Best Practices and Leading Practices in Information Technology Management
GAO has identified a set of essential and complementary management disciplines that provide a sound foundation for information technology (IT) management. These include IT strategic planning, enterprise architecture, IT investment management, and information security.
IT strategic planning
Advances in technology are changing the way agencies do business. Two laws, the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996, establish a framework to help agencies more effectively manage IT through strategic planning.
An agency should:
- Document its IT strategic planning process, including, at a minimum, (1) the responsibilities and accountability for IT resources across the agency; and (2) the method by which the agency defines program information needs and develops strategies, systems, and capabilities to meet those needs.
- Document its process to integrate IT management operations and decisions with organizational planning, budget, financial management, human resources management, and program decisions.
- Require that information security management processes be integrated with strategic and operational planning processes.
- Institute a process to account for all IT-related expenses and results.
- Prepare an enterprisewide strategic information resources management plan. At a minimum, an information resources management plan should (1) describe how IT activities will be used to help accomplish agency missions and operations, including related resources; and (2) identify a major IT acquisition program(s) or any phase or increment of that program that has significantly deviated from cost, performance, or schedule goals established for the program.
- Ensure its performance plan required under the Government Performance and Results Act of 1993 (GPRA), as amended by the GPRA Modernization Act of 2010 (1) describes how IT supports strategic and program goals; (2) identifies the resources and time periods required to implement the information security program plan required by FISMA; and (3) describes major IT acquisitions contained in the capital asset plan that will bear significantly on the achievement of a performance goal.
- Have a documented process to (1) develop IT goals in support of agency needs; (2) measure progress against these goals; and (3) assign roles and responsibilities for achieving these goals.
- Establish goals that, at a minimum, address how IT contributes to (1) program productivity, (2) efficiency, (3) effectiveness, and (4) service delivery to the public (if applicable).
- Establish IT performance measures to monitor actual-versus-expected performance. Measures should align with the GPRA performance plan.
- In an annual report, to be included in the budget submission, describe progress in using IT to improve the efficiency and effectiveness of agency operations and, as appropriate, deliver services to the public.
- Benchmark IT management processes against appropriate public and private sector organizations and/or processes in terms of costs, speed, productivity, and quality of outputs and outcomes.
IT investment management
IT projects can significantly improve an organization's performance, but they can also become costly, risky, and unproductive. Agencies can maximize the value of IT investments and minimize the risks of IT acquisitions when they have an effective and efficient IT investment management process, as described in GAO's guide to effective IT investment management (GAO-04-394G).
- Stage 1: Create awareness
  - Raise awareness about the importance of a disciplined investment management process.
- Stage 2: Build the foundation
  - Create an investment review board, and define its membership, guiding policies, operations, roles, responsibilities, and authorities.
  - For each project, develop a business case that identifies the key executive sponsor, business customers (or end users), and the business needs that the IT project will support.
  - Introduce a defined process that the organization can use to select new IT proposals and reselect ongoing projects.
  - Monitor projects against cost and schedule expectations as well as anticipated benefits and risks.
- Stage 3: Develop a complete investment portfolio
  - Define criteria for determining which investments to include in the investment portfolio. Criteria could include quantitative or qualitative factors such as cost, benefit, schedule, and risk.
  - Use the criteria to select investments for the portfolio.
  - Evaluate the portfolio by adding the element of portfolio performance to the organization's control process activities.
  - Review IT projects by comparing actual results to estimates in order to learn from past investments and initiatives.
- Stage 4: Improve the process
  - Evaluate the performance of the portfolio to improve both current IT investment management processes and the future performance of the IT portfolio.
  - Analyze and manage the replacement of IT investments and assets with their higher-value successors.
- Stage 5: Leverage IT for strategic outcomes
  - Optimize the investment management process and exploit IT decision making to improve the value of an IT investment management process.
  - Learn about and implement other organizations' best practices for IT investment.
  - Use IT to renovate and transform work processes and to push the organization to explore new and better ways to execute its mission.
GAO-04-49: Published: Jan 12, 2004. Publicly Released: Feb 11, 2004.
Over the years, the Congress has promulgated laws and the Office of Management and Budget and GAO have issued policies and guidance, respectively, on (1) information technology (IT) strategic planning/performance measurement (which defines what an organization seeks to accomplish, identifies the strategies it will use to achieve desired results, and then determines how well it is succeeding in rea...
