In an unusual move, NASA has let an IT system's authority to operate lapse as a means of calling attention to a problematic contract.
In an unusual move, NASA has let the authority to operate for a contractor-run IT network expire. The move appears to be the agency's way of airing its longtime dissatisfaction with the way Hewlett Packard Enterprise is managing the network, or perhaps a bold move in a high-stakes game of chicken.
Federal News Radio first reported the story on Aug. 22.
In 2010, NASA awarded HPE a 10-year contract worth as much as $2.5 billion. The four-year deal was followed by two three-year options. Despite NASA's decision to pick up the first option, the two entities have had a rocky relationship since the contract was awarded, including a scathing 2014 inspector general report that cited significant problems and found fault with both sides.
Former NASA CIO Linda Cureton told FCW that the act of letting an authority to operate (ATO) expire is not unprecedented, but it indicates that "the kind of progress the agency wants hasn't been made."
And doing so for an agencywide contract that supports desktops, laptops and other employee devices raises the stakes even higher and sends a firm, public message of dissatisfaction.
"Clearly people are trying to make statements here," said David Wennergren, executive vice president for operations and technology at the Professional Services Council. "When you let an ATO expire, you're making something very visible."
"What's unusual about this story is the way [it] happened," he added. "There are a number of ways this could have been addressed, and NASA has chosen a very public way."
Mike Hettinger, a technology policy expert who worked on Capitol Hill for 10 years, said NASA's decision is also a big deal because of the high price tag attached to NASA's IT and the repeated criticisms of it.
NASA and HPE declined to comment to FCW.
NASA received the only failing grade on the second Federal IT Acquisition Reform Act score card, and in response, CIO Renee Wynn, who took over in September 2015, pledged to improve the agency's lackluster IT security. To that end, NASA hired a full-time chief information security officer in July.
Cureton said the move to let the ATO expire could be an indication from Wynn that "delays will not be tolerated anymore."
"The advantage of letting it expire is that it forces...HPE to make some corrections," Cureton added.
According to Federal News Radio, NASA extended an interim ATO to the company. That conditional extension could be "an indication that NASA is trying to make this [partnership] work" while applying public pressure, Hettinger said.
But whether HPE can prove its worth during the 180-day extension depends on how far behind the company is in patching agency systems and the nature of the working relationship between the two entities, Cureton said.
The move is not without risks. Lacking a secure ATO is a last-resort strategy that muddies the future cybersecurity posture of the agency and "will weaken the CIO's position of consolidating all the disparate desktop environments," Cureton said.
"Best practices are that you don't ever want to have your ATOs expire," Wennergren said. "If you know that you need another one, you work with the company to get another one in place. If you run up to the end of the period and you don't have one in place...that says to me there are unresolved issues."
Cureton echoed that sentiment but said only time will tell if the move will lead to improvements -- with or without HPE.
"If the ATO expired today, they're no worse off than they were yesterday," she said. "But looking forward, are things getting worse? The [question] would be how long has it been this way and is the length of time making NASA more vulnerable or just neutral."
Hettinger said it was unclear whether the unusual business practice would trigger a congressional inquiry but added that, based on his experience, "it's certainly worth a hearing."