GovWin
B2G is moving!
Blogs posted after May 22, 2015 will be located on Deltek's central blog page at www.deltek.com/blog.
Just select the "B2G Essentials" blog to continue to receive this valuable content.
GAO: Federal Agencies are Falling Short in Overseeing IT Contractors

Federal agencies need to improve at overseeing the IT contractors that operate their computer systems and process their information, according to a study by the Government Accountability Office (GAO). Agencies are legally required to ensure that contractors adequately protect these assets, but GAO shows that there are inconsistencies among agencies’ handling of this responsibility.

GAO set out to assess how well certain agencies oversee the security and privacy controls for systems that are operated by contractors and how well the agencies with government-wide security and privacy guidance and oversight responsibilities were doing in helping them. In their audit, GAO reviewed the implementation of security and privacy controls for selected contractor-operated systems across six federal agencies, based on their reported number of contractor-operated systems. These were the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM). 

GAO found that the agencies generally had established security and privacy requirements for contractors to follow and prepared for assessments to determine the effectiveness of contractor implementation of controls. However, all but DHS were inconsistent in overseeing the execution and review of those assessments. One frequent area of inconsistency was in executing test plans that would identify potential security and privacy risks. In one example, GAO found that the DOT officials did not have evidence that 44 of 133 contractor employees operating one particular system had undergone a current background investigation.

A contributing reason for shortfalls that GAO identified in agency oversight of contractors was that agencies had not effectively documented procedures to direct officials in performing such oversight activities. None of the agencies had procedures in place to direct officials in how to conduct such oversight and that led to inconsistencies.

Another area mentioned by GAO is inconsistently-applied or unclear guidance. OMB FISMA reporting instructions to agencies state that systems operated by contractors are to be reported as part of the agency’s system inventory. But GAO found that agencies are interpreting and applying the guidance differently because the guidance for categorizing and reporting contractor-operated systems does not clearly define what constitutes a contractor-operated system. The difference in application causes many systems that are contractor-operated to not be classified as such.  This has resulted in incomplete information on the number of contractor-operated systems within the government.

Potential Cost Implications

Given the areas of shortfall within agencies it is possible that renewed efforts could have cost and administrative implications in several areas:

  • Personnel Security – Scrutiny of contractor background investigations is at an all-time high and inconsistencies discovered by GAO may result in direct costs and/or delays to companies and agencies while sufficient background investigations are completed. Similar implications may result if required agency-specific training in security or contingency planning has not been consistently administered.
  • Compliance Efforts – Given GAO’s spotlight on inconsistencies in how systems are evaluated, assessments of systems and personnel for compliance with agency requirements will likely increase, adding short-term burden until processes are in place and efforts are routine.
  • FISMA Assessment – Increased clarity or education from OMB on applying their FISMA reporting standards for contractor-operated systems could increase scrutiny on some systems – both government-owned, contractor-operated and contractor-owned, contractor-operated.  Many of these systems may have been previously overlooked or mis-categorized, which could spur deeper scrutiny and increased costs.

Potential Contractor Opportunities

As agencies strive to improve they may look to industry experts for assistance in the following areas:

  • Procedure Development – Agencies will need to document the procedures for their officials to follow in order to perform effective oversight of contractors. While these efforts may be considered inherently governmental in nature, some agencies may seek the help of contracted experts to aid in solidifying such procedures. Expect agencies to maintain directive control over this process.
  • Independent Assessments – GAO found that five of the six agencies they studied used independent assessors for system reviews, as required by NIST, and this included contracting for these assessment services. There may be continued opportunities for contractors to find work in this area. Expect agency officials to verify that the selected assessor is independent.
  • Test Plan Development and Execution – While most agencies that GAO audited had developed test plans, almost none of them had effectively executed test plans. Here is another area where independent contracted services may be in demand.

Considering GAO’s recommendations focus on both procedures and policies – that agencies develop procedures for contractor oversight and that OMB clarify reporting instructions to agencies – it will take some time for agencies to fully address the concerns raised in the report.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Federal Fourth Quarter FY 2014, Part 2 – $30B in IT Contracts Likely

The last two months of fiscal year (FY) 2014 are nearly upon us and that puts us on the cusp of the height of the 4th quarter (Q4) “federal IT busy season.” Even with several disruptions that have marked the first half of FY 2014, agencies do have budgets in place and are spending. If historical averages hold, several agencies will spend more than 50% of their FY 2014 contracted IT dollars in Q4.

Last week, I looked at potential total fourth quarter spending for the top 25 departments and agencies across all categories of contracted products and services, based on their reported historical contracted spending over the last several years. This week, I will focus on the Information Technology (IT) category in a similar fashion. (See last week’s entry for more detail on my approach.)

From FY 2009-2013 federal departments reported spending an average of 32% of their yearly contract dollars in the fourth quarter across all spending categories. However, the percentage of Q4 IT contract spending was 39% among the same departments for that period. Agencies tend to buy more of their IT in Q4 compared to other products and services, on average. Translating that into dollars, over the last five fiscal years federal agencies spent an average aggregate of nearly $30 billion on IT hardware, software, and services in Q4 alone. This is the case based on historical spending data, even in the era of sequestration and other budget constraints.

Which departments are the best targets for a firm’s Q4 IT capture efforts? Over the last five fiscal years the following 25 departments or agencies reported the largest overall contracted IT spending and make up 99% of the federal market. The chart below shows their average contracted IT spending in Q4 over the last five years.


Sixteen of the 25 top-spending departments will spend an average of 40% or more of their yearly contracted IT dollars in Q4 (and several more departments are not far behind in percentage points.) Those 16 departments account for an average of $20 billion in combined Q4 IT contracts from FY 2009-2013.

Three departments or agencies historically obligate more than half of their yearly IT contract dollars in the final fiscal quarter: AID (55%), State (56%) and HUD (70%).  Their 5-year average Q4 IT contracted spending is:

  • AID = $141.5 million
  • State = $690.5 million
  • HUD = $181.9 million

Not far behind, the departments that spend between 45% and 48% of their yearly IT contract dollars in Q4 – like HHS, DOJ, SSA, Energy, and DOI – tend to have even larger IT budgets. These five departments account for a combined average of $3.2 billion in Q4 IT contracts over the last 5 fiscal years.

Much of these contract dollars will flow to commodity IT products like software and peripherals, but significant dollars will also go toward IT services. Proposals that were submitted weeks or months ago may come back to the foreground for potential action and companies that can quickly turn around competitive quotes for their federal customers may have a chance at stealing business from incumbents. 

With FY 2014 getting a bit of a slow start due to delayed budgets and agency shutdowns, the rebounding we are seeing in the second half of the year may result in a record-breaking Q4. We will have to wait and see.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.