10 Vendors Receive Over Half of VA's IT Contracts, Drawing Lawmaker Concern

Lawmakers expressed concerns about the Department of Veterans Affairs’ oversight of major information technology contracts—particularly the consolidation of high-cost projects across a dwindling number of outside vendors—during a House Veterans’ Affairs Subcommittee on Technology Modernization hearing on Wednesday. 

During his opening remarks, Rep. Matt Rosendale, R-Mont.—the panel’s chairman—said that, when it comes to VA’s IT contracting, “spending is going up, and the number of companies receiving the contracts is going down.”

“When the same few companies work in—and even make decisions for—all the major organizations within the VA, there is no way to maintain fair dealing,” he added. “Either the supplier base has to expand, or some of these companies have to be barred from holding certain future contracts.”

Shelby Oakley—a director in the Government Accountability Office's contracting and national security acquisitions team—told the panel that the watchdog found “VA’s IT obligations have been increasingly concentrated with a small group of contractors,” with more than half of VA’s IT-related contracts going to only 10 outside vendors in 2021. She noted that this was “up from 45% in 2017.” 

“More broadly, 30 contractors received about 75% of VA’s IT obligations over this same time period,” Oakley added.

Rep. Sheila Cherfilus-McCormick, D-Fla.—the subcommittee’s ranking member—echoed Rosendale’s concerns, noting that “VA’s annual IT obligations have increased from $4.2 billion in 2017 to $6.5 billion in 2021.” 

“The number of companies receiving those awards has decreased, and a question last Congress—but continues into this Congress—is where are the checks and balances in VA’s oversight of major IT acquisition?” she added. “I still have not heard a good answer to this question. Whether it’s benefits, financial management, supply chain or health care record modernization, there is a lot of talk about following a framework and accountability, but very little evidence.” 

GAO has previously highlighted serious concerns about VA’s oversight of major IT acquisitions and the department’s contracting process, adding them to their high-risk list of programs “that are vulnerable to waste, fraud, abuse or mismanagement, or in need of transformation.”

Oakley noted in her written testimony that VA’s oversight of its large-scale projects led to GAO adding the department’s health care to its high-risk list in 2015 “due, in part, to its IT challenges,” and that the watchdog subsequently added VA acquisition management to the list in 2019 “as a result of the department’s significant contract obligations and numerous challenges to efficient acquisitions.”

Internal oversight of VA’s major IT acquisitions have also been a consistent concern. Oakley told the panel that, despite being required to have VA’s chief information officer review and approve VA’s IT contracts, GAO found that the department “awarded almost 12,000 new IT contract actions between March 2018 and September 2021,” but that it “did not provide evidence of CIO approval for over 4,500—or 35%—of these contract actions.”

One of VA’s IT projects that has been the subject of intense congressional scrutiny in recent years has been the department’s multi-billion dollar effort to modernize its electronic health record system. Lawmakers, in particular, have criticized the ballooning cost of the project, as well as Oracle Cerner’s management of the software’s deployment in the wake of veteran deaths and patient safety concerns tied to the rollout of the new EHR system.

VA and Oracle Cerner agreed earlier this month to extend their contract for the EHR modernization program, although the renegotiated agreement includes a shorter-term extension and new penalties for missed deadlines and poor performance metrics. 

The contract was extended after VA announced on April 21 that it was pausing deployments of the new EHR system at additional medical centers until the department “is confident that the new EHR is highly functioning at current sites and ready to deliver for veterans and VA clinicians at future sites.”

House lawmakers have already proposed bipartisan legislation to address issues with the deployment of the new EHR system, as well as broader concerns about VA’s management of major IT projects. 

Last month, Rep. Mike Bost, R-Ill.—who chairs the House Veterans’ Affairs Committee—and Rep. Mark Takano, D-Calif.—the full panel’s ranking member—introduced legislation designed to enhance oversight and accountability of the new EHR system’s deployment. The legislation also includes the text from a bill originally introduced by Takano that would require VA to “enter into a contract for the independent verification and validation of certain modernization efforts.”

To expand VA’s supplier base and to help bolster some of the department’s ongoing modernization efforts, some lawmakers also used the hearing to float the idea of having VA work to ensure that large-scale IT projects can be fulfilled, at least in part, by smaller tech firms.

Rep. Keith Self, R-Texas, asked the witnesses about the possibility of breaking larger IT initiatives, such as VA’s EHR modernization program, ”into smaller contracts” that could then be awarded to other contractors. 

“Absolutely,” Hana Schank—a senior advisor at the New America think tank—said. She added that “in a normal scenario” it would make sense to break contracts, like for the new EHR system, into a scheduling contract and other sub-components.

“You can break these things up into individual pieces,” Schank said, adding that “every big tech project is—I don’t want to say breakup-able—but it can be divided that way.” 

Oakley said she agreed with Schank, adding that GAO has “done a lot of work on the practices of leading companies that do product development for cyber products as well as cyber physical products,” and that “these companies take an iterative approach to development.”

Rosendale said that it sounded as though, if VA “had smaller pods or components which communicated with each other seamlessly,” then the department “could get these systems.”

“The problem is we have people that are putting the [contract] requirements out that aren’t really familiar with the application, how it’s going to be utilized,” he added.