Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Chief information officers"

    26 publications with a total of 299 open recommendations including 6 priority recommendations
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    3 open recommendations
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task an integrated project team, made up of an IT project manager and business owner, with including specific actions in the Public Health and Medical Situational Awareness Strategy Implementation Plan for conducting all activities required to establish and operate the network.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task the integrated project team with developing a project management plan that includes measurable steps--including a timeline of tasks, resource requirements, estimates of costs, and performance metrics--that can be used to guide and monitor HHS's actions to establish the network defined in the plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance, under the leadership of the HHS CIO.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    20 open recommendations
    Recommendation: As most agencies lack plans to meet OMB's data center optimization targets by the end of fiscal year 2018, it is increasingly likely that these agencies will require additional time to achieve the data center consolidation and optimization goals required by FITARA and OMB guidance. In order to provide agencies with additional time to meet OMB's data center optimization targets and achieve the related cost savings, Congress should consider extending the time frame for the data center consolidation and optimization provisions of FITARA beyond their current expiration date of October 1, 2018.

    Agency: Congress
    Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.
    Recommendation: To better ensure that agencies complete important DCOI planning documentation and that the initiative improves governmental efficiency and achieves intended cost savings, the Director of OMB should direct the Federal chief information officer to formally document a requirement for agencies to include plans, as part of existing OMB reporting mechanisms, to implement automated monitoring tools at their agency-owned data centers.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Commerce
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of the Interior
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of State
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: To ensure that DOD implements the tasks and objectives of key cybersecurity guidance to strengthen its cybersecurity posture, the Secretary of Defense should direct the Principal Cyber Advisor to modify the criteria for closing tasks from The DOD Cyber Strategy to reflect whether tasks have been implemented, and to re-evaluate tasks that have been previously determined to be completed to ensure that they meet the modified criteria.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure that DOD implements the tasks and objectives of key cybersecurity guidance to strengthen its cybersecurity posture, the Secretary of Defense should direct the Commander of CYBERCOM, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics and DOD Chief Information Officer, to establish a timeframe and monitor implementation of the DOD Cybersecurity Campaign objective to develop cybersecurity readiness assessments to help ensure accountability.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Joe Kirschbaum
    Phone: (202) 512-9971

    2 open recommendations
    Recommendation: As DOD continues to improve the completeness and transparency of subsequent joint reports' methodologies in order to assist Congress in understanding the basis of the NC3 estimates by documenting the methodological assumptions and limitations affecting the report's estimates for sustaining and modernizing the NC3 system, as we previously recommended, for future joint reports, the DOD CIO should include explanations of how DOD (1) selects program elements for inclusion in its NC3 estimate, (2) determines its weighted analysis ratios, and (3) differentiates its methodology for calculating operation and maintenance estimates from its methodologies for calculating estimates for the other NC3 line items.

    Agency: Department of Defense: Office of the Chief Information Officer
    Status: Open

    Comments: DOD concurred with the recommendation, stating that it has incorporated it into the fiscal year 2018 joint report. DOD also said that subsequent joint reports will provide updated methodological inputs, assumptions and limitations affecting NC3 estimates. Once DOD releases the fiscal year 2018 joint report, we will determine the extent to which it addresses the recommendation.
    Recommendation: In order to assist Congress in comparing year-to-year cost estimates between joint reports, for future joint reports, the Secretary of the Air Force should provide information about any programmatic changes (i.e., programs being moved from one line item to another) in its estimates and include an explanation of the reasons for those changes and how those changes may affect year-to-year comparisons of the budget estimates.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with this recommendation, stating that it has been incorporated into the fiscal year 2018 joint report. DOD further stated that subsequent joint reports will continue to provide the recommended information but also will be revised as necessary to ensure a complete and transparent statement on programmatic changes and their possible effect on year-to-year comparisons of budget estimates. Once DOD releases the fiscal year 2018 joint report, we will determine the extent to which it addresses the recommendation.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's IT strategic plan to include well-defined goals, strategies, measures, and timelines for modernizing its systems.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that the IT investment process guidance lays out the roles and responsibilities of all working groups and individuals involved in the agency's governance process.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to finalize the restructure of the Office of Information Technology, including fully defining the roles and responsibilities of the CIO.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that appropriate governance bodies review all IT investments and track corrective actions to closure.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that required operational analyses are performed for Aspen, Motor Carrier Management Information System, Sentri 2.0, and Unified Registration System on an annual basis.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    29 open recommendations
    Recommendation: To better ensure that federal data center optimization efforts improve governmental efficiency and achieve cost savings, the Director of OMB should direct the Federal CIO to provide the necessary oversight to ensure that each agency completes their DCOI strategic plan in accordance with OMB's guidance implementing Federal Information Technology Acquisition Reform provisions (FITARA).

