Federal Agencies are Using Last Summer’s ‘Cyber Sprint’ to Justify Sole-Source IT Contracts

A reflection of the Department of Homeland Security logo is seen reflected in the glasses of a cyber security analyst in the agency's watch and warning center.

A reflection of the Department of Homeland Security logo is seen reflected in the glasses of a cyber security analyst in the agency's watch and warning center. Mark J. Terrill/AP File Photo

Some of these so-called sole-source contracts appear to violate federal contracting rules, according to procurement experts.

Several federal agencies are not letting eligible companies compete for IT contracts, reasoning that only a current or other favored supplier can handle work demanded by a 30-day cybersecurity exercise.

But that exercise was supposed to have ended last July, and some of these so-called sole-source contracts issued by the departments of Homeland Security and Labor, among others, appear to strain, if not outright violate, federal contracting rules, according to procurement attorneys.

A keyword search through the government's business opportunity website for "cyber" contracts posted July 30 or afterward turned up eight such noncompetitive deals. Because many contracts are not disclosed online or are published in unsearchable PDFs, the total number may be much higher, say federal acquisition experts.

All of this work was prompted by a June 2015 revelation that cyberspies swiped millions of national security background check records from the Office of Personnel Management. During the "cyber sprint," the White House Office of Management and Budget ordered all federal agencies to race through some basic housekeeping, like patching software bugs and tightening network access controls.

But the White House did not say agencies should award noncompetitive contracts to get the job done.

That raises questions as to why the departments of Homeland Security, Health and Human Services, Interior and Labor are invoking the sprint to justify barring other companies from competing.

Agencies Patch Together Deals with Bridge Contracts

Contracting officers are obligated by law to obtain the best deal for the government.

Among the rationales agencies provided for the noncompetitive cyber deals: There was not enough time to review proposals or only one supplier could meet their needs.

"I think it's a hard argument to make because I don't see any direction from OMB that you must get contracts in place to address the Cybersecurity Sprint initiative within, like, a couple of weeks," or immediately, says Rob Burton, former deputy and acting administrator of the White House Office of Federal Procurement Policy.

Under the 1984 Competition in Contracting Act, an agency’s "own lack of advance planning" is not an excuse for stopping other companies from proposing deals, the U.S. Court of Federal Claims ruled in 2013.

Bridge contracts, or extensions awarded to an incumbent vendor, generally are no exception to the rule.  

Only when an "unusual and compelling urgency" could hurt the agency is it acceptable to skip the competition, according to the Federal Acquisition Regulation – the bible of government contracting.

Even under that exemption, a bridge contract must be no longer than one year.

Yet, Labor on Feb. 10 posted a justification for a no-competition 3-year bridge with Accenture to comply with the cyber sprint.

"Accenture is the only contractor that can perform this work along with the accelerated federal cyber sprint requirements because Accenture possesses the specialized knowledge, skills and abilities needed" to ensure the "secure operations of DOL's most critical information systems while at the same time carrying out the unexpected federal cyber sprint requirements," the contracting notice states.

Labor spokesman Stephen Barr told Nextgov in an email, "this is a bridge contract to ensure there is no lapse in services until a competitive award can be made."

He declined to provide the value of the new contract. The earlier contract, a 5-year deal that had been awarded competitively, expired in January.

"While meeting ongoing cyber sprint challenges are a part of this bridge contract,” the focus is Labor’s “overall needs for a secure computing environment, including how we integrate operations and modernize our systems," Barr said.

An Accenture spokeswoman deferred to Labor for comment.

There is little transparency into the use of bridge contracts, by the government’s own admission.

Federal auditors last fall found that agencies have “limited or no insight” into their use of these deals. Extensions envisioned as short-term that the Government Accountability Office studied ended up spanning multiple years.

A Leg up on Rivals?

Of the contracts referencing the cyber sprint that disclosed their dollar amounts, costs ranged from about $200,000 to a little over $1 million.

Contractors who clinched the short-term pacts will have a leg up on rivals when it is time to bid on a long-term deal, says Charles Tiefer, a member of the Commission on Wartime Contracting in Iraq and Afghanistan, which investigated spending waste and fraud.

The government might want consistency in handling the cyberthreat, so those contractors could receive the next job automatically, he added.

"Cyber is a gold rush," budgeted at $19 billion for fiscal 2017, said Tiefer, who's also a University of Baltimore law professor.

Some of the contracts awarded by agencies may actually have nothing to do with the cyber sprint. 

Interior's Bureau of Reclamation awarded two contract extensions labeled "CyberSprint Security" and "Cyber Sprint Application Developer."  

