Library of Congress: Strong Leadership Needed to Address Serious Information Technology Management Weaknesses

GAO-15-315 Published: Mar 31, 2015. Publicly Released: Mar 31, 2015.
Highlights

What GAO Found

The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness:

Strategic planning: The Library does not have an IT strategic plan that is aligned with the overall agency strategic plan and establishes goals, measures, and strategies. This leaves the Library without a clear direction for its use of IT.

Investment management: Although the Library obligated at least $119 million on IT for fiscal year 2014, it is not effectively managing its investments. To its credit, the Library has established structures for managing IT investments—including a review board and a process for selecting investments. However, the board does not review all key investments, and its roles and responsibilities are not always clearly defined. Additionally, the Library does not have a complete process for tracking its IT spending or an accurate inventory of its assets. For example, while the inventory identifies over 18,000 computers currently in use, officials stated that the Library has fewer than 6,500. Until the Library addresses these weaknesses, its ability to make informed decisions will be impaired.

Information security and privacy: The Library assigned roles and responsibilities and developed policies and procedures for securing its information and systems. However, its implementation of key security and privacy management controls was uneven. For example, the Library's system inventory did not include all key systems. Additionally, the Library did not always fully define and test security controls for its systems, remediate weaknesses in a timely manner, and assess the risks to the privacy of personal information in its systems. Such deficiencies also contributed to weaknesses in technical security controls, putting the Library's systems and information at risk of compromise.

Service management: The Library's Information Technology Services (ITS) division is primarily responsible for providing IT services to the agency's operating units. While ITS has catalogued these services, it has not fully developed agreements with the other units specifying expected levels of performance. Further, the other units were often not satisfied with these services, which has contributed to them independently pursuing their own IT activities. This in turn has resulted in units purchasing unnecessary hardware and software, maintaining separate e-mail environments, and managing overlapping or duplicative IT activities.

Leadership: The Library does not have the leadership needed to address these IT management weaknesses. For example, the agency's chief information officer (CIO) position does not have adequate authority over or oversight of the Library's IT. Additionally, the Library has not had a permanent CIO since 2012 and has had five temporary CIOs in the interim.

In January 2015, at the conclusion of GAO's review, officials stated that the Library plans to draft an IT strategic plan within 90 days and hire a permanent CIO. If it follows through on these plans, the Library will be in a stronger position to address its IT management weaknesses and more effectively support its mission.

Why GAO Did This Study

The Library of Congress is the world's largest library, whose mission is to make its resources available and useful to Congress and the American public. In carrying out its mission, the Library increasingly relies on IT systems, particularly in light of the ways that digital technology has changed the way information is created, shared, and preserved.

The House Appropriations Committee report accompanying the 2015 legislative branch appropriations bill required GAO to conduct a review of IT management at the Library. GAO's objectives focused on the extent to which the Library has established and implemented key IT practices and requirements in, among other areas: (1) strategic planning, (2) governance and investment management, (3) information security and privacy, (4) service management, and (5) leadership. To carry out its work, GAO reviewed Library regulations, policies, procedures, plans, and other relevant documentation for each area and interviewed key Library officials.

Recommendations

GAO is recommending that the Library expeditiously hire a permanent CIO. GAO is also making 30 other recommendations to the Library aimed at establishing and implementing key IT management practices. The Library generally agreed with GAO's recommendations and described planned and ongoing actions to address them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Library of Congress To provide stable, consistent, and effective leadership for addressing the weaknesses identified in this report, as well as for improving the organization's management of IT, the Librarian should expeditiously hire a permanent chief information officer responsible for managing the Library's IT and ensure that this official has clearly defined responsibilities and adequate authority, consistent with the role of a chief information officer as defined by best practices. This should include, among other things, (1) responsibility for commodity IT; (2) oversight of mission-specific systems, through the ITSC or another oversight mechanism; and (3) clarification of responsibilities and authorities between the Library CIO and service unit IT leadership.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in September 2015 the Library hired a permanent Chief Information Officer (CIO). Additionally, in November 2016 the Librarian directed all top-level IT staff in the Library's various service units to be detailed to the Library's Office of the CIO, including service unit IT leadership. Further, in May 2017 the Librarian approved Library of Congress Regulations regarding the Office of the Chief Information Officer and IT Steering Committee (ITSC). These regulations make the CIO responsible for commodity IT and define the CIO's responsibilities for oversight of mission-specific systems through the ITSC. By hiring a permanent CIO with responsibility for IT, sufficient authority, and clearly defined responsibilities, the Library is better positioned to effectively acquire, operate, and maintain its IT in support of its mission.
Library of Congress To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should complete an IT strategic plan within the time frame the Library has established for doing so. The plan, at a minimum, should (1) align with the agency's overall strategic plan, (2) provide results-oriented goals and performance measures, (3) identify the strategies for achieving the desired results, and (4) describe interdependencies among projects.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in March 2016, the Library finalized its IT strategic plan and updated its plan in April 2017. The plan includes four goals that are generally results-oriented and describes how each goal aligns with the agency's overall strategic plan. Additionally, the Library developed fiscal year 2017 performance measures and associated targets for each of the four goals. Further, the plan includes strategies for achieving its goals. Lastly, the plan describes interdependencies among projects. By developing an IT strategic plan that sets forth a long-term vision and the intermediate steps that are needed to guide the agency, the Library is better positioned to effectively prioritize investments and use the best mix of limited resources to move toward its longer-term, agency-wide goals.
Library of Congress To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.
Closed – Implemented
The Library of Congress generally agreed with, and has addressed, this recommendation. Specifically, the Library developed an enterprise architecture that captures the Library's current IT environment, describes the target IT environment, and outlines a strategy for transitioning from one to the other. By developing an enterprise architecture, the Library will have increased assurance that the planning and implementation of the agency's IT systems will take full account of the business and technology environment in which the systems are to operate.
Library of Congress To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.
Closed – Implemented
The Library of Congress generally agreed with, and has addressed, this recommendation. Specifically, between July 2016 and December 2017, the Library engaged the Office of Personnel Management to perform a Library-wide assessment of IT human capital needs, including an analysis of gaps between current skills and future needs. In addition, the Library finalized a strategy for closing identified IT skills gaps as well as a follow-on training plan in December 2017 and September 2018, respectively. By identifying IT skills gaps and developing a strategy for closing those gaps, the Library is better positioned to meet its future IT needs.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should clarify investment management policy to identify which governance bodies are responsible for making investment decisions, and under what conditions.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals are to be reviewed annually by the Architecture Review Board and the IT Steering Committee. After these reviews have been completed, the IT Steering Committee is to then identify which IT investment proposals are to be included in the annual IT Investment Portfolio. Once the IT Investment Portfolio has been developed, the directive calls for the Library's Executive Committee to review the portfolio and for the Librarian to provide final approval. By clarifying which governance bodies are responsible for making investment decisions, the Library is better positioned to ensure that investments are properly aligned with the business needs of the entire organization.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.
Closed – Implemented
The Library of Congress agreed with and has taken steps to implement this recommendation. As part of its investment management process, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture (EA). In addition, for 15 fiscal year 2018 investments, the Library described how these investments align with its IT strategic plan and architecture. Specifically, all the investment proposals described alignment with the Library's IT strategic goals. With respect to EA, all 15 investments described alignment with the business functions of the organization, and all but three described alignment with the Library's technical environment. By establishing and implementing a process for linking IT investment management with IT strategic planning and EA, the Library is better positioned to make investment decisions that meet the needs of the agency.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017, the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals, including those that are operational, are to be reviewed annually by the IT Steering Committee and the Executive Committee. In addition, the Library's IT Steering Committee and Executive Committee reviewed key operational investments for fiscal years 2017 and 2018. By establishing and implementing a process for reselecting investments that are already operational, the Library is better positioned to make investment decisions that meet the needs of the agency.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. In June 2017, the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, funding requests for new IT programs are to be reviewed annually by the IT Steering Committee and the Executive Committee prior to being included in the agency's budget request. In addition, the Library's IT Steering Committee and Executive Committee reviewed all of the funding requests for new IT programs for fiscal years 2017 and 2018. By establishing and implementing a process for ensuring that investment selection decisions have an impact on decisions to fund investments, the Library is better positioned to make investment decisions that meet the needs of the agency.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. In June 2017, the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals are to be reviewed annually by the IT Steering Committee and the Executive Committee. In addition, the Library's IT Steering Committee and Executive Committee reviewed the key investments for fiscal years 2017 and 2018. By ensuring that appropriate governance bodies review all investments that meet defined criteria, the Library is better positioned to make investment decisions that meet the needs of the agency.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, Library units are required to complete and submit quarterly IT investment reports for review by the Library's IT Steering Committee. Additionally, the Library developed a standard investment reporting template that includes requests for cost, schedule, and risk management data. Further, in November 2017, the Library provided us with reports for 19 key IT investments in development. The reports almost always included complete data on investment cost, schedule, and risk management. By requiring investments to provide complete data on cost, schedule, and risk, the Library will be better positioned to see early warning signs that indicate the need for corrective action, thereby reducing the risk of failed investments or investments that do not adequately support business processes, meet user needs, or provide a successful return on investment.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies, to include guidance for service units on classifying expenditures as IT, for maintaining a full accounting of the Library's IT-related expenditures.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in September 2015 the Library's Chief Information Officer and Chief Financial Officer issued a memorandum requiring service units to track IT spending and provided guidance on how this is to be done. In April 2017, the Library finalized a report of fiscal year 2016 non-personnel IT expenditures. The report describes about $82 million in expenditures and shows how the money was spent by IT cost categories (e.g., data center, desktop and laptop systems, IT management) and by service unit. By developing and implementing a process for maintaining a full accounting of IT-related expenditures, the Library is in a more knowledgeable position to make decisions.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.
Closed – Implemented
The Library of Congress generally agreed with, and has addressed, this recommendation. In September 2018, the Library finalized an IT asset management directive, which includes procedures for developing and maintaining an inventory of IT assets. Additionally, the Library developed an inventory that describes the location and owner of nearly 5,000 Library-owned desktop and laptop computers. By establishing and implementing a policy for developing a comprehensive inventory of IT assets, the Library is better positioned to make informed decisions regarding IT investments.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should implement policies and procedures for conducting post-implementation reviews of investments.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Between October 2015 and June 2016, the Library has conducted post-implementation reviews for three investments. For each review the Library compared expectations for cost, schedule, performance, and mission improvement outcomes, consistent with established policies and procedures. As a result, the Library is better positioned to learn from all past investments and evaluate the effectiveness of its investment management process.
Library of Congress To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.
Closed – Implemented
The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library has established and implemented policies and procedures consistent with the following three key portfolio management practices: (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio. By establishing and implementing policies and procedures for portfolio management, the Library is better positioned to make investment decisions that meet the needs of the agency.
Library of Congress To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for risk management. Further, the Project Management Office developed risk management guidance that includes key risk management practices. In addition, the Library provided documentation for three key IT projects that demonstrated the implementation of this guidance. Establishing and implementing these policies will provide additional assurance that risks facing IT investments are being adequately addressed.
Library of Congress To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office has finalized detailed guidance for the Library on requirements development. This guidance addressed key requirements management practices identified in our report. In addition, the Library provided documentation for three key IT projects that demonstrate evidence of the implementation of this guidance. By establishing and implementing a requirements management policy and procedures, the Library will have additional assurance that its IT investments will meet stakeholder and customer needs.
Library of Congress To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.
Open
The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates for IT projects. However, in February 2021, the Library's Office of the Inspector General (OIG) reported that the Library did not follow all cost estimating best practices when developing cost baselines for the IT Modernization project efforts. In response, in September 2021 the Library developed a roadmap that outlined actions needed to improve cost estimating practices through 2026 and has taken initial steps to carry out those actions. For example, in April 2023 the Library stated that it had updated its cost estimating guidance to describe how a cost estimate should be used throughout a project's lifecycle. The Library anticipates that it will fully address this recommendation by December 2023. We will continue to evaluate the Library's progress in implementing this recommendation.
Library of Congress To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.
Open
The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for IT project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining IT project schedules. However, in February 2021, the Library's Office of the Inspector General (OIG) reported that the Library did not follow all scheduling best practices for its IT Modernization project efforts. In response, in September 2021 the Library developed a roadmap that outlined actions needed to improve IT project scheduling practices through 2026 and has taken initial steps to carry out those actions. For example, in April 2023, the Library stated that it had defined and begun implementing several process changes, including the use of integrated master schedules for large projects and programs, project baselines, and critical path analyses. The Library anticipates that it will fully address this recommendation by April 2024. We will continue to evaluate the Library's progress in implementing this recommendation.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop a complete and accurate inventory of the agency's information systems.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library's Information Technology Security Group conducted a review of Library systems and developed a consolidated inventory that includes all Library systems. Additionally, at the request of the Library's Chief Information Security Officer, each Library unit validated that the inventory is complete and accurate. As a result, the Library (1) has greatly increased assurance that it is aware of all of its systems and data, and (2) is in a more knowledgeable position to help ensure that these resources have appropriate security controls.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in March 2016, the Library developed guidance that calls for system security plans to describe common security controls. In addition, the Library ensured that system security plans for key systems described common controls. By establishing and implementing a policy for describing common security controls, the Library is better positioned to make fully informed judgments regarding the risks involved in operating its systems.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library ensured that the system security plans for key systems are complete by including descriptions of how security controls were implemented and justifications for why controls were not applied. By ensuring that system security plans are complete, the Library is better positioned to make fully informed judgments regarding the risks involved in operating its systems.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.
Closed – Implemented
The Library of Congress generally agreed with, and has implemented, this recommendation. Specifically, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. In July 2020, the Library demonstrated that it established and implemented a process for monitoring the extent to which the agency is conducting security testing for all systems within the time frames called for by Library policy. By using this process, the Library ensured that, as of July 2020, more than 80 percent of all security controls were tested consistent with the time frames called for by Library policy across all systems in the agency's continuous monitoring program. Although the Library can still improve in this area, by conducting security testing for more than 80 percent of the agency's systems in the continuous monitoring program, the Library has increased assurance that its security controls are working as intended, reducing the risk that attackers could compromise the confidentiality, integrity, or availability of the systems.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.
Closed – Implemented
The Library of Congress generally agreed with, and has addressed, this recommendation. Specifically, in September 2018 the Library provided remedial action plans for all Library systems; these plans included priority levels, status, and time frames for estimated completion. In addition, the Library has established and implemented a policy requiring that owners and security officials for systems that meet either of the following thresholds discuss the remedial action plans with the Deputy Chief Information Officer on a bi-weekly basis: (1) remedial action plans deemed to be "high impact" that are not addressed within 30 days, and (2) the highest quantity of remedial action plans. Further, as authorizing official for all Library systems, the Deputy Chief Information Officer has established and implemented a policy requiring that any system with "high impact" remedial action plans that are not addressed within 30 days will not be granted an authorization to operate that is longer than 30 days. Moreover, the Library has made significant improvements in its ability to address remedial action plans in a timely manner. For example, in September 2018 the Library had 65 percent fewer high impact remedial action plans than it had about a year prior. By addressing weaknesses in the Library's process for remediating vulnerabilities, the agency is better positioned to track, assess, and accurately report the status of the agency's plans for addressing information security weaknesses.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.
Closed – Implemented
The Library of Congress generally agreed with, and has addressed, this recommendation. Specifically, in October and November 2015, the Library finalized its guidance on continuous monitoring and system authorization decisions. This guidance calls for the Library to ensure that the results of security control testing are used to inform system authorization decisions and that all operational systems have received authorization to operate from the Library's authorizing official. The guidance also calls for the Library to ensure that system risks are periodically reviewed by the Library's authorizing official. In addition, as of November 2018, the Library ensured that more than 90 percent of the agency's operational systems were authorized to operate and required those systems to follow the Library's continuous monitoring guidance for testing security controls. In doing so, the authorizing official reviewed the results of security control tests and granted systems whose risks were identified as being at an acceptable level approval to operate for a year. By contrast, systems with risks that were not at an acceptable level (about 32 percent of Library systems as of September 2018) were granted approval to operate for less than a year, with most systems receiving approval for 30 days. Further, the Library has established and implemented a process for providing the Library's authorizing official the status of remedial action plans for all Library systems on a weekly basis. By establishing and implementing the guidance on continuous authorization decisions, the Library has increased assurance that appropriate officials have been informed of system risks when making authorization decisions.
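The three status entries above describe one measurable monitoring loop: controls are re-tested within a policy time frame, remedial action plans are aged against a 30-day deadline for "high impact" items, and the authorizing official shortens the authorization term for systems that miss that deadline. The following Python is an added example (not GAO's or the Library's code) that computes those metrics over a constructed set of controls and remedial action plans. The 30-day deadline and the 30-day versus one-year authorization terms mirror the report text; the 365-day control re-test interval, the system names, dates and weakness descriptions are assumptions made up for the example.

```python
"""Continuous-monitoring metrics over constructed data (added example, not GAO or Library code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TEST_INTERVAL_DAYS = 365        # ASSUMED policy interval for re-testing a control
HIGH_IMPACT_DEADLINE_DAYS = 30  # high-impact plans must be addressed within 30 days (from the report)
FULL_ATO_DAYS = 365             # authorization term for systems at acceptable risk (from the report)
LIMITED_ATO_DAYS = 30           # term for systems with overdue high-impact plans (from the report)


@dataclass
class Control:
    system: str
    control_id: str
    last_tested: Optional[date]   # None means the control has never been assessed


@dataclass
class RemedialPlan:
    system: str
    weakness: str
    impact: str                   # "high", "moderate" or "low"
    opened: date
    closed: Optional[date] = None


def control_test_coverage(controls: List[Control], as_of: date) -> float:
    """Fraction of controls tested within TEST_INTERVAL_DAYS of as_of (the 'percent tested' figure)."""
    if not controls:
        return 0.0
    current = sum(
        1 for c in controls
        if c.last_tested is not None and (as_of - c.last_tested).days <= TEST_INTERVAL_DAYS
    )
    return current / len(controls)


def overdue_high_impact(plans: List[RemedialPlan], as_of: date) -> List[RemedialPlan]:
    """Open high-impact plans older than the 30-day deadline."""
    return [
        p for p in plans
        if p.impact == "high" and p.closed is None
        and (as_of - p.opened).days > HIGH_IMPACT_DEADLINE_DAYS
    ]


def authorization_term(system: str, plans: List[RemedialPlan], as_of: date) -> int:
    """Authorization term in days: 30 if the system has any overdue high-impact plan, else a year."""
    if any(p.system == system for p in overdue_high_impact(plans, as_of)):
        return LIMITED_ATO_DAYS
    return FULL_ATO_DAYS


def systems_needing_review(plans: List[RemedialPlan], as_of: date) -> List[str]:
    """Systems whose owners meet the Deputy CIO bi-weekly: overdue high-impact plans, or most open plans."""
    flagged = {p.system for p in overdue_high_impact(plans, as_of)}
    open_counts = {}
    for p in plans:
        if p.closed is None:
            open_counts[p.system] = open_counts.get(p.system, 0) + 1
    if open_counts:
        most = max(open_counts.values())
        flagged |= {s for s, n in open_counts.items() if n == most}
    return sorted(flagged)


# Constructed sample data; none of these systems, dates or weaknesses come from the report.
AS_OF = date(2018, 9, 30)
CONTROLS = [
    Control("catalog", "AC-2", date(2018, 3, 1)),
    Control("catalog", "AU-6", date(2017, 6, 1)),   # older than the assumed interval -> not current
    Control("payroll", "AC-2", date(2018, 8, 15)),
    Control("payroll", "SI-2", None),                # never tested
    Control("web", "AC-2", date(2018, 9, 1)),
]
PLANS = [
    RemedialPlan("catalog", "unpatched library", "high", date(2018, 7, 1)),          # 91 days open -> overdue
    RemedialPlan("payroll", "weak password policy", "high", date(2018, 9, 20)),      # 10 days open -> within deadline
    RemedialPlan("payroll", "missing audit review", "moderate", date(2018, 5, 1)),
    RemedialPlan("payroll", "stale accounts", "low", date(2018, 6, 1), closed=date(2018, 8, 1)),
    RemedialPlan("web", "TLS configuration", "high", date(2018, 6, 1), closed=date(2018, 6, 20)),
]

if __name__ == "__main__":
    print(f"controls tested within interval: {control_test_coverage(CONTROLS, AS_OF):.0%}")
    for p in overdue_high_impact(PLANS, AS_OF):
        print(f"overdue high-impact plan: {p.system}: {p.weakness}")
    for system in ("catalog", "payroll", "web"):
        print(f"{system}: authorization term {authorization_term(system, PLANS, AS_OF)} days")
    print("bi-weekly review:", ", ".join(systems_needing_review(PLANS, AS_OF)))
```

On the constructed data, 3 of 5 controls are current, the "catalog" system carries the only overdue high-impact plan and is therefore limited to a 30-day authorization, and "payroll" is pulled into the bi-weekly review because it holds the most open plans even though none is overdue.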
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in January 2018, the Library developed an IT contingency plan for all systems that require such a plan. The Library also provided the IT contingency plans for nine key systems, and we determined these were consistent with federal guidance. By developing contingency plans for its systems, the Library has increased assurance that it will be able to recover systems entirely in the event of a large disaster and protect the information they contain from compromise.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to address, this recommendation. Specifically, in December 2017, the Library finalized a standard operating procedure that establishes a process for identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training. In addition, in September 2018 the Library provided reports showing the users that completed the Library's security awareness training for fiscal year 2018. By establishing and implementing a process for tracking whether personnel have taken security and privacy training, the Library has increased assurance that personnel have a basic awareness of information security issues and agency security and privacy policies and procedures.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in May 2016, the Library finalized its standard contract sections for information security and privacy requirements. These standard contract sections address federal information security guidelines and are required in all IT contracts. Additionally, in February 2017, the Library provided us with all contracts that were awarded between December 2016 and February 2017. Each of these contracts included the required information security and privacy sections. Further, the Library established and implemented a process for incorporating these sections into existing IT contracts. As a result, the Library has increased assurance that contractor personnel will operate and secure Library systems consistent with the agency's information security and privacy requirements.
Library of Congress To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should require the chief privacy officer to establish and implement a process for reviewing the Library's privacy program, to include ensuring that privacy impact assessments are conducted for all information systems.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. In particular, the Library has established a policy on privacy impact assessments. According to Library policy, privacy threshold analyses are to be conducted for all systems. Additionally, Library policy requires that privacy impact assessments be developed for systems with threshold analyses concluding that personally identifiable information (PII) is collected on members of the public or that sensitive PII is collected on any individual. Furthermore, Library policy calls for the Chief Privacy Officer (the Office of General Counsel) to review all privacy impact assessments. In addition, the Library has implemented its policy on privacy impact assessments. Specifically, as of August 2017, the Library had established privacy threshold analyses for all 171 operational Library systems. Those analyses concluded that 81 of the 171 systems required privacy impact assessments, and the Library developed assessments for each of the 81 systems. Further, the Office of General Counsel reviewed the privacy impact assessments for all 81 systems. By ensuring that privacy impact assessments have been conducted for all IT systems, the Library has greater assurance that appropriate security controls are in place to protect PII.
Library of Congress To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.
Closed – Implemented
The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library issued a directive for how its Office of the Chief Information Officer (OCIO) manages the IT services that it provides to the Library service units. The directive calls for OCIO to maintain a service catalog that describes the IT services provided by OCIO and that includes the service-level targets at which the resources and services are to be provided. In addition, the directive states that IT services not described in the service catalog may require a separately negotiated memorandum of agreement between OCIO and the service unit, and includes procedures for how these agreements are to be established. Consistent with this directive, in September 2016 the Library's OCIO finalized a new IT service catalog, which identifies 21 categories of IT services that are available to OCIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating to availability, fulfillment, and response. Additionally, between May 2016 and May 2017, OCIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for the specialized applications and services that OCIO provides to those units. By establishing and implementing this service-level agreement structure, the Library's IT office is better positioned to provide services that meet the needs of its customers.
Library of Congress To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.
Closed – Implemented
The Library of Congress generally agreed with, and has implemented, this recommendation. Specifically, in September 2018 the Office of the Chief Information Officer (OCIO) finalized a quality improvement process model for the Library's information technology (IT) services and began implementing the model in March 2019. In addition, the Library's OCIO administered a customer satisfaction survey to its users in late 2019, and the respondents indicated that they were generally satisfied with the IT services provided by OCIO. By developing and taking initial steps to implement a plan for improving customer satisfaction with IT services, OCIO is better positioned to invest resources effectively in improvement efforts that will satisfy users.
Library of Congress In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.
Closed – Implemented
The Library of Congress generally agreed with, and has addressed, this recommendation. In September 2017, the Library finalized a review of the agency's IT portfolio. The review identified duplicative IT services across the Library and made recommendations to eliminate these services, such as giving all authority for IT contracting to the Office of the Chief Information Officer (OCIO). In addition, the Library engaged a vendor to analyze the costs and benefits of maintaining Congressional Research Service's (CRS) separate network and e-mail environment. The vendor made recommendations aimed at further consolidating OCIO and CRS's separate network and e-mail environments, as well as enhancements to how the Library protects CRS systems. By assessing the costs and benefits of consolidating duplicative IT investments, the Library is better positioned to justify whether its IT spending provides the appropriate balance of meeting business needs and saving taxpayer dollars.
Topics: Background investigations, Chief information officers, Computer security, Confidential information, Copyright, Enterprise architecture, IT acquisitions, IT contingency plans, IT investment management, Information resources management, Information security, Information technology, Internal controls, Inventory control, Law libraries, Libraries, Policy evaluation, Quality improvement, Risk management, Software, Strategic information systems planning, Strategic planning, Duplication of effort, Policies and procedures, Privacy