oversight

Evaluation of Ginnie Mae's Managed Data Center Sole-Source Requisition

Published by the Department of Housing and Urban Development, Office of Inspector General on 2013-09-30.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                 U.S. DEPARTMENT OF
                                HOUSING AND URBAN DEVELOPMENT
                                         OFFICE OF INSPECTOR GENERAL



                                                     September 30, 2013
                                                                                               MEMORANDUM NO:
                                                                                                    2013-IE-0805



Memorandum
TO:            Jemine A. Bryon
               Chief Procurement Officer, N
               Theodore W. Tozer
               President, Government National Mortgage Association, T

               //signed//
FROM:          Donna M. Hawkins
               Acting Director, Inspections and Evaluations Division, GAH

SUBJECT:       Evaluation of Ginnie Mae’s Managed Data Center Sole-Source Requisition


                                            INTRODUCTION

In response to a hotline complaint, we conducted an evaluation of the Government National
Mortgage Association’s (Ginnie Mae) managed data center sole-source requisition. Specifically,
the hotline complaint alleged that Ginnie Mae (1) intended to circumvent the normal competitive
process and did not publicize the full details of the scope of the contract, (2) intended to issue a
sole-source contract and then enlarge the scope postaward without the opportunity for further
competition, and (3) purchased information technology (IT) equipment and licenses that will
ultimately be transferred to the sole-source contractor.

Our objectives were to determine whether Ginnie Mae followed Federal and U.S. Department of
Housing and Urban Development (HUD) procurement procedures for the managed data center
requisition and used funding under an existing contract vehicle to purchase IT hardware and
licensing for use under the managed data center requisition (future contract).

                                 METHODOLOGY AND SCOPE

We performed our evaluation in Washington, DC, between May 2012 and July 2013.


To accomplish our objectives, we

                                Office of Audit (Inspections and Evaluations Division)
                                 451 7th Street SW., Room 8170, Washington, DC 20410
                                       Phone (202) 402-8482, Fax (202) 401-2488
                           Visit the Office of Inspector General Web site at www.hudoig.gov.
        Reviewed applicable contracts, modifications, requisitions, and vouchers.
        Reviewed Federal and HUD procurement regulations, as well as relevant National
         Institute of Science and Technology (NIST) standards.
        Interviewed relevant Ginnie Mae and Office of the Chief Procurement Officer (OCPO)
         staff.

We conducted the evaluation in accordance with the Quality Standards for Inspections issued by
the Council of the Inspectors General on Integrity and Efficiency. Our review was limited to our
objectives to evaluate the allegations made by the complainant.

The auditees agreed with the report and chose not to provide comments to this final report.

                                                BACKGROUND

Ginnie Mae is a Government-owned corporation within HUD that provides guarantees on
federally insured mortgage-backed securities. Within Ginnie Mae, the Technology Management
Division is responsible for providing the planning and technical execution leadership that meets
Ginnie Mae’s evolving business, information, and security needs. The Division ensures that the
enterprise architecture and related business and technology roadmap are aligned to meet the
information and security requirements of Ginnie Mae and deliver on-time technology solutions
to meet Ginnie Mae’s objectives. The Division needed the managed data center contract.

OCPO is responsible for awarding and administering contract actions for HUD. HUD
contracting officers have the authority to enter into, administer, and terminate contracts up to the
limit of their individual delegations of authority. For IT systems and services contracts, the
contracting officer must ensure that new contracts include appropriate clauses, other terms, and
conditions to enforce HUD’s IT security policy. New contracts incorporate IT security
functional and assurance requirements in accordance with HUD IT security policy. All IT
security terms and conditions comply with departmental acquisition policy, the HUD Acquisition
Regulation, the Federal Acquisition Regulation (FAR), and applicable statutes and Government-
wide policies.

On January 12, 2012, OCPO posted a special notice to FedBizOpps,1 which announced its intent
to enter into a sole-source, firm-fixed-price, labor-hour contract with Navisite, Inc., to obtain
hosting and data management services. The period of performance would be 1 base year with 4
option years. The notice further stated that Navisite, Inc., was the only responsible source
meeting the minimum Government requirements, which included a NIST-certified tier 3
managed data center with an infrastructure meeting Federal Information Security Management
Act of 2002, NIST, and Office of Management and Budget requirements, with
telecommunication virtual private network, continuity of operations planning, hardware,
software, and licensing capabilities. The notice did not request competitive proposals; however,

1
  FedBizOpps (www.fbo.gov) is the single Government point of entry for Federal Government procurement
opportunities over $25,000. Government buyers are able to publicize their business opportunities by posting
information directly to FedBizOpps via the Internet. Through one portal – FedBizOpps – commercial vendors
seeking Federal markets for their products and services can search, monitor, and retrieve opportunities solicited by
the entire Federal contracting community.


                                                          2
it did solicit capability statements from interested parties. Those statements were due to HUD on
January 23, 2012, by 3:00 p.m. The notice further stated that although the information collected
would be considered when determining whether to use competitive contracting, it was left up to
the Government’s discretion to decide not to compete these services. Navisite, Inc., was
awarded the contract on June 4, 2012.

