OPM computer upgrade

The upgrades to the computer systems used by the U.S. Office of Personnel Management
necessitated by the 2014-15 data breaches of their then-existing systems
will be a significant issue.
Many factors will come into play:
  • Unfortunately, political correctness,
    as it is hard to believe that ANY decision of this accursed Obama administration
    is not infused with the need to please the interest groups that have put it into power
    (the Secretary of the Army nomination being Exhibit A).
    And personnel decisions are always a target of the politically correct.
  • The technical challenge:
    Upgrading systems that have been in long use
    without a break in service.
  • The usual managerial issues of cost and schedule.
  • The question of how many resources should be spent in
    patching holes in the existing systems
    versus putting all effort into the new systems.

In any case,
this post is an attempt to bring together various news articles I have found
on this interesting (to me, anyhow) and important issue.

OPM response to cyberbreach challenged again
by Eric Yoder
Washington Post "Federal Eye" Blog, 2015-09-14

In his latest report, Inspector General Patrick E. McFarland responded in turn to OPM management’s replies to the original audit. The IG said that the time and effort needed to develop a full business case “proves the importance of this point. OPM did not take the time to complete the necessary planning, budgeting, and technical analysis before initiating this massive undertaking.”

It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some of the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.

Another point of contention is how OPM has characterized the contract for the project. “OPM’s original assertion that the sole-source contract was not intended to be used for the Migration and Clean-up phases of the Project is not correct,” the IG said. “In fact, the conflicting statements from OPM officials regarding this contract are extremely concerning, especially the comments that were made under oath before Congress by both former Director Archuleta and CIO [Donna] Seymour.”

The report, dated Sept. 3, was released Monday by both the IG’s office and the House Oversight and Government Reform Committee, one of several panels that have held contentious hearings with administration officials on the breaches and the response.

IG slams OPM on management, funding of IT upgrades
Aaron Boyd, Senior Staff Writer
Federal Times, 2015-09-15

[An important development.]

The IG response focused on two recommendations from the audit
that have caused contention between the [IG] office and the [OPM] agency,
how the IT upgrade program is being managed and
how the contracts are being awarded and paid for.

Before OPM began its four-phase upgrade,
the IG recommended the agency develop a business case that included
an "assessment of the scope of the migration process,
the level of effort required to complete it and its estimated costs."

[How can you intelligently write an RFP
without having at least a WAG on those issues?]

The agency countered that the leg work for a business case would take eight to 12 months
and disrupt the first phase of the program,
which was already underway in response to the breaches.
As that phase progressed,
OPM discovered it would need a wholesale rearchitecting of its systems
and reworked existing upgrade and migration plans to meet its needs.

The IG was not satisfied with this response.

"That it will require some time
and a significant level of effort and analysis
to complete this process
proves the importance of this point," McFarland wrote.
"OPM did not take the time to complete
the necessary planning, budgeting and technical analysis
before initiating this massive undertaking."

[If I can believe this,
OPM's approach was first to select a contractor, have the contractor start work,
then let the contractor define the scope of the contract?
It certainly is commonplace for technically challenged agencies
to hire a contractor to provide overall technical guidance to a project,
but normally that contractor, because of his privileged position,
is forbidden from actually performing the work himself.
If the work must be extremely secure,
requiring very high clearance levels,
there may be a small universe of contractors who have
both the expertise (often very, very specialized) and the clearances
necessary to do the work,
and such good management practices may be relaxed.
But in the OPM case, surely there is a large pool of corporations
who have both the expertise and the clearances to do the work.]

As examples, the letter points to the fact that
OPM has yet to determine the full cost of the project —
particularly around migration —
and has had to go back to the first phase
to compete tasks it had missed due to poor planning, according to the IG.

The IG also docked the agency for not ensuring it had proper funding to complete the program.
OPM secured $21 million for fiscal 2016; however, that is earmarked for IT security upgrades
and does not include implementing and migrating to a new system,
which will cost in the area of $37 million. The Senate Appropriations Committee denied that funding request in July.