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center optimization efforts improve governmental efficiency and achieve cost savings, the Director of OMB should direct the Federal CIO to provide the necessary oversight to ensure that agency reporting of achieved data center consolidation and optimization cost savings and avoidances is consistent across all reporting mechanisms, including quarterly data submissions and agency DCOI strategic plans.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and described planned actions to address it. Specifically, the department stated that it will continue to aggregate its data center inventory and update its DCOI strategic plan by OMB's April 17, 2017, submission deadline. We reviewed the updated DCOI strategic plan and found that the department included planned savings figures for fiscal years 2016 through 2018 and achieved figures for 2016. However, Commerce did not include $517 million in historical savings that the department previously reported to the Office of Management and Budget, as was required to be included in the plan. Additionally, the department's chief information officer statement, regarding compliance with Federal Information Technology Acquisition Reform Act reporting requirements, is not yet publicly available, as is required. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration agreed with our recommendation and described planned actions to address it. Specifically, the agency noted that it will continue to economize and evolve its data center optimization management and will continue to encourage open dialog and information exchange between agencies to achieve efficiencies and enhanced data center operations government-wide. We will continue to monitor the agency's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of Treasury has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation and described planned actions to address it. Specifically, the department described plans to acquire, subject to funding availability, automated monitoring tools for its enterprise data centers. It also described plans to engage OMB to rebaseline the closure target for its non-tiered data centers located outside the United States, based on the department's mission needs. In addition, the department noted that it is in the process of identifying the number of server rooms in the United States that meet the DCOI definition of a data center. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency described planned actions to address our recommendation. Specifically, the agency stated that it will update its data center optimization initiative strategic plan to include elements not reflected in the 2016 submission and will complete the plan to the extent feasible. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration agreed with our recommendation and described planned actions to address it. Specifically, the agency stated that it would provide OMB with an update to the agency's DCOI strategic plan that would address missing elements and any identified challenges. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission disagreed with our recommendation. We will continue to monitor the agency's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development described planned actions to address our recommendation. Specifically, the agency stated it would take action to complete the missing elements in its DCOI strategic plan, including addressing any identified challenges, and submit the completed strategic plan to OMB. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and described planned actions to address it. Specifically, the department stated that it will, through the integrated data collection process, continue to collect and report all initiatives resulting in cost savings and avoidances to ensure IT savings are being captured and realized. We will monitor the department's efforts to address this recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of Treasury has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation and described planned actions to address it. Specifically, the department described plans to acquire, subject to funding availability, automated monitoring tools for its enterprise data centers. It also described plans to engage OMB to rebaseline the closure target for its non-tiered data centers located outside the United States, based on the department's mission needs. In addition, the department noted that it is in the process of identifying the number of server rooms in the United States that meet the DCOI definition of a data center. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency described planned actions to address our recommendation. Specifically, the agency stated that it is working toward consistent reporting on cost savings and avoidances in future reporting submissions and is finalizing a cost analysis methodology to be applied to its data center optimization initiative strategy. The agency further stated that it would ensure consistent use of the process for all reporting queries. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development described planned actions to address our recommendation. Specifically, the agency stated it would, in accordance with OMB, take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans. We will continue to monitor the agency's progress in taking these actions.
    Director: Powner, David A
    Phone: (202) 512-9286

    5 open recommendations
    including 2 priority recommendations
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Commerce should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing IT competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The department has not yet provided its written response to this recommendation. We will continue to monitor the department's progress in implementing the recommendation.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Defense should require the Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) develop competencies for all staff; (2) assess competency needs regularly for all positions; (3) assess gaps in competencies for all components of the workforce; (4) develop strategies and plans to address gaps in competencies; (5) implement activities that address gaps, including developing a program management career path, if justified and cost-effective; (6) monitor the department's progress in addressing competency gaps identified for IT staff; and (7) report to department leadership on progress in addressing competency gaps.

