NASA extends incumbent on troubled ACES contract
It looks like NASA is going to go the full 10 years on its agencywide $2.5 billion IT services contract ACES, despite early hiccups.
It looks like NASA is going to go the full 10 years on its agencywide $2.5 billion IT services contract ACES, despite early hiccups.
The Agency Consolidated End-User Services contact was awarded to HP Enterprise Services in 2011. The contract was a four-year term with two three-year extensions. The goal of the contract was to unify wildly varying IT hardware acquisition and support across NASA's 10 field centers and other sites under the CIO.
According to a notice on FedBizOpps posted Oct. 16, NASA is extending the ACES contract on a sole-source basis to Enterprise Services -- the new name for HPE. "Awarding to any other source would result in unacceptable delays in fulfilling the agency's requirement," the notice reads.
It's not explicitly stated in the Oct. 16 notice that the sole-source award is the three-year option period allowed under the initial ACES contract. However, the previous three-year option period on ACES ends Oct. 31.
A spokesperson for NASA did not return an email from FCW seeking clarification.
Major problems with ACES started to emerge before the base period was over. In 2014, NASA's inspector general issued a report critical of the agency's internal IT governance and HP's performance on the contract.
NASA opted to extend for the first three-year option in January 2016, even as security problems were evident. In July 2016, NASA's CIO declined to renew expiring authority to operate (ATO) certification on two key ACES systems, citing serious security vulnerabilities, including a lack of a hardware inventory, inconsistent baseline security settings, no system in place to prevent unauthorized software from running, elevated user privileges and unpatched software bugs.
An ACES ATO was signed in July 2017, after a series of 90-day temporary certifications kept the system up and running. But even after that, NASA's IG reported in Oct. 2017 that despite progress, ACES security deficiencies continue to challenge the OCIO's credibility."
A subsequent IG audit of NASA's Security Operations Center published this May suggested that some of ACES's problems were in the rear-view mirror. "During this review," auditors wrote, "NASA officials reiterated the value of an enterprise-wide approach to IT security similar to its Agency-wide approach for other IT services such as ACES that provides computer and communications services to NASA employees and contractors."
NASA's Office of Inspector General did not return an email seeking clarification on whether there remained unfulfilled oversight recommendations on the ACES contract.