Exclusive: Official documents, interviews reveal scope of OPM’s financial woes

The Office of Personnel Management, an agency beleaguered by cyber intrusions and challenged by legacy IT systems, is struggling to come up with the money it needs for crucial IT modernization projects worth at least $117 million, according to agency documents obtained by FCW.

OPM has awarded two contracts for application migration and enterprise case management, yet official documents show personnel raising red flags about the availability of funding.

One document, which details the planned migration of applications off of mainframe computers and other tasks, counts on $123.5 million in new appropriations from fiscal years 2017 to 2019. (That total also includes extra funding for maintaining legacy systems.) In another, OPM's Federal Investigative Services division admits that is unclear if they will be able to fund their portion of an agency-wide enterprise case management system.

Whether legislators have an appetite to back OPM's push for additional funds, however, is an open question. Congress already rejected an effort to add $37 million to OPM's fiscal 2016 appropriation for the project in July.

An amendment by Sen. Barbara Mikulski (D-Md.) to the Cybersecurity Information Sharing Act, currently pending in the Senate, would provide the $37 million for OPM IT modernization. However, the amendment would have to pass the Senate and survive what promises to be a hard-fought reconciliation process in the House of Representatives.

The agency's financial straits are partly a function of a rush by CIO Donna Seymour to modernize OPM's IT infrastructure in the wake of multiple cyber intrusions and congressional scrutiny, according to current and former OPM officials. Those individuals spoke on the condition of anonymity because they feared retaliation if their names were used.

Seymour has been under immense pressure to deliver on the IT projects, with congressional overseers demanding action in the wake of the OPM data breaches. Former OPM Director Katherine Archuleta resigned in July over the millions of compromised personnel records, and Rep. Jason Chaffetz, (R-Utah), chairman of the House Oversight and Government Reform Committee, has called on Seymour to step down as well.

The office of the CIO (OCIO) also appears to be playing a game of cat and mouse with the agency's Inspector General. IG Patrick McFarland has accused the OCIO of providing his office "with inaccurate or misleading information" and making it difficult for watchdogs to do their job. Seymour has vowed to deliver the application and system migration project, known as the Shell, on time, but the IG claims to have been cut out of the beginning of that process.

"We did not learn the full scope of the project until March 2015, nearly a year after the agency began planning and implementing the project," McFarland wrote in a July 22 letter to OPM Acting Director Beth Cobert.

In interviews with FCW, multiple individuals working in IT policy at OPM described a stifling work environment in which they were punished for speaking out. One current official said that employees in Seymour's favor are able to get away with lax contracting practices and cutting others out of policy discussions. Another claimed to be sidelined on an IT project after raising concerns about the bidding process.

Seymour has relied on a small inner circle to make key decisions about agency IT policy and does not brook dissent, the employees allege. "Those who are close to her [and are] in her good graces do not counter her much," said one OPM employee who has worked with Seymour.

Multiple attempts to reach Seymour by phone and email were unsuccessful, and OPM spokesman Samuel Schumach said Seymour was unavailable to comment. A subsequent request for agency answers to written questions was not completed in time to be included in this article.

Lack of Shell funding a "high risk"

In the aftermath of the cyber breach that exposed the personal information of some 22.5 million current and former federal employees, Seymour and Archuleta testified on Capitol Hill about their modernization plans for the agency. Central to those plans is the Shell project, which involves building infrastructure to house applications migrated from aging mainframe computers. The agency is counting on the Shell to boost its IT security.

OPM divides the project into four phases: the "tactical" phase of securing the existing IT environment, the building of the Shell itself, the migration of all OPM systems to the new environment, and finally the "cleanup" phase of decommissioning hardware and systems.

OPM's award of a sole-source contract for the Shell project raised eyebrows at a June 24 hearing of the House Oversight and Government Reform Committee. "[W]hen it is a sole-source contract, it does beg a lot of questions," Chaffetz said. While he expressed confidence in Imperatis' ability to perform the work, the committee chairman also noted, "this organization has had a lot of problems in the past." Imperatis changed its name from Jorge Scientific Corp. after video surfaced in 2012 that appeared to show the firm's employees drunk and high while working in Afghanistan.

OPM leaders also have made inconsistent statements about the scope of the Imperatis contract. At the June 24 hearing, Archuleta said that contracts for the third and fourth phases of the project had yet to be awarded. But in a Sept. 3 letter to the IG, Cobert, Archuleta's successor, said that Imperatis will be involved in all four phases of the Shell project, albeit not in latter-stage tasks such as systems modernization and "disposal of decommissioned equipment."

OPM has awarded a contract that covers parts of all four phases of the immense modernization project, yet the IG's Sept. 3 flash audit update said the agency had yet to determine "the full scope and overall costs of the project."