    Agency: Department of Defense
    Status: Open

    Comments: The department has provided a written response to this recommendation and we are currently evaluating it.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Health and Human Services should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process inclusive of all staff; (2) develop staffing requirements for all positions; (3) assess staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The department has provided a written response to this recommendation and we are currently evaluating it.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Transportation should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish a time frame for when the department is to finalize its draft workforce planning process and maintain that process; (2) develop staffing requirements for all positions; (3) assess competency and staffing needs regularly for all positions; (4) assess gaps in staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and use of special hiring authorities, if justified and cost-effective;e (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: The department agreed with the recommendation and stated that it plans to fully implement the recommendation by December 2019. To fully implement this recommendation, DOT should prioritize the completion of its IT workforce planning process and then begin implementing the process in phases based on the availability of resources.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of the Treasury should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements for all positions; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing for all components of the workforce; (6) implement activities that address gaps, including a career path for program managers and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps for all components of the workforce.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department has not yet provided its written response to this recommendation. We will continue to monitor the department's progress in implementing the recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    25 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: United States Agency for International Development
    Status: Open

    Comments: We plan to follow up on the agency's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Education
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Commerce
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Energy
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Social Security Administration
    Status: Open

    Comments: In its comments on a draft of our report, SSA agreed with our recommendation. Subsequent to SSA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Transportation
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department said it had no comments on our draft report and recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of State
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its comments on a draft of our report, EPA generally agreed with our recommendation. Subsequent to EPA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In its comments on a draft of our report, NASA concurred with our recommendation. Subsequent to NASA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Small Business Administration
    Status: Open

    Comments: In comments on a draft of our report, SBA said the report captures its current posture. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In comments on a draft of our report, NRC stated that it generally agreed with the report. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In its comments on a draft of our report, OPM concurred with our recommendation. Subsequent to OPM informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

    Agency: Department of Defense
    Status: Open

    Comments: In comments on a draft of our report, the department disagreed with our recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of the Interior should direct the department's CIO to document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Director of the National Science Foundation should direct the CIO to consistently document evaluations for all applications and report cost information for them in the roadmap or other documentation.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    22 open recommendations
    Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. Instead, we are reviewing the relevant OMB memoranda that officials believe address the intent of the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with the FISMA 2014, the Secretary of Commerce should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with the recommendation, stating that the department's policy documents are expected to be updated by the end of the 4th Quarter in 2017. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior information security officer (SISO) is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) did not concur with our recommendation, nor has it provided evidence that it has implemented the recommendations.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) partially concurred with our recommendation, but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that all users receive information security awareness training.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that the department has a process for planning implementing, evaluating, and documenting remedial actions.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy for oversight of security for information systems that are operated by contractors on the department's behalf.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Energy should define the CISO's role in department policy in the periodic authorization of the department's information systems.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy concurred with the recommendation, and estimates completion by March 1, 2018. The Department decided in April 2017 to make significant updates to its Cyber Security Program, and estimates it will take up to nine months to gain Departmental concurrence, complete revisions, and close this recommendation. However, the Department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Health and Human Services should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that information security policies and procedures are developed and maintained.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Attorney General should define the CISO's role in department policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

