Oversight

IG: OPM still lacking in planning for IT overhaul

Wikimedia image: U.S. Office of Personnel Management seal.

The Office of Personnel Management still has not carried out federally mandated planning practices for a project to overhaul the agency’s IT infrastructure that began two years ago, according to the OPM inspector general. The assessment is the latest blow to an ambitious application-migration project that has been plagued by questionable planning and the departure of its prime contractor.

"Most, if not all, of the supporting project management activities" required by the Office of Management and Budget have not been completed, the IG said in a report released May 26.

It is the latest scathing assessment the agency watchdog has issued of OPM's effort to revamp its IT security following a data breach in the spring of 2014. The project, which was known as the Shell but is now dubbed Infrastructure as a Service (IaaS), involves building infrastructure to house applications migrated from OPM's mainframe computers, according to the IG.

Earlier this month, prime contractor Imperatis abruptly quit the project, citing financial distress. An agency spokesman has said the company’s departure would have little impact on the project.

Nonetheless, the report issued by Acting IG Norbert Vint said OPM's lack of planning could continue to undercut the success of the project.

Before beginning the IT overhaul, OPM did not carry out a required “analysis of alternatives” to determine whether moving all infrastructure to the new Shell environment was worthwhile, according to the IG.

"We were told by [Office of the CIO] staff that OPM's former chief information officer [Donna Seymour] discussed possible alternatives with her staff, with input from Imperatis," the report states, but "no documentation was provided to us to support this assertion."

In their response to a draft of the IG's report, OPM officials said they planned to do an analysis of alternatives for migrating to the Shell.

The IG had previously criticized OPM for not doing a Major IT Business Case for the IaaS project, a move that would outline financing and a management strategy. OPM eventually completed a business case, but the IG's office did not like what it saw.

"Now that we have reviewed OPM's recent business case and its supporting activities in depth, we are even more concerned about the lack of disciplined capital planning processes," the report states.

Funding still a problem

Cost estimates for the IaaS project have been elusive. OPM has put the cost of some of the work at $93 million. That estimate, however, does not include the priciest phase of the project: the migration of systems to the Shell environment, according to former OPM IG Patrick McFarland.

Funding for work on IaaS has previously been a cause for concern for project insiders, according to documents obtained by FCW.

OPM has made progress in tallying IT systems that need to be moved to the Shell, according to the IG. Nonetheless, the report faulted OPM for making cost estimates for the project that were "unsupported by any detailed technical analysis" of the effort needed to modernize and migrate agency systems.

OPM agreed that it would benefit from better life cycle cost estimates. Officials said they plan to use a new framework to do so that was designed by Clifton Triplett, a senior IT adviser the agency hired last fall.

After a devastating breach of OPM systems that compromised at least 22 million federal records, the White House announced a new background check agency -- to be housed at OPM but run on systems built by the Defense Department -- to better protect the data. The new regime and its accompanying IT requirements make it even more important that OPM conduct the aforementioned “analysis of alternatives,” the IG report states.

The new background-check regime might also throw a wrench in OPM’s funding plans for the IaaS project. Officials had planned to use some revolving fund money from background investigations to bankroll the project, according to the IG. But with the IT systems for background checks no longer part of the Shell environment, "it would seem that a large portion of the planned funding source will not be available for the project," the report states.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.