Finish what they pay for
[Programming note: I plan to be off next week, while I participate in the Wisconsin ritual of going “up north” for a couple of days.]
As readers of this newsletter know all too well, things can go wrong in government contracting.
There are different categories of ways things can go wrong, though. Most of the time, things go wrong in tiny, quiet ways that create headaches for a limited number of people. Things like invoices not matching up with CLINs. Annoying? Sure. Catastrophic? Nah.
Occasionally, things can go wrong in spectacular ways but everyone just sort of accepts it? For example, when the product delivered just plain stinks but technically meets the contract requirements.[1]
Sometimes, though, when particular things go wrong, lawyers get involved. And when that happens, the headaches are much bigger and involve lots of money.
Here’s a cautionary tale for you, shared by a friend of the newsletter. And content warning: I get a bit soap-boxy near the end.
Back in April 2021, as part of the pandemic response, the New York state government — like other state governments — was responsible for implementing the federally funded emergency rental assistance program (ERAP). On May 3, 2021, New York’s Office of Temporary and Disability Assistance (OTDA) entered into a contract with Guidehouse, which agreed to “ultimate responsibility for the ERAP program, including for the technology and services provided to the State.”
In turn, Guidehouse subcontracted with Nan McKay & Associates (NMA), to provide “the technology product used by New York residents to fill out and submit forms requesting financial assistance under the ERAP,” which was set to go live on June 1, 2021. As one of the requirements of the contract, which flowed down to the subcontract, Guidehouse and NMA agreed to conduct “certain cybersecurity testing and scanning… while the ERAP Application was in the ‘pre-production environments,’ meaning prior to the launch of the ERAP Application to the public.”
Now, as anyone who has ever delivered software in government will tell you, this project was probably doomed long before the ink was dry. Delivering a public-facing web application to production in 20 business days is, uh, ambitious.
But, the program had “emergency” in the name for cripes’ sake[2], so Guidehouse and NMA agreed to get it done.
You can guess it didn’t go well:
On or about May 28, 2021, NMA informed Guidehouse that it was having difficulty with one of its cybersecurity testing tools and, thus, it would be unlikely to complete the required pre-production cybersecurity testing of the ERAP Application prior to the ERAP Application’s scheduled go-live date. As a result, shortly thereafter, Guidehouse notified NMA that Guidehouse would assume pre-production testing duties and conduct the pre-go-live cybersecurity testing of the ERAP Application. Guidehouse, using a different testing tool, could not get it to timely work either and ultimately, neither Guidehouse nor NMA satisfied their obligation to complete the required pre-production cybersecurity testing.
It got worse:
The state’s ERAP went live on June 1, 2021. Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet. Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.
In addition, as part of its settlement, Guidehouse admitted that for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.
Earlier this week, Guidehouse and NMA settled with the Justice Department to the tune of $7.6 million and $3.7 million, respectively, to resolve allegations that they violated the False Claims Act.
At one level, it’s a pretty straightforward case. If you say you’re going to conduct pre-production cybersecurity testing, you have to conduct pre-production cybersecurity testing.
At another level, you gotta wonder whether this would have ended up on the DOJ’s docket if the application hadn’t been taken down on the first day.[3] I mean, the press release and settlement agreement make it pretty clear that Guidehouse and NMA tried to conduct the tests, they just failed at it.
And, at a third level, maybe the real lesson here is that cyber compliance is just so much easier to enforce than a crappy user experience? Here’s a story from June 2021:
Nearly a month after the state officially opened applications for the rent relief program, real estate and tenant advocates agree that the program is off to a rocky start due to frustrating technical difficulties on top of a complicated process that can take two or more hours to complete. ***
Technical problems surfaced almost immediately after applications opened June 1. Applications must be completed during one online session — an onerous requirement because numerous documents are required, including the renter’s personal identification, Social Security numbers for any household members who have one, and proof of the rental amount, income eligibility, residency and occupancy. Landlords must submit a W-9 tax form, lease, rent roll and banking information.
Uploading documents has been exasperating since some days the system works and some days it doesn’t, landlord and tenant advocates say.
Reading that, you might wish that the government would be more upset about the lack of system availability and the user burden associated with service completion than it was around a pre-production security scan. But that’s not how government contracting works.
A big part of this business is knowing the different types of ways things can end badly. Unless it’s built directly into the contract, a bad user experience might not be the sort of thing that gets lawyers involved. You might just be able to make lives miserable for thousands of users, chalk it up to a compressed timeline, and get away with acceptable past performance.
But, if you promised some security scans and failed to successfully complete them before the go-live date, expect to be spending time with your lawyers.
[1] See, e.g., most employee-facing applications in government.
[2] Oh yah, I’m getting ready for going up nort’.
[3] I spent a considerable amount of time trying to find an appropriate and funny angle to point out that the False Claims Act litigation was initiated by a former Guidehouse employee, who will now rake in nearly $2 million as part of the settlement. Instead, I will simply observe that this is evidence of the Matt Levine line of reasoning that “[i]f you can find out bad news about companies, there are a lot of ways to make money.” Maybe the good news about govcon is that there’s actually a lot of bad news?