SOCIAL SECURITY ADMINISTRATION
THE SOCIAL
SECURITY ADMINISTRATION'S
ENTERPRISE-WIDE NETWORK
INFRASTRUCTURE CONTRACT
September
2008
A-14-08-18014
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA's programs
and operations and protect them against fraud, waste and abuse. We provide timely,
useful and reliable information and advice to Administration officials, Congress
and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management
by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides
a valuable public service while encouraging employee development and retention
and fostering diversity and innovation.
MEMORANDUM
Date: September 2, 2008
To: The Commissioner
From: Inspector General
Subject: The Social Security Administration's Enterprise-Wide Network Infrastructure Contract (A-14-08-18014)
OBJECTIVE
The objectives of our review were to determine whether Northrop Grumman Computing Services, Inc. (Northrop Grumman) adhered to the terms of the contract and whether Social Security Administration (SSA) personnel properly monitored the contract. Specifically, we reviewed the Agency's administrative controls and oversight of the Northrop Grumman contract. We did not independently: test the acquired software; evaluate the equipment maintenance service provided; or test the functionality of the equipment acquired.
BACKGROUND
On September 28, 2005, SSA entered into a contract with Northrop Grumman to
address hardware, software, maintenance and technical support (see Appendix
C for definitions of key contract terminology) of the Agency's Enterprise-Wide
Network. The contract has an estimated value of $153.2 million for 60 months
from September 28, 2005 through September 27, 2010. The network, known as the
Social Security Administration's Enterprise-Wide Network Infrastructure (SSANet),
has thousands of daily users. For example, SSA's 62,000 employees use Internet
and
Intranet resources in over 1,300 offices nationwide to communicate and process
SSA workloads, such as retirement and disability claims. As of July 2007, SSA
had paid, and we reviewed, $27.3 million of the estimated $153.2 million.
Under SSA policy and Federal contracting regulations, SSA is required to monitor the contract to ensure the terms are met. This includes both monitoring contractor technical performance and contractor adherence to contract terms.
RESULTS OF REVIEW
In general, SSA properly monitored the contract and ensured Northrop Grumman adhered to the contract terms. However, some aspects of the contract oversight warrant more attention by the Agency.
For example, SSA appropriately ensured that:
Invoices were certified as correct before payment and were paid in accordance
with the Prompt Payment Act.
Certifications were made that goods and services were received before payment.
Invoices, individually or in total, did not exceed allowed amounts.
Equipment unit prices and hourly rates billed on contractor invoices adhered
to contract terms.
The contractor was timely in delivering commercial products and engineering
services ordered.
However, the following issues need further attention by SSA:
Equipment was not tagged and accounted for in an inventory system.
Equipment disposal was not done in accordance with Federal regulations and SSA
policy.
Suitability testing was not performed for all subcontractor personnel who worked
under this contract.
EQUIPMENT WAS NOT TAGGED AND ACCOUNTED FOR IN AN INVENTORY SYSTEM
According to SSA policy, some network equipment purchased under this contract should have been tagged with a bar code and accounted for in an inventory system. However, SSA did not tag or account for the network equipment provided under this contract. As of July 31, 2007, more than $12 million in equipment was purchased under this contract. This included more than 1,400 computer switches that had a median unit price of about $2,756. According to SSA policy, because the unit price of these switches met SSA's definition of 'accountable property,' they should have been tagged and accounted for in an inventory system. SSA indicated that all equipment was not received centrally before distribution and it was, therefore, not possible to tag and record this equipment in an inventory system. Regardless of the dollar threshold set, noncompliance with Agency policy lessens the effectiveness of management controls in this area because all equipment is not being appropriately tagged and accounted for.
EQUIPMENT DISPOSAL WAS NOT DONE IN ACCORDANCE WITH FEDERAL REGULATIONS AND SSA POLICY
SSA did not properly monitor and report the disposal of telecommunication equipment (switches and routers) purchased under this contract to ensure compliance with Federal regulations and SSA internal policy. The contract indicates that when SSA determines Information Technology equipment will be replaced, the Agency must follow the policies and procedures on exchange/sale contained in the Federal Property Management Regulations. Federal regulations require that SSA provide a list to GSA of all telecommunication equipment disposed of by exchange/sale. Additionally, based on SSA policy, GSA is the disposal agency for the Government, and all requests for the disposal of this type of equipment should be sent through GSA for action.