OPM has estimated that the Shell project will cost $93 million, McFarland said at the June 24 hearing. But that estimate only includes the first two phases of the project and not the most costly phase, the migration of systems to the Shell, according to McFarland.

The Imperatis contract was awarded after a different breach of OPM systems in March 2014. Due to the urgent need to shore up the agency's security, a former agency official told FCW, "a lot of the normal government contracting procedures were…not adhered to." There were also questions among some OPM officials about whether Imperatis had done its due diligence for the project, according to the former official.

"From a security standpoint, I have to be honest, I really didn't know what they were doing," the former OPM official said, referring to Imperatis. "They briefed us and everything, but I didn't see the type of security that you would normally expect to be planned into the life cycle of the project. I did not see that. And that was a real concern among…a lot of people at OPM."

When asked to address how the firm built in security measures to the Shell project, Imperatis said through a spokesperson: "The terms and conditions of our non-disclosure agreement preclude any comment or discussion by Imperatis in response to your request."

As of the IG's Sept. 3 update to its flash audit, OPM had yet to complete an Major IT Business Case for the Shell project -- a move that would map out the financing and management strategy for the program and one that is strongly recommended by the IG.

"OPM's position that the migration plans are extensions of existing IT investments…is particularly troubling, for several reasons," the IG wrote in the flash audit update. "First, many OPM systems are not aligned with the existing IT investments. It is not clear how funding and management of the migration of these systems would be captured by the existing IT investments. Second, and perhaps more concerning, is the practical effect of such an arrangement, which would impact management of the project throughout its lifecycle, and the transparency of spending associated with it."

OPM told the IG that it would take eight months to a year to complete the business case, delaying the agency's pressing modernization plans. Regardless, the former OPM official did not see the careful planning that a project of this magnitude would seem to warrant. "These applications…were supposed to go through certain procedures to make sure they're safe and they're not going to introduce new vulnerabilities into the new Shell environment," the former official said, adding, "I didn't really see any plans to do any of that."

At the June 24 hearing, Seymour told lawmakers that the building of the Shell is "on schedule and…on budget." Nonetheless, in four consecutive progress reports from July 31 to Sept. 3 that Imperatis prepared for OPM, "material funding for Shell" was rated as one of the program's high-risk issues. In the "mitigation strategy" column that succeeded that high-risk designation, the firm suggested: "Discuss potential for shifting labor dollars to materials." In the document, Imperatis Director of Business Development Melinda Byrd is listed as the person responsible for that risk.

The Imperatis report listed Seymour as the OPM official in charge of following up on that risk. In terms of the "assistance required" for that task, the firm wrote: "conversation regarding funding sources and amount and timing of any [modifications] for additional resources."

In its flash audit update, the inspector general expressed alarm at OPM's intent to pay for some of the Shell project via the agency's trust fund and its revolving fund, the chest of about $1.6 billion that OPM relies on to front the costs of the services it provides other federal agencies, such as background investigations and the maintenance of USAJOBS.gov.

"[P]rogram office budgets and the OPM trust and revolving funds should not be used to finance a project of this magnitude and potential cost," McFarland wrote. "The cost may be so high as to curtail vital OPM functions related to these programs and OPM's mission critical activities." Public law states that the revolving fund can only be used to finance functions covered by the budget estimates submitted to Congress for that fiscal year.

Cash squeeze not going away

Another project that OPM officials are scrambling to come up with resources to fund is a $24 million contract, awarded in August, for an enterprise case management system that automates human resources services. A document dated Oct. 1 listed funding as a risk to the portion of the ECMS project covering OPM's Federal Investigative Services division. "Given uncertainty of costs (and potential savings) ECMS might present, it is unclear if FIS will be able to fund its share of the platform and full FIS configuration," the document stated.

OPM's awarding of the $24-million contract to Ains, Inc., a firm with an office in Gaithersburg, Md., to install a commercial-off-the-shelf ECMS product, also left some OPM officials and industry sources puzzled. For one, there is a discrepancy in the original requirements drawn up for the ECMS and in the proposal put forth by Ains, the sources say. OPM officials also expressed concern about the financial structure of the contract – that it is unusually weighted toward installation of the product rather than licensing.

OPM's transition from its existing documents system, known as the Document Case Control System, to ECMS will involve integrating legacy systems and building new workflows -- tasks that officials say are not fully covered by current funding levels.

How OPM will fully fund the Shell modernization and ECMS projects remains an open question. In a document forecasting funding for the Shell project, OPM officials include $17.4 million annually in new appropriations for fiscals 2016 to 2019 for maintaining the Shell infrastructure and "dual environment" with the mainframes. The chart includes additional appropriations for migration costs to the tune of $42.8 million in fiscal 2017 and beyond.