The Two Million Dollar Intern
The WasteWatcher
Worth his weight in gold, former astronaut Steve Austin used his super-human bionic strength to fight crime, injustice and international bad guys, all in the name of the red, white and blue. The U.S. Department of Agriculture (USDA) now has its own version of “The Six Million Dollar Man,” known as “The Two Million Dollar Intern.”
An August 2, 2012 audit by the USDA Office of Inspector General (IG) reviewed the Office of the Chief Information Officer’s (OCIO) funding for fiscal years (FY) 2010 and 2011 for information technology (IT) security enhancements. Along with the revelation of the $2 million internship program in which only one intern participated, the IG reported other deficiencies relating to planning and development, including exceeding proposed budgets for projects, not allotting sufficient funding for other projects to key security areas, and inadequate implementation of some projects.
The $2 million internship program was part of $64 million in additional appropriations for the agency covering FY 2010 and FY 2011, specifically to be used to enhance and strengthen USDA’s IT security. According to the report, during that two-year period, the agency began 16 separate security enhancement projects and as of April 2, 2012 had spent $63.4 million on those projects. However, all 16 projects were begun at one time without proper planning or prioritization.
The $2 million internship program was part of $6.7 million spent by the OCIO in FYs 2010 and 2011 for three projects that were not proposed to Congress in its budget request. The other projects not proposed to Congress were $2.45 million for re-engineered certification and accreditation and $2.25 million for governance, risk and compliance. The internship project was intended to develop a highly skilled IT security workforce at the department. From the $2 million used to fund the internship program, $686,000 was spent for the development and implementation of a networking website and approximately $192,500 for intern housing costs for two summers. According to the IG’s audit, in FY 2010, the OCIO also spent $4.7 million that was supposed to be used for network security assessments on unrelated projects.
In addition, the IG stated that the OCIO had spent $235,000 on a project that duplicated another project’s objective. The duplicate project was eventually cancelled, and now serves as a good example of the continued need for better management and planning within the OCIO.
The IG made it clear that the OCIO is not sufficiently prioritizing or managing projects intended to reduce critical IT security weaknesses, and is instead initiating more projects than it can complete in a reasonable timeframe. The IG recommended the OCIO should document the priority of projects, develop detailed internal control procedures for project management, and strengthen communication and coordination among OCIO management, project managers, account managers, and contractors.
On Sunday, August 12, 2012, CAGW President Tom Schatz appeared on “Fox and Friends” to discuss the report’s findings, noting that it was “typical” for an agency to request “all this money and we’ll figure out how to spend it.” Schatz emphasized the fact that the Senate has not passed a budget in more than 1,200 days, and said “if you don’t have a plan, how can you know how to spend the money?”
One of the IG’s recommendations was for the OCIO to develop “detailed internal control procedures for project management that include the requirement to specify and document project milestones, accurately allocate and track project costs, develop project timelines, and establish project-specific roles and responsibilities.” OCIO responded that it had already implemented some internal control procedures for project management, and as of FY 2010 require project managers to engage the Portfolio and Project Management Branch of International Technology Services when developing projects. The OCIO is also in the process of developing required project documentation that will include project charters, defined roles and responsibilities, project plans, work breakdown structures, and project schedules. The IG asked the OCIO to formalize these procedures into a policy and provide estimated release dates of projects to management for decisions.
In contrast to the USDA’s program management problems highlighted in the IG’s report is the Department of Veterans Affairs’ Program Management Accountability System (PMAS), which was discussed in a September 30, 2011, CAGW article, has had much better success at tracking IT expenditures. An August 18, 2011 blog post on CIO.gov discussed how the VA used its PMAS system to evaluate IT programs and take appropriate action in reducing or eliminating programs that could fail to meet their goals or commitments in a timely manner.
While the two million dollar intern is not quite the six million dollar man, USDA’s IT security remains at risk. The agency should have better planned its IT development strategy by using a program similar to the VA’s PMAS. It then would be better positioned to prioritize IT project spending, particularly in its IT security portfolio, and improve its use of taxpayer funding.