U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT OFFICE OF INSPECTOR GENERAL September 30, 2013 MEMORANDUM NO: 2013-IE-0805 Memorandum TO: Jemine A. Bryon Chief Procurement Officer, N Theodore W. Tozer President, Government National Mortgage Association, T //signed// FROM: Donna M. Hawkins Acting Director, Inspections and Evaluations Division, GAH SUBJECT: Evaluation of Ginnie Mae’s Managed Data Center Sole-Source Requisition INTRODUCTION In response to a hotline complaint, we conducted an evaluation of the Government National Mortgage Association’s (Ginnie Mae) managed data center sole-source requisition. Specifically, the hotline complaint alleged that Ginnie Mae (1) intended to circumvent the normal competitive process and did not publicize the full details of the scope of the contract, (2) intended to issue a sole-source contract and then enlarge the scope postaward without the opportunity for further competition, and (3) purchased information technology (IT) equipment and licenses that will ultimately be transferred to the sole-source contractor. Our objectives were to determine whether Ginnie Mae followed Federal and U.S. Department of Housing and Urban Development (HUD) procurement procedures for the managed data center requisition and used funding under an existing contract vehicle to purchase IT hardware and licensing for use under the managed data center requisition (future contract). METHODOLOGY AND SCOPE We performed our evaluation in Washington, DC, between May 2012 and July 2013. To accomplish our objectives, we Office of Audit (Inspections and Evaluations Division) 451 7th Street SW., Room 8170, Washington, DC 20410 Phone (202) 402-8482, Fax (202) 401-2488 Visit the Office of Inspector General Web site at www.hudoig.gov. Reviewed applicable contracts, modifications, requisitions, and vouchers. Reviewed Federal and HUD procurement regulations, as well as relevant National Institute of Science and Technology (NIST) standards. Interviewed relevant Ginnie Mae and Office of the Chief Procurement Officer (OCPO) staff. We conducted the evaluation in accordance with the Quality Standards for Inspections issued by the Council of the Inspectors General on Integrity and Efficiency. Our review was limited to our objectives to evaluate the allegations made by the complainant. The auditees agreed with the report and chose not to provide comments to this final report. BACKGROUND Ginnie Mae is a Government-owned corporation within HUD that provides guarantees on federally insured mortgage-backed securities. Within Ginnie Mae, the Technology Management Division is responsible for providing the planning and technical execution leadership that meets Ginnie Mae’s evolving business, information, and security needs. The Division ensures that the enterprise architecture and related business and technology roadmap are aligned to meet the information and security requirements of Ginnie Mae and deliver on-time technology solutions to meet Ginnie Mae’s objectives. The Division needed the managed data center contract. OCPO is responsible for awarding and administering contract actions for HUD. HUD contracting officers have the authority to enter into, administer, and terminate contracts up to the limit of their individual delegations of authority. For IT systems and services contracts, the contracting officer must ensure that new contracts include appropriate clauses, other terms, and conditions to enforce HUD’s IT security policy. New contracts incorporate IT security functional and assurance requirements in accordance with HUD IT security policy. All IT security terms and conditions comply with departmental acquisition policy, the HUD Acquisition Regulation, the Federal Acquisition Regulation (FAR), and applicable statutes and Government- wide policies. On January 12, 2012, OCPO posted a special notice to FedBizOpps,1 which announced its intent to enter into a sole-source, firm-fixed-price, labor-hour contract with Navisite, Inc., to obtain hosting and data management services. The period of performance would be 1 base year with 4 option years. The notice further stated that Navisite, Inc., was the only responsible source meeting the minimum Government requirements, which included a NIST-certified tier 3 managed data center with an infrastructure meeting Federal Information Security Management Act of 2002, NIST, and Office of Management and Budget requirements, with telecommunication virtual private network, continuity of operations planning, hardware, software, and licensing capabilities. The notice did not request competitive proposals; however, 1 FedBizOpps (www.fbo.gov) is the single Government point of entry for Federal Government procurement opportunities over $25,000. Government buyers are able to publicize their business opportunities by posting information directly to FedBizOpps via the Internet. Through one portal – FedBizOpps – commercial vendors seeking Federal markets for their products and services can search, monitor, and retrieve opportunities solicited by the entire Federal contracting community. 