September 03, 2013
Maryland in Hot Water over Statewide Broadband Management
By Mae Kowalke
Major IT infrastructure projects have a tendency to go beyond initial cost estimates and be complex beasts to manage. Maryland state auditors are saying that the state’s One Maryland Broadband Network suffers from such problems and then some.
The One Maryland Broadband Network, managed by the State of Maryland’s Department of Information Technology (DoIT), is a $158 million engineering and construction project intended to create a statewide high-speed fiber optics network. The project will build 1,340 miles of fiber-optic cabling. This will enhance broadband service to 1,087 community organizations, including hospitals, schools, police and other emergency responders. Roughly $115 million of the project is federally funded.
Auditors have found issues with the contracting practices, construction oversight, monitoring of sub-grants and cash control.
Specifically, the auditor found that DoIT chose its project management contractor from a master list of pre-existing contractors, without a written task order specifying the contractor’s obligations, price or language protecting the state in the event the grant’s objectives were not fully met.
DoIT disagreed with this assessment, stating that the process was sufficient and the broadband network project was also much larger than the work anticipated at the time of the award of the master contract.
The auditor also found that the DoIT agreed to pay the project manager an 8 percent markup on subcontracted services. The arrangement was made without the knowledge of senior management, and in fact it was impermissible in all DoIT contracts. The cumulative markup of $103,000 was paid to the project manager through July 2012, according to the auditor.
There has been inadequate control over subcontractors, too, the audit found.
Each project segment’s work was stipulated in construction work orders, but the DoIT neglected to sign the work orders that would bind the parties. The DoIT paid contractors but did not maintain “Milestone Acceptance” documentation, and some DoIT employees had incompatible duties because they selected the contractors to be awarded the work, and subsequently approved their invoices, the auditor found.
There also have been problems with cloud services and disaster recovery. The auditor stated that the DoIT was not assuring that access permissions and file sharing were controlled on a need-to-know basis, nor did it have capabilities to enforce the prohibition on storing sensitive information in the cloud. Further, it did not have the capability to monitor cloud content or exercise control over who accesses such content.
In terms of disaster recovery, the auditor found that the DoIT risks a prolonged interruption of major computer operations because it doesn’t have backup configurations for four key firewalls stored at a remote site, nor does it have an updated disaster recovery plan. The last plan dates from 2007.
While these issues are unfortunately common for such projects, the failure is no less a problem for the State of Maryland.
Edited by Rory J. Thompson