Is the authority of the CIO of Veterans Affairs simply symbolic?

The Veterans Affairs Chief Information Officer is often on the sidelines of major IT acquisitions. The CIO, by law, is suppose to be involved in all of the major acquisitions. But maybe it’s not. That’s what the Government Accountability Office found. For more on this,  Federal Drive with Tom Temin spoke with GAO’s Carol Harris, the director of Information Technology Acquisition Management.

IT Management: VA Needs to Improve CIO Oversight of Procurements

https://www.gao.gov/products/gao-23-105719

Interview transcript:

Tom Temin And I remember these debates. I remember the statute, and this goes back to not just the VA CIO, although there were specific legislation there, but all CIOs are supposed to have the budget. And you found that, golly, half the cases of the acquisitions you looked at, there was limited CIO involvement. Tell us more.

Carol Harris That’s right. So we found about 39% of the contract actions that we reviewed between March 2018 through the end of FY21 did not have evidence of CIO approval. But I did want to make one point, just to provide some context for your listeners, is that we in the VA IG had previously found issues with VA’s lack of compliance with [Federal IT Acquisition Reform Act (FITARA)] in this regard. Back in 2018 we reported that VA’s CIO did not review IT acquisition plans and strategies, and the IG also found that in about 70% of the cases that the CIO was not reviewing the contracts. And so in response to that, VA did transition to a new tracking system to streamline the CIO approval process and to expand CIO access and visibility to all related IT acquisitions. And so I think that context is important, because VA really has made some important progress in this area. It’s shrunk that gap from 70% to 39%. And so I did want to make sure that your listeners did understand that right.

Tom Temin They were looking at almost none of them. Now they’re looking at a little bit more than half of them, you might say, just to put it in rough terms.

Carol Harris Yeah, that’s correct.

Tom Temin But more than just simply evidence of approval, shouldn’t there be some way that the CIO can be actively involved in the planning and execution of those contracts, and then the approval is just kind of a pro forma at the end, because the process leading to that stamp should have involved the CIO. Tell us more about the structure behind all of this.

Carol Harris We did a more in-depth review of 26 selected IT contract actions within FY 21, and within about 14 of them they lacked total CIO approval, total CIO involvement, altogether. 13 of the 14 were actually managed by non-IT contracting officers. And so, I think that was part of the major issue. What we found was that these contracting officers just simply forgot to adhere to the department’s FITARA review. It wasn’t that they did it necessarily on purpose. They just were not aware of the requirements to ensure that the CIO had that awareness and that requirement to approve.

Tom Temin Now, Veterans Affairs has, I believe, the largest IT budget on the civilian side of the government. It’s either VA or Homeland security. But they’re big, they’re up there billions a year. Do we know what percentage of the IT dollars that these 14 contracts that did not have CIO involvement represent?

Carol Harris There are in the order of hundreds of millions of dollars. So we had to narrow the scope of our review. So unfortunately, we couldn’t generalize the sample that we evaluated. However, we do know that if we founded within this select sample size, it’s fair to say that it’s a larger problem overall.

        Read more: Veterans Affairs

Tom Temin Yeah, because a few hundred million is what every agency would love to have from the Technology Modernization Fund, for example, just to put it in context.

Carol Harris Exactly. And so based on the findings of our review, we recommended that VA provide an automated check within their system to facilitate this compliance and remind contracting officers of VA’s FITARA approval requirements. And VA did concur with the recommendation.

Tom Temin We’re speaking with Carol Harris. She’s director of Information Technology Acquisition Management at the GAO. And maybe the more difficult question is, is there any way of knowing whether it made any difference in the quality and delivery of the contracts in the materials and services under those contracts, with or without CIO involvement? Because if it doesn’t matter, then the whole FITARA presumption kind of fails?

Carol Harris That’s right. I think you just identified the scope of our next review. But all joking aside, having this full visibility into the procurement of VA’s IT assets and activities is so important, because it does help ensure that the CIO will be able to provide that input on the current in the planned IT acquisitions. And ensure that VA isn’t awarding IT contracts that are duplicative or poorly conceived. I mean, that’s so critical.

Tom Temin So you’ll be looking at the effects of this lack of activity by the CIO or the lack of involvement in the future. But at this point, it’s hard to tell what the effects are.

Carol Harris That’s correct, yes.

Tom Temin And to what extent do we know that this is the case in other agencies? Because under FITARA, every CIO is supposed to have budgetary authority, and with that authority comes the responsibility of looking at stuff before the contracts go out.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Carol Harris Right. We are aware that this issue takes place across the government. Some agencies do it better than others. I think, as you noted earlier, because VA’s budget is so large in IT, that’s one of the reasons why we did want to focus on this department in particular.

Tom Temin And to be honest, the idea of putting in a reminder mechanism or something or some sort of a trigger in the automated process of moving these things along, presumably they don’t pass nine carbon copy forms anymore throughout the government, begs the issue of the culture, in which, golly, how else would you do it without having the CIO involved?

Carol Harris Exactly.

Tom Temin See what I’m getting at?

Carol Harris Yeah, absolutely. I think that that’s so critical. Another thing that we identified within this report is that we found that there were potential IT procurements that weren’t necessarily labeled as IT. And therefore, falling under the radar of the CIO. And so actually what we found was about 881 potential IT contract actions for new awards representing about close to $400 million. That categorization of the contract really depends on the predominant product or service being purchased. So if IT contracts with a minority percentage of IT spending is in place, and that most likely would not be assigned as IT. And so, I think that also goes to your point that it’s so critical that we identify these IT contracts and make sure that they’re labeled appropriately and make sure that these contracting systems are tracking them correctly so that the CIO does have that full visibility into all of them.

Tom Temin Yeah. For example, if you’re buying chromatography equipment or some kind of a scanner, well, you’re buying basically a really big expensive piece of hardware. But that hardware has firmware and there’s networking connectivity. There’s a big piece of information technology in a computer aided tomography machine, but that’s not really an IT acquisition in the sense of case management or scheduling systems are.

Carol Harris To your point, I mean, it is a cultural shift for these agencies, including VA, to know and understand that these really, because IT is so heavily embedded into these products that the CIO really should be involved.

Tom Temin Yeah, because there’s also the issue that these products, the medical products in particular, are often not up to snuff in a cybersecurity sense, and they will be on the VA network. And therefore, you would think the CIO would want to know, I don’t care what you’re buying if it has software and it’s going to be connected to the network, we got to know about it.

Carol Harris Exactly, because he can’t protect what he doesn’t know is on his network. So absolutely.

Tom Temin So your main recommendation was get the CIO involved, roughly?

Carol Harris Exactly. Yes, VA did recognize that the mislabeling of the contracts was an issue. And they did inform us that they are developing processes to catch these procurements from falling through the cracks. And so we believe that if VA is in effectively implementing what they say they’re going to, then those efforts really could provide the CIO with that additional visibility.

Tom Temin And they agree with you essentially in this whole effort.

Carol Harris Exactly. Yes, they did.

Tom Temin So maybe it’ll go down from 39%. Let’s hope for 20% or 10% next year.

Carol Harris Yep. We’re going to keep chipping away at this.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.