Waxman hammers TSA over portal contract
Originally posted at 1:32PM Jan. 11; updated at 4:23PM Jan. 11
- By Alice Lipowicz
- Jan 11, 2008
Rep. Henry Waxman (D-Calif.) today accused the Transportation Security Administration of sloppy acquisition management and an apparent conflict of interest in the 2006 hiring of a Virginia contractor whose work subsequently put at risk the personal information of thousands of travelers.
The contract with Desyne Web Services Inc. of Boston, Va., resulted in creation of a poorly designed TSA public Web site with numerous security gaps that put thousands of airline travelers' personal information at risk of identity theft, Waxman, who chairs the Committee on Oversight and Government Reform, wrote in a report.
But a TSA spokesman today characterized the findings of the report as old news.
"All of this was addressed by the TSA months ago," said Christopher White, a spokesman for TSA. "Each issue that has been raised was addressed by TSA." The security problems were addressed when the faulty Web site was shut down and users redirected to a secure site in February 2007, he said.
Furthermore, the TSA contends that only 247 people who used an insecure connection at the Web site were potentially exposed to the risk of identity theft. That is the only insecurity recognized by the TSA, White said. "Who are those other 800 plus people affected? You would need to ask the committee," White said. TSA has contacted the 247 people and determined that none of them has experienced an identity theft to date, he added.
Although the security vulnerabilities were discovered and the Web site shut down in February 2007, Waxman and the committee staff investigated the circumstances of how the contract was awarded.
His 12-page report, "Information Security Breach at TSA: The Traveler Redress Web Site," traces problems with the contract resulting from TSA's "poor acquisition practices, conflicts of interest and inadequate oversight."
TSA launched the travelers' redress Web site in October 2006 to assist people whose names were erroneously included on airline terrorist watch lists. The site was discovered to have multiple security vulnerabilities and insufficient encryption, and it was shut down in February 2007. These problems potentially exposed to the risk of identity theft the personal information of thousands of travelers who used the site, the report said.
Further investigation shed light on TSA's role in the failed project, Waxman wrote. For one thing, TSA awarded the contract without competition. Second, it was awarded in spite of an apparent conflict of interest, the report charges.
TSA awarded the contract to Desyne Web Services without receiving another bid, Waxman said.
"According to an internal TSA investigation, the statement of work for the contract was 'written such that Desyne Web was the only vendor that could meet program requirements,' " the report states.
Waxman's report goes on to state that Nicholas Panuzio, who served as the technical lead on the Web site project and the point of contact with the contractor, was a former employee of Desyne. He had "an apparent conflict of interest," Waxman wrote. TSA has not disciplined Panuzio, who continues to hold a senior program management position at the agency, the report said. Panuzio could not immediately be reached for comment.
Regarding the conflict of interest allegation, White stated the TSA has reviewed those actions. "A thorough review was conducted and we have determined that no disciplinary action was warranted. We have controls in place that precluded any one individual from awarding contracts by themselves," White said.
Nor has TSA sanctioned Desyne for its role in the faulty Web site, and TSA continues to pay Desyne to host and manage two other large IT programs: the TSA claims management system and a governmentwide traveler redress program, Waxman's report said.
Neither Desyne nor the former Desyne employee was immediately available to comment on the report.
Waxman also cited an internal TSA investigation that indicates insufficient planning, development and operation in addition to too much reliance on the contractor for IT expertise.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.