Information Technology Management:

Social Security Administration Practices Can Be Improved

GAO-01-961: Published: Aug 21, 2001. Publicly Released: Sep 20, 2001.

Contact:

Linda D. Koontz
(202) 512-6257
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Social Security Administration (SSA) needs to identify strengths and weaknesses within its agencywide operational and managerial capabilities to enable the delivery of high-quality customer service in the face of increases in both workloads and in the number of retirements from its experienced workforce. Evaluating SSA's management of information technology (IT) is critical to assess whether the agency is adequately addressing these capabilities. This report reviews SSA's IT policies, procedures, and practices in the following five areas: investment management, enterprise architecture, software acquisition and development, information security, and human capital. GAO found that SSA had many important IT management policies and procedures in place in each of these five key areas but did not always implement them consistently. In some areas, SSA had not established key policies, procedures, or practices essential to ensure that its IT was effectively managed. GAO found weaknesses in all of the five key areas of IT management--particularly in investment management and human capital management.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, analyze and document the effectiveness of its strategies for recruiting, training, and retaining IT personnel, and use these results to continuously improve its IT human capital strategies.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. Relying on its online Skills Inventory Planning System and a gap analysis of its current and future IT staff requirements, SSA developed an IT Workforce Strategic Plan. The plan links workforce strategies to the Agency Strategic Plan and information resources management (IRM) strategies. SSA documented the effectiveness of its strategies for recruiting, training, and retaining IT staff in its IT Workforce Strategic Plan and in the Office of Systems 2004 Strategic Recruitment and Retention Plan. Using the information that the skills survey provided, SSA's Office of Systems has targeted hiring employees with the skills to match requirements defined in its gap analysis and in support of its Agency Strategic goals and IRM strategies. As a result of these actions, SSA senior decisionmakers will have assurance that they are effectively addressing IT knowledge and skill gaps in support of its strategic goals and IRM strategies.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the enterprise architecture area, establish milestones for and complete key elements of SSA's enterprisewide architecture, including (1) finalizing its framework, (2) updating and organizing its architectures and architecture definitions under the framework, and (3) reflecting its future service delivery vision and e-business goals.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. Over the past several years, SSA has completed key elements of its enterprise-wide architecture, including an enterprise-wide architecture framework. Specifically, SSA developed an enterprise information technology architecture (EITA) framework, which provides a structure for organizing the products that describe existing and future SSA architectures. The framework also identifies (1) the strategic information assets that define SSA's business processes; (2) the information necessary to operate these processes; (3) the technologies needed to support business operations; and (4) the transition process for implementing new technologies in response to the changing needs of SSA. As with the Federal Enterprise Architecture Framework, SSA's EITA framework defines three general categories of architecture--data, applications, and infrastructure. SSA also documented its current architectures in the areas of business process, application, data, and infrastructure, and its targeted application architecture. In addition, SSA reflected its future service delivery and e-business goals in its EITA Application Architecture document. SSA's EITA goals and initiatives supporting future service delivery goals include: (1) increasing programmatic automation; (2) developing an administrative business architecture; (3) incorporating enhanced system security technology; (4) providing multi-tiered workload control capabilities; and (5) supporting paperless processing. The e-business goal focuses on providing automated client self-help capabilities such as developing an Internet-based input channel that allows SSA clientele to deal directly with the agency's systems for programmatic transactions. Further, in an effort to continuously improve its enterprise architecture, SSA reported that it has implemented an independent verification and validation process for a third-party subject matter expert to review its entire enterprise architecture for completeness, conformance with OMB requirements, and level of maturity. As a result of these actions, SSA now has procedures in place to help effectively guide and constrain the development and evolution of its information systems.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, implement investment process benchmarking so that measurable improvements may be made to agency IT investment management processes based on those used by best-in-class organizations.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with GAO's recommendation and reported that, on a continuing basis, the agency reviews assessments of capital planning and investment control processes in other agencies to learn about problematic activities and best practices related to benchmarking. SSA also stated that it performs benchmarking on an ad hoc basis, when the agency believes that it is needed and practical. For example, SSA performed a total cost of ownership (TCO) analysis for its desktop computing environment that benchmarked the TCO experienced in other organizations to assist SSA in making an investment decision in this area. It also reported that it participated in benchmarking activities through discussions with other agencies concerning their implementation of Electronic-Capital Planning and Investment Control (e-CPIC).