    Agency: Department of State
    Status: Open

    Comments: The Department of State (State) concurred with this recommendation. We are currently reviewing the evidence provided by State to determine whether the role of the CISO has been defined in its policy to for ensuring that State has procedures for incident detection, response, and reporting.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2018. However, the department has not yet provided sufficient evidence that it has implemented the recommendation.
    Recommendation: To ensure that the role of the senior agency information security officer (SAISO) is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy for ensuring that subordinate security plans are documented for the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to for ensuring that subordinate security plans are documented for the agency's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy for ensuring that plans and procedures are in place to ensure recovery and continued operations of the department's information systems in the event of a disruption.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in its policy to ensure recovery and continued operations of the agency's information systems in the event of a disruption.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Environment Protection Agency should define the SAISO's role in agency policy in the periodic authorization of the department's information systems.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) concurred with our recommendation. We are currently reviewing the evidence provided by EPA to determine whether the role of the SAISO has been defined in agency policy for the periodic authorization of the department's information systems.
    Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. We are currently reviewing the evidence provided by NASA to determine whether the role of the SAISO has been defined in agency policy for oversight of security for information systems that are operated by contractors on NASA's behalf.
    Recommendation: To ensure that the role of the CISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the Small Business Administration should define the CISO's role in agency policy for ensuring that personnel with significant security responsibilities receive appropriate training.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business administration (SBA) concurs with our recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    8 open recommendations
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to track and review OI&T historical workforce data and projections related to leadership retirements.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T's Human Capital Management Office (HCM) had completed a succession planning project that encompassed all senior leadership and included data review and risk assessment for each position. VA also stated that OI&T tracks the gains and losses associated with its leadership positions and provided this information for fiscal year 2016. However, the department has not provided documentation that supports the assertion that historical and projected OI&T leadership retirement data was presented and discussed as part of the succession planning project and did not provide data on projected retirements for OI&T's leadership positions. Additionally, the department stated that OI&T HCM has the ability to project retirement eligibility but has not provided documentation to support this assertion. It is important that VA tracks and reviews its OI&T historical workforce data and forecasts its leadership retirements to avoid being unprepared to effectively respond to vacancies in key leadership positions.
    Recommendation: To assist VA in sustaining an IT workforce with the necessary knowledge, skills, and abilities to execute its mission and goals, the Secretary of Veterans Affairs should direct the Chief Information Officer to identify IT skills needed beyond the current fiscal year to assist in identifying future skills gaps.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that Information Technology Workforce Development (ITWD) will produce reports that identify skill gaps and will contain long-term recommendations that show the types of IT skills each organization needs to increase and which proficiency level targets need the most emphasis. As of July 2017, VA stated that ITWD reviewed, and updated where needed, the fiscal year 2017 competencies within each OI&T competency model role in order to align the models to the OI&T Transformation initiative. According to the department, the resulting updates support learning solutions that sustain and accelerate OI&T's transformation. Additionally, VA stated that 85 percent of OI&T staff completed a validated competency self-assessment and provided the OI&T fiscal year 2017 Training Gap Analysis Report which shows the strengths and gaps of OI&T by organization, trends between fiscal years 2016 and 2017, findings, next steps, and recommended actions for the next fiscal year. The department also stated that ITWD held meetings to review skill gap and learning solution reports. VA provided these reports and they present the top gaps and strengths, key findings, and next steps to address the skill gaps. While the department has taken these actions, its OI&T Training Gap Analysis Report does not identify IT skills needed beyond fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project planning, to include (1) estimating the level of effort that will need to be expended for work products and tasks, and (2) making adjustments to the project plan to reconcile differences between estimated and available resources.