They ignored mandated financial controls and issued 10s of millions worth of contracts without following agency policy and FAR regulations. In a private corporation doing something like that would get you fired and it should in this case too.
They claim that their security mechanisms were adequate but they just didn't follow the compliance process. How can we be sure if the processes and mechanisms provided adequate security if they weren't properly audited as required? It is like your card processor claiming they are PCI compliant but not bothering to actually go through a compliance audit.
If they want to affect change in how IT is done in the federal government they need to create models that can be followed by other agencies without violating legally mandated financial and security controls. If those controls need to be changed than they can point out why and in what manner, but until they are changed ignoring them makes their work throw away efforts which can't be truly used by other agencies.