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, develop, manage, and regularly evaluate the performance of a comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules, and risks) for all IT investments.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. The Capital Planning and Investment Control process guide states that the SSA Information Technology Advisory Board is to develop, manage, and regularly (on a quarterly basis) evaluate the performance of SSA's comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules and risk) for all IT investments. In addition, according to SSA, agency IT investments are reviewed and managed in monthly Office of Systems project reviews and CIO milestone reviews.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, regularly perform post-implementation reviews of IT investments and develop lessons learned from the process.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation and has outlined in its Capital Planning and Investment Control (CPIC) process guide the major activities required for a post-implementation review (PIR). The guide states, for example, that a PIR normally is to be conducted 3 to 12 months after the system becomes operational to validate estimated benefits and costs. In addition, the guide states that the PIR is to document lessons learned and provide insights to improve the evaluation phase, as well as decision making and oversight in the selection and control phases of the IT CPIC process. SSA performed a PIR of its Intelligent Work Station/Local Area Network (IWS/LAN) initiative. The agency also has recently taken steps such as capturing baseline information to perform a PIR of its electronic disability system initiative.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, revise the IT oversight process so that the executive staff oversees the comparison of actual cost, benefit, schedule, and risk data with original estimates for all investments to determine whether they are proceeding as expected, and if not, to take corrective actions as appropriate.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. According to the agency, its CIO-chaired, executive-level Information Technology Advisory Board (ITAB) is charged with overseeing IT projects, including comparing actual cost, benefit, schedule, and risk data with original estimates to determine whether the projects are proceeding as expected or require corrective action. This includes approving IT projects prior to the beginning of the fiscal year. Further, on a quarterly basis, the ITAB reviews the progress of each IT project and the capital investments that have been agreed to. SSA stated that when projects are not proceeding as planned, the CIO involves appropriate members of the ITAB to determine the reasons for the problems and to take corrective action such as redirecting or terminating the project when necessary.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, establish and annually review cost, benefit, schedule, and risk life-cycle expectations for each selected investment.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation, and according to its Capital Planning and Investment Control process guide, agency executives are to regularly monitor the progress of ongoing IT projects against projected cost, schedule, and performance (including delivered benefits). SSA stated that IT investments are reviewed and managed in monthly Office of Systems project reviews, CIO milestone reviews, and, on an exception basis, CIO-directed in-process reviews. In addition, IT investments are monitored in quarterly meetings of the CIO-chaired Information Technology Advisory Board.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, analyze and prioritize all IT investments based on the predefined selection criteria and make selection decisions according to the established process.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with GAO's recommendation, and in response established guidance that requires executive level officials to prioritize IT investments based on predefined criteria such as costs, benefits, schedule and risks. Further, the agency's Capital Planning and Investment control Process Guide specifically states that an analysis of costs and benefits should be prepared for IT projects and updated throughout their life cycle. SSA also implemented a selection and prioritization methodology (Strategic Objective Portfolio Methodology) that it believes is conducive to achieving success in budget and performance integration. For example, SSA reported that this methodology brings to IT strategic meetings a lead portfolio manager, the customer, developer and planner. The meeting results in a prioritized list of requirements that will compete for funding in SSA's Information Technology Advisory Board process based on the agency's selection criteria.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, develop and maintain selection criteria that include explicit cost, benefit, schedule, and risk criteria to facilitate the objective analysis, comparison, prioritization, and selection of IT investments.