that
"thorough review and analysis are not always reduced to writing,"
according to the report.

The inspector general concluded that the VA's unwillingness to accept
some of the report's findings "will most likely result in a continuation
of contract failures such as this."
