VA watchdog clears senior IT leader of misconduct allegations made by former CISO

The Office of Accountability and Whistleblower Protection has dismissed three complaints brought against Joe Stenaka.
Department of Veterans Affairs
(Veterans Health / Flickr)

A Department of Veterans Affairs watchdog has dismissed three misconduct allegations against a top federal IT official brought by the agency’s former chief information security officer.

According to two copies of a January report obtained exclusively by FedScoop, the VA’s Office of Accountability and Whistleblower Protection (OAWP) did not substantiate three complaints filed against Joseph Stenaka in October 2020 by Paul Cunningham.

Stenaka at the time of the complaint was executive director for information security operations within the department’s Office of Information and Technology (OIT), and in that role he reported directly to Cunningham. Both Cunningham and Stenaka have since departed from their roles at the VA.

The three complaints submitted against Stenaka were: that he failed to follow supervisory instructions when he attended a Sept. 4, 2020, meeting with Susan Perez, OIT chief of staff; that he demonstrated lack of candor in response to questions from his supervisor about his attendance at a Sept. 4, 2020, meeting; and that Stenaka made disrespectful statements about OIT senior leaders in a Sept 4, 2020, meeting.


The allegations filed against Stenaka came just a month after the IT official submitted a protected whistleblower complaint in which he raised concerns about negotiations between Cunningham and software company Splunk over a cloud computing contract.

A previous OAWP report, also obtained by FedScoop, found that Paul Cunningham retaliated against Stenaka, first by giving him a low performance rating and then by having him removed from his post in January 2021. 

In his whistleblower complaint at the time, Stenaka alleged that Cunningham gave up to 10 terabytes of perpetual licenses from an existing Splunk Perpetual Contract for a discount on a future Splunk SaaS cloud contract and received only “pennies on the dollar,” for what the Splunk contract was worth.

Stenaka suggested Cunningham’s comfortable relationship with Mark Jarek, the director of business development and strategy at Splunk, gave rise to inappropriate negotiations with Splunk and there was concern the VA would lose up to $170 million due to this.

The U.S. Code forbids personnel action against any federal employee who discloses information in a bid to stop gross mismanagement, gross waste of funds, abuse of authority, or to highlight a substantial and specific danger to public health or safety. 


Stenaka left the VA in February and is currently the chief information security officer at the Social Security Administration.

Following his departure from the VA, also in Febaury, Cunningham joined Missouri-headquartered consulting firm World Wide Technology as chief technology advisor for public sector cybersecurity business.

When contacted for comment, a Splunk spokesperson said: “Splunk is aware of the VA’s Office of Accountability and Whistleblower Protection (OAWP) February report addressing internal procurement processes. As a policy, Splunk does not comment on internal customer concerns.”

A VA spokesperson said: “To protect the privacy of our employees, VA doesn’t typically comment on specific investigations or personnel actions involving whistleblower complaints.”

Paul Cunningham did not immediately respond to a request for comment.


Editor’s note: This story was updated to include comment from the VA.

Latest Podcasts