Mr. Chairman and members of the Subcommittee:
I am pleased to be here to comment on NASA's budget request for FY 2000.
In the last 6 months, NASA has achieved a new level of success in its mission to explore space. Clearly, John Glenn's historic Shuttle flight captured the public's attention. However, NASA also accomplished many important (while less visible) milestones. For example, the first two elements of the International Space Station, Zarya and Unity, were launched. Also, NASA and its partners realized progress in the X-33 program. This is a joint effort by NASA and the private sector to develop and demonstrate technologies needed to build a next generation reusable launch vehicle (RLV) to provide "better, faster, cheaper" access to space for expanded human exploration.
These successes and others that the Agency accomplishes through partnerships and cooperative agreements with national and international aerospace agencies and companies can make positive contributions in an era of downsizing, diminished budgets, and global economies. I support the Agency's continued initiatives in forging innovative liaisons with international, commercial and other federal entities. However, NASA and its partners must demonstrate both excellence in achieving their missions and integrity in conducting their business operations. My office focuses on the integrity of NASA's business operations through our investigations, audits and other reviews. I will direct my written remarks on major business challenges facing the Agency which impact on efficient and effective use of the funds Congress appropriates for NASA programs.
I have previously discussed these issues in response to a request from the Honorable Richard K. Armey, House Majority Leader, to identify the 10 most serious management challenges for NASA. For purposes of this testimony, I will highlight only some of these challenges. The complete text of my response to the House, as well as other published reports, descriptions of on-going projects, and the fiscal year workplan are available through the Office of Inspector General (OIG) Internet homepage at http://oig.nasa.gov/.
1. INTERNATIONAL SPACE STATION (ISS)
The mission of the ISS is to enable long-term human presence in space. It will afford scientists, engineers, and perhaps, entrepreneurs a platform on which to perform complex, long-duration, and replicable experiments in the unique environment of space. However, cost overruns and schedule delays related to Russia's precarious political situation continue. Also, Boeing, NASA's prime contractor is experiencing cost overruns and schedule delays.
NASA must ensure its policies, practices, oversight, implementation and follow-up on cost and schedule for this program are sufficient to meet the goals of this high profile program. Two recent OIG audit reports highlighted areas where NASA's oversight could improve. The report on Space Station Corrective Action Plans (IG-99-007, January 28, 1999) found that the corrective action planning process of the prime contractor was not effectively used to control the negative cost and schedule variances experienced by the program. Corrective action planning is critical to minimizing cost growth and schedule delays when the mitigation opportunities are the greatest. We found that Government oversight of corrective action planning also needed improvement. Management agreed with our recommendations to strengthen corrective action planning as a means to respond to negative contractor performance trends. Our audit of Space Station Contingency Planning for International Partners (IG-99-009, March 9, 1999) found that the contingency plan did not include or clearly identify several critical elements for effective cost and schedule management, as required by Agency guidance. Specifically, the plan did not contain cost and schedule impacts and did not clearly identify mitigation measures and primary consequences of the contingencies. Further, NASA did not have a process that ensured the contingency plan was kept current. For example, the Program plan did not include some actions being taken to prevent further Russian delays. Also, the contingency plan did not address the Year 2000 computer problem. The Agency accepted our recommendations. We will continue to monitor their implementation.
OMB recently identified the International Space Station as one of its 24 Priority Management Objectives for FY 2000. The 24 objectives were chosen as areas in need of priority oversight which will receive on-going attention from the Administration.
Over the last several years, NASA has reported to the Congress Space Station cost overruns and schedule delays. In order to assess root causes of this problem, the Administrator recently asked the OIG to review estimated overruns and rate increases proposed by Boeing. We have assigned a team of auditors to review the most recent overruns and proposed overhead rate increases. We plan to resolve such questions as whether relevant program risks have been identified and appropriately quantified in terms of cost and schedule impact, and whether the Boeing rate increases are allowable, allocable and reasonable costs to be charged to NASA contracts. We will also be reviewing management actions to mitigate these issues.
2. INFORMATION TECHNOLOGY SECURITY (ISS)
Under NASA's current approach, responsibilities for ITS have been divided among multiple Centers. Some of the key functions are performed by a single individual at these locations when, in many cases, the extent and complexity of these functions require a team of IT security professionals. This multiple-Center approach leads to serious coordination problems, diminishes corporate oversight, and leaves NASA partners more vulnerable.
