DOT awards Ernst & Young $2.36M for penetration testing support under CSIPS Task Area 5

Contract Overview

Contract Amount: $2,356,792 ($2.4M)

Contractor: Ernst & Young LLP

Awarding Agency: Department of Transportation

Start Date: 2023-09-29

End Date: 2026-09-28

Contract Duration: 1,095 days

Daily Burn Rate: $2.2K/day

Competition Type: FULL AND OPEN COMPETITION

Number of Offers Received: 2

Pricing Type: LABOR HOURS

Sector: IT

Official Description: ESTABLISH A NEW TASK ORDER UNDER CSIPS TASK AREA 5 FOR PENETRATION TESTING SUPPORT.

Place of Performance

Location: WASHINGTON, DISTRICT OF COLUMBIA County, DISTRICT OF COLUMBIA, 20590

State: District of Columbia

Plain-Language Summary

The Department of Transportation obligated $2.4 million to ERNST & YOUNG LLP for work described as: ESTABLISH A NEW TASK ORDER UNDER CSIPS TASK AREA 5 FOR PENETRATION TESTING SUPPORT.

Key points:

1. Contract focuses on critical cybersecurity functions, specifically penetration testing.
2. Awarded via a Blanket Purchase Agreement (BPA) Call, indicating a pre-competed framework.
3. The contract duration of 1095 days suggests a need for sustained cybersecurity support.
4. The North American Industry Classification System (NAICS) code 541519 points to specialized IT services.
5. The contract is not set aside for small businesses, suggesting a focus on larger prime contractors.
6. The geographic location is Washington D.C., a common hub for federal contracting.

Value Assessment

Rating: fair

The contract value of $2.36 million over three years for penetration testing support appears reasonable given the specialized nature of cybersecurity services. Benchmarking against similar contracts for penetration testing is challenging without more specific details on the scope and deliverables. However, the labor hours pricing mechanism allows for flexibility, which can be beneficial but also introduces potential for cost overruns if not managed tightly. The absence of a fixed price for specific deliverables makes direct value-for-money assessment difficult at this stage.

Cost Per Unit: N/A

Competition Analysis

Competition Level: full-and-open

The contract was awarded under full and open competition, which is a positive indicator for price discovery and achieving fair market value. The specific mechanism used, a BPA Call, implies that the underlying BPA was likely competed previously, and this task order leverages that established competition. The number of bidders for this specific task order is not provided, but the 'full and open' designation suggests a broad solicitation.

Taxpayer Impact: Full and open competition generally benefits taxpayers by fostering a competitive environment that can drive down prices and encourage innovation from a wider pool of contractors.

Public Impact

The Federal Highway Administration (FHWA) will benefit from enhanced cybersecurity posture through regular penetration testing. This contract supports the delivery of critical IT security services to protect federal systems. The primary geographic impact is within Washington D.C., where the contract is managed. The contract likely involves skilled cybersecurity professionals, potentially impacting the IT workforce.

Waste & Efficiency Indicators

Waste Risk Score: 50 / 10

Sector Analysis

The cybersecurity services market is a rapidly growing sector within the broader IT services industry. Federal agencies are increasingly investing in cybersecurity to protect sensitive data and critical infrastructure. Penetration testing, a key service under this contract, is a specialized area focused on identifying vulnerabilities in systems before malicious actors can exploit them. Spending in this area is driven by evolving threat landscapes and regulatory requirements. Comparable spending benchmarks are difficult to establish without detailed scope, but federal cybersecurity spending overall has seen significant increases.

Small Business Impact

This contract was not set aside for small businesses, as indicated by the 'ss' field being false. This suggests that the competition was open to all eligible businesses, including large corporations. There is no explicit mention of subcontracting requirements for small businesses within the provided data. The lack of a small business set-aside means that opportunities for small businesses to directly participate in this specific contract are limited, though they may be involved as subcontractors to the prime contractor, Ernst & Young.

Oversight & Accountability

Oversight for this contract will likely be managed by the Federal Highway Administration (FHWA) contracting officers and program managers. The Department of Transportation's Office of Inspector General (OIG) may also conduct audits or investigations into contract performance and spending. Transparency is facilitated through contract award databases like FPDS, where basic information is publicly available. Accountability will be driven by performance metrics and adherence to the terms and conditions of the task order.

Tags

it-services, cybersecurity, penetration-testing, department-of-transportation, federal-highway-administration, washington-dc, full-and-open-competition, bpa-call, labor-hours, professional-services, ernst-young-llp, csips

Frequently Asked Questions

What is this federal contract paying for?

The Department of Transportation awarded $2.4 million to ERNST & YOUNG LLP for work described as: ESTABLISH A NEW TASK ORDER UNDER CSIPS TASK AREA 5 FOR PENETRATION TESTING SUPPORT.

