recommended reading

Administration Got What It Deserved in Botched Rollout, Report Says

Sen. Orrin Hatch, R-Utah, ranking Republican on the Senate Finance Committee, left, talks with Sen. Chuck Grassley, R-Iowa

Sen. Orrin Hatch, R-Utah, ranking Republican on the Senate Finance Committee, left, talks with Sen. Chuck Grassley, R-Iowa // J. Scott Applewhite/AP

A joint Senate minority report issued Thursday further criticized the Obama administration’s botched rollout last year, attributing the website’s shortfalls to a poor information technology plan, even poorer management and leadership that focused more on plausible deniability than performance.

The report, issued by Sen. Orrin Hatch, R-Utah, ranking member of the Senate Finance Committee, and Sen. Chuck Grassley, R-Iowa, ranking member of the Senate Judiciary Committee, is essentially a 34-page evisceration of the administration’s handling of, which launched Oct. 1 but couldn’t properly handle traffic from Americans shopping for insurance. became the use case for how not to handle large IT projects for the rest of government, but the Senate report findings suggest many of its most major pitfalls could have been avoided.

The report cites several “red flags” in the project’s development process, including some that were well-publicized before the failed launch, including by the Government Accountability Office, as well as new pieces of information gleaned from reports issued by independent auditors.

Altogether, the report makes clear that large IT projects – the government obligated $677 million on the website last year – require much more than technology to flourish. They require leadership, effective management and communication between developers and a transparent approach to the public – none of which were occurred adequately during the implementation of, according to the report.

“The administration looked the other way on problems, even when the independent contractor hired to monitor the project was waving red flags, pointing to likely failure,” Grassley said in a statement. “This website wasn’t a ‘Field of Dreams’ fantasy where you hope for the best and everything works out because it’s a movie.  This involved taxpayer money and website users who wasted their time on something that wasn’t working.  When political will overpowers practical considerations, you get a mess like this website rollout.”

Some of the most troubling red flags listed in the report came from external auditors.

In one review, McKinsey & Company found that six months out, the design of the final system was considered “open,” meaning there was no fixed plan in place to follow. Contractors, including heavily-criticized and later-replaced CGI Federal, were essentially working blind, the report explained to the White House and the Health and Human Services Department. The McKinsey audit made recommendations to the administration, but the report stated the recommendations weren’t heard by top contractor leads over federal overseers until after the Oct. 1 launch.

The technical failures were also foreseen by TurningPoint Global Solutions, the auditors the Centers for Medicare and Medicaid Services contracted for technical and managerial reviews of the federal exchange. From September 2012 to September 2013, TurningPoint identified numerous technical and managerial concerns that likely played a role in the website’s failure, including “serious deficits in cloud computing.” Other findings from TurningPoint included 21,000 defective lines of code, no contingency plan for dealing with system defects and some 677 “serious defects” found in system tests.

TurningPoint’s audits suggested that contractors were not adhering to CMS’ chosen “agile” methodology to code for the federal exchange, focusing time on fixes or work-arounds than a final system.  These dire warnings were apparently not heeded, as the Senate report states it was not clear whether anyone outside the group at CMS that TurningPoint reported to even saw the reports.

This information squares against what public officials told Congress and expressed to the public, a prime example of politics trumping policy, according to the Senate report. On the inside, the report claims almost everyone involved with the project knew it was destined to fail. The public, however, didn’t have a clue.

“If there is one takeaway lesson from the failures associated with the launch of, it is that there was a lack of clear leadership from the beginning of the project,” the report stated. “Although CMS was in charge of building the website, CMS relied on a broad ‘enterprise architecture’ to make sure that all of the different offices were coordinating. Unfortunately, this approach made project management and accountability difficult.

“The ambiguity of responsibility gave all parties plausible deniability when things went wrong,” the report continued. “Each contractor and CMS unit could point fingers at others when the meltdown occurred. The fact that no one was flying the plane was not a surprise to HHS or CMS leadership or to the White House. They had known for months.”

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.