Federal Agencies are Using Last Summer’s ‘Cyber Sprint’ to Justify Sole-Source IT Contracts

The Department of Homeland Security logo is reflected in the glasses of a cyber security analyst in the agency's watch and warning center. Mark J. Terrill/AP File Photo

Some of these so-called sole-source contracts appear to violate federal contracting rules, according to procurement experts.

Several federal agencies are not letting eligible companies compete for IT contracts, reasoning that only a current or other favored supplier can handle work demanded by a 30-day cybersecurity exercise.

But that exercise was supposed to have ended last July, and some of these so-called sole-source contracts issued by the departments of Homeland Security and Labor, among others, appear to strain, if not outright violate, federal contracting rules, according to procurement attorneys.

A keyword search through the government's business opportunity website for "cyber" contracts posted July 30 or afterward turned up eight such noncompetitive deals. Because many contracts are not disclosed online or are published in unsearchable PDFs, the total number may be much higher, say federal acquisition experts.

All of this work was prompted by a June 2015 revelation that cyberspies swiped millions of national security background check records from the Office of Personnel Management. During the "cyber sprint," the White House Office of Management and Budget ordered all federal agencies to race through some basic housekeeping, like patching software bugs and tightening network access controls.

But the White House did not say agencies should award noncompetitive contracts to get the job done.

That raises questions as to why the departments of Homeland Security, Health and Human Services, Interior and Labor are invoking the sprint to justify barring other companies from competing.

Agencies Patch Together Deals with Bridge Contracts

Contracting officers are obligated by law to obtain the best deal for the government.

Among the rationales agencies provided for the noncompetitive cyber deals: There was not enough time to review proposals or only one supplier could meet their needs.

"I think it's a hard argument to make because I don't see any direction from OMB that you must get contracts in place to address the Cybersecurity Sprint initiative within, like, a couple of weeks," or immediately, says Rob Burton, former deputy and acting administrator of the White House Office of Federal Procurement Policy.

Under the 1984 Competition in Contracting Act, an agency’s "own lack of advance planning" is not an excuse for stopping other companies from proposing deals, the U.S. Court of Federal Claims ruled in 2013.

Bridge contracts, or extensions awarded to an incumbent vendor, generally are no exception to the rule.  

Only when an "unusual and compelling urgency" could hurt the agency is it acceptable to skip the competition, according to the Federal Acquisition Regulation – the bible of government contracting.

Even under that exemption, a bridge contract must be no longer than one year.

Yet, Labor on Feb. 10 posted a justification for a no-competition 3-year bridge with Accenture to comply with the cyber sprint.

"Accenture is the only contractor that can perform this work along with the accelerated federal cyber sprint requirements because Accenture possesses the specialized knowledge, skills and abilities needed" to ensure the "secure operations of DOL's most critical information systems while at the same time carrying out the unexpected federal cyber sprint requirements," the contracting notice states.

Labor spokesman Stephen Barr told Nextgov in an email, "this is a bridge contract to ensure there is no lapse in services until a competitive award can be made."

He declined to provide the value of the new contract. The earlier contract, a 5-year deal that had been awarded competitively, expired in January.

"While meeting ongoing cyber sprint challenges are a part of this bridge contract,” the focus is Labor’s “overall needs for a secure computing environment, including how we integrate operations and modernize our systems," Barr said.

An Accenture spokeswoman deferred to Labor for comment.

There is little transparency into the use of bridge contracts, by the government’s own admission.

Federal auditors last fall found that agencies have “limited or no insight” into their use of these deals. Extensions envisioned as short-term that the Government Accountability Office studied ended up spanning multiple years.

A Leg up on Rivals?

Of the contracts referencing the cyber sprint that disclosed their dollar amounts, costs ranged from about $200,000 to a little over $1 million.

Contractors who clinched the short-term pacts will have a leg up on rivals when it is time to bid on a long-term deal, says Charles Tiefer, a member of the Commission on Wartime Contracting in Iraq and Afghanistan, which investigated spending waste and fraud.

The government might want consistency in handling the cyberthreat, so those contractors could receive the next job automatically, he added.

"Cyber is a gold rush," budgeted at $19 billion for fiscal 2017, said Tiefer, who's also a University of Baltimore law professor.

Some of the contracts awarded by agencies may actually have nothing to do with the cyber sprint. 

Interior's Bureau of Reclamation awarded two contract extensions labeled "CyberSprint Security" and "Cyber Sprint Application Developer."  