On January 26, 2012, HUD’s Office of Inspector General received a complaint in which the
complainant stated the following concerns and allegations regarding the managed data center
special notice and the requisition:

       Ginnie Mae intended to circumvent the normal competitive process and did not publicize
        the full details of the scope of the contract.
       Ginnie Mae’s intent is to issue a sole-source contract and then enlarge the scope post-
        award without the opportunity for further competition.
       Ginnie Mae purchased IT equipment and licenses that will ultimately be transferred to
        Navisite, Inc., the sole-source contractor, and this could potentially increase the cost of
        the contract.

The complainant believed that Ginnie Mae was attempting to solicit industry input, with
negligible publicity and without fully disclosing the future and anticipated scope and
requirements, and proceeding with the sole-source award.

                                    RESULTS OF REVIEW

We reviewed the allegations contained in a hotline complaint that Ginnie Mae did not publicize
the full details of the scope of the contract, intended to issue a sole-source contract and then
enlarge the scope post-award without the opportunity for further competition, and purchased IT
equipment and licenses that will ultimately be transferred to Navisite, Inc., the sole-source
contractor. Additionally, we reviewed an allegation that data center hosting and managed
servicing is competitive in nature, with dozens of companies (either specialized data center
providers, other industry providers, or government contractors) that are able to provide
comparable services. We found no evidence to substantiate these allegations. The significant
allegations made in the complaint and the results of our review of those allegations are detailed
as follows:

   Allegation 1: Ginnie Mae intended to circumvent the normal competitive process and did not
    publicize the full details of the scope of the contract. We reviewed the solicitation and sole-
    source justification and interviewed pertinent staff from OCPO and Ginnie Mae. We found
    that OCPO and Ginnie Mae followed Federal procurement laws in selecting the sole-source
    option. FAR 6.302-1 states that contracting without full and open competition is authorized
    when services required by the agency are available from only one responsible source and no
    other type of services will satisfy agency requirements. While other vendors may be able to
    perform data center hosting and management services, OCPO and Ginnie Mae ultimately
    deemed Navisite, Inc., as the only reliable source to hold a Ginnie Mae-issued NIST
    certification and the U.S. Treasury’s authority to operate an automated clearing house.
    Within the justification document, it explained why there was only one responsible source,


                                                 3
    noting that the four vendors that submitted capability statements were found unable to
    provide the services Navisite, Inc., could provide. Specifically, the justification cited (1) the
    interested vendors’ lack of Ginnie Mae NIST certification, (2) the time it would take the
    contractors to obtain certification, and (3) the urgency to fulfill the agency’s need before the
    prior contract expired to prevent a delay in service.

    Further, 41 U.S.C. (United States Code) 3304 (b)(2) states that in the case of a follow-on
    contract for the continued development or production of a major system, the property may be
    procured through procedures other than competitive procedures when it is likely that award
    to another source would result in (1) substantial duplication of cost to the Federal
    Government that is not expected to be recovered through competition or (2) unacceptable
    delay in fulfilling the executive agency’s needs. The special notice did not request proposals;
    instead, the notice solicited capability statements from interested parties to determine
    whether to conduct a competitive procurement. Although the capability statements would be
    considered when determining whether to use competitive contracting, it was left up to the
    Government’s discretion not to compete these services. Since OCPO and Ginnie Mae
    intended to negotiate a sole-source contract, it was not necessary to provide the full details of
    the requirements within the notice.

   Allegation 2: Ginnie Mae intended to issue a sole source contract and then enlarge the scope
    postaward without the opportunity for further competition. Although the complainant is
    correct that Ginnie Mae intended to award a sole-source contract, as indicated in the
    special notice, we cannot provide a conclusion about Ginnie Mae’s intent to expand the
    scope of the contract in the future. In reviewing the contract terms and the approved
    modifications, we did not find evidence that any work or contract line items were changed by
    the contract modifications. Therefore, all work to be performed on the contract at the time of
    our review was within the scope of the contract terms.

   Allegation 3: Ginnie Mae purchased IT equipment and licenses that will ultimately be
    transferred to Navisite, Inc., the sole-source contractor. We determined that this allegation
    did not have merit. We reviewed vouchers from January 1, 2011, through June 30, 2012, and
    based on our review of these vouchers, we found no evidence that Ginnie Mae purchased IT
    equipment and licenses for the purpose of transferring them to Navisite, Inc., as alluded to in
    the complainant. Although we did not note equipment or license purchases during our
    voucher review, Ginnie Mae stated that previously purchased IT equipment and licenses
    were being used by Navisite, Inc. These purchases were made under a prior contract, for
    which Navisite, Inc., was a subcontractor and performed technical tasks. Under this new
    contract, Navisite, Inc., continued to use the previously acquired Ginnie Mae IT equipment
    and licenses.

                                     RECOMMENDATIONS

There are no recommendations in this memorandum as we have no reportable findings from this
evaluation.




                                                  4