A Department of Veterans Affairs IT contract is riddled with “uncertainty” after it failed to provide adequate oversight and properly manage information security risks, a watchdog reported.
VA’s inspector general found in a recent audit that the department obligated $431 million to HP Enterprise Services — which since merged with CSC to become DXC Technology in April — since 2013 for development of the Real Time Location System “without a Government acceptance of a functional RTLS solution.” The system is supposed digitally track medical equipment and devices so that “medical staff have optimal equipment and supplies to treat Veterans” in a safe manner, according to the VA.
The report substantiates the depiction of the project in reports earlier this year, which revealed private communications among VA officials who expressed fear of a “catastrophic failure of the program as a whole.”
Per the original contract, which has a $543 million ceiling, the entire system was supposed to be functional sometime this year. But the IG found that VA and HPE weren’t even able to launch a pilot to one of the department’s Veterans Integrated Service Networks — the first, $7.5 million task order under the contract. That was scheduled to be completed by December 2013, but after hundreds of functionality defects and renegotiations to that specific task order, the parties terminated it.
Late last year, VA renegotiated the total contract “due to the vendor’s inability to implement a functional RTLS solution,” the IG’s report explains.
“Specifically, VA executed a Global Settlement Agreement that resulted in extensive changes to the vendor’s contract requirements, to include expiration of task orders for [two service networks], reduction in scope of RTLS applications deployed, extension of the contract period of performance through June 2018, and commitment of $431 million in total costs to the vendor as of December 2016,” it says. “According to the agreement, VA also released the contractor from any liability claims related to prior performance on the contract.”
Still, the IG concluded, “given the uncertainty of the project, future RTLS cost estimates are unknown. Moving forward, VA must exercise cost control, sound financial stewardship, and discipline in RTLS development.”
The IG pointed at VA’s lack of program management and oversight as the lead cause for the project’s lack of progress.
“VA deployed RTLS assets without appropriate project oversight because management failed to provide effective oversight of the RTLS project from acquisition through development and implementation,” the report says. Particularly, VA’s Office of Planning and Policy Enterprise Program Management Office dropped the ball, the IG says, by not following “project implementation policy, including adherence to VA’s [Project Management and Accountability System] process.”
“PMAS is VA’s principal means of holding IT project managers accountable for meeting cost, schedule, and scope milestones,” the report reads. “PMAS was designed to reduce project implementation risks, institute monitoring and controls, establish accountability, and create a reporting discipline. A VA directive mandated PMAS for all IT development projects.”
And on top of that, the RTLS team launched the system without first ensuring that it adhered to VA information security requirements and “without the appropriate system authorizations needed to connect such devices to VA’s network,” putting the internal network at unnecessary risk.
This type of perilous management of major IT contracts is nothing new to the VA. The department has long been criticized for its struggle to implement a modernized electronic health records system that is interoperable with Defense Department systems. VA is currently in the process of issuing a 10-year, $10 billion contract to Cerner through which it hopes to achieve such functionality, but overseers in Congress maintain their doubts based on past failures.
But Rep. Phil Roe, the Tennessee Republican chairman of the the House Committee on Veterans’ Affairs, has hope that VA Secretary David Shulkin can get the RTLS project back on track.
“[You] are disappointed, but I wasn’t surprised and I think that Dr. Shulkin will get it online,” Rep. Roe told a Tennessee local news station of the contract. “I don’t think it’s a matter of deliberately not doing it, I think it’s just having someone in charge to be sure that’s implemented and then it’s our responsibility in Congress to oversee these.”