IG: VA structured $133 million security contract to favor incumbent

The Veterans Affairs Department structured the requirements for a 2010 information security contract to give the incumbent a leg up, VA's inspector general found in a report released Wednesday.

The Office of Acquisition, Logistics and Construction used a technical evaluation process for the Sept. 28, 2010, award that favored "the incumbent, Booz Allen Hamilton, based on its performance as the VA's Information Assurance and Information Technology contractor," the IG said.

Booz Allen submitted a $133 million bid for providing support services to the chief information security officer, 22 percent above the least expensive competing proposal of $108.9 million and 16 percent higher than the other bid of $115 million, auditors said.

The acquisition office decided to forgo lower cost in favor of inside knowledge of VA's procedures and practices, the report said. Organizational knowledge can be a key factor in evaluation of contract proposals, the watchdog added. But Federal Acquisition Regulations state, "such knowledge should not be a justification for assigning strengths and weaknesses without first identifying the criteria as a significant evaluation factor" in procurement documents.

In their evaluation of the competing bids, acquisition officials credited Booz Allen with nine significant strengths, six of which related to its knowledge of VA practices and procedures. Lack of such knowledge was assessed as a weakness in evaluation of the other proposals, the IG report said.

Inconsistencies in proposal evaluation also "appeared to promote the [contract] award in favor" of Booz Allen, the IG report said. Another bidder suggested using a suite of network monitoring tools that included Sourcefire, NetWitness and ArcSight, and was penalized because VA did not use such tools and officials deemed them a risk to the department's networks, the IG report said. Yet Booz Allen included the same network monitoring systems in its proposal and the "technical evaluation panel did not identify these tools as potential risks," the report said.

The acquisition office also did not provide a labor-cost rate analysis to justify the premium price paid to Booz Allen. "Such an analysis would have compared the labor rates of all proposals and determined whether Booz Allen Hamilton's labor rates were reasonable," the report stated.

The IG concluded, "while the award decision may have resulted in a low risk to the government and a decreased learning curve . . . VA should not have paid a premium price for the incumbent's knowledge. In our opinion, favoring the incumbent during the selection process did not promote full and open competition in accordance with the Federal Acquisition Regulation. This practice puts VA at risk of awarding future 'de facto' sole source contracts at greater expense to the Government because of reduced competition."

Belinda Finn, assistant VA inspector general, said the IG "will evaluate VA's contract award decisions in future audits to determine if evaluation panels assess vendor proposals based solely on evaluation factors stated in the solicitations."

Glenn Haggstrom, executive director of VA's Office of Acquisition, Logistics and Construction, said in a reply to the IG report that Booz Allen was selected for the contract because it received an "outstanding" rating on its technical proposals, which justified the price premium. He added that seven of the nine significant strengths for Booz Allen made limited or no mention of its experience with VA.

James Fisher, a Booz Allen spokesman, said, "the OIG report was not directly focused on actions by Booz Allen itself, and we have no comment on its conclusions."
