WASHINGTON — Veterans Affairs officials wasted millions on a $100 million computer security contract that became a virtual “open checkbook” because of poor oversight and sloppy management, an internal review says.
The audit by the VA inspector general brings renewed attention to problems of data security and contract management after the department sustained blistering criticism for its loss of nearly 26.5 million veterans’ sensitive personal information last May.
It found that the VA put out multiple and inconsistent changes to the contract awarded in 2002 to VAST, a small business joint venture based in Texas, for computer service work aimed at fending off computer hackers.
In the report, the VA generally agreed with the findings. It said it has created contract review boards to help improve oversight and will seek to recoup lost or unaccounted for payments.
“VA is committed to being a good fiscal steward of taxpayer dollars in carrying out our important mission of serving veterans,” spokesman Matt Burns said Wednesday.
According to the findings, the VA:
—Spent more than $35 million for equipment and supplies under the contract that it cannot account for.
—Hastily increased the scope of the contract several times, bringing the total value of the contract from $102.8 million to $250 million with little thought or oversight. “This made the contract an open checkbook … with little assurance of price reasonableness and no planned funding.”
—Did not ensure that the joint venture, VAST, met requirements to qualify as a small business.
—Made overpayments on the contract as high as $8.5 million.
—Did not conduct required background investigations on the contract employees.
In addition, because the department spent money on the contract so quickly, it was left temporarily without a defense against hackers after the 10 year contract was allowed to expire prematurely in 2005.
In recent weeks, VA officials have faced a fresh round of bipartisan criticism over data security, with auditors telling Congress that gaping holes persist and that most VA data remains unencrypted.
At a hearing last month, Maureen Regan, counselor to the VA inspector general, said the department still hasn’t fully implemented any of its recommendations from reports dating back to 2001.
The department also hasn’t adopted five key recommendations issued shortly after the massive data breach last May involving veterans. That data was later recovered.
The IG report was publicly released Feb. 26 and first noted Tuesday by McClatchy newspapers.