IT Management: VA Needs to Improve CIO Oversight of Procurements
Fast Facts
The Department of Veterans Affairs spends billions of dollars each year on IT to help manage veterans' benefits and deliver health care.
According to federal laws and guidance, VA's Chief Information Officer (CIO) should be fully accountable for IT acquisition and management decisions. CIO oversight helps ensure that IT acquisitions aren't poorly planned or duplicative.
Our review of 26 IT contract awards from fiscal year 2021 showed that 14 didn't have CIO approval. Of those, 13 were managed by offices that don't specialize in IT. Our recommendation is to help ensure CIO approval.
Our Sample of VA Contract Awards and Their Approvals by Type of Contracting Office
Highlights
What GAO Found
The Department of Veterans Affairs (VA) procured IT and IT-related assets and activities that were often not approved by its Chief Information Officer (CIO). Such approval is required by the Federal Information Technology Acquisition Reform Act (FITARA). VA awarded 11,644 new contract actions categorized as IT between March 2018 and the end of fiscal year 2021. VA did not provide evidence of CIO approval for 4,513 (or 39 percent) of these contract actions.
A more in-depth review of 26 selected IT contract actions from fiscal year 2021 confirmed that 12 had documentation showing approval by appropriate agency officials at the required level of authority. The remaining 14 contract actions lacked CIO approval documentation (see figure).
The Department of Veterans Affairs' Documented Chief Information Officer Approvals for Selected Fiscal Year 2021 IT Contract Actions
Of the 14 contract actions lacking CIO approval, 13 were managed by non-IT contracting offices. According to VA officials, their contracting systems lack an automated control that would remind contracting officers of CIO review and approval requirements. Without an automated check or control to ensure contracting officer compliance, it is likely that there will continue to be IT procurements that will not be routed for CIO review, particularly for non-IT contracting offices. The lack of visibility into the procurement of much of VA's IT assets and activities constrained the CIO's opportunity to provide input on current and planned IT acquisitions. This, in turn, could result in awarding contracts that are duplicative or poorly conceived.
Why GAO Did This Study
VA annually spends billions of dollars on IT each year to support the delivery of veterans' benefits and health care services. IT acquisition reform legislation, commonly referred to as FITARA, strengthens the authority of CIOs to provide needed direction and oversight.
GAO was asked to review VA's IT management. The specific objective was to determine the extent to which VA's IT and IT-related assets and activities are being procured with CIO approval.
GAO identified IT-categorized contract actions for new awards from March 2018 through the end of fiscal year 2021. GAO also selected 26 IT-categorized contract actions from fiscal year 2021 for an in-depth individual review of the approval documentation. The 26 actions selected represented a range of cost thresholds and different VA contracting offices.
Recommendations
GAO is recommending that VA implement automated controls into relevant contracting systems to ensure CIO review of IT procurements. VA concurred with the recommendation.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Veterans Affairs | The Secretary of VA should direct the Chief Information Officer and Chief Acquisition Officer to implement automated controls into relevant contracting systems to help ensure that IT and IT-related assets and activities are appropriately identified for VA's FITARA approval process. (Recommendation 1) |
Open
The Department of Veterans Affairs (VA) concurred with our recommendation. As of September 2023, the department noted that the Office of Information and Technology and the Office of Acquisition and Logistics are developing an action plan that includes (1) establishing a tiger team focused on creating improved controls for identifying IT acquisitions to ensure that they meet FITARA review requirements, (2) conducting internal audits that ensure FITARA compliance, and (3) developing additional policy and guidance that directs all IT and IT-related contracts to use the Technology Acquisition Center and follow updated procedures consistent with FITARA. The timeline for establishing the items in the described action plan and implementing automated controls have yet to be finalized. We will continue to monitor the department's progress in implementing our recommendation.
|