IG continues to ring alarm bells about OPM IT modernization project

Nearly a year after its inspector general issued a warning about the increased risk of failure of a major IT project, the Office of Personnel Management is struggling to demonstrate it’s on the right track.

The IG issued a third report May 18 on the agency’s “shell” project, highlighting why auditors are “even more concerned about the lack of disciplined capital planning processes” today than they were in June 2015.

Auditors say OPM’s “shell” project, now referred to as infrastructure-as-a-service (IaaS) and intended to modernize and better secure its networks, still doesn’t have a fully compliant Circular A-11 business case, is missing a documented analysis of alternatives, and has overall funding that is at risk.

The IG’s report comes soon after the contractor hired to upgrade and secure OPM’s systems under the “shell” project went out of business. OPM terminated its contract with Imperatis May 9.

Imperatis was scheduled to complete the portion of the shell program it was hired to do in June.

The IG also issued a second report in September citing concerns about project management and OPM’s acquisition strategy.

This latest report on the program highlights a major hole in OPM’s plan to pay for the modernization effort.

The IG says OPM was planning on using fees it collected from doing background investigations to help pay for the estimated $91 million program. But with the creation of the National Background Investigations Bureau (NBIB) to replace the Federal Investigative Services, and with responsibility for developing and maintaining the associated IT systems going to the Department of Defense, that funding option is no longer on the table.

“As a result of OPM’s failure to perform proper capital planning activities, especially developing a realistic estimate of the project’s life cycle costs and conducting the appropriate analysis of alternatives, we continue to believe that there is a very high risk that the project will fail to meet its stated objectives of delivering a more secure environment at a lower cost,” the audit said. “OPM did not develop a realistic budget based on an understanding of the number of systems that would need to be migrated to the new environment, the level of effort associated with the required modernization and security updates, and the cost of this process. Another critical requirement of the capital planning process is not only to develop realistic life-cycle cost estimates for the capital asset, but also to assess the political support for those costs. It would not make sense to initiate a major project potentially costing hundreds of millions of dollars without first understanding whether OMB would support, and the Congress would appropriate, funding for the project.”

Given this circumstance, the IG recommended, and OPM decided, to conduct a more in-depth analysis of alternatives (AoA).

“[The Office of the Chief Information Officer] agrees that conducting such an AoA going forward, including looking at alternatives to ‘shell’ for mitigating, migrating, or modernizing legacy applications and infrastructure, would be beneficial to OPM and bring enhanced rigor to the capital planning process,” Lisa Schlosser, OPM’s acting CIO said in response to the IG’s audit. “[It] has been, and continues to be, OPM’s intent to utilize an agile methodology that is iterative in nature and that allows us to continue to adapt to evolving needs, circumstances, and technologies.”

Schlosser said the alternatives may include “mitigation or modernization of the legacy system, and/or migration to other environments that are or may become available in the future, such as a commercial or government cloud.”

She also said OPM now is using an “application profiling” scoring approach to evaluate the urgency of modernizing or migrating individual systems and to estimate the cost of each application.

The IG didn’t say how much the IaaS program would cost, but did highlight the fact that OPM is spending about $25 million a year to maintain the infrastructure.

Auditors say that without a better business case and cost estimates, OPM could end up supporting legacy and IaaS at the same time and spending almost all of its money on maintaining both networks.

“Because OPM’s lifecycle cost estimates are unsupported and probably significantly understated, there is a high risk that future budgets will continue to be inadequate to complete the project,” the IG stated. “This increases the likelihood of the ‘worst case scenario’… unless OPM decides to simply move its legacy systems into the IaaS without first modernizing and updating their security and operational features.”

Additionally, the auditors say OPM now has a plan to move legacy systems from old data centers into a new one, while keeping the old technology separate from IaaS.

“While on the surface this seems like a reasonable plan to save money in the short term, it does not significantly reduce the risks associated with maintaining security controls in two logical environments indefinitely,” the IG stated.

OPM asked for $37 million for the “shell” project in its fiscal 2017 and 2016 budget requests, but Congress has so far decided against giving it extra money. The agency kicked off the IT modernization effort in 2014.

The massive data breach OPM suffered last year was, in part, due to its reliance on old technology.