A justification for the security contract, which was posted Oct. 16, 2015, explains that "due to the recent cyberattacks on federal government IT systems, Office of Management and Budget and Department of Homeland Security have issued mandates for additional cybersecurity for all federal government IT systems and assuming the risk of keeping these systems online without current patches is not a prudent or judicious option." The application developer contract contains a similar justification.

But a bureau spokesman told Nextgov that, in fact, neither contract is actually related to the cyber sprint.

"They were incorrectly titled," Interior spokesman Peter Soeth said in an email. "These contracts were to address actions within the cybersecurity program at Reclamation and were incorrectly associated with the 30-day cyber sprint." Each of the awards is a 1-year, $1 million deal.

Such "cyber sprint" labeling might have prevented or reduced objections to issuing sole-source contracts, Tiefer said.

Proper contracting should keep continuations as short as possible, even during war, Tiefer said.

"I can tell you many stories from Iraq and Afghanistan where, obviously, there had to be continuity of contracting," because, for example, "you don't leave the troops in the field without a logistics contract," he said. "You don't need a year-long contract to compete the next contract."

Sole-Source IT Deals at HHS, USCIS

Other examples of agencies sole-sourcing contracts citing the cyber sprint:

On Oct. 14, 2015, HHS announced a deal with Lockheed Martin for new IT support work that would last until Sept. 30, 2016. 

"The recent CyberSprint activities" resulted in a mandate to restrict access to the HHS network through personal devices and to strengthen login controls, the contract notice states. The award alters an existing, competitively awarded contract with Lockheed.

"This modification was not to support the CyberSprint activities," HHS told Nextgov in an emailed statement last month.

On Aug. 28, 2015, U.S. Citizenship and Immigration Services, a DHS component, gave notice of a 1-year contract, awarded to IT firm RightStar for a proprietary identity verification tool. The agency's current help desk technology, made by Remedy, does not offer two-step ID authentication, as "required by the Presidential Cyber Security Sprint Directive," the announcement states.

The plug-in from RightStar is the only technology that can support two-step verification on the agency's existing version of Remedy, a justification states. 

Speaking on background, a DHS official told Nextgov in an email this support is needed "to comply with requirements to enhance the security of IT systems, as part of a broader departmental effort to protect our critical networks."

The $16,794 support for the ID tech plug-in covers a 12-month period because that is how the item is sold in the commercial marketplace, the official said.  

In late October, the DHS Federal Law Enforcement Training Center posted three sole-source contracts that, according to the agency, were essential to the sprint.

Citing an "unusual and compelling urgency" per federal contracting regulations and "per the DHS cybersecurity sprint," the agency signed a $284,706 deal with reseller Carahsoft to obtain AvePoint software migration services. The contract period is Sept. 29, 2015, through May 29. The help is for an upgrade to the DHS agency's SharePoint environment.

Using the same rationale, the agency purchased an Avaya Messaging System and an upgrade of its existing Mutare messaging server for $222,874 from tech company MCS of Tampa. The contract covered Sept. 30, 2015, through Dec. 30, 2015.

The DHS center also awarded Optivor Technologies $1.4 million for an Avaya software upgrade to version 6.3 under the same justification. The agreement covers Sept. 28, 2015, through March 28.

Homeland Security "considered the required services and resultant periods of performance necessary to meet the Cybersecurity Sprint schedule," the official said. But the DHS center was not able to make all the changes within the 30 days "due to the complex nature of the requirements." The official noted that the longest period of work is eight months. 

Each of the four DHS contract actions "was undertaken in order to comply with the Presidential Cyber Security Sprint Directive," which required two-factor ID check on all federal IT systems, the official said. 

A ‘Troubling’ Lack of Attention 

Referring to all noncompetitive awards, Burton said, "There doesn't seem to be, within the government, a lot of concern about this particular area" of contracting, which he said is being abused, and called that lack of attention “troubling.” Now a federal procurement attorney at Venable LLP, Burton represents companies excluded from competition and companies who have received noncompetitive contracts.

He added, "Moving quickly or having urgency does not mean you forego competition and that's right in the FAR."

When asked about concerns that agencies are citing the cyber sprint to defend limiting the pool of companies vying for federal dollars, a White House official who spoke on background directed Nextgov to a number of websites detailing Federal Acquisition Regulation sole-source provisions.

For instance, under some circumstances, a department can award work to small businesses owned by women or service-disabled veterans, as well as to small firms located in historically underutilized business zones. In other situations, agencies can pick from a list of vendors that are pre-approved for supplying certain products.

White House officials "know very well" the way they set deadlines for securing IT systems during the sprint will result in sole-sourcing, Tiefer said.

"They don’t want the agencies to slow down and miss their mandates for anything, even for the valuable benefits of competition," he added.
