Review of Alleged Mismanagement of VA’s Real Time Location System Project

In September 2015, OIG received an allegation claiming VA management failed to comply with VA policy and guidance when it deployed Real Time Location System (RTLS) assets without appropriate project oversight. The complainant also stated that VA deployed RTLS assets without meeting VA information security requirements.OIG found that the RTLS Project Management Office (PMO) did not follow guidance from VA’s Technology Acquisition Center to use an incremental project management approach and did not follow VA’s project implementation policy requiring the use of the Project Management Accountability System for all acquisitions and delivery of RTLS assets. VA awarded the first RTLS task order in June 2012. As of December 2016, $431 million had been obligated for RTLS assets and services without Government acceptance of a functional RTLS solution.Additionally, OIG found that RTLS assets were connected to the VA network without proper testing and approval of system security controls in accordance with VA’s risk management framework. As a result, VA’s internal network faced unnecessary risks from these untested RTLS system security controls. In October 2016, RTLS was granted an initial authorization to operate on the VA network.OIG recommended the Acting Under Secretary for Health, in conjunction with the Acting Assistant Secretary for Information and Technology, apply additional resources and implement improved integrated project management controls for the reminder of the project to restrict further cost increases and enforce the use of incremental project management controls, such as those used within the Veteran-focused Integration Process (VIP) on all remaining RTLS task orders, to ensure such efforts will provide an adequate return on investment. In addition, OIG recommended the Acting Assistant Secretary for the Office of Information and Technology ensure risk assessments are conducted on future RTLS deployments to identify potential risks and vulnerabilities that may adversely affect other VA systems.