VA watchdog finds former CISO retaliated against colleague for concerns over Splunk contract
A former chief information security officer at the Department of Veterans Affairs twice retaliated against a fellow IT leader for making protected disclosures about a technology contract, an agency watchdog found.
According to a February report from the VA’s Office of Accountability and Whistleblower Protection (OAWP), disciplinary action was taken against Joseph Stenaka after he raised concerns about contract negotiations between former CISO Paul Cunningham and software company Splunk.
Paul Cunningham gave Joseph Stenaka a low performance rating and had him removed from his post as executive director for information security operations within the department’s Office of Information and Technology, according to the report, which was exclusively obtained by FedScoop.
“OAWP did substantiate Allegation 1: Cunningham retaliated against Stenaka for making protected disclosures in violation of 5 U.S. Code § 2302(b)(8) when he rated Stenaka’s performance minimally satisfactory,” the watchdog said.
Cunningham also retaliated after Stenaka filed a protected whistleblower complaint, the OAWP found. In his complaint, Stenaka also alleged that former acting VA CIO Dominic Cussatt had retaliated against him. These allegations were not addressed in the February report.
Stenaka was sanctioned after making disclosures in which he alleged that Cunningham exchanged licenses under a contract with software company Splunk for future credit without involving contracting officials, according to the OAWP.
Under federal procurement law, all agreements between federal agencies and contractors must be reviewed by a contracting officer to ensure that all legal requirements have been met.
In September 2020, Stenaka made disclosures to the chief of staff at the VA’s OIT, in which he said that Cunningham had received only “pennies on the dollar” for what the Splunk contract was worth.
During the period relevant to the investigation, Stenaka reported to Cunningham, who served as CISO and deputy assistant secretary of the Office of Information and Technology at the department.
The U.S. Code forbids personnel action against any federal employee who discloses information in a bid to stop gross mismanagement, gross waste of funds or abuse of authority, or to highlight a substantial and specific danger to public health or safety.
A VA spokesperson said: “Mr. Cunningham no longer works for VA. For privacy reasons, VA does not comment on personnel matters.”
Editor’s note: This story was updated to include comment from the VA.