Federal Deposit Insurance Corporation
Office of Inspector General

Infrastructure Support Contract 3 (ISC-3) with CSRA, Inc.

This is the accessible text file for FDIC OIG report number PAE Memorandum 18-001 entitled 'Infrastructure Support Contract 3 (ISC-3) with CSRA, Inc.'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.


July 2018 PAE Memorandum 18-001


Program Audits and Evaluations

[OIG values - Integrity, Independence, Accuracy, Objectivity, Accountability]

[FDIC OIG letterhead - FDIC OIG logo, Federal Deposit Insurance Corporation, Office of Inspector General, Office of Program Audits and Evaluations]

Date: July 2, 2018

Memorandum To: Russell G. Pittman, Director, Division of Information Technology

Arleas Upton Kea, Director, Division of Administration

From: Stephen M. Beard, Acting Assistant Inspector General for Program Audits and Evaluations /Signed/

Subject: Infrastructure Support Contract 3 (ISC-3) with CSRA, Inc., PAE Memorandum 18-001

In October 2017, we initiated preliminary research in support of a planned audit of FDIC’s Infrastructure Support Contract 3 (ISC-3 contract). During this phase of the assignment, we conducted interviews with representatives from FDIC’s Division of Information Technology (DIT) and Division of Administration (DOA); the General Services Administration (GSA) and GSA’s Federal Systems Integration and Management Center (FEDSIM); and CSRA Inc. (CSRA). [Footnote 1] We also gathered relevant information and performed limited testing in connection with a sample of billings and procedural operations. Our work did not constitute an audit in accordance with Government Auditing Standards.

Footnote 1: General Dynamics acquired CSRA in April 2018. [End of footnote]


The ISC-3 contract is a Government-Wide Acquisition Contract, and as such, is subject to the FAR (Federal Acquisition Regulation). The ISC-3 contract is administered through and managed by FEDSIM, which provides acquisition services to federal agencies and is housed in GSA. FDIC reimburses FEDSIM for actual contract costs and pays FEDSIM a monthly fee for managing and administering the contract. According to the Interagency Agreement between FDIC and FEDSIM that governs the contract, FEDSIM is responsible for:


- Managing all phases of the contract;

- Resolving contractual problems or issues and, if necessary, adjudicating disputes with the contractor;

- Enforcing contractual terms and conditions to ensure timely delivery of goods and services;

- Performing final acceptance of supplies and services;

- Paying non-disputed invoices for goods and services; and

- Tracking project status and costs.

The Interagency Agreement also stipulates that FDIC is responsible for:

- Fully funding all costs related to products and services ordered;

- Ensuring that contractor personnel have appropriate security clearances on file;

- Tracking, measuring, and evaluating contractor performance and reporting to FEDSIM’s point of contact on a monthly basis;

- Advising FEDSIM immediately of any problems or changed conditions that affect performance by the contractor; and

- Receiving, inspecting, and then accepting or rejecting deliverables.

The ISC-3 contract covers the day-to-day operations of FDIC’s infrastructure facilities, hardware, software, and systems. The contract primarily supports operational security, client support/help desk functions, data center operations, asset management, and systems engineering areas. The contract also provides support activities that facilitate FDIC’s delivery of software applications by managing the underlying infrastructure; supporting release management; and providing operations and maintenance of the development, quality assurance, testing, production, and disaster recovery environments. In addition, the contract provides a mechanism to facilitate the procurement of information technology hardware and software resources to meet corporate goals of rapid response during emergencies.

FDIC engaged CSRA as the contractor for the ISC-3 contract. CSRA contractors and subcontractors perform services for FDIC on site and remotely to support FDIC operations at FDIC Headquarters’ buildings in Washington, D.C. and Arlington, Virginia, and at FDIC’s Dallas Regional Office. As of December 2017, there were a total of 318 CSRA contractors and subcontractors who supported FDIC’s operations (250 CSRA contractors and 68 CSRA subcontractors). Since contract inception, FDIC approved approximately 1,100 CSRA employees or subcontractors to work on the ISC-3 contract. The ISC-3 contract allows for a maximum expenditure of $365 million over the 53-month period from February 3, 2014 through July 31, 2018. As of December 2017, FDIC had expended $168.9 million in contract costs.

The ISC-3 contract was the only FDIC contract defined as a cost-plus-award-fee (cost-plus) contract when we conducted our review. A cost-plus contract provides for a fee consisting of (1) a base amount (which may be zero) fixed at inception of the contract and (2) an award amount, based upon a judgmental evaluation by the government, sufficient to provide motivation for excellence in contract performance. Upon expiration of the ISC-3 contract in July 2018, FDIC plans to directly administer and manage a new contract in-house as a time and materials contract.

