The VA Office of Inspector General (OIG) performed this audit to assess VA’s compliance with executive orders, federal regulations, and VA requirements for vetting contractor employees to serve on VA contracts. If contractor employees are not vetted before working for VA, they may endanger veterans and VA employees, as well as the efficiency and integrity of VA services, government property, and VA information.
The audit team found VA officials had a high rate of noncompliance. The team found that 94 percent of contract files reviewed did not include position designations establishing the investigative requirements for the contract. In addition, 90 percent did not include language to communicate vetting requirements to the contractor. Ultimately, 75 percent of employees under the contracts reviewed did not have a fingerprint check, and about 79 percent did not have a formal background investigation.
Noncompliance stemmed from differences among offices concerning roles and responsibilities for the suitability program and from incorrect guidance. The Office of Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP) and the Office of Information and Technology (OIT) had outdated and conflicting or inaccurate policies on the subject. Also, the Office of Acquisition, Logistics, and Construction (OALC) directed its staff to the wrong policies.
Because of long-standing disagreements between HRA/OSP and OALC concerning roles and responsibilities for personnel security, the OIG recommended the VA Deputy Secretary mediate their efforts to collaborate on developing and publishing updates to the policies and procedures for vetting contractors. The OIG further recommended the assistant secretary for HRA/OSP conduct compliance inspections at the St. Cloud VA Medical Center in Minnesota, where the OIG team found 52 percent of contractor employees (none of whom were vetted) had criminal records. The OIG also recommended OALC direct acquisition professionals to the correct policies for vetting contractor employees.
Open
Closed-Implemented
Closed-Not ImplementedMediate the two offices’ collaboration to develop and publish updates to the personnel security policies and procedures for vetting contractor employees to include appropriate roles and responsibilities; standard contract language to communicate the requirements for vetting contractor employees, including whether a fingerprint check or background investigation is required, that can be used across the department; and a requirement that the VA organization requesting a contract provide the position designation record in the acquisition package submitted to the contracting office.
Perform and document compliance inspections of the procedures for vetting contractor employees and the issuance of VA identification credentials at medical facilities supported by Network Contracting Office 23, including the St. Cloud VA Medical Center.
Update and publish the Veterans Affairs Acquisition Regulation and Veterans Affairs Acquisition Manual to direct the department’s acquisition professionals to the correct guidance for vetting contractor employees, which should include VA’s personnel security and suitability program policy.
Update and publish or rescind Acquisition Policy Flash 16-13, “Use of VA Handbook 6500.6, Appendix A, Checklist for Information Security in VA Service Acquisitions,” to ensure VA acquisition professionals understand that VA Handbook 6500.6 is not the only personnel security policy they must comply with.
Update and publish VA Handbook 6500.6, Contract Security, in collaboration with the Office of Acquisition, Logistics, and Construction and the Office of Human Resources and Administration/Operations, Security, and Preparedness, including retitling it to better correspond to its content and removing any personnel security steps that should only be discussed in VA personnel security and suitability program policies.
Review the actions of the officials responsible for planning, awarding, and administering contract 36C26320A0021, which included vetting procedures that did not comply with federal or VA policies, and take administrative action if appropriate.