Library of Congress:

Strong Leadership Needed to Address Serious Information Technology Management Weaknesses

GAO-15-315: Published: Mar 31, 2015. Publicly Released: Mar 31, 2015.

Contact:

Joel C. Willemssen
(202) 512-6253
willemssenj@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness:

Strategic planning: The Library does not have an IT strategic plan that is aligned with the overall agency strategic plan and establishes goals, measures, and strategies. This leaves the Library without a clear direction for its use of IT.

Investment management: Although the Library obligated at least $119 million on IT for fiscal year 2014, it is not effectively managing its investments. To its credit, the Library has established structures for managing IT investments—including a review board and a process for selecting investments. However, the board does not review all key investments, and its roles and responsibilities are not always clearly defined. Additionally, the Library does not have a complete process for tracking its IT spending or an accurate inventory of its assets. For example, while the inventory identifies over 18,000 computers currently in use, officials stated that the Library has fewer than 6,500. Until the Library addresses these weaknesses, its ability to make informed decisions will be impaired.

Information security and privacy: The Library assigned roles and responsibilities and developed policies and procedures for securing its information and systems. However, its implementation of key security and privacy management controls was uneven. For example, the Library's system inventory did not include all key systems. Additionally, the Library did not always fully define and test security controls for its systems, remediate weaknesses in a timely manner, and assess the risks to the privacy of personal information in its systems. Such deficiencies also contributed to weaknesses in technical security controls, putting the Library's systems and information at risk of compromise.

Service management: The Library's Information Technology Services (ITS) division is primarily responsible for providing IT services to the agency's operating units. While ITS has catalogued these services, it has not fully developed agreements with the other units specifying expected levels of performance. Further, the other units were often not satisfied with these services, which has contributed to them independently pursuing their own IT activities. This in turn has resulted in units purchasing unnecessary hardware and software, maintaining separate e-mail environments, and managing overlapping or duplicative IT activities.

Leadership: The Library does not have the leadership needed to address these IT management weaknesses. For example, the agency's chief information officer (CIO) position does not have adequate authority over or oversight of the Library's IT. Additionally, the Library has not had a permanent CIO since 2012 and has had five temporary CIOs in the interim.

In January 2015, at the conclusion of GAO's review, officials stated that the Library plans to draft an IT strategic plan within 90 days and hire a permanent CIO. If it follows through on these plans, the Library will be in a stronger position to address its IT management weaknesses and more effectively support its mission.

Why GAO Did This Study

The Library of Congress is the world's largest library, whose mission is to make its resources available and useful to Congress and the American public. In carrying out its mission, the Library increasingly relies on IT systems, particularly in light of the ways that digital technology has changed the way information is created, shared, and preserved.

The House Appropriations Committee report accompanying the 2015 legislative branch appropriations bill required GAO to conduct a review of IT management at the Library. GAO's objectives focused on the extent to which the Library has established and implemented key IT practices and requirements in, among other areas: (1) strategic planning, (2) governance and investment management, (3) information security and privacy, (4) service management, and (5) leadership. To carry out its work, GAO reviewed Library regulations, policies, procedures, plans, and other relevant documentation for each area and interviewed key Library officials.

What GAO Recommends

GAO is recommending that the Library expeditiously hire a permanent CIO. GAO is also making 30 other recommendations to the Library aimed at establishing and implementing key IT management practices. The Library generally agreed with GAO's recommendations and described planned and ongoing actions to address them.

For more information, contact Joel C. Willemssen at (202) 512-6253 or willemssenj@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in September 2015 the Library hired a permanent Chief Information Officer (CIO). Additionally, in November 2016 the Librarian directed all top-level IT staff in the Library's various service units to be detailed to the Library's Office of the CIO, including service unit IT leadership. Further, in May 2017 the Librarian approved Library of Congress Regulations regarding the Office of the Chief Information Officer and IT Steering Committee (ITSC). These regulations make the CIO responsible for commodity IT and define the CIO's responsibilities for oversight of mission-specific systems through the ITSC. By hiring a permanent CIO with responsibility for IT, sufficient authority, and clearly defined responsibilities, the Library is better positioned to effectively acquire, operate, and maintain its IT in support of its mission.

    Recommendation: To provide stable, consistent, and effective leadership for addressing the weaknesses identified in this report, as well as for improving the organization's management of IT, the Librarian should expeditiously hire a permanent chief information officer responsible for managing the Library's IT and ensure that this official has clearly defined responsibilities and adequate authority, consistent with the role of a chief information officer as defined by best practices. This should include, among other things, (1) responsibility for commodity IT; (2) oversight of mission-specific systems, through the ITSC or another oversight mechanism; and (3) clarification of responsibilities and authorities between the Library CIO and service unit IT leadership.

