GAO doubtful first round of TMF projects will save as much money as claimed

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Technology Modernization Fund (TMF) has been doling out money to agencies for special projects since 2018. The first cohort of projects were supposed to show they would be able to produce enough savings to pay back the TMF. But will they? That’s doubtful in many cases. The Federal Drive with Tom Temin heard more from the Acting Director for Information Technology and Cybersecurity at the Government Accountability Office, Dave Hinchman.

Interview transcript:

Tom Temin: Your report looks at kind of the first blob of money that went out. Just give us a sense of how many projects you looked at and what was the total handout from the TMF for them?

        We want to hear from federal technology leaders about how you are addressing current cyber demands and how your agency is making the most of its resources to improve its cyber posture. | Take our quick survey

Dave Hinchman: Sure. So the law requires us to review every award that’s being made to agencies. And so our second report, which was issued in December of 2021, not only rehashed the first seven awards, but then additional force. We’ve now looked at 11 of the 23 awards that have been made. The 11 awards totals somewhere roughly $75 million.

Tom Temin: And in the awards since then, after August of 2021, it’s a lot more money, too, right?

Dave Hinchman: Yes. They’ve made an additional 12 awards starting in September of 2021, and those awards totaled somewhere about $330 million. There is one classified award in that pile, and we don’t know how much that award was for or what the award was.

Tom Temin: That could have been a billion for all we know. All right, then let’s talk about the ones that you have studied, those first 11. And they came under the regime where it was clear that the payback mechanism was part of it. What did you find?

Dave Hinchman: So first thing we did was we looked at the cost estimates that the agencies required to provide as part of their award package. We used our cost estimating best practices, the GAO has, and in doing that, we found that of those first 11 awards, 10 of them were not considered reliable based on important information that was missing from the cost estimate. And then looking further into that, we found that their cost savings projections have changed dramatically in some cases, to the point where the majority of them have not realized cost savings at this point.

Tom Temin Right. This is a kind of a classic problem with information technology. Is this type of stuff even measurable?

Dave Hinchman That’s an excellent question. And I think in fairness, projects change, especially IT projects. However, I think what we’ve used, the important baseline that should be there, which is the cost estimate that’s provided, should really provide a roadmap for what the project hopes to do. And while there may be deviations, I think that we’re seeing such significant changes to these projects,  post awards gives us a little bit of pause, and we’re wondering if really the right questions are being asked to agencies when they apply for these funds.

Tom Temin: Got it. So it’s maybe a lack of knowledge or sophistication on the part of the awarding board there that is looking at the applications and deciding who gets the money?

        Read more: Agency Oversight

Dave Hinchman: That’s certainly a possibility. We haven’t done the work to support that. I know that there’s I think that’s a reasonable conversation to have, but I still think that, you know, going back to some of our main recommendations, which is that GSA needs to provide explicit instructions to agencies for doing their cost estimates. If you have a solid cost estimate, you really shouldn’t be running into problems down the road like these agencies have.

Tom Temin: And of the 11, you said 10 did not have reliable cost estimates. Which one did have cost estimates that were reliable?

Dave Hinchman: Customs and Border Protection had an award for a module in their automated commercial environment, which is a system that manages cargo coming across the border. They were found to have a reliable estimate.

Tom Temin: And they had one of the biggest awards or the biggest in that tranche of 15 million.

Dave Hinchman: Yes, 15 million. So one of the larger awards.

Tom Temin: And that automated commercial environment, that is a very venerable system. I mean, some form of it goes back, I think, to the 1980s.

Dave Hinchman: Yes, it’s a very mature product, very mature technology. The program has been around a long time. I did audits that involved that program 15 years ago. So it’s been around.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Tom Temin: So maybe they have a good basis for estimating what their costs are?

Dave Hinchman: Well, I think certainly a mature project who is in good standing, it’s been established, it’s been operating. And when you’re doing a small module, I think it was their collections module was something that they were adding. There’s certainly a good chance that the planning they’re going to have in place are going to help them with their cost estimate and understanding what they want to do and how much it’s going to cost.

Tom Temin: We’re speaking with Dave Hinchman. He’s acting director for information technology and cybersecurity at the Government Accountability Office. So what were your recommendations, especially as this TMF idea is heating up? Because, as you mentioned, the next group to date is another $330 million out there.

Dave Hinchman: So I think the two recommendations that are most important are that agents, both OMB and GSA, need to issue more explicit cost estimating guidance for agencies. OMB has countered that agencies are provided some instruction in the application package, but obviously the message isn’t getting through or that that’s not clear enough. And we think that it is worth it to provide explicit guidance for what agencies need to do. And that becomes even more important considering the scope and scale of the awards that are being made now.

Tom Temin: And would you say then that the GSA and Congress, really, and the OMB should retain the payback requirement because there’s some debate as to whether the next bunch of awards will even have that, simply because the idea is agencies need to modernize so badly, never mind if they can pay it back.

Dave Hinchman: Well, I think that it’s certainly part of the discussion. You know, when you look at a large award that’s being made, for instance, General Services got 187 million for their log in project. You know, the risk that an agency does not have a good plan in place increases. And with the possibility that an agency is only doing a partial or minimal repayment of its award as the team now allows, that certainly increases the risk, which is why we encourage all of the stakeholders and the TMF award decision process to make sure that they’re doing everything they need to do to provide the scrutiny of these awards, ensure that consumers and customers and citizens are getting the best value on this investment.

Tom Temin: Otherwise, it’s just a backdoor increase in the IT budget for everything else they’re doing?

Dave Hinchman: That’s certainly a risk and I know I’ve heard that argument before. I think one of the frustrations in the federal IT space is that the standard budget process is not IT’s friend. You know, in a two year cycle, your IT needs can change immeasurably. And TMF, and as you know, I think one option for providing a way to quickly respond to emergent needs, especially with cybersecurity, if you realize you have a vulnerability. And so I think it’s, you know, GAO and we’ve testified about this and written about this. The TMF is a great option for agencies, but we just want to make sure that it’s being run and operated as most efficiently as possible and it’s making good decisions with where the money goes.

Tom Temin: And what was the reaction of GSA or anybody else to the latest findings?

Dave Hinchman: They respectfully disagree. They still feel that the guidance that they’ve offered to agencies is enough. I do believe that they recognize there’s the potential for improved guidance in providing the agencies. I testified with the executive director of the TMF program office last week, and I think that there’s broad recognition both among Congress, as well as the stakeholders and us in the oversight position, that there’s always room to improve stuff. And I feel confident moving forward that that will find ways to do that.

Tom Temin: And it’s also fair to say that with the money that has been spent, agencies, regardless of whether they can pay it back, have made tangible improvements in their technology.

Dave Hinchman: Absolutely. You know, especially in the area of cybersecurity, it’s you know, it’s no longer will we be a victim of cybersecurity, it’s when will someone attack us? And this provides an opportunity for agencies to address fairly broad based efforts. For instance, zero trust architecture is, I think, the subject of year three or four of the most recent awards. And I think that’s the kind of thing where you won’t necessarily see tangible results down the road because you’re not being attacked. You know, the cost of a data breach or a malicious attack can be significant. But if that doesn’t happen, it’s more of a cost avoidance, you know, or an intangible savings. But I do think that there are definite advantages that agencies will realize from these awards.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.