Who is the contractor on this award?

The obligated recipient is ERNST & YOUNG LLP.

Which agency awarded this contract?

Awarding agency: Department of Transportation (Federal Highway Administration).

What is the total obligated amount?

The obligated amount is $2.4 million.

What is the period of performance?

Start: 2023-09-29. End: 2026-09-28.

What is the specific scope of penetration testing to be performed under this task order?

The provided data indicates the task is for 'PENETRATION TESTING SUPPORT' under 'CSIPS TASK AREA 5'. However, the specific scope, methodologies, systems to be tested, and reporting requirements are not detailed in the summary data. Typically, penetration testing involves simulating cyberattacks to identify vulnerabilities. The Federal Highway Administration (FHWA) would have a detailed Statement of Work (SOW) outlining these specifics, including the types of tests (e.g., network, application, social engineering), frequency, and expected deliverables. Without the SOW, it's difficult to fully assess the value and risk associated with this contract.

How does the $2.36 million cost compare to similar penetration testing contracts awarded by the federal government?

Benchmarking this $2.36 million contract against similar federal penetration testing contracts requires access to detailed contract data, including the scope of work, duration, number of bidders, and specific services rendered. The provided data shows a 3-year duration (1095 days) and a labor-hour pricing model. Contracts for penetration testing can vary significantly in cost based on the complexity of the systems being tested, the depth of the analysis, and the required expertise. While $2.36 million over three years might seem substantial, it could represent good value if it covers comprehensive testing of critical infrastructure for a large agency like the FHWA. However, without more granular data, a definitive comparison is not possible.

What are the key performance indicators (KPIs) or metrics used to evaluate Ernst & Young's performance on this contract?

The provided summary data does not specify the Key Performance Indicators (KPIs) or metrics for evaluating Ernst & Young's performance. Typically, for penetration testing contracts, KPIs would focus on the number and severity of vulnerabilities identified, the timeliness of reporting, the accuracy of findings, and adherence to the agreed-upon testing schedule and scope. The contract's success would likely be measured by its contribution to improving the FHWA's overall cybersecurity posture and reducing its attack surface. The contracting officer's representative (COR) would be responsible for monitoring performance against these metrics.

What is the track record of Ernst & Young in providing cybersecurity and penetration testing services to the federal government?

Ernst & Young (EY) is a major global professional services firm with a significant presence in government contracting, including cybersecurity services. They have a history of performing various IT and consulting services for federal agencies. While specific details on their past performance on penetration testing contracts for the Department of Transportation or similar agencies are not in the provided summary, EY's extensive experience and resources suggest a capable provider. Agencies typically vet contractors through past performance evaluations during the bidding process, implying EY met the required standards for this contract.

What is the potential risk associated with using a labor-hour contract type for penetration testing services?

Labor-hour contract types, like the one used here, carry inherent risks for the government, primarily related to cost control. Since payment is based on the hours worked by contractor personnel at specified rates, there's a risk of cost overruns if the project takes longer than anticipated or if labor hours are not efficiently utilized. This contrasts with fixed-price contracts, which offer greater cost certainty. To mitigate this risk, the government relies on strong oversight, detailed monitoring of labor hours, and clear performance standards to ensure that the work performed is necessary and productive. The 'full and open competition' aspect helps, but diligent contract management is crucial.

Industry Classification

NAICS: Professional, Scientific, and Technical Services > Computer Systems Design and Related Services > Other Computer Related Services

Product/Service Code: IT AND TELECOM - INFORMATION TECHNOLOGY AND TELECOMMUNICATIONS > IT AND TELECOM - SECURITY AND COMPLIANCE

Competition & Pricing

Extent Competed: FULL AND OPEN COMPETITION

Solicitation Procedures: SUBJECT TO MULTIPLE AWARD FAIR OPPORTUNITY

Offers Received: 2

Pricing Type: LABOR HOURS (Z)

Evaluated Preference: NONE

Contractor Details

Address: 1 MANHATTAN WEST, NEW YORK, NY, 10001

Business Categories: Category Business, Not Designated a Small Business, Partnership or Limited Liability Partnership, Special Designations, U.S.-Owned Business

Financial Breakdown

Contract Ceiling: $2,356,792

Exercised Options: $2,356,792

Current Obligation: $2,356,792

Actual Outlays: $1,504,344

Contract Characteristics

Commercial Item: COMMERCIAL PRODUCTS/SERVICES PROCEDURES NOT USED

Parent Contract

Parent Award PIID: 693JJ320A000018

IDV Type: BPA

Timeline

Start Date: 2023-09-29

Current End Date: 2026-09-28

Potential End Date: 2026-09-28

Last Modified: 2026-02-19