According to SSA internal policy, an SSA property management officer should determine the value of the equipment and a technical expert should complete a utilization review before disposal. As of July 2007, SSA had received over $250,000 in trade-in credits for the return of more than 1,400 switches and other equipment. SSA did not: involve GSA in conducting this activity; report this activity to GSA; conduct value assessments to ensure compliance with the contract; and complete utilization reviews of equipment before disposal. It was also noted that sections of SSA's internal policy on equipment disposal referred to GSA forms that were outdated.
More than 1,700 other SSA switches will no longer be supported as of November
3, 2009. We found that the company that supplies the switches to Northrop Grumman
is the same company that determined the switches needed to be replaced and the
trade-in value given for the items returned. SSA accepted the trade-in value
without determining whether it was the best value to SSA. Federal regulations
require that agencies determine whether an exchange or sale will provide the
greater return to the Government. However, there was no assurance that SSA actually
achieved the "greater return" or that trade-in was warranted because
the items involved were not controlled and accounted for by SSA in an inventory
system and virtually all of the activity surrounding the trade-in process was
not controlled by SSA. In the future, SSA could use other methods to determine
and document the best return on investment
approach for equipment disposal. For example, SSA could contact equipment resellers,
eBay, Craig's list, and other equipment manufacturers to validate the trade-in
credit amount.
SUITABILITY TESTING WAS NOT PERFORMED FOR ALL SUBCONTRACTOR PERSONNEL
Suitability testing for all subcontractors was not performed. Northrop Grumman used subcontractor personnel to install equipment at various SSA locations nationwide. None of the subcontractor employees involved in this activity had the appropriate suitability check performed, and no waivers were granted. Allowing contractor personnel, who have not undergone an appropriate suitability review, access to SSA facilities heightens SSA risk that sensitive systems and/or data could be disclosed or compromised.
The contract established procedures for obtaining suitability determinations for contractor personnel who will perform under the network contract. Northrop Grumman did not adhere to the contract terms when it used subcontractor personnel to perform the installation of equipment at various SSA locations nationwide. The Office of Acquisition and Grants formally notified Northrop Grumman of this contract breach and requested that the contractor comply.
While SSA did not ensure contractor compliance with the contract, it should be noted that subcontractor personnel were usually escorted or observed by SSA staff when allowed access to SSA sites and equipment. We found one exception where a subcontractor employee may not have been continuously escorted or observed while performing an installation. These same issues were identified in other SSA reviews that we have performed and we are aware of the Agency's ongoing efforts to address this condition.
CONCLUSION AND RECOMMENDATIONS
Although SSA exercised a degree of administrative oversight and accountability of this contract, there are some areas that warrant management's attention.
We recommend SSA:
1. Appropriately tag and account for all equipment covered by SSA's policy.
2. Comply with Federal requirements and existing internal policy regarding the tracking and disposal of equipment.
3. Update its policy to reflect current GSA forms used in the disposal of equipment.
4. Ensure all contractor personnel have obtained appropriate suitability determinations before working under a contract.
AGENCY COMMENTS
SSA agreed with all of our recommendations. See Appendix D for the full text of SSA's comments.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Key Contract Terminology Definitions
APPENDIX D - Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments
Appendix A
Acronyms
AIMS Administrative Instructions Manual System
C.F.R. Code of Federal Regulations
FAR Federal Acquisition Regulation
FMRS Federal Management Regulation System
GSA General Services Administration
MRM Material Resources Manual
Northrop Grumman Northrop Grumman Computing Systems, Inc.