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and stated that OI&T is documenting changes to processes related to project planning as it transitions from PMAS to the Veteran-Focused Integration Process (VIP). According to VA, the VIP processes will lead to better requirements elaboration and prioritization, increasing significantly the accuracy of estimates related to level of effort. Additionally, the department stated that by using short Agile sprints, the project team will be able adjust the project plan frequently to reconcile differences between estimated and available resources. As of July 2017, VA stated that all projects have transitioned to the VIP, which ensures they are incorporating the Agile methodology into the project lifecycle. According to the department, the latest version of its VIP Guide incorporates the use of daily scrum and weekly scrum of scrum meetings that can be used to frequently adjust the project plan to reconcile differences between estimated and available resources. VA stated that the project planning processes will continue to evolve beyond July and expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to requirements management, to include identifying changes to be made to plans and work products as a result of requirements baseline changes.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that OI&T is revising its documentation related to requirements management as part of the transition to the Veteran-Focused Integration Process (VIP). According to VA, requirements will be tracked using the IBM Rational Tools Suite, which will be able to provide a snapshot of the original baseline and all captured changes in the form of an audit trail that captures the history of requirement changes. As of July 2017, the department stated that all projects have transitioned to the VIP and requirements baselines and subsequent changes are tracked in the Rational Tools Suite. VA also reported that efforts in fiscal year 2017 to consolidate all mandatory architectural, design, and process methodologies into a single library of requirements were successful, which resulted in combining the full body of requirements. Additionally according to the department, versioning of the requirements will allow the office to trace specific versions of individual requirements and their evolution by time period and project inheritance. VA stated that it expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to risk management, to include (1) determining costs and benefits of implementing the risk mitigation plan for each risk and (2) collecting performance measures on risk handling activities.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the IBM Rational Tools Suite will be used to manage risks and issues. According to VA, the tools suite will allow requirements to be linked to risks, which will provide traceability; teams will be able to track and report steps taken to mitigate risks; and an audit trail will show the history of changes made to each risk. The department also reported that the Office of Privacy and Risk will establish risk mitigation strategies for OI&T. As of July 2017, VA stated that risks data capture has been developed as a standardized process and that data on project and program risks in the Rational Tools Suite is aggregated and prepared for use to verify aggressive management, and will be included in enterprise reporting. The department stated that work is underway with the Performance Management Office and that OI&T expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project monitoring and control, to include the 10 best practices that were missing from the guidance.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that implementation of the Veteran-Focused Integration Process (VIP) and Agile processes within OI&T will address eight of the ten best practices related to project monitoring and control that were missing from its guidance. In regard to monitoring the knowledge and skills of project staff, OI&T's IT Workforce Development (ITWD) group collects and analyzes competency assessment data, which is used in requirements gathering meetings with OI&T leaders. According to VA, during these meetings organizational needs and next steps are discussed in detail. Additionally, the department's latest version of its VIP Guide states that the product team should be cross-functional and include all skills needed to deliver a product. Further, the department reported that data management activities, issues, and impacts will be managed using VIP, Agile, and IBM Rational Tools Suite. According to its VIP Guide, OI&T expects that all products follow the Agile product management process and use the Rational Tools Suite to manage scheduled product sprints and backlog, product requirements, risks and issues, and product planning and engineering documentation, among others. Also, VA stated that Agile methodologies will require stakeholders to be involved in the daily scrum meetings, user acceptance testing, and acceptance of deliverables, which will address stakeholders being involved regularly and documenting the results of stakeholder involvement status reviews. According to the VIP Guide, the Agile development methodologies require development teams to meet often with stakeholders to ensure transparency and foster a collaborative work environment. Additionally, the department stated that critical decision events are using Rational based data assessments to report on level of satisfaction of project controls and process compliance requirements. Further, according to the VIP Guide, the Product Owner will have a key role in the decision-making process during the development of the product and will be able to regularly express concerns and/or approvals to best meet user satisfaction. The department stated that critical decision events are being held at the portfolio level, and action items from these events are being tracked. VA provided meeting minutes from critical decision events that were held in October and December 2016. The December 2016 meeting minutes identified action items and the status of those items. Although VA has taken actions to address the majority of best practices related to project monitoring and control, the department's new VIP process does not include two practices that call for (1) tracking expended effort and (2) monitoring the utilization of staff and resources. Until OI&T's documented processes for project monitoring and control fully reflect best practices, the office is at risk that its projects will not achieve expected results.