A justification for the security contract, which was posted Oct. 16, 2015, explains that "due to the recent cyberattacks on federal government IT systems, Office of Management and Budget and Department of Homeland Security have issued mandates for additional cybersecurity for all federal government IT systems and assuming the risk of keeping these systems online without current patches is not a prudent or judicious option." The application developer contract contains a similar justification.

But a bureau spokesman told Nextgov that, in fact, neither contract is actually related to the cyber sprint.

"They were incorrectly titled," Interior spokesman Peter Soeth said in an email. "These contracts were to address actions within the cybersecurity program at Reclamation and were incorrectly associated with the 30-day cyber sprint." Each of the awards is a 1-year, $1 million deal.

Such "cyber sprint" labeling might have prevented or reduced objections to issuing sole-source contracts, Tiefer said.

Tiefer said, proper contracting should keep continuations as short as possible, even during war.

"I can tell you many stories from Iraq and Afghanistan where, obviously, there had to be continuity of contracting," because, for example, "you don't leave the troops in the field without a logistics contract," he said. "You don't need a year-long contract to compete the next contract."

Sole-Source IT Deals at HHS, USCIS

Other examples of agencies sole-sourcing contracts citing the cyber sprint:

On Oct. 14, 2015, HHS announced a deal with Lockheed Martin for new IT support work that would last until Sept. 30, 2016. 

"The recent CyberSprint activities" resulted in a mandate to restrict access to the HHS network through personal devices and to strengthen login controls, the contract notice states. The award alters an existing, competitively awarded contract with Lockheed.

"This modification was not to support the CyperSprint activities," HHS told Nextgov in an emailed statement last month. 

On Aug. 28, 2015, U.S. Citizenship and Immigration Services, a DHS component, gave notice of a 1-year contract, awarded to IT firm RightStar for a proprietary identity verification tool. The agency's current help desk technology, made by Remedy, does not offer two-step ID authentication, as "required by the Presidential Cyber Security Sprint Directive," the announcement states.

The plug-in from RightStar is the only technology that can support two-step verification on the agency's existing version of Remedy, a justification states. 

Speaking on background, a DHS official told Nextgov in an email this support is needed "to comply with requirements to enhance the security of IT systems, as part of a broader departmental effort to protect our critical networks."

The $16,794 support for the ID tech plug-in covers a 12-month period because that is how the item is sold in the commercial marketplace, the official said.  

In late October, the DHS Federal Law Enforcement Training Center posted three sole-source contracts that, according to the agency, were essential to the sprint.

On an "unusual and compelling urgency" per federal contracting regulations and "per the DHS cybersecurity sprint," the agency signed a $284,706 deal with reseller Carahsoft to obtain AvePoint software migration services. The contract period is Sep. 29, 2015, through May 29. The help is for an upgrade to the DHS agency's SharePoint environment.

Using the same rationale, the agency purchased an Avaya Messaging System and an upgrade of its existing Mutare messaging server for $222,874 from tech company MCS of Tampa. The contract covered Sept. 30, 2015, through Dec. 30, 2015

The DHS center also awarded Optivor Technologies $1.4 million for an Avaya software upgrade to version 6.3 under the same justification. The agreement covers Sept. 28, 2015, through March 28.

Homeland Security "considered the required services and resultant periods of performance necessary to meet the Cybersecurity Sprint schedule," the official said. But the DHS center was not able to make all the changes within the 30 days "due to the complex nature of the requirements." The official noted that the longest period of work is eight months. 

Each of the four DHS contract actions "was undertaken in order to comply with the Presidential Cyber Security Sprint Directive," which required two-factor ID check on all federal IT systems, the official said. 

A ‘Troubling’ Lack of Attention 

Referring to all noncompetitive awards, Burton said, "There doesn't seem to be, within the government, a lot of concern about this particular area" of contracting, which he said is being abused, and called that lack of attention “troubling.” Now a federal procurement attorney at Venable LLP, Burton represents companies excluded from competition and companies who have received noncompetitive contracts.

He added, "Moving quickly or having urgency does not mean you forego competition and that's right in the FAR."

When asked about concerns that agencies are citing the cyber sprint to defend limiting the pool of companies vying for federal dollars, a White House official who spoke on background directed Nextgov to a number of websites detailing Federal Acquisition Regulation sole-source provisions.

For instance, under some circumstances, a department can award work to small businesses owned by women or service-disabled veterans, as well as to small firms located in historically underutilized business zones. In other situations, agencies can pick from a list of vendors that are pre-approved for supplying certain products.

White House officials "know very well" the way they set deadlines for securing IT systems during the sprint will result in sole-sourcing, Tiefer said.

"They don’t want the agencies to slow down and miss their mandates for anything, even for the valuable benefits of competition," he added.