"When asked about this issue, OPM officials informed us that funding for migration costs would come from a combination of savings generated by discontinuing obsolete software and from program office budgets, including OPM's trust funds and the revolving fund," McFarland wrote. "In our view, there is no evidence to support this plan and it is inadequate and inappropriate."

Along with program management issues, the IG's letter also goes after OPM on contracting, citing its sole-source award to Imperatis for all four phases of the project.

OPM justified the sole-source award by stating Imperatis was the only vendor qualified to assist with the immediate action needed to secure the agency's IT systems.
However, the IG took issue with the company's role in every aspect of the project, citing this as above and beyond the sole-source justification and a violation of the Federal Acquisition Regulation.

[Sounds like a very good point.]

"The extent of the work that Imperatis will perform on the migration and cleanup phases is not relevant," McFarland wrote.
"There is no justification for Imperatis to perform any work on the project after the tactical phase was completed."

The IG reiterated its recommendation that OPM put the remainder of the project to an open competition.

Rep. Jason Chaffetz, R-Utah, chairman of the House Committee on Oversight and Government Reform, urged OPM to follow the IG's recommendations, citing the agency's failure to follow the office's warnings in the past.

"It's unsettling that despite a data breach that put the sensitive, personal information of 21.5 million Americans at risk, OPM once again refuses to heed warnings from the IG," Chaffetz said Monday after reading the IG letter. "Ignoring the IG's warnings largely got them into this mess in the first place. If OPM wants to regain the trust of Congress and the American people, they must make implementing the IG's recommendations a top priority."

OPM response to cyberbreach challenged again
by Eric Yoder
Washington Post "Federal Eye", 2015-09-21, page A15

[This seems to be a print version of the 09-14 blog entry that appears above.]

Exclusive: Official documents, interviews reveal scope of OPM’s financial woes
The agency has IT upgrades planned that will cost at least $117 million.
Where that money will come from is an open question.

By Sean Lyngaas
Federal Computer Week (FCW), 2015-10-19

The Office of Personnel Management, an agency beleaguered by cyber intrusions and challenged by legacy IT systems, is struggling to come up with the money it needs for crucial IT modernization projects worth at least $117 million, according to agency documents obtained by FCW.

OPM has awarded two contracts for application migration and enterprise case management, yet official documents show personnel raising red flags about the availability of funding.

One document, which details the planned migration of applications off of mainframe computers and other tasks, counts on $123.5 million in new appropriations from fiscal years 2017 to 2019. (That total also includes extra funding for maintaining legacy systems.) In another, OPM's Federal Investigative Services division admits that it is unclear if it will be able to fund its portion of an agency-wide enterprise case management system.

Whether legislators have an appetite to back OPM's push for additional funds, however, is an open question. Congress already rejected an effort to add $37 million to OPM's fiscal 2016 appropriation for the project in July.

The office of the CIO (OCIO) also appears to be playing a game of cat and mouse with the agency's Inspector General. IG Patrick McFarland has accused the OCIO of providing his office "with inaccurate or misleading information" and making it difficult for watchdogs to do their job. Seymour has vowed to deliver the application and system migration project, known as the Shell, on time, but the IG claims to have been cut out of the beginning of that process.

"We did not learn the full scope of the project until March 2015, nearly a year after the agency began planning and implementing the project," McFarland wrote in a July 22 letter to OPM Acting Director Beth Cobert.

In interviews with FCW, multiple individuals working in IT policy at OPM described a stifling work environment in which they were punished for speaking out. One current official said that employees in Seymour's favor are able to get away with lax contracting practices and cutting others out of policy discussions. Another claimed to be sidelined on an IT project after raising concerns about the bidding process.

Seymour has relied on a small inner circle to make key decisions about agency IT policy and does not brook dissent, the employees allege. "Those who are close to her [and are] in her good graces do not counter her much," said one OPM employee who has worked with Seymour.