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. SSA's information technology (IT) investment management and budget documentation identifies predefined selection criteria that include: (1) support of an agency strategic goal; (2) expected project cost, schedule, benefit, and performance outcomes; (3) summary of accomplishments to date (including studies, pilots, or related procurement awards made or scheduled to be made); and (4) current cost-benefit analysis or return-on-investment data (including identification of risks). The agency's Capital Planning and Investment Control process guide specifically states that an analysis of costs and benefits should be prepared for IT projects and updated throughout their life cycle. Also, as part of SSA's budget call, the Office of Systems distributes instructions throughout the agency that include criteria for reporting cost, benefit, schedule, and risk information for IT projects. The instructions require agency components to describe how project performance will be measured and reported; the planned system's life and the strategy for refreshment and replacement of supporting technology; and a summary of accomplishments to date, including studies, pilots, or related procurement awards made or scheduled to be made. Collectively, these IT investment selection criteria should facilitate objective analyses, comparisons, prioritizations, and selections of SSA's IT investments.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the enterprise architecture area, effectively implement change management and legacy system integration policies, procedures, and processes across the agency, and set target dates for full implementation of these maintenance processes.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. SSA established an Enterprise Information Technology Architecture (EITA) change management control process which applies to the technology infrastructure, application, and data components of its EITA. SSA also stated that its legacy systems are fully integrated with its EITA. The legacy systems are described in the agency's EITA within the context of the agency's infrastructure, data, and application architecture processes that include target architectures. In addition, SSA established a transition strategy for its EITA, which describes the agency's strategy for migrating from the existing IT architecture, including legacy systems, to the target enterprise architecture.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the area of software development, consistently apply the requirements management, project planning, project tracking and oversight, quality assurance, and configuration management policies and procedures developed by the software process improvement program across all software development efforts.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: In order to ensure that its Software Process Improvement (SPI) policies and procedures are consistently followed, the Social Security Administration's (SSA) Office of Systems developed a systems development, delivery, and support policy. This policy requires that all priority software development efforts adhere to its project management directive, which addresses the key software development process areas, including requirements management, project planning, project tracking and oversight, quality assurance, and configuration management. In addition, the Office of Systems acquired 18 information technology specialists to serve as process consultants to priority software development efforts. Among other tasks, these individuals are responsible for ensuring that software development project managers follow SPI-compliant practices and that any deviations or non-compliance are identified and reported.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, implement workforce strategies that support the results of this gap analysis.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation, and using its online Skills Inventory Planning Systems, the agency identified and assessed its current and future information technology (IT) staff skills and requirements, and performed a related gap analysis. SSA subsequently developed an IT workforce strategic plan that provides the framework for linking workforce strategies and planning to the findings of the gap analysis. Further, SSA established an oversight committee to identify steps for developing a strategy to integrate skill gap issues with its human capital planning efforts. The committee identified specific areas that linked skill gaps to budget, recruitment, and training strategies. Further, the findings of the gap analysis are used to periodically update SSA's IT recruitment plan.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, determine whether a gap exists between current and future IT staff requirements and current staffing.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation, and in June 2003, it performed a gap analysis between its current and future information technology staff requirements. The gap analysis is being used in the agency's Office of Systems workforce strategies and planning efforts including, project allocations, human capital resource allocations, training, recruitment, retention, and reassessment of the Office of Systems organization. SSA plans to conduct a skills inventory and gap analysis annually.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, develop and maintain an inventory of the Office of Systems' current IT staff's knowledge and skills.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation, and developed an online Skills Inventory Planning System (SIPS). The SIPS has been used to capture information on the competencies and skills of technical employees in SSA's Office of Systems, collect information on future skill needs, perform a gap analysis between current skills and future skills requirements on which to develop IT workforce planning strategies, track skills lost to potential retirements, and support the Office of System's human capital strategy.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, complete an assessment of the Office of Systems; current and future IT knowledge and skill needs.