For the last 2 years, the OIG has recommended that NASA designate ITS as a high-risk area in the annual Federal Manager's Financial Integrity Act (FMFIA) Report. We based our recommendation on our concerns about the fragmentation of the ITS program,(1) the lack of policies and guidance, documented network physical and system security weaknesses, the lack of properly trained personnel, and lack of adequate threat analysis. Instead, NASA characterizes ITS only as a "significant concern." In May 1998, the Acting Deputy Administrator, acknowledging significant ITS issues raised by the OIG, requested a review of NASA's ITS program. The Agency's final report recognized numerous and serious deficiencies. The Agency is committed to implementing a wide range of improvements.
NASA is a vulnerable target because it depends heavily on IT and the Internet to support the operations it conducts at its field centers and other facilities across the United States and abroad. Unfortunately, hackers have diverse motives for compromising NASA's systems, including intellectual challenge, malice, or espionage. Because of NASA's vulnerability, the OIG dedicates considerable resources to oversight of ITS.
The OIG has established a Computer Crimes Division (CCD) that investigates felonious intrusions into NASA's systems. Our Inspections Unit also is proactive in selected security issue reviews, including the X-33, Flight Termination Systems, and NASA's incident response contract. The Audit program has dedicated resources to assessing NASA's IT program, including disaster recovery plans. Based on the information from the three program areas, we have briefed NASA on serious network and communication security vulnerabilities.
In keeping with our commitment to assist NASA in ensuring the integrity of Agency information technology programs and operations, I met with the Administrator to assure his continued support for CCD's efforts to combat network systems crimes. On October 5, 1998, the Administrator issued a letter to all NASA employees that stressed the reality of cyber-based threats and crimes, and the policy requirement that NASA employees and supporting contractors report all incidents to their local Center IT Security Manager. The IT Security Manager, in turn, must report all incidents, or suspected incidents, involving computer crimes to the OIG. The Administrator also directed NASA's inter-Center cyber incident coordination body (NASA's Automated Systems Incident Response Capability (NASIRC)) to provide information on security incidents to the OIG. The Chief Information Officer (CIO) affirmed the Administrator's direction that the IT Security Manager must report all incidents that may constitute a computer crime to the OIG. Despite this strong direction from the Administrator and follow-up by the CIO, there is room for considerable improvement by the Centers and NASIRC to timely report incidents.
NASA is not unique in its vulnerabilities. The Internet and network technologies have brought tremendous gains in communication and analyses. They have also brought unprecedented vulnerability to the Government and the private sector. As a result, this area will remain a high risk to which the OIG will devote priority attention.
3. FINANCIAL MANAGEMENT SYSTEMS
NASA's financial management environment comprised of decentralized, non-integrated systems has been identified by the Agency as a significant area of concern in its FY 1998 Federal Managers' Financial Integrity Report. To remedy this situation, NASA will implement the Integrated Financial Management Project (IFMP), an Agency-wide, fully integrated, transaction-driven financial management system intended to provide for full-cost accounting and other budget information. However, implementation of the new NASA-wide system has slipped from July 1999 to June 2000. Additionally, costs for the system have increased significantly, the integrated test facility is still not completed, and there is a significant potential that the revised delivery schedule will not be met by the contractor. The delay in implementing the Integrated Financial Management Project will result in NASA's continued inability to fully and efficiently comply with the provisions of the Federal Financial Management Improvement Act of 1996. Also, NASA will not be able to implement full cost management as planned.
We continue to have serious concerns about delays in the delivery of the product, disputes about the scope of the deliverables, the limited opportunity for adequate integration and testing of the software and hardware; the labor intensive Center data conversion activities; appropriate security architecture for the IFMP; and the costs associated with running parallel legacy systems until the IFMP is fully implemented. We will continue to follow this area until the new system is successfully developed and implemented.
4. YEAR 2000 DATE CONVERSION
The change of date from 1999 to 2000 and beyond, known as the Y2K date conversion problem, has the potential to affect the integrity of data and the continuity of processing capabilities of NASA's extensive systems networks. In numerous reports to Congress, the OMB and GAO have identified the importance and risks associated with the Y2K problem, both in terms of complexity and time constraints. Congress requires OMB to report to them on a quarterly basis the status of Y2K efforts for Government systems, including cost estimates, strategies, and implementation schedules. In turn, OMB monitors the progress of work at Federal agencies through stringent quarterly reporting requirements. Because of the wide-ranging systems involved and the inherent risks, Y2K date conversion is a significant area of management concern.