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to process and product quality assurance, to include (1) documenting a description of the quality assurance reporting chain and defining how objectivity will be ensured, and (2) periodically reviewing open noncompliance issues and trends with management that is designated to receive and act on them.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of the Veteran-Focused Integration Process (VIP), Agile processes, and the Rational Toolset within OI&T will address process and product quality assurance. According to VA, as a part of VIP, the Product Owner is engaged from intake through project completion, which will ensure that the quality of the product is maintained throughout the life cycle. Additionally the department reported that the process of periodically reviewing open non-compliance issues and trends with management that is designated to receive and act on them will be accomplished through CIOStat meetings held with OI&T senior leadership. VA also reported that the Rational Quality Manager tool is used to automate routine testing activities to identify non-compliance issues and trends. As of July 2017, the department stated that the Product Owner is beginning to have a stronger role on the project team, which enables them to assist in all types of issues, including quality assurance. VA also stated that Release Agents develop and distribute Release Readiness Reports, which provide a status of all release requirements and of traceability among requirements, deliverables, and test results. VA expects to complete its actions in response to this recommendation by the end of fiscal year 2017.
    Recommendation: To assist VA in establishing comprehensive and documented processes that reflect system development and acquisition best practices, the Secretary of Veterans Affairs should direct the Chief Information Officer to revise OI&T's documented processes related to project scheduling, to include the 9 best practices that were missing from the guidance and revise the documented processes where the guidance was contrary to best practices.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and reported that the implementation of VIP and Agile processes within OI&T will address five of the nine best practices related to project scheduling that are missing from its guidance. According to VA, business and compliance requirements will be captured during the planning phase and maintained in the IBM Rational Tools Suite to manage scheduled project/product builds and backlog which will allow the project to more accurately maintain the schedule baseline, capture all schedule changes, and provides an audit trail of all the changes. Additionally, the department reported that the IBM Rational Tools Suite connects requirements, change orders, test cases, and test results in order to have full traceability in a closed loop system. VA also noted that the use of short development builds within Agile increases the probability of successful adherence to the schedule; and Agile provides the flexibility to make schedule changes using the backlog to prioritize requirements. As of July 2017, VA stated that Project Build Planning sessions capture and prioritize all backlog items with high level activities captured in the VIP Dashboard; and that each project task receives an estimated duration. The department also stated that the project team commits to a high level scope for each build and then the scope is solidified and committed to in detail at each Sprint Plan. According to VA, at the end of each sprint the Product Owner accepts or rejects the product of what was committed to at Sprint Planning. The department also stated that there is a high-level commitment at the Critical Decision 1 meeting; that each build gets committed to at a more granular level; and that sprint planning includes establishing a firm commitment for exactly what will be completed during the sprint. The department further stated that part of the Agile process being used by OI&T removes rigid, mandatory constraints as long as project teams follow compliance epics. Additionally, the department reported that because of the use of Agile methodology, if a task is critical today, the project team can reprioritize and address the needs of the project immediately. According to VA, Agile supports both sustainment and development projects, by allowing changes to the project backlog to address high priority functionality. VA also stated that Agile allows flexibility to shift from one build to another based on priorities and to shift backlog items based on VIP Triad priorities. Additionally, according to the department, risks are managed in the Rational Tools Suite and impediments are raised and escalated during daily scrums and scrum of scrum calls. The VIP Guide indicates that product teams are required to make timely updates to the VIP Dashboard regarding schedule and that the Rational Tools Suite will be used to manage and administer source control and baselines; manage risks and issues; and manage scheduled product sprints and backlogs. However, the VIP Guide does not include practices to (1) document that each project task should receive a duration estimate; (2)require that the project schedule be traceable horizontally and vertically; (3) sequence all activities; and (4) confirm that the critical path is valid. Until OI&T's documented processes for developing schedules fully reflect best practices, the office is at risk that schedules created for its projects will not be reliable.
    Director: David A. Powner
    Phone: (202) 512-9286