    Agency Affected: Library of Congress

  2. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in March 2016, the Library finalized its IT strategic plan and updated its plan in April 2017. The plan includes four goals that are generally results-oriented and describes how each goal aligns with the agency's overall strategic plan. Additionally, the Library developed fiscal year 2017 performance measures and associated targets for each of the four goals. Further, the plan includes strategies for achieving its goals. Lastly, the plan describes interdependencies among projects. By developing an IT strategic plan that sets forth a long-term vision and the intermediate steps that are needed to guide the agency, the Library is better positioned to effectively prioritize investments and use the best mix of limited resources to move toward its longer-term, agency-wide goals.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should complete an IT strategic plan within the time frame the Library has established for doing so. The plan, at a minimum, should (1) align with the agency's overall strategic plan, (2) provide results-oriented goals and performance measures, (3) identify the strategies for achieving the desired results, and (4) describe interdependencies among projects.

    Agency Affected: Library of Congress

  3. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to address, this recommendation. For example, according to Library officials, they have developed a schedule and processes for creating an architecture that describes the current and target environments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency Affected: Library of Congress

  4. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in July 2016 the Library engaged the Office of Personnel Management (OPM) to develop and conduct a skills assessment of the Library's IT workforce. According to Library officials, OPM led a focus group with IT specialists to review and revise competency and skill lists for IT positions. Those officials also stated that OPM plans to administer a gap analysis survey by June 2017. Upon completion of OPM's assessment, the Library plans to develop a strategy for closing any identified gaps. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency Affected: Library of Congress

  5. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals are to be reviewed annually by the Architecture Review Board and the IT Steering Committee. After these reviews have been completed, the IT Steering Committee is to then identify which IT investment proposals are to be included in the annual IT Investment Portfolio. Once the IT Investment Portfolio has been developed, the directive calls for the Library's Executive Committee to review the portfolio and for the Librarian to provide final approval. By clarifying which governance bodies are responsible for making investment decisions, the Library is better positioned to ensure that investments are properly aligned with the business needs of the entire organization.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should clarify investment management policy to identify which governance bodies are responsible for making investment decisions, and under what conditions.

    Agency Affected: Library of Congress

  6. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture. Additionally, in February 2017, the Library provided us with IT investment proposals for 19 fiscal year 2017 investments. To the Library's credit, the proposals describe how many of the investments align with the IT strategic plan and enterprise architecture. However, we also identified instances where the alignment with the IT strategic plan and enterprise architecture was not included in the proposals or was not clearly defined. In a written response, the Library stated that the inconsistencies were attributable to manual processes for collecting the information and that it is working to make improvements to these processes for the fiscal year 2018 investments. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency Affected: Library of Congress

  7. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include reselecting investments that are already operational. Additionally, in October 2016 the Librarian approved the Library's fiscal year 2017 IT investment plan, which describes $145 million in planned IT spending on systems across the Library that are both operational and in development. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency Affected: Library of Congress

  8. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that investment selection decisions have an impact on decisions to fund investments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency Affected: Library of Congress

  9. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that appropriate governance bodies review all investments that meet defined criteria. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency Affected: Library of Congress

  10. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include requiring investments in development to submit complete investment data in quarterly reports submitted to the Information Technology Steering Committee. Additionally, officials stated that the Library has begun to require IT investments to submit quarterly reports with complete investment data, including cost and schedule variances and risk management data. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.

    Agency Affected: Library of Congress

  11. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in September 2015 the Library's Chief Information Officer and Chief Financial Officer issued a memorandum requiring service units to track IT spending and provided guidance on how this is to be done. In April 2017, the Library finalized a report of fiscal year 2016 non-personnel IT expenditures. The report describes about $82 million in expenditures and shows how the money was spent by IT cost categories (e.g., data center, desktop and laptop systems, IT management) and by service unit. By developing and implementing a process for maintaining a full accounting of IT-related expenditures, the Library is in a more knowledgeable position to make decisions.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies, to include guidance for service units on classifying expenditures as IT, for maintaining a full accounting of the Library's IT-related expenditures.

    Agency Affected: Library of Congress

  12. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. The Library is revising its asset management policy to improve its process for developing and maintaining its inventory of IT assets. Additionally, the Library's Office of the CIO has engaged a contractor to perform a full inventory of IT assets by September 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency Affected: Library of Congress

  13. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Between October 2015 and June 2016, the Library conducted post-implementation reviews for three investments. For each review the Library compared expectations for cost, schedule, performance, and mission improvement outcomes, consistent with established policies and procedures. As a result, the Library is better positioned to learn from all past investments and evaluate the effectiveness of its investment management process.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should implement policies and procedures for conducting post-implementation reviews of investments.