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation. In June 2003, the agency completed an assessment of its Office of Systems' current and future information technology (IT) knowledge and skills needs. As a result of this assessment, SSA managers included data in the agency's online skills inventory reflecting the competencies, skills, and retirement eligibility for approximately 2,300 IT specialists.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the information security area, use the platform security settings to strengthen security for each application utilizing these platforms.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation, and in response, developed policy/risk models and technical system standard settings for its major system platforms. The policy/risk models protect the operating system from intrusion or the unauthorized escalation of system privileges. The security settings define the profiles for user access to applications or transactions within the applications, thus strengthening the security for the application utilizing the platform. SSA also developed and implemented new tools and procedures to monitor adherence to its major platforms' technical system standards, as well as procedures for corrective actions for noncompliance with these standards. As a result, SSA now has the necessary guidance and controls to provide effective oversight and evaluation of information security related to these platforms, including improved security for the applications utilizing the platforms.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the information security area, develop monitoring techniques and corrective actions for noncompliance for the major systems platforms.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation and implemented actions to enhance its ability to effectively monitor and provide corrective actions for noncompliance with its technical system standards and risk policy models for major platforms. An independent audit of SSA's internal controls determined that SSA had developed procedures to support the monitoring and compliance aspects of the technical system standards for its major platforms, including the Windows NT, Windows 2000, AS 400, and WANG platforms. In addition, SSA implemented new tools to monitor adherence to platform security configuration standards for these platforms. Each platform is monitored periodically to ensure that administrators are adhering to the risk models and related technical system standards. In addition, SSA implemented corrective action prcedures to address instances of noncompliance with its major platforms' security configuration standards, including the establishment of a team of network experts to perform corrective actions for noncompliance issues. As a result of these actions, SSA improved its ability to provide effective oversight and evaluation of information security related to its major platforms and perform corrective actions for noncompliance with its platforms' security configuration standards.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the information security area, strengthen the entitywide security framework by completing policy/risk models and technical system standards (security settings) for SSA's major systems platforms.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA strengthened its entity-wide security framework by completing policy/risk models and technical system standards (security settings) for its major systems platforms. PricewaterhouseCoopers LLP audited SSA's systems of accounting and internal controls and reported that SSA had established and published technical security configuration standards (policy/risks models and technical standards) for its major platforms, including NT, Unix, AS 400, and SSA's firewall servers.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the enterprise architecture area, develop and implement a procedure to grant waivers to software development projects when deviations from policies and procedures occur.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: In June 2001, SSA's Office of Systems implemented a procedure for granting waivers to deviate from the Software Process Improvement (SPI) project management directive, which includes procedures for software development. Once a project manager develops a waiver, it is forwarded to the SPI office for review. If the SPI office determines that the waiver should be considered, it then forwards the waiver to the Deputy Commissioner for Systems and the Assistant Deputy Commissioner for Systems for its review. The waiver is not granted until it receives a final approval from the Deputy Commissioner or Assistant Deputy Commissioner for Systems.

    Recommendation: To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the Chief Information Officer (CIO) and the Deputy Commissioner for Systems to, in the investment management area, develop and implement a process guide that establishes the policies, procedures, and key criteria for conducting the IT investment management process and guiding executive staff operations.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA agreed with this recommendation and developed an Information Technology (IT) Capital Planning and Investment Control (CPIC) process guide that was presented to the CIO-chaired Information Technology Advisory Board (ITAB) in April 2003. The guide describes the select, control, and evaluate phases of SSA's IT investment management process. Our review of the guide determined that it documents the policies, procedures, and key criteria for SSA's IT investment management process and related executive staff operations.

    Apr 2, 2014

    Feb 26, 2014

    Feb 12, 2014

    Jan 13, 2014

    Nov 13, 2013

    Nov 6, 2013

    Sep 12, 2013

    Sep 11, 2013

    Looking for more? Browse all our products here