GAO-17-533T: Published: Apr 4, 2017. Publicly Released: Apr 4, 2017.
GAO and others have identified a number of key challenges facing federal agencies in ensuring that they have an effective cybersecurity workforce: Identifying skills gaps: As GAO reported in 2011, 2015, and 2016, federal agencies have faced challenges in effectively implementing workforce planning processes for information technology (IT) and defining cybersecurity staffing needs. GAO also reporte...
GAO-17-408T: Published: Feb 7, 2017. Publicly Released: Feb 7, 2017.
GAO noted in July 2016 that the Department of Veterans Affairs (VA) had moved forward with an effort to modernize its health information system—the Veterans Health Information Systems and Technology Architecture (VistA)—but that the department is uncertain of its long-term plan for addressing its electronic health record system needs beyond fiscal year 2018. Beyond modernizing VistA, GAO repor...
GAO-17-8: Published: Nov 30, 2016. Publicly Released: Nov 30, 2016.
Integrated program teams (IPT) are cross-functional or multidisciplinary groups of individuals that are organized and collectively responsible for delivering a product to an external or internal customer. GAO identified three characteristics that contribute to the creation and operation of a comprehensive IPT: (1) executive leadership through team support, empowerment, and oversight; (2) team comp...
GAO-16-885T: Published: Sep 19, 2016. Publicly Released: Sep 20, 2016.
Cyber incidents affecting federal agencies have continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015. [Figure: Cyber Incidents Reported by Federal Agencies, Fiscal Year 2006-2015] Several laws and policies establish a framework for the federal government's information security and assign implementation and oversight responsibilities to key federal entities, including th...
GAO-16-602: Published: Aug 15, 2016. Publicly Released: Sep 14, 2016.
The General Services Administration's (GSA) 18F and Office of Management and Budget's (OMB) U.S. Digital Service (USDS) have provided a variety of services to agencies supporting their information technology (IT) efforts. Specifically, 18F staff helped 18 agencies with 32 projects and generally provided development and consulting services, including software development solutions and acquisition co...
GAO-16-638: Published: Jun 21, 2016. Publicly Released: Jun 21, 2016.
Selected large and medium urban transit providers have deployed most Intelligent Transportation Systems (ITS) technologies, such as automatic vehicle location (AVL) and electronic fare payment. Most of these providers reported sharing data collected from ITS with the public or regional transportation providers to enable technology innovations and improve regional planning. Large and medium urban t...
GAO-16-733T: Published: Jun 10, 2016. Publicly Released: Jun 10, 2016.
In a draft report, GAO determined that the General Services Administration's (GSA) 18F and Office of Management and Budget's (OMB) U.S. Digital Service (USDS) have provided a variety of services to agencies supporting their information technology (IT) efforts. Specifically, 18F staff helped 18 agencies with 32 projects and generally provided development and consulting services, including software d...
GAO-16-723T: Published: Jun 9, 2016. Publicly Released: Jun 9, 2016.
The 2020 Census program is heavily dependent upon the Census Enterprise Data Collection and Processing (CEDCAP) program to deliver the key systems needed to support the 2020 Census redesign. However, GAO's preliminary findings showed that while the two programs have taken steps to coordinate their schedules, risks, and requirements, they lacked effective processes for managing their interdependenc...
GAO-16-494: Published: Jun 2, 2016. Publicly Released: Jun 2, 2016.
Agencies determined investments' Chief Information Officer (CIO) ratings using a variety of processes, which included the Office of Management and Budget's (OMB) six suggested factors (including risk management, requirements management, and historical performance). Specifically, all 17 selected agencies incorporated at least two of OMB's factors into their risk rating processes and 9 used all of t...
GAO-16-696T: Published: May 25, 2016. Publicly Released: May 25, 2016.
The federal government spent more than 75 percent of the total amount budgeted for information technology (IT) for fiscal year 2015 on operations and maintenance (O&M) investments. Specifically, 5,233 of the government's approximately 7,000 IT investments are spending all of their funds on O&M activities. Such spending has increased over the past 7 fiscal years, which has resulted in a $7.3 billio...