2 it did solicit capability statements from interested parties. Those statements were due to HUD on January 23, 2012, by 3:00 p.m. The notice further stated that although the information collected would be considered when determining whether to use competitive contracting, it was left up to the Government’s discretion to decide not to compete these services. Navisite, Inc., was awarded the contract on June 4, 2012. On January 26, 2012, HUD’s Office of Inspector General received a complaint in which the complainant stated the following concerns and allegations regarding the managed data center special notice and the requisition: Ginnie Mae intended to circumvent the normal competitive process and did not publicize the full details of the scope of the contract. Ginnie Mae’s intent is to issue a sole-source contract and then enlarge the scope post- award without the opportunity for further competition. Ginnie Mae purchased IT equipment and licenses that will ultimately be transferred to Navisite, Inc., the sole-source contractor, and this could potentially increase the cost of the contract. The complainant believed that Ginnie Mae was attempting to solicit industry input, with negligible publicity and without fully disclosing the future and anticipated scope and requirements, and proceeding with the sole-source award. RESULTS OF REVIEW We reviewed the allegations contained in a hotline complaint that Ginnie Mae did not publicize the full details of the scope of the contract, intended to issue a sole-source contract and then enlarge the scope post-award without the opportunity for further competition, and purchased IT equipment and licenses that will ultimately be transferred to Navisite, Inc., the sole-source contractor. Additionally, we reviewed an allegation that data center hosting and managed servicing is competitive in nature, with dozens of companies (either specialized data center providers, other industry providers, or government contractors) that are able to provide comparable services. We found no evidence to substantiate these allegations. The significant allegations made in the complaint and the results of our review of those allegations are detailed as follows: Allegation 1: Ginnie Mae intended to circumvent the normal competitive process and did not publicize the full details of the scope of the contract. We reviewed the solicitation and sole- source justification and interviewed pertinent staff from OCPO and Ginnie Mae. We found that OCPO and Ginnie Mae followed Federal procurement laws in selecting the sole-source option. FAR 6.302-1 states that contracting without full and open competition is authorized when services required by the agency are available from only one responsible source and no other type of services will satisfy agency requirements. While other vendors may be able to perform data center hosting and management services, OCPO and Ginnie Mae ultimately deemed Navisite, Inc., as the only reliable source to hold a Ginnie Mae-issued NIST certification and the U.S. Treasury’s authority to operate an automated clearing house. Within the justification document, it explained why there was only one responsible source, 3 noting that the four vendors that submitted capability statements were found unable to provide the services Navisite, Inc., could provide. Specifically, the justification cited (1) the interested vendors’ lack of Ginnie Mae NIST certification, (2) the time it would take the contractors to obtain certification, and (3) the urgency to fulfill the agency’s need before the prior contract expired to prevent a delay in service. Further, 41 U.S.C. (United States Code) 3304 (b)(2) states that in the case of a follow-on contract for the continued development or production of a major system, the property may be procured through procedures other than competitive procedures when it is likely that award to another source would result in (1) substantial duplication of cost to the Federal Government that is not expected to be recovered through competition or (2) unacceptable delay in fulfilling the executive agency’s needs. The special notice did not request proposals; instead, the notice solicited capability statements from interested parties to determine whether to conduct a competitive procurement. Although the capability statements would be considered when determining whether to use competitive contracting, it was left up to the Government’s discretion not to compete these services. Since OCPO and Ginnie Mae intended to negotiate a sole-source contract, it was not necessary to provide the full details of the requirements within the notice. Allegation 2: Ginnie Mae intended to issue a sole source contract and then enlarge the scope postaward without the opportunity for further competition. Although the complainant is correct that Ginnie Mae intended to award a sole-source contract, as indicated in the special notice, we cannot provide a conclusion about Ginnie Mae’s intent to expand the scope of the contract in the future. In reviewing the contract terms and the approved modifications, we did not find evidence that any work or contract line items were changed by the contract modifications. Therefore, all work to be performed on the contract at the time of our review was within the scope of the contract terms. Allegation 3: Ginnie Mae purchased IT equipment and licenses that will ultimately be transferred to Navisite, Inc., the sole-source contractor. We determined that this allegation did not have merit. We reviewed vouchers from January 1, 2011, through June 30, 2012, and based on our review of these vouchers, we found no evidence that Ginnie Mae purchased IT equipment and licenses for the purpose of transferring them to Navisite, Inc., as alluded to in the complainant. Although we did not note equipment or license purchases during our voucher review, Ginnie Mae stated that previously purchased IT equipment and licenses were being used by Navisite, Inc. These purchases were made under a prior contract, for which Navisite, Inc., was a subcontractor and performed technical tasks. Under this new contract, Navisite, Inc., continued to use the previously acquired Ginnie Mae IT equipment and licenses. RECOMMENDATIONS There are no recommendations in this memorandum as we have no reportable findings from this evaluation. 4
Evaluation of Ginnie Mae's Managed Data Center Sole-Source Requisition
Published by the Department of Housing and Urban Development, Office of Inspector General on 2013-09-30.
Below is a raw (and likely hideous) rendition of the original report. (PDF)