VA awards $76M cybersecurity policy compliance contract to Deloitte Consulting LLP

Contract Overview

Contract Amount: $76,111,472 ($76.1M)

Contractor: Deloitte Consulting LLP

Awarding Agency: Department of Veterans Affairs

Start Date: 2017-09-06

End Date: 2022-09-24

Contract Duration: 1,844 days

Daily Burn Rate: $41.3K/day

Competition Type: FULL AND OPEN COMPETITION

Number of Offers Received: 2

Pricing Type: FIXED PRICE LEVEL OF EFFORT

Sector: IT

Official Description: IGF::OT::IGF CYBER SECURITY POLICY COMPLIANCE ANALYTICS SUPPORT (CSPCAS)

Place of Performance

Location: ALEXANDRIA, ALEXANDRIA CITY County, VIRGINIA, 22314

State: Virginia Government Spending

Plain-Language Summary

Department of Veterans Affairs obligated $76.1 million to DELOITTE CONSULTING LLP for work described as: IGF::OT::IGF CYBER SECURITY POLICY COMPLIANCE ANALYTICS SUPPORT (CSPCAS) Key points: 1. Contract provides essential cybersecurity policy compliance analytics support. 2. The contract was awarded through full and open competition, suggesting a competitive bidding process. 3. The fixed-price level-of-effort contract type aims to control costs for defined work. 4. The duration of the contract is substantial, spanning over 1800 days. 5. The contractor, Deloitte Consulting LLP, is a major player in the consulting and IT services sector. 6. The contract value is significant, reflecting the importance of cybersecurity for the VA.

Value Assessment

Rating: good

The contract value of approximately $76 million over its period of performance appears reasonable for comprehensive cybersecurity policy compliance analytics support. Benchmarking against similar large-scale IT support contracts within federal agencies suggests this pricing is within expected ranges, especially considering the specialized nature of cybersecurity compliance. The fixed-price nature of the contract provides cost certainty for the government, assuming the scope of work remains stable. The contract was awarded to a single vendor, indicating a potentially focused relationship for this specific service.

Cost Per Unit: N/A

Competition Analysis

Competition Level: full-and-open

This contract was awarded under full and open competition, indicating that all responsible sources were permitted to submit offers. The fact that it resulted in a single award suggests that Deloitte Consulting LLP was the most advantageous offer based on the evaluation criteria. While the number of bidders is not explicitly stated, full and open competition generally fosters price discovery and encourages competitive pricing among potential offerors.

Taxpayer Impact: Full and open competition is beneficial for taxpayers as it typically leads to more competitive pricing and a wider range of innovative solutions being considered, ultimately maximizing the value for government spending.

Public Impact

The Department of Veterans Affairs (VA) benefits from enhanced cybersecurity posture and compliance. Services delivered include analytics support for policy compliance, crucial for protecting sensitive veteran data. The contract's impact is primarily national, supporting the VA's nationwide operations. Workforce implications include the potential for specialized cybersecurity and analytics roles within Deloitte and potentially the VA.

Waste & Efficiency Indicators

Waste Risk Score: 50 / 10

Warning Flags

Potential for vendor lock-in due to the long-term nature and specialized services.
Reliance on a single contractor for critical cybersecurity compliance functions.
Ensuring continuous innovation and adaptation to evolving cyber threats within the contract scope.

Positive Signals

Award to a reputable contractor with demonstrated experience in IT and cybersecurity.
The use of full and open competition suggests a robust selection process.
Fixed-price contract type provides budget predictability for the VA.

Sector Analysis

The cybersecurity services market is a rapidly growing and critical sector within the broader IT industry. Federal agencies, including the VA, are significant spenders in this area due to the increasing volume and sophistication of cyber threats. This contract for policy compliance analytics support fits within the broader category of IT professional services, specifically focusing on security and compliance. Comparable spending benchmarks for cybersecurity support services can vary widely based on scope, duration, and contractor expertise, but a $76 million award over five years indicates a substantial and complex requirement.

Small Business Impact

The provided data indicates that this contract was not set aside for small businesses (ss: false, sb: false). Therefore, there are no direct subcontracting implications for small businesses stemming from a small business set-aside. The award to a large prime contractor like Deloitte Consulting LLP means that any subcontracting opportunities would be at the discretion of the prime contractor, and there is no specific requirement mandated by a set-aside program.

Oversight & Accountability

Oversight for this contract would typically be managed by the Department of Veterans Affairs contracting officers and program managers. Accountability measures are inherent in the fixed-price level-of-effort contract type, which requires the contractor to deliver specific outcomes within agreed-upon cost parameters. Transparency is generally facilitated through contract award databases and reporting requirements. The Inspector General's office for the VA would have jurisdiction to investigate any potential fraud, waste, or abuse related to this contract.

Related Government Programs

VA IT Modernization
Federal Cybersecurity Initiatives
IT Professional Services
Cybersecurity Compliance Support

Risk Flags

Long contract duration may lead to technology obsolescence if not managed.
Reliance on a single vendor for critical compliance functions.
Potential for cost overruns if scope is not tightly controlled.

Frequently Asked Questions

What is this federal contract paying for?

Department of Veterans Affairs awarded $76.1 million to DELOITTE CONSULTING LLP. IGF::OT::IGF CYBER SECURITY POLICY COMPLIANCE ANALYTICS SUPPORT (CSPCAS)

Who is the contractor on this award?

The obligated recipient is DELOITTE CONSULTING LLP.

Which agency awarded this contract?

Awarding agency: Department of Veterans Affairs (Department of Veterans Affairs).

What is the total obligated amount?

The obligated amount is $76.1 million.

What is the period of performance?

Start: 2017-09-06. End: 2022-09-24.

