The Office of Personnel Management and its Inspector General continue to butt heads over the agency’s plan to improve its IT infrastructure.
OPM’s project management activities and the award of a sole source contract to Imperatis Corp., were at the center of the initial recommendations McFarland issued June 17.
Then-OPM Director Katherine Archuleta expressed her general disagreement with the audit June 22. And though Cobert recently offered additional comments and clarification, McFarland largely stands by his original recommendations.
Insight by MFGS, Inc.: In this exclusive Federal News Network survey, cybersecurity experts from the military services and intelligence community offer insights into how their agencies are transforming their approaches to cybersecurity to address the ever-changing threats.
“In the weeks that have elapsed since the issuance of the flash audit alert, a number of events have occurred which support our view that OPM should further develop its project management approach, and implement a procurement strategy that includes full and open competition for the later Project phases,” McFarland wrote in response to Cobert.
He cited Archuleta’s resignation and the Senate Appropriations Committee’s rejection of an amendment that would have given OPM $37 million to fast-track its IT infrastructure project, as signs that the agency doesn’t have a clear budget or project management plan.
McFarland said OPM is at a “high risk of project failure,” unless it writes a major IT business case to ensure it has the budget and project management tools it needs to finish the infrastructure plan.
In his original flash audit, the IG suggested OPM’s Office of the Chief Information Officer write a new business case and submit it to the Office of Management and Budget, as it prepares its fiscal 2017 budget. McFarland also said CIO Donna Seymour should assess the costs and timeline for the project’s migration process, while implementing standard project management best practices.
OPM generally disagreed with the IG’s recommendations. Archuleta wrote that a case proposal would take “eight months to a year of research, consultations, discussions and effort” and would put the agency’s current plans behind schedule.
But McFarland sees the business case as an important project management tool — and part of the process to define migration requirements and costs, which the IG said haven’t been finished yet.
And OPM, the IG said, has no way to fund its migration plans. The IG said the $21 million in the agency’s 2016 congressional budget request will go toward improving security software, not migration.
“OPM officials informed us that funding for migration costs would come from a combination of savings generated by discontinuing obsolete software and from program office budgets, including OPM’s trust funds and the revolving fund,” McFarland wrote. “In our view, there is no evidence to support this plan, and it is inadequate and inappropriate. There is no estimate of the cost savings that would result from cancelling obsolete software licenses.”
OPM agreed with the IG’s suggestion that it follow OMB project management standards and said it already was following them, according to Archuleta’s June 22 response. But she rejected the IG’s suggestion that OPM also adopt industry best practices, asserting that the agency follows the OPM System Development Life Cycle.
But McFarland said OPM shouldn’t turn a blind eye to industry best practices just because they are intended for the private sector.
“The practices are applicable to any organization, private or public-sector, involved in project management activities,” the IG said. “At any rate, based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”
The IG originally recommended that OPM open up the third and fourth phases of the improvement project — migration and cleanup — to other competitors, based on concerns that OPM was prepared to use its sole-source contract with Imperatis Corp., for the entire infrastructure project.
Initially, the scope of Imperatis’ involvement wasn’t clear. The project’s original statement of work for the contract includes activities for all four phases. And when OIG staff met with Seymour, she argued in favor of using the sole-source contract for all parts of the project, McFarland said.
But Cobert clarified OPM’s acquisition plan in her Sept. 3 memo to McFarland. Imperatis will be involved in a “limited capacity” during the third and fourth phases, she wrote.
“Although the contract contemplates that Imperatis will have work to do in all four phases, not all aspects of the work required by OPM in phases three and four are included in the contract with Imperatis. For phases three and four — migration and cleanup — Imperatis’s role under the contract will consist of preparation and support, a role necessitated by the expertise and knowledge they have developed the design and implementation of during the design and implementation of the Shell (phase two), and will not include other components of phases three and four such as systems modernization (phase three) and disposal of decommissioned equipment (phase four),” Cobert said.
The conflicting statements from OPM leaders, McFarland said, are concerning. But he also said Imperatis has “no justification” for any involvement on the migration and cleanup phases after its work on the tactical phases was finished.
“The concern expressed in the flash audit alert is not related to the extent of the contractor’s involvement in the migration and cleanup phases,” McFarland said. “Rather, it is our view that any involvement that is not required to correct the urgent and compelling circumstances under which the sole-source contract was justified violates federal acquisition regulations.”
The regulation in question — 48 CRF 6.3 — lets OPM use a sole-source contract if no other contractor will meet the agency’s requirements.
OPM citied the “expertise and knowledge” Imperatis developed during the first two phases of the project. But the IG said OPM’s argument doesn’t cut it.
“The circumstances described in the supplemental response do not meet the requirements of this section, but even if they did, this justification must have been made at the time the contract was awarded,” the IG said.
Cobert’s memo also clarified the involvement Imperatis will have with the final two phases of the infrastructure project.
During the third phase, OPM said it will look into what acquisition strategies it will use to modernize business applications. It also said it will handle the bulk of the cleanup phase itself, with help from Imperatis and other contracts “depending on the volume and timing of the work.”
The IG isn’t the only one who has expressed concern with OPM’s IT Infrastructure Improvement Plan. House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) has pushed OPM for more answers in the wake of two massive data breaches.
He said OPM should implement the IG’s recommendations, in part, to regain trust from Congress and federal employees.
“OPM continues to ignore serious concerns about their IT infrastructure improvement plan from the Inspector General,” Chaffetz said in a statement. “It’s unsettling that despite a data breach that put the sensitive, personal information of 21.5 million Americans at risk, OPM once again refuses to heed warnings from the IG. Ignoring the IG’s warnings largely got them into this mess in the first place.”