The OIG has evaluated potential problems associated with cost estimates reported to OMB, inconsistent classification of inventories (mission critical vs. non-mission critical), and failure to identify systems completed. We also reviewed the Y2K status of major contractors. NASA depends on the Defense Contract Management Command (DCMC) and the Defense Contract Audit Agency (DCAA) to perform contract administration and audits at its contractor locations. An OIG audit disclosed that NASA had not asked the DCMC or DCAA to conduct Y2K reviews at major contractor locations. As a result, NASA risked using noncompliant data that may adversely affect the Agency's control, budgeting, program management, and cost accounting activities. Management has initiated a plan to assess the Y2K status of NASA's major contractors.
Another OIG review examined NASA's guidance that required contracting officers to include a clause in IT solicitations and new contracts addressing Y2K and to modify the statement of work in existing IT operation and maintenance contracts. An OIG audit at six NASA Centers showed that each Center included the required clause in their solicitations and new contracts for IT assets. However, as of the date of the audit, the Jet Propulsion Laboratory (JPL), NASA's federally funded research and development center (FFRDC), had not included the requirements in all of its existing IT operations and maintenance contracts. This could adversely impact the Agency's ability to meet OMB's milestones for Y2K renovation, validation, and implementation phases and increases the potential for noncompliant Agency systems on January 1, 2000. Management established a target date of June 30, 1999 for JPL to incorporate the Y2K requirements into the applicable contracts and will monitor JPL's progress towards meeting that date.
The OIG auditors provided and continue to provide real-time information to the CIO as we identify problems. This approach enhances NASA's success in meeting the Y2K challenge. The CIO's office, under the direction of its Y2K manager, has achieved commendable progress in meeting the deadlines established by the Administrator and OMB.
The Agency is now entering into the key phase of testing, verifying and validating converted or replaced platforms, applications, databases, utilities and interfaces in an operational environment. Thus, the Y2K issues remain a significant concern.
5. INTERNATIONAL AGREEMENTS
One goal of the National Space Policy is to promote international cooperative activities that are in the national interest. The National Aeronautics and Space Act of 1958 gives NASA statutory authority to enter into binding agreements with foreign entities. In carrying out its missions and in furtherance of the National Space Policy, NASA now has approximately 3,000 international agreements. These agreements span every NASA enterprise and involve numerous programs and projects -- the most notable being the International Space Station program.
We have begun work through our reviews, audits and investigations, highlighting key considerations with the use of international agreements. These include:
- Program and project vulnerability to schedule delays and cost overruns that require diplomatic rather than contractual solutions
- Security controls on technology that impacts national security
- Controls to assure the quality and timeliness of the goods and services provided
- Mechanisms to assure a balance between program needs and national considerations
- Plans with specific critical paths and planned alternative courses of action to maintain program/project continuity.
To assure the integrity of NASA's technology exchange, we have established the Technology Oversight Project (TOP). TOP is a long-term OIG cross-discipline approach to identify programmatic and systemic matters that adversely impact NASA's processes for sharing advanced technology. One current effort of the TOP is to examine whether the various types of agreements (e.g., cooperative agreements, grants) that NASA uses to develop technologies with outside entities sufficiently protect proprietary and trade secret information against misappropriation. The loss of commercially sensitive or trade secret technologies could adversely impact certain United States industries. Also, we investigate instances of criminal wrongdoing related to NASA's advanced technologies since technologies are frequently the targets of computer crimes.
As part of the TOP initiative, an audit was conducted to evaluate NASA's control of export-controlled technologies. We found that NASA has not identified all export-controlled technologies related to its major programs and does not maintain a catalog of classifications for transfers of export-controlled technologies. These problems are particularly acute because NASA programs and projects generally involve multiple NASA centers and extensive contractor support. Export control is handled on a decentralized basis and, absent NASA-wide classification of export controlled technologies, the potential existed for the same technology to be subjected to varying degrees of export control. The audit also showed that Agency oversight of training for personnel in the Export Control Program needs improvement. Specifically, annual Center-conducted audits of their export control system were not adequately performed and NASA personnel lack training in controlling and documenting export-controlled technologies. Improvements in each of these areas are necessary to ensure that controls over export-controlled technologies are sufficient enough to preclude unauthorized or unlicensed transfers. We recommended that management ensure that a cataloging process for export-controlled technologies is developed, that only qualified personnel perform export control self-audits, and NASA employees involved directly or indirectly with technology are trained in properly classifying and protecting export-controlled technologies. Management concurred with each of the recommendations and has planned responsive corrective actions.