What is Deloitte Consulting LLP's track record with the Department of Veterans Affairs and similar federal cybersecurity contracts?

Deloitte Consulting LLP has a significant history of contracting with the Department of Veterans Affairs (VA) and other federal agencies, particularly in the areas of IT modernization, cybersecurity, and management consulting. Their track record with the VA includes numerous awards across various service categories, reflecting a deep engagement with the department's needs. For cybersecurity-specific contracts, Deloitte is known for providing a wide range of services, including policy development, risk assessment, compliance monitoring, and incident response. Their experience often involves managing large, complex programs similar to this CSPCAS contract. Federal procurement databases often show a consistent pattern of awards to Deloitte for high-value IT and security-related services, indicating a strong past performance record that likely contributed to their selection for this contract. However, a detailed review of past performance evaluations and any past issues or disputes would be necessary for a complete assessment.

How does the $76 million contract value compare to other cybersecurity policy compliance support contracts awarded by the VA or other large federal agencies?

The $76 million contract value for cybersecurity policy compliance analytics support, awarded over approximately five years, positions it as a significant, but not unprecedented, federal IT services contract. For large agencies like the VA, which manage vast amounts of sensitive data and operate complex IT infrastructures, annual spending on cybersecurity can easily reach tens or hundreds of millions of dollars. When compared to similar contracts for comprehensive cybersecurity support, policy development, and compliance analytics, this award appears to be within a reasonable range. For instance, other federal agencies have awarded multi-year contracts in the tens of millions to over a hundred million dollars for specialized cybersecurity services. The specific nature of 'policy compliance analytics support' suggests a focus on ensuring adherence to regulations and internal policies, which can be resource-intensive. Therefore, while substantial, the $76 million figure is consistent with the scale and criticality of cybersecurity needs within a major federal department like the VA.

What are the primary risks associated with a five-year fixed-price level-of-effort contract for cybersecurity services?

A primary risk with a five-year fixed-price level-of-effort (FPLOE) contract for cybersecurity services is the potential for scope creep or evolving threat landscapes that may not be adequately captured by the initial effort estimates. While FPLOE provides cost certainty for a defined level of effort, if the actual effort required significantly exceeds projections due to unforeseen complexities or new regulatory mandates, the government might not receive the full value for the fixed price, or the contractor may be incentivized to limit effort. Conversely, if the effort is less than anticipated, the government may overpay for unused capacity. Another risk is the potential for the contractor to become complacent over a long contract term, leading to a decline in service quality or innovation if not actively managed and incentivized. Furthermore, the rapid pace of cybersecurity evolution means that the defined 'level of effort' might become outdated, requiring careful contract management and potential modifications to ensure continued effectiveness against emerging threats.

How effective is the 'full and open competition' approach in ensuring the VA receives the best value for cybersecurity policy compliance support?

The 'full and open competition' approach is generally considered the most effective method for the VA to ensure it receives the best value for cybersecurity policy compliance support. By allowing all responsible sources to compete, the VA maximizes the pool of potential offerors, increasing the likelihood of receiving innovative solutions and competitive pricing. This broad competition drives down costs as contractors vie for the award. It also allows the VA to rigorously evaluate proposals based on a combination of technical merit, past performance, and price, selecting the offer that provides the greatest overall value. While it requires a robust and well-defined solicitation process, successful full and open competition typically leads to superior outcomes compared to limited or sole-source procurements, as it leverages market forces to achieve government objectives efficiently and economically.

What are the historical spending patterns for cybersecurity policy compliance support at the VA, and how does this $76 million award fit within that trend?

Historical spending patterns for cybersecurity policy compliance support at the VA, and indeed across the federal government, have shown a consistent upward trend over the past decade. This is driven by increasing cyber threats, expanding digital services, and evolving regulatory requirements (e.g., NIST, CMMC). The VA, managing vast amounts of sensitive veteran health and personal data, is a prime target and thus invests heavily in cybersecurity. While specific historical data for 'policy compliance analytics support' alone might be granular, the overall VA spending on IT security, compliance, and related services runs into hundreds of millions, if not billions, annually. A $76 million award over five years ($15.2 million annually on average) for a specialized but critical function like policy compliance analytics fits within this broader trend of significant and sustained investment in cybersecurity. It suggests the VA is dedicating substantial resources to ensure its compliance frameworks are robust and effectively monitored, reflecting a strategic priority rather than an anomaly.

Industry Classification

NAICS: Professional, Scientific, and Technical Services › Computer Systems Design and Related Services › Computer Systems Design Services

Product/Service Code: SUPPORT SVCS (PROF, ADMIN, MGMT) › PROFESSIONAL SERVICES

Competition & Pricing

Extent Competed: FULL AND OPEN COMPETITION

Solicitation Procedures: SUBJECT TO MULTIPLE AWARD FAIR OPPORTUNITY

Offers Received: 2

Pricing Type: FIXED PRICE LEVEL OF EFFORT (B)

Evaluated Preference: NONE

Contractor Details

Parent Company: Deloitte Financial Advisory Services LLP

Address: 1725 DUKE ST, ALEXANDRIA, VA, 22314

Business Categories: Category Business, Not Designated a Small Business, Partnership or Limited Liability Partnership, Special Designations, U.S.-Owned Business

Financial Breakdown

Contract Ceiling: $76,454,922

Exercised Options: $76,111,472

Current Obligation: $76,111,472

Subaward Activity

Number of Subawards: 4

Total Subaward Amount: $2,551,122

Contract Characteristics

Commercial Item: COMMERCIAL PRODUCTS/SERVICES PROCEDURES NOT USED

Parent Contract

Parent Award PIID: HHSN316201200018W

IDV Type: GWAC

Timeline