Exhibit 3,021: Millions wasted on US govt IT due to poor oversight, audit finds
$24M was paid out incorrectly - and that's just from a close look at 5 out of 48 orders under ENCORE III
A sweeping US government IT program has paid millions of dollars to contractors who may not even have performed the work, says the DoD's Inspector General's Office, and it's placing the blame mostly on unqualified overseers.
The OIG released a report this week on the $17.5 billion ENCORE III [PDF] program that found a number of issues with contracting officers representatives, or CORs, assigned by government officials to manage contractor performance and oversee project progress. CORs are assigned to verify payments to contractors are made properly and to ensure the work being done meets ENCORE III standards, but the OIG found several of those they interviewed weren't even qualified to do the work their job entails.
As a result, $24.2 million was paid out to contractors "without reasonable assurance that contractor information technology services met task order requirements," the OIG said in its report.
In its review of five task orders (out of a total of 48 that have been issued under the ENCORE III program since 2017), the OIG said that CORs for those tasks "did not consistently maintain documentation of inspections of contractor performance, submit timely surveillance reports to contracting officers, or review contractor interim vouchers to prevent improper payments."
In one example, the OIG said interviews with CORs and reviews of paperwork from the five task orders found that contractors submitted supporting documentation for just $7,348 worth of a total of $167,335 in travel costs. After requesting additional records from those contractors, the OIG determined "the DoD reimbursed the contractors for at least $24,905 in travel costs that did not appear reasonable, allowable or supported."
- NYPD blues: Cops ignored 93 percent of surveillance law rules
- NASA's space nuclear power program is a hot mess
- EPA orders US states to check cyber security of public water supplies
- The Pentagon is shockingly bad at managing its employee smartphones
Just to reiterate, the OIG only reviewed five of the 25 ongoing task orders of 48 issued since the program began, meaning there's likely a lot more waste out there than caught in the audit.
ENCORE III is a massive IT program managed by the Defense Information Systems Agency and designed to provide "the DoD and Federal agencies a full spectrum of IT services and solutions" under a pair of indefinite delivery/indefinite quantity contracts open for a full decade.
Performance areas in ENCORE III include ERP, analytics, network support, asset management, IT support services, cybersecurity assessment and implementation and other similar areas.
Don't shove - there's plenty blame to go around
The OIG doesn't place all the blame on the CORs, saying that the ENCORE III program doesn't require contracting officers to review records kept by their CORs until they've been in the job for a full year. "Our results indicate that waiting a year to review COR files is insufficient to detect and correct COR performance problems in a timely manner," the OIG said.
COR training was also called into question, as the OIG said that the training process did not include instructions on how to review contractor vouchers to prevent improper payments.
Rating infosec ... but without technical skills
However, while the system in which the CORs work may not have been preparing them for success, the CORs themselves were singled out for mostly being unqualified for their jobs, as six of the eight CORs working on ENCORE III lacked the technical skills to assess whether vendors met the cybersecurity requirements of the program.
Government agencies overseeing the program "did not nominate qualified officials to be CORs, and the contracting officers did not verify that the COR nominees possessed the technical experience needed to oversee cybersecurity services before designating them as CORs," the OIG found.
In at least one instance, the OIG said this resulted in a COR relying on other officials to inspect contractor performance, which the OIG said is a violation of DoD guidance and increases the chance services are paid for but never received.
The OIG made 19 recommendations to the groups overseeing ENCORE III, among them that CORs be audited by their contracting officers more than once a year, that training materials be improved and that rules be established to ensure contractive officers more closely monitor their CORs.
According to the OIG, government officials agreed with 14 of the 19 recommendations, but five (those mentioned above among them) remain unresolved; the OIG wants additional comments regarding those unresolved issues within 30 days.
Representatives for the ENCORE III program had yet to respond to our questions at the time of publication. ®