    12 open recommendations
    Recommendation: In order to improve the accuracy of IT Dashboard incremental development data, the Director of OMB should direct the Federal Chief Information Officer (CIO) to clarify existing guidance regarding what IT investments are and are not subject to requirements on the use of incremental development and how CIOs should report the status of projects that are not subject to these requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has taken initial steps to implement our recommendation. Specifically, OMB's June 2016 annual capital planning guidance for fiscal year 2018 included instructions on what types of investments were required to adhere to incremental development requirements related to the delivery of usable functionality. The guidance stated that all software development projects are required to produce usable functionality at intervals of no more than six months. Further, all major development projects within investments are required to use modular/agile principles. However, OMB's guidance still lacks direction on how CIOs are to report the status of nonsoftware projects, as we recommended. In the absence of our recommended guidance clarification, OMB is at risk of agencies continuing to be unclear about how nonsoftware development investment data are to be reported on the Dashboard, increasing the risk that data on the IT Dashboard will not always be accurate. We will continue to evaluate OMB's progress in clarifying its guidance and considering a change to provide more detailed guidance related to the reporting of nonsoftware development investment data.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the Enterprise Business Management Office within the Office of the Chief Information Officer will validate each investment reported on the Dashboard and work with program officials to ensure they appropriately update the data for the IT Dashboard. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation and stated that the department will ensure that the data is kept current using their IT portfolio management process. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that these changes would be incorporated into the department?s Dashboard reporting. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) partially concurred with our recommendation and stated that the department is taking action to update the Dashboard data as appropriate. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) concurred with our recommendation and stated the department was committed to ensuring the information on the IT Dashboard reflects up to date information. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation to establish a departmentwide certification policy. Education officials reported in March 2017 that the department will complete changes to its guidance by November 2017. However, until this guidance is finalized, Education will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate Education's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) did not concur with our recommendation, stating that its existing guidance was adequate in this area. However, in August 2016, Defense issued its fiscal year 2018 budget submission guidance which required each component CIO to certify that IT investments were adequately implementing incremental development. The component CIOs were to document the certification in a statement of compliance memorandum, using their agency's letterhead, and submit the memorandum to the Defense CIO. Defense officials report that this same guidance will be added to the Financial Management Regulations during summer 2017. Until this annual guidance has been updated and incorporated into the department's standing policies, Defense is at risk of overlooking this requirement in subsequent years. We will continue to evaluate Defense's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation to establish a departmentwide certification policy. However, HHS officials reported in April 2017 that they did not have a timeframe for when the department's new certification guidance would be completed. Until this guidance is finalized, HHS will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate HHS's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendations. Further, Treasury officials reported in March 2017 that it had no plans to revise its policies, as we recommended. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to ensure that goals and associated performance measures are outcome-oriented and that performance measures have targets, including (1) performance measures and targets tied to fully recovering program costs; and (2) goals, performance measures, and targets for how the program will achieve its mission after September 2016.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures and targets. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to reflect additional 18F goals and performance measures, including measures tied to fully recovering program costs. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to assess actual results for each performance measure.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures with targets. Additionally, GSA has assessed actual results of the performance measures for the first two quarters of fiscal year 2017. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to include additional 18F goals and performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to ensure that all goals and associated performance measures are outcome-oriented and that performance measures have targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common, platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to assess actual results for each performance measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common, platforms, services, and tools. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update USDS policy to clearly define the responsibilities and authorities governing the relationships between CIOs and the digital service teams and require existing agency digital service teams to address this policy. In doing so, the Federal Chief Information Officer should ensure that this policy is aligned with relevant federal law and OMB guidance on CIO responsibilities and authorities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    22 open recommendations
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update the CIO's OMB IT Dashboard Standard Operating Procedure to include the evaluation and assessment of active risks. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department agreed with this recommendation and, in a written response, stated that it plans to address this recommendation with the following actions: (1) developing a method to review and assign ratings for active risks that will be incorporated into CIO ratings and (2) integrating the risk rating methodology into a new process for all major investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it is amending its current monthly review process to ensure that risks are factored into its IT Dashboard CIO ratings. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Defense, Education, and Homeland Security; and the Commissioner of the Social Security Administration should direct their CIOs to update their CIO ratings at least as frequently as required in OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) disagreed with this recommendation. In its written response, the Department noted that its semi-annual reporting is consistent with FITARA requirements and is documented in its OMB-approved FITARA Implementation Plan. After the publication of our report in June 2016, OMB issued its "Fiscal Year 2018 IT Budget-Capital Planning Guidance." This guidance removes the mandatory reporting frequency, but states that OMB expects that the CIOs would evaluate and rate their investments at specific times, including when the investment business cases are submitted to OMB in the agency budget request and when the business cases are prepared for the President's Budget release. In light of this new guidance, we analyzed the Department's update frequency for its 34 major investments (as listed on the IT Dashboard in June 2017). From June 2016 through May 2017, we found that 26 of the investments' ratings were updated once: in May 2017. The other 8 investments were not updated during this timeframe. Prior to this, the last DOD rating updates were made in March 2016, over a year beforehand. This analysis shows that DOD is not adhering to either its own semi-annual reporting requirements or to OMB's expectations. As such, we are not closing the recommendation at this time. We will continue to monitor the IT Dashboard for changes to DOD's update frequency. We maintain that frequent rating updates help ensure that the information on the Dashboard is timely and accurately reflects recent changes. Without such updates, the CIO ratings on the IT Dashboard may not reflect the current level of investment risk.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO Enterprise Business Management Office is updating its program assessment guideline. The updated guideline will include risk-based scores as the basis for its investment ratings. The Department expects to release this new guideline by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department agreed with our recommendation and, in a written response, stated that the CIO has revised the IT Dashboard assessment criteria to directly incorporate the degree of risk represented in the investments' Business Case documents. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update its IT Dashboard Standard Operating Procedure to include an active risk sub-criteria comprised of probability and impact scores. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency partially agreed with our recommendation and, in a written response, stated that its CIO rating criteria includes a review of the level of risk facing an investment relative to that investment's ability to accomplish its goals. The written statement also notes that the CIO receives regular updates from key stakeholders on investment risks and mitigation plans. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it plans to require investment managers to assess operational risks detailing the probability and impact of pending threats to success. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The agency disagreed with the recommendation and has not provided an update on its actions to address the recommendation. We will continue to monitor the implementation of this recommendation.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to establish schedules and milestones for completing a version of an IT strategic plan that incorporates elements to align the plan's strategies with agency-wide priorities; includes results-oriented goals and performance measures that support the agency's mission, along with targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; identifies key IT initiatives that support the agency's goals; and describes interdependencies among the initiatives.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Director: Joe Kirschbaum
    Phone: (202) 512-9971

