FAS’s Office of Assisted Acquisition Services Should Improve Its Oversight and Administration of Classified Contracts

Why We Performed This Audit

The Federal Acquisition Service’s Office of Assisted Acquisition Services (AAS) provides its customer agencies with customized acquisition, project management, and financial management services for large or complex information technology and professional services solutions. In Fiscal Year 2023, AAS revenue was over $16 billion, representing 48 percent of GSA’s total revenue. In addition, AAS contracts have become more complex, including contracts considered high-risk because of their classified performance elements. Our audit objectives were to determine if: (1) AAS contracts are accurately classified, (2) sufficient controls are in place to monitor and ensure compliance with AAS policy for contract security classification levels, and (3) AAS contracting personnel possess adequate security clearances to effectively award and administer contracts with classified elements.

What We Found

While AAS has established contract security classification levels, its oversight and administration of contracts with classified performance elements are impaired by two issues.

First, we found that AAS Level 2 (Unclassified Acquisition – Secure Facility Access Required) contracts are not accurately classified. As a result, some contracts are not subject to the portfolio reviews implemented by AAS to reduce its risk. Although AAS updated contract security classification level definitions in 2023, the new standards have not been implemented effectively. We found that: (1) AAS contracting personnel were unaware of the new definitions and did not review the security classification levels of existing contracts to verify accuracy, and (2) AAS does not have sufficient controls in place to monitor and ensure compliance with AAS policy for contract security classification levels.

Second, we found that AAS policy does not require AAS Level 3 (Classified Elements for Performance) contracting officers to have adequate security clearances. This can impair the administration of contracts with classified elements.
 

What We Recommend

We recommend that the Federal Acquisition Service Commissioner:

1. Conduct a review of all active AAS Level 2 contracts to ensure that all contract security classifications adhere to AAS’s current policy and definitions.
2. Consolidate and improve contract security classification guidance to provide more detail and clarity for AAS contracting personnel.
3. Update existing controls to monitor and ensure compliance with contract security classifications by:
   1. Including a review of the security classification level in contract file transfer checklists;
   2. Verifying compliance with AAS security classification policies during existing internal contract reviews; and
   3. Updating briefing templates to use consistent terminology.
4. Implement Assisted Services Shared Information System controls to ensure accuracy and integrity of contract security classifications by:
   1. Prioritizing the development of edit history for immediate visibility of changes to the contract security classification level; and
   2. Limiting the ability to edit contract data to only the assigned acquisition personnel and their supervisory chain.
5. Strengthen AAS policy to require AAS Level 3 contracting officers to have adequate security clearances and establish a plan to initiate the security clearance process for affected contracting officers.
6. Provide AAS contracting personnel with training on any updated policies or guidance implemented in response to the audit findings.

The Acting Federal Acquisition Service Commissioner concurred with our recommendations. Agency comments can be found in their entirety in Appendix B.