    Agency Affected: Library of Congress

  14. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include key practices on portfolio management. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency Affected: Library of Congress

  15. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include requiring investments to identify and review risks. Additionally, in February 2017, the Library provided us with risk management information for 19 fiscal year 2017 investments. To its credit, the Library generally identified, documented, evaluated, and categorized risks for each of the 19 investments. However, the Library did not always document the context and consequences of occurrence for all risks and did not describe mitigation plans for all risks. In a written response, the Library noted that it will improve the guidance for risk management, providing examples that should ultimately elicit more useful information for the IT Steering Committee to make decisions or take action when necessary. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency Affected: Library of Congress

  16. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, according to the Library, it is working to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office is drafting detailed guidance for the Library on requirements development. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency Affected: Library of Congress

  17. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, according to the Library, it is working to give the OCIO's Project Management Office the authority to establish organization-wide policy for cost estimating. Further, the Project Management Office is drafting detailed guidance for the Library on cost estimating. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency Affected: Library of Congress

  18. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, according to the Library, it is working to give the OCIO's Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office is drafting detailed guidance for the Library on developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency Affected: Library of Congress

  19. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library's Information Technology Security Group conducted a review of Library systems and developed a consolidated inventory that includes all Library systems. Additionally, at the request of the Library's Chief Information Security Officer, each Library unit validated that the inventory is complete and accurate. As a result, the Library (1) has greatly increased assurance that it is aware of all of its systems and data, and (2) is in a more knowledgeable position to help ensure that these resources have appropriate security controls.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop a complete and accurate inventory of the agency's information systems.

    Agency Affected: Library of Congress

  20. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Information Technology Security Group reviewed all system security plans to ensure that they are complete. After the completion of this review, in December 2016 the Library provided us with system security plans for nine key systems. To its credit, the plans describe many of the common controls (i.e., where a system relies on controls established for another system) on which the systems relied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented by the system, are inherited from another system, or are not being implemented. In a written response, the Library noted that it has requested additional funding to hire information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency Affected: Library of Congress

  21. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Library's Information Technology Security Group reviewed all system security plans to ensure that they are complete. After completing this review, in December 2016 the Library provided us with system security plans for nine key systems. Each of the plans generally includes descriptions of how security controls are implemented and justifications for why controls are not applied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented. In a written response, the Library noted that it has requested additional funding to hire information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency Affected: Library of Congress

  22. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, in August 2015 the Library began monthly security testing and vulnerability scans for servers, networks, and workstations. Additionally, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency Affected: Library of Congress

  23. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in March 2017, the Library provided us with remedial action plans for key Library systems. The Library has generally documented and tracked remedial action plans for these key systems and has completed many. However, we also identified instances of remedial actions that, as of April 2017, had yet to be completed and were past their expected completion date. In a written response, the Library explained that it followed the Library's process for managing these actions and extended the time frames for all but three remedial actions. Further, in May 2017 the Library provided additional information regarding its process for extending time frames for remedial actions. We are reviewing this information to determine the extent to which the Library followed its process.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency Affected: Library of Congress

  24. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in October 2015 the Library finalized its guidance on security assessment and authorization, which requires authorizing officials to review the security status of information systems on an ongoing basis to determine whether the risk of operating the system remains acceptable. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency Affected: Library of Congress

  25. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in April 2017 the Library required that contingency plans be established for all systems by September 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency Affected: Library of Congress

  26. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. According to Library officials, the Office of the Chief Information Officer is developing a process to track user accounts, including contractors and volunteers, on Library systems to ensure completion of required annual IT Security Training. The Library plans to complete the steps necessary to implement this recommendation in June 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency Affected: Library of Congress

  27. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. In April and September 2016 the Library provided us with IT contracts that included some, but not all, of the standard contract sections required by Library policy. In February 2017, the Library provided us with newly awarded IT contracts, each of which included the required information security and privacy sections. Further, according to the Library, it plans to incorporate its required information security and privacy provisions into its existing contracts for IT services as the Library exercises options for these contracts. The Library plans to complete the steps necessary to implement this recommendation in June 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.

    Agency Affected: Library of Congress

  28. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in May 2017 the Library provided us with privacy threshold analyses for nine key systems. Those assessments concluded that six of the nine systems required privacy impact assessments, and the Library provided us with each of those assessments. Additionally, as of May 2017, 95 percent of systems had completed and approved privacy threshold analyses. The Library plans to complete the steps necessary to implement this recommendation in June 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should require the chief privacy officer to establish and implement a process for reviewing the Library's privacy program, to include ensuring that privacy impact assessments are conducted for all information systems.

    Agency Affected: Library of Congress

  29. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in September 2016 the Library's Office of the Chief Information Officer (OCIO) finalized a new service catalog that captures its IT services. The catalog identifies 21 categories of IT services that are available to Office of the CIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating to availability, fulfillment, and response. Additionally, between May 2016 and May 2017, the Office of the CIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for specialized applications and services that the Office of the CIO provides to those units. Further, according to Library officials, the Library intends to write and promulgate a regulation on IT service management. The Library plans to complete the steps necessary to implement this recommendation by September 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency Affected: Library of Congress

  30. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Office of the Chief Information Officer has begun drafting a customer satisfaction improvement plan. The Library expects this plan to be finalized by December 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency Affected: Library of Congress

  31. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library is drafting several policies and directives relating to IT investment management, to include reviewing the Library's IT portfolio to identify duplicative or overlapping activities and investments. The Library plans to complete the steps necessary to implement this recommendation in June 2017. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency Affected: Library of Congress

 