OIG Office of the Inspector General
SSA Social Security Administration
SSANet SSA Enterprise-Wide Network
Appendix B
Scope and Methodology
We conducted our audit field work between June and December 2007 in Baltimore,
Maryland. The principal entities audited were the Social Security Administration's
(SSA) Offices of Acquisition and Grants and Telecommunications and Systems Operations.
We reviewed records and interviewed staff in SSA's Offices of the Deputy Commissioner for Budget, Finance and Management; Finance and Property Management; and Personnel, Center for Personnel Security and Project Management. We also contacted regional office staff regarding the work performed onsite by subcontractor personnel.
We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objectives. We believe the evidence
obtained provides a reasonable basis for our findings and conclusions based
on our audit objectives. To meet our objectives, we
reviewed applicable Federal laws and regulations and applicable SSA policies
and procedures;
reviewed the SSA Enterprise-Wide Network Infrastructure contract, contract number
SS00-05-40020;
interviewed Agency staff;
reviewed and observed Agency contract management processes;
examined each call order as if it were a contract unto itself;
tested hourly rates and unit prices for all 82 invoices submitted during the
review period for compliance with contract requirements;
selected and tested 7 of 41 invoices that contained personnel service cost for
compliance with contract requirements;
obtained, documented and examined other information relevant to our review;
and
selected 35 of 177 field office locations for inquiry where subcontractor installations
were conducted during 2007.
Testing Methodology and Results
Of 82 contractor invoices paid during the audit period ended July 31, 2007,
41 contained personnel service costs. For testing, we selected a sample of 7
invoices, totaling $559,017, of 41 invoices, totaling $3,438,034. We reviewed
one invoice, chosen at random, from each of the 7 quarters in the period of
our review. Our objectives were to determine whether personnel service invoices
were mathematically correct and contained support for the number of hours billed;
the hourly rates used in calculating the invoice amounts adhered to the contract
provisions; and that none of the invoices exceeded the call order award amounts.
We found one exception where an invoice was under-billed for less than 30 minutes.
This was not material to the contract.
We also examined all 82 invoices, totaling $27,370,982, the contractor submitted
during the review period of September 28, 2005 through July 31, 2007. Our objectives
were to determine whether the submitted invoices were mathematically correct;
unit prices adhered to contract provisions and were supported by General Services
Administration Federal Supply Schedule or other relevant documentation; certified
by the project officer prior to payment; certified prior to payment that services
were rendered; did not exceed the individual call order award amounts; paid
in accordance with the Prompt Payment Act; and the invoices submitted complied
with contract provisions. We found minor exceptions for some unit price amounts,
due to rounding, that were not material to the contract.
To confirm that subcontractor personnel actually installed equipment at SSA field office locations, we developed and used a questionnaire and contacted field office staff. We randomly selected 35 sites from a universe of 177 sites where installations were performed during the period January 1 through July 31, 2007. For each of the two subcontractors who performed the installations, we chose three installs for review for each month. For months with three or fewer installs, all installs were selected for review. We obtained responses from all 35 field office locations. We confirmed that the subcontractor personnel performed installations at 32 of the 35 field locations. Further, 31 of the 32 field offices responded that contractor personnel were either escorted or observed at all times during their visit. We were unable to confirm installations at 3 of the 35 field offices. SSA staff at one of the three sites could not recall the installation. Contact points involved with the installations at two of the three sites were unavailable because of retirement or death.
Appendix C
Key Contract Terminology Definitions
Equipment Maintenance The performance of onsite replacement of failed hardware.
Hardware Components that provide the foundation for the network.
Software Components that enable hardware to function.
Switch A device that channels incoming data toward their intended destination.
Technical Support Services Individuals with knowledge and experience bases in
technical areas. For example, network engineers; subject matter experts, software
specialists, and project managers.
Appendix D
Agency Comments
MEMORANDUM
Date: August 20, 2008
To: Patrick P. O'Carroll, Jr.
Inspector General
From: David V. Foster
Executive Counselor to the Commissioner
Subject: Office of the Inspector General (OIG) Draft Report, "The Social Security Administration's Enterprise-Wide Network Infrastructure Contract" (A-14-08-18014)--INFORMATION
We appreciate OIG's efforts in conducting this review. Attached is our response to the recommendations.