I would note that NASA management was fully supportive of the OIG's review during the entire time, beginning with identifying for us appropriate training, to making suggestions about improvements the Agency should initiate to improve the Export-Control Program.
6. CONTRACT MANAGEMENT
Most OIG criminal investigations, programmatic reviews and audits have contract-related issues, whether it be the ISS initiative, the IT program, or Earth Science mission. We also devote considerable attention to NASA's contract with the California Institute of Technology (CALTECH), which administers JPL.
Both the GAO and we have identified NASA contract management as a continuing area of primary concern. GAO does not believe that NASA has demonstrated the capability to consistently produce accurate and reliable procurement-related information in order to better assess and oversee its procurement activities. Specifically, GAO cited the Agency's delay in implementing the Integrated Financial Management Project, lack of formal evaluation requirements for field center procurement activities, and delay in the implementation of NASA's procurement metrics initiative.
At present, shifts in the NASA acquisition workload and workforce are impacting the experience levels of NASA's procurement personnel. The continuous turnover of NASA procurement staff has led to a lack of continuity in administering contracts. Procurement personnel are seriously challenged both by workload and by the many changes in the field of recent years. Initiatives such as performance-based contracting and expanded use of indefinite delivery/indefinite quantity contracts present new areas of potential risk together with opportunities for improvement. In an effort to compensate for lack of Government resources, NASA procurement and program personnel are becoming increasingly reliant on contractors to administer programs, which increases risk if oversight is not appropriate. Contract management risks may also increase as procurement activities continue to rely heavily on information technology, which promises both economies and efficiencies but also potential security vulnerabilities. In light of these issues, we consider contract management a significant area of management concern.
One of the responsibilities of my office is to ensure that the work of non-Federal auditors meets established audit standards. We have worked diligently to ensure that the audit requirements of the Single Audit Act of 1984, as amended, are fulfilled with regard to JPL which up until FY 1997 was included in the financial reporting of CALTECH. In brief, the single audit combines the financial statement audit traditionally performed by public accountants with the incurred cost audit traditionally performed by Federal auditors. The intended result is the promotion of sound financial management, internal controls, and efficient Federal award administration.
We have extensively coordinated with the Federal entities that participate in the single audit oversight process of CALTECH and JPL. We established a uniform position among these Federal entities on completing the delinquent and future audits and were able to secure commitments from CALTECH senior management to support these audits. Working together, these Federal entities, including the Office of Management and Budget, Office of Inspector General, DoD, Defense Contract Audit Agency, Office of Naval Research and our office, were able to succeed in securing corrective action on long-standing problems in completing audits. I was pleased to learn that the FY 1996 CALTECH and JPL audits were completed on March 31, 1999, and that progress is being made on the FY 1997 single audit. Problems with accounting practice changes and cost allocations have negatively impacted Government oversight of CALTECH and JPL and audit delays have hampered negotiations of incurred cost rates. We will remain vigilant in our continuing oversight of the single audit process to ensure intended results are achieved.
Our ability to continue oversight of NASA's contract activity may be seriously impacted if the OIG cannot be guaranteed the access to contractors' data and facilities, absent use of subpoenas and court processes. In contrast, we have access to NASA's data and facilities pursuant to the IG Act. In this era of increased outsourcing, we are continuing our efforts to seek inclusion of a standard IG data access clause in NASA contracts. IG access provisions have been incorporated into Government-funded Space Act agreements, grants, and cooperative agreements. In the contract arena, we have submitted a proposal to the NASA General Counsel and the Acting Associate Administrator for Procurement for presentation to the FAR Council. If the FAR Council adopts the proposal, an IG access clause will have Government-wide effect. Until the FAR Council acts, we are proposing a provision for NASA to use in its contracts. We see a greater need to assure access to contractor records, premises, and personnel, as the Government downsizes and outsources more and more functions.
7. LAUNCH VEHICLES
NASA uses two types of launch vehicles, the Expendable Launch Vehicle (ELV) and the Reusable Launch Vehicle (RLV). The ELV's do not carry people and are disposable. ELV's are used to carry satellites and exploratory mission components into space, such as the Cassini and Mars Surveyor. NASA depends upon commercial sector suppliers for the ELV.