Billing Charges

We selected an initial sample of billings associated with eight contractors (three CSRA employees and five CSRA subcontractors) and verified the billings to invoices and source documents such as employee timesheets and pay slips. We derived our sample from charges captured in CSRA’s Monthly Financial Reports (MFR), an ISC-3 contract deliverable, which covered billings by contract line item number (CLIN) for August and September 2017. The table below shows the billings the OIG selected for review, which totaled $247,340.25.

Contract Costs in August and September 2017 and OIG Sampled Items


Row 1; Billing Month: August 2017; Direct Labor - CSRA Contractors (CLIN 4001): $2,548,798.43; Direct Labor - Subcontractors (CLIN 4002): $435,885.30; Long Distance Travel (CLIN 4003): $0; Ancillary Products and Services (CLIN 4004): $99,544.36;

Row 2; Billing Month: September 2017; Direct Labor - CSRA Contractors (CLIN 4001): $3,113,428.10; Direct Labor - Subcontractors (CLIN 4002): $616,557.23; Long Distance Travel (CLIN 4003): $0; Ancillary Products and Services (CLIN 4004): $131,620.68;

Row 3; Billing Month: OIG Sample; Direct Labor - CSRA Contractors (CLIN 4001): $84,456.26 (1%); Direct Labor - Subcontractors (CLIN 4002): $109,013.88 (10%); Long Distance Travel (CLIN 4003): $0 (0%); Ancillary Products and Services (CLIN 4004): $53,870.11 (23%);

Row 4; Billing Month: Total Sampled; All CLINs combined: $247,340.25 of $6,945,834.10 (4 percent);

Source: OIG-generated based on MFR data.

[End of table]

We concluded that there was an increased risk that both errors and fraudulent activity would go undetected due to the complexity of CSRA’s accounting entries for contractor and subcontractor billings. Specifically, we noted:

- For the eight individuals in our sample, the August and September MFRs reflected work that the employees performed in prior months as a result of reconciliations and corrections.

- For one CSRA employee, CSRA entered information about the employee’s time into a tracking spreadsheet that CSRA used to allocate costs on a weekly basis. CSRA made several manual entries to reconcile the employee’s time because the employee formerly worked for SRA International, Inc., the predecessor to CSRA. As a result, this employee’s rates were different from those of other CSRA employees, requiring separate cost calculations.

- For one CSRA employee, CSRA billed the government for one hour of the employee’s work for a week in June 2017, but the employee actually worked 40 hours during that week according to the employee’s timesheet. CSRA attributed the discrepancy to the fact that its timekeeping system had not been properly set up for this employee. As of February 2018, CSRA was still correcting this issue and FDIC had not been billed for this employee’s costs in connection with 39 hours for the subject week.

- One CSRA subcontractor charged time to the wrong CLIN in May, June, and July 2017 and subsequently corrected it. As a result, CSRA had not properly accounted for the subcontractor’s work performed in these months and the related MFRs were incorrect. CSRA corrected the matter by August 2017 through a series of manual reconciliations and the August 2017 MFR accurately accounted for the employee’s time billed in the prior 3 months.

- One CSRA subcontractor had two time cards with hours that were manually changed and a third time card that was not signed by his supervisor.

According to CSRA, most of the reconciliations and corrections were due to coding errors. For example, the employees were either not set up properly in CSRA’s accounting system when they started on the contract or the employees charged their time to the wrong charge codes or organizational codes. CSRA provided the OIG with documentation that explained the reconciliations and corrections.

FEDSIM’s procedures did not include verifying contractors’ timesheets to source documentation. FEDSIM personnel informed the OIG that they do not verify billings for any of their clients. The Defense Contract Audit Agency (DCAA) is responsible for verifying billings to source documents, on a sample basis, after the ISC-3 contract expires. DCAA provides audit and financial advisory services to federal agencies responsible for acquisition and contract administration.

FEDSIM personnel informed the OIG that it has several controls in place to ensure billings are accurate. Specifically, FEDSIM reviews the MFR each month by checking contractor rates for accuracy, questions billing anomalies in the MFR such as instances when employees bill more than 40 hours in a week, and reconciles changes in the MFR to employee changes in a weekly report that CSRA sends to FEDSIM. CSRA and DIT personnel informed us that DIT ensures that relevant changes are made before FEDSIM invoices FDIC. We confirmed that FEDSIM provided a monthly invoice and supporting documentation to the Oversight Manager (OM) for review and approval.