Please let me know if we can be of further assistance. Staff inquiries may
be directed to Candace Skurnik, Director, Audit Management and Liaison Staff,
at (410) 965-4636.
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "THE
SOCIAL SECURITY ADMINISTRATION'S (SSA) ENTERPRISE-WIDE NETWORK INFRASTRUCTURE
CONTRACT " (A-14-08-18014)
Thank you for the opportunity to review and provide comments on this draft report. We concur with all four of the recommendations, and our responses to them are as follows:
Recommendation 1
Appropriately tag and account for all equipment covered by policy.
Comment
We agree. A three phase action plan is under development to tag and account for all Cisco equipment obtained under this contract using the Sunflower system. The first phase was put into place July 2, 2008. In this phase, all equipment being deployed by Northrop Grumman and SSA will be tagged prior to deployment. Phase 2 processes will address tagging of field replaced units, and Phase 3 will address all installed equipment.
Recommendation 2
Comply with Federal requirements and existing internal policy regarding the tracking and disposal of equipment.
Comment
We agree. We reviewed the Property Disposal Guide, and we are seeking additional guidance from OIG to comply with this recommendation. Currently, no trade-in actions are being pursued. However, in the recent past, trade-in actions have resulted in more than $250,000 credit to us.
On July 30, 2008, we emphasized with staff the need for the contracting officers to make a determination whether the proposed trade-in prices offered by vendors are fair and reasonable. We provided the contracting officers with the best sources and methods we currently have to assist them in making this determination. For all information technology equipment contracts that involve trade-ins, the contracting officers will now include evidence of their determination in the contract file.
Recommendation 3
Update policy to reflect current GSA forms used in the disposal of equipment.
Comment
We agree. We are updating all of the property management related material in the Administration Instruction Manual System to reflect current GSA forms used in equipment disposal. We will complete a first draft by the end of August 2008.
Recommendation 4
Ensure all contractor personnel have obtained appropriate suitability determinations before working under a contract.
Comment
We agree. Processes are in place to ensure that all Northrop Grumman contractors have suitability determinations before working under the contract. The subcontractors performed physical switch installations at small and medium sized remote sites, and we halted this activity in March 2008 due to the suitability status of these subcontractors. To date, we have cleared approximately 30 subcontractors through the suitability process and have additional personnel clearance actions currently underway.
Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kitt Winter, Director, Information Technology Audit Division, (410) 965-9702
Mary Ellen Moyer, Acting Audit Manager, (410) 966-1026
Acknowledgments
In addition to those named above:
Harold Hunter, Senior Auditor
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-14-08-18014.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit
(OA), Office of Investigations (OI), Office of the Counsel to the Inspector
General (OCIG), Office of External Relations (OER), and Office of Technology
and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive
Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration's
(SSA) programs and operations and makes recommendations to ensure program objectives
are achieved effectively and efficiently. Financial audits assess whether SSA's
financial statements fairly present SSA's financial position, results of operations,
and cash flow. Performance audits review the economy, efficiency, and effectiveness
of SSA's programs and operations. OA also conducts short-term management reviews
and program evaluations on issues of concern to SSA, Congress, and the general
public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement
in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries,
contractors, third parties, or SSA employees performing their official duties.
This office serves as liaison to the Department of Justice on all matters relating
to the investigation of SSA programs and personnel. OI also conducts joint investigations
with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal
advisor on news releases and in providing information to the various news reporting
services. OER develops OIG's media and public information policies, directs
OIG's external and public affairs programs, and serves as the primary contact
for those seeking information about OIG. OER prepares OIG publications, speeches,
and presentations to internal and external organizations, and responds to Congressional
correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security.
OTRM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OTRM is the focal point for OIG's strategic
planning function, and the development and monitoring of performance measures.
In addition, OTRM receives and assigns for action allegations of criminal and
administrative violations of Social Security laws, identifies fugitives receiving
benefit payments from SSA, and provides technological assistance to investigations.