The RLV ferries people and cargo between the Earth and space. The Space Shuttle is NASA's current RLV. The Agency has signed cooperative agreements with four industry partners for the design and development of technology demonstrators leading to the next generation RLV. The goal of the RLV program is a substantial reduction in the cost of sending cargo to low-Earth orbit. Current RLV costs significantly impact NASA's budget and the commercial growth of the aerospace sector.
We are reviewing NASA's management of the availability of small ELV's to ensure schedule milestones and cost effectiveness of its missions, particularly launches for NASA's Offices of Earth Sciences and Space Science, "smaller, faster, cheaper, better" satellites. The small ELV's have experienced technical problems that have caused launch delays and cost increases where alternative launch capabilities needed to be acquired. NASA is acquiring these launch services commercially, and does not therefore exercise the same level of control over launch operations. Estimating the costs and committing to scheduled launches is a major challenge in this environment.
We also have been evaluating and continue to evaluate NASA's provision of the majority of developmental funds and assignment of technology rights to its industry partners in the development of the new RLV's. NASA awarded a cooperative agreement to Lockheed-Martin for performance of the X-33 technology demonstration program. Under this agreement, NASA will fund $913 million of the program's $1.1 billion costs, with Lockheed-Martin and four other industry partners funding the remaining $211 million. The OIG conducted an audit to determine whether NASA's use of a cooperative agreement was appropriate and whether the agreement effectively defines roles, responsibilities, and rights of the Government and industry partners. We found that NASA's use of a cooperative agreement has provided certain benefits including faster award and greater flexibility in managing the program. Conversely, we found that use of a cooperative agreement contributed to program management problems as follows: (1) program plans, internal agreements, and guidance documents either were not prepared or were not timely; (2) industry partners did not routinely provide required analyses of their cost estimates at program completion or submit monthly reports on resource contributions; (3) Center practices for controlling and reporting costs require improvement; (4) Government property reports submitted by industry partners were incomplete; and (5) ownership of the X-33 flight vehicle upon program completion has not been determined.
Another X-33 audit focused on the accuracy of Agency financial records. The audit showed that obligations of funds on the program were not recorded in a timely manner, resulting in potential violations of fiscal statutes and the Agency fund control system. Our audit showed that NASA established an arrangement with Lockheed-Martin, within the X-33 cooperative agreement, to delay billing for completed and Government-accepted milestones until the following fiscal year. NASA concluded that, under this arrangement, an obligation does not occur until Lockheed-Martin submits an invoice for payment and, thus, the Limitation of Government Obligation provisions within the cooperative agreement ensures this arrangement is compliant with fiscal statutes. For the other X-33 partners, NASA obligates funds on the cooperative agreement before work is performed and adjusts funding as work progresses. As a result of this practice, NASA had unrecorded year-end obligations, costs, and liabilities totaling $22 million in FY 1996 and $34 million in FY 1997. We contend that this practice resulted in Agency financial reports and the financial statements not being accurate. Management agreed to perform a study of the appropriateness of the existing funding and payment practices and to take corrective actions deemed appropriate by the study. NASA had not released the study results as of March 31, 1999. We will continue to monitor the X-33 payment and billing practices.
We are presently reviewing the cost estimates for the X-33 cooperative agreement. Our review will include coverage of the negative cost and schedule variances being reported on the agreement and the adequacy of the methodologies used to develop cost estimates in this unique environment.
Because of the importance of ELV's and RLV's to NASA's mission and the nation's economy, we will continue to monitor NASA's management practices in this arena.
Mr. Chairman, my office remains committed to working with the Administrator and the Congress to improve the business integrity of NASA. The Agency has an exciting mission and dedicated men and women working to push further the boundaries of space science and research.
1. NASA separates out ITS responsibilities for the protection of sensitive/unclassified information from the protection of classified information both at Headquarters and, often, at the Centers. In addition, responsibilities are severely fragmented over multiple centers: Ames Research Center is the focus for ITS; Kennedy Space Center, for one component of Communications Security (i.e., the Central Office of Record for the safeguarding and control of COMSEC material), with overall COMSEC management within the Security Management Office at Headquarters; Goddard Space Flight Center handles incident alerts; Glenn Research Center, ITS training, and Marshall Space Flight Center, firewall issues.