Library of Congress:

Strong Leadership Needed to Address Serious Information Technology Management Weaknesses

GAO-15-315: Published: Mar 31, 2015. Publicly Released: Mar 31, 2015.

Contact:

Joel C. Willemssen
(202) 512-6253
willemssenj@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness:

Strategic planning: The Library does not have an IT strategic plan that is aligned with the overall agency strategic plan and establishes goals, measures, and strategies. This leaves the Library without a clear direction for its use of IT.

Investment management: Although the Library obligated at least $119 million on IT for fiscal year 2014, it is not effectively managing its investments. To its credit, the Library has established structures for managing IT investments—including a review board and a process for selecting investments. However, the board does not review all key investments, and its roles and responsibilities are not always clearly defined. Additionally, the Library does not have a complete process for tracking its IT spending or an accurate inventory of its assets. For example, while the inventory identifies over 18,000 computers currently in use, officials stated that the Library has fewer than 6,500. Until the Library addresses these weaknesses, its ability to make informed decisions will be impaired.

Information security and privacy: The Library assigned roles and responsibilities and developed policies and procedures for securing its information and systems. However, its implementation of key security and privacy management controls was uneven. For example, the Library's system inventory did not include all key systems. Additionally, the Library did not always fully define and test security controls for its systems, remediate weaknesses in a timely manner, and assess the risks to the privacy of personal information in its systems. Such deficiencies also contributed to weaknesses in technical security controls, putting the Library's systems and information at risk of compromise.

Service management: The Library's Information Technology Services (ITS) division is primarily responsible for providing IT services to the agency's operating units. While ITS has catalogued these services, it has not fully developed agreements with the other units specifying expected levels of performance. Further, the other units were often not satisfied with these services, which has contributed to them independently pursuing their own IT activities. This in turn has resulted in units purchasing unnecessary hardware and software, maintaining separate e-mail environments, and managing overlapping or duplicative IT activities.

Leadership: The Library does not have the leadership needed to address these IT management weaknesses. For example, the agency's chief information officer (CIO) position does not have adequate authority over or oversight of the Library's IT. Additionally, the Library has not had a permanent CIO since 2012 and has had five temporary CIOs in the interim.

In January 2015, at the conclusion of GAO's review, officials stated that the Library plans to draft an IT strategic plan within 90 days and hire a permanent CIO. If it follows through on these plans, the Library will be in a stronger position to address its IT management weaknesses and more effectively support its mission.

Why GAO Did This Study

The Library of Congress is the world's largest library, whose mission is to make its resources available and useful to Congress and the American public. In carrying out its mission, the Library increasingly relies on IT systems, particularly in light of the ways that digital technology has changed the way information is created, shared, and preserved.

The House Appropriations Committee report accompanying the 2015 legislative branch appropriations bill required GAO to conduct a review of IT management at the Library. GAO's objectives focused on the extent to which the Library has established and implemented key IT practices and requirements in, among other areas: (1) strategic planning, (2) governance and investment management, (3) information security and privacy, (4) service management, and (5) leadership. To carry out its work, GAO reviewed Library regulations, policies, procedures, plans, and other relevant documentation for each area and interviewed key Library officials.

What GAO Recommends

GAO is recommending that the Library expeditiously hire a permanent CIO. GAO is also making 30 other recommendations to the Library aimed at establishing and implementing key IT management practices. The Library generally agreed with GAO's recommendations and described planned and ongoing actions to address them.

For more information, contact Joel C. Willemssen at (202) 512-6253 or willemssenj@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide stable, consistent, and effective leadership for addressing the weaknesses identified in this report, as well as for improving the organization's management of IT, the Librarian should expeditiously hire a permanent chief information officer responsible for managing the Library's IT and ensure that this official has clearly defined responsibilities and adequate authority, consistent with the role of a chief information officer as defined by best practices. This should include, among other things, (1) responsibility for commodity IT; (2) oversight of mission-specific systems, through the ITSC or another oversight mechanism; and (3) clarification of responsibilities and authorities between the Library CIO and service unit IT leadership.

    Agency Affected: Library of Congress

  2. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should complete an IT strategic plan within the time frame the Library has established for doing so. The plan, at a minimum, should (1) align with the agency's overall strategic plan, (2) provide results-oriented goals and performance measures, (3) identify the strategies for achieving the desired results, and (4) describe interdependencies among projects.

    Agency Affected: Library of Congress

  3. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency Affected: Library of Congress

  4. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency Affected: Library of Congress

  5. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should clarify investment management policy to identify which governance bodies are responsible for making investment decisions, and under what conditions.

    Agency Affected: Library of Congress

  6. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency Affected: Library of Congress

  7. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency Affected: Library of Congress

  8. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency Affected: Library of Congress

  9. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency Affected: Library of Congress

  10. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.

    Agency Affected: Library of Congress

  11. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies, to include guidance for service units on classifying expenditures as IT, for maintaining a full accounting of the Library's IT-related expenditures.

    Agency Affected: Library of Congress

  12. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency Affected: Library of Congress

  13. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should implement policies and procedures for conducting post-implementation reviews of investments.

    Agency Affected: Library of Congress

  14. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency Affected: Library of Congress

  15. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency Affected: Library of Congress

  16. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency Affected: Library of Congress

  17. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency Affected: Library of Congress

  18. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency Affected: Library of Congress

  19. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop a complete and accurate inventory of the agency's information systems.

    Agency Affected: Library of Congress

  20. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency Affected: Library of Congress

  21. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency Affected: Library of Congress

  22. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency Affected: Library of Congress

  23. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency Affected: Library of Congress

  24. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency Affected: Library of Congress

  25. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency Affected: Library of Congress

  26. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency Affected: Library of Congress

  27. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.

    Agency Affected: Library of Congress

  28. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should require the chief privacy officer to establish and implement a process for reviewing the Library's privacy program, to include ensuring that privacy impact assessments are conducted for all information systems.

    Agency Affected: Library of Congress

  29. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency Affected: Library of Congress

  30. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency Affected: Library of Congress

  31. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency Affected: Library of Congress