Based on our limited testing, we did not find CSRA’s invoices to be inaccurate or unsupported and we did not identify questioned costs.

Computer Security Incidents

FDIC reported 1,349 computer security incidents for the period June 24, 2015 through December 18, 2017. [Footnote 2] Of these incidents, we identified 60 (4 percent) resulting from actions taken by CSRA contractors or subcontractors. Of the 60 incidents, FDIC deemed 41 to be low- or medium-risk. We researched the remaining 19 high-risk incidents and found that:

- Nine involved contractors sending FDIC information to a non-FDIC email address such as their personal email;

- Two involved contractors downloading information to removable or other external media;

- Three involved contractors accessing unauthorized privileged account information;

- Two involved policy violations such as contractors not protecting passwords; and

- Three involved potential breaches of information or data loss, but FDIC personnel ultimately concluded that the incidents were not material.

Footnote 2: FDIC defines a computer security incident as an event that threatens the security of an FDIC Automated Information System, including FDIC’s computers, mainframe, networks, software and associated equipment, and information stored or transmitted using that equipment. [End of footnote]

Collectively, FDIC took the following actions, when warranted, to address these incidents: [Footnote 3]

Footnote 3: For some incidents, more than one of the actions described were taken and, in other cases, FDIC determined corrective or other types of action were not warranted. [End of footnote]

- In 11 instances, FDIC personnel required contractors to delete FDIC information from their personal email accounts, computers, and removable media and to confirm that they completed these actions.

- In 10 instances, FDIC personnel wiped the compromised hard drives clean, deleted computer files, or destroyed removable media that contractors used.

- In 10 instances, FDIC required the contractors to review relevant FDIC policies and acknowledge their understanding of those policies.

- In one instance, a contractor was terminated, and in another instance, FDIC took another form of disciplinary action in connection with the contractor.

Contract Oversight

We assessed compliance with applicable requirements related to selected contract oversight functions performed by FDIC and FEDSIM personnel.

Training for OM and Technical Monitors (TM). Seven DIT personnel oversee the ISC-3 contract: one OM and six TMs. We found that two TMs never took FDIC’s required contract oversight training and two other TMs took the training but their certificates had expired in 2008. The training is current for 3 years.

According to DOA officials, this requirement pertains to contracts managed by FDIC but not to the ISC-3 contract because it is managed by another federal agency. We concluded that it is a best practice for the TMs on the ISC-3 contract to take FDIC’s contract oversight training. DIT personnel informed the OIG that upon expiration of the ISC-3 contract on July 31, 2018, FDIC will administer the subsequent contract in-house and require all TMs on that contract to take contract oversight training.

Pre-employment Requirements. We verified that a sample of eight key CSRA contractors met pre-employment security clearance requirements, as required by the contract. Prior to working on the contract, the contractors were required to complete a pre-employment questionnaire and provide fingerprints, and FDIC personnel were required to certify their review and approval of the documentation. FDIC completed the background investigation steps in a timely manner and the CSRA contractors passed their background investigations prior to working on the ISC-3 contract.

Award Fee Payments. We found that FDIC assessed CSRA performance through 15 reviews in connection with 8 award fee payments, as required by the contract. FDIC conducted the assessments in a timely manner.

FEDSIM Performance Reviews. We verified that FEDSIM performed four performance reviews of CSRA from 2014 through April 2017, as required by the contract.


Based on our limited testing, we did not find CSRA’s invoices to be inaccurate or unsupported nor did we identify questioned costs. In addition, the ISC-3 contract expires in July 2018, and the future contract for these infrastructure, hardware, software, and systems functions will be administered through a time and materials contract that FDIC will manage in-house. For these reasons, we determined that additional work is not warranted and we will not perform an audit. We will, however, leverage our work with respect to this contract in another ongoing evaluation of FDIC’s overall Contract Oversight Management Program.

In response to a draft version of this memorandum, DIT and DOA officials expressed the view that the new contract that will replace the current ISC-3 contract will have a less complex billing process that will facilitate greater transparency. FDIC management will continue to expect the subsequent vendor to properly reconcile its invoices and do so within a reasonable timeframe. Further, DIT and DOA officials informed the OIG that management has initiated and will ensure that all required oversight management training is conducted for ISC-3 OMs and TMs in a timely manner.