    4 open recommendations
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

    Agency: Department of Defense
    Status: Open

    Comments: In commenting on this report, DOD and DOE concurred with our recommendation to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates and ensure the accuracy and completeness of the information included. DOD stated that it added information on the methodologies used to develop the estimates in the April 2015 joint report and would consider including further information in subsequent reports. However, neither department provided information on the specific steps it would take to ensure the accuracy and completeness of the information included in future joint reports. We continue to believe that the joint reports should include accurate and complete budget estimates.
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the DOD CIO, and the Secretary of Energy direct the Administrator of NNSA to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes.

    Agency: Department of Defense
    Status: Open

    Comments: In commenting on this report, DOE concurred and DOD partially concurred with our recommendation to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes. DOD noted that Section 1043 of the National Defense Authorization Act for Fiscal Year 2012, which required the joint report, does not require a comparative year-to-year analysis, and recommended that Congress amend the existing language to require that the joint report include an additional subsection providing a quantitative comparison of current budget estimates with the previous year's data. While Section 1043 does not require a comparative year-to-year analysis, the departments are not restricted from including such information and we continue to believe that providing comparative information on changes in the budget estimates from year-to-year and explanations for the changes would be beneficial to congressional decision makers.
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the DOD CIO, and the Secretary of Energy direct the Administrator of NNSA to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    27 open recommendations
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not yet implemented this recommendation. In response to our report, the department said it planned to address the recommendation by the second quarter of fiscal year 2016. However, as of August 2017, it had not demonstrated that it had done so. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not yet implemented this recommendation. In response to our report, the department said it planned to address the recommendation by the second quarter of fiscal year 2016. However, as of August 2017, it had not demonstrated that it had done so. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not yet implemented this recommendation. In response to our report, the department said it planned to address the recommendation by the second quarter of fiscal year 2016. However, as of August 2017, it had not demonstrated that it had done so. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Defense should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not implemented this recommendation. In July 2016, the department reported that it does not maintain a single, centralized device-level inventory and, instead, the military departments track and manage their own devices and contracted wireless services as separate enterprises. However, as we stated in our report, the inventory need not be generated centrally at the headquarters level; the department can compile a comprehensive inventory using its components' complete inventories. We will continue to monitor the department's efforts to address this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Defense should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not implemented this recommendation. The department updated its mobile services contract inventory in August 2015; however, as of August 2017, the department had not demonstrated that it has maintained the inventory. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Health and Human Services should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not implemented this recommendation. In April 2016, an audit liaison in the Office of the Chief Information Officer reported that each component maintains processes and procedures for device management. However, as of August 2017, the department had not provided evidence that components have established procedures that address the elements of our recommendation. We will continue to monitor the department's implementation of this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has taken steps to implement this recommendation. Specifically, it developed inventories for the two components we reviewed. The department also reported that it had identified all components' devices. However, as of August 2017, it had not provided evidence that all the components had an inventory of unique devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has taken steps to implement the recommendation, but more needs to be done. Specifically, in May 2017, the department developed an enterprise-wide inventory of mobile service contracts; however, the department has not demonstrated that it has maintained the inventory quarterly. We will continue to monitor the department's efforts to fully implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has not implemented the recommendation. In August 2017, a Program Management Specialist in the Office of the Chief Information Office described steps the department was taking as it considers a follow-on to its department-wide blanket purchase agreement for wireless expense management services. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Interior should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior has not implemented this recommendation. As of May 2017, the department was in the process of migrating its cellular service contracts to the General Services Administration's federal wireless strategic sourcing initiative blanket purchase agreement as its agency-wide solution for mobile devices and services. According to the department, the initiative requires awardee(s) and orderers to conduct a complete inventory of devices and legacy service contracts as they transition to the blanket purchase agreement. According to the department's transition plan, the transition is to be complete by February 2018. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Interior should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior has not implemented this recommendation. As of May 2017, the department was in the process of migrating its cellular service contracts to the General Services Administration's federal wireless strategic sourcing initiative blanket purchase agreement as its agency-wide solution for mobile devices and services. According to the department, the initiative requires awardee(s) and orderers to conduct a complete inventory of devices and legacy service contracts as they transition to the blanket purchase agreement. According to the department's transition plan, the transition is to be complete by February 2018. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Attorney General should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has taken steps to implement this recommendation. Specifically, in response to our findings, the department's Chief Information Officer issued a memo that required components to establish procedures for regular reviews of invoices for wireless services to identify unused and underused devices or services, as well as any over-usage charges to service plans. However, as of August 2017, the department had not demonstrated that its components had implemented the requirements. We will continue to monitor the department's progress.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not yet implemented this recommendation. In July 2017, the department stated that it planned to transition its mobile devices and services to the General Services Administration's Federal Strategic Sourcing Initiative. However, the department has not addressed developing an inventory of mobile devices and services. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure a reliable department-wide inventory of mobile service contracts is maintained.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not implemented this recommendation. In July 2017, the department stated that it plans to transition its mobile devices and services to the General Services Administration's Federal Strategic Sourcing Initiative. However, the department has not addressed developing an inventory of mobile service contracts. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not yet implemented this recommendation. In July 2017, the department stated that it was in the process of implementing a Telecommunications Expense Management System to provide visibility into mobile spending, asset management, usage, and tracking. However, the department has not provided evidence that it has established procedures that address the elements of our recommendation . We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Transportation should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation has not yet demonstrated that it has implemented our recommendation. Specifically, as of August 2017, neither of the two components we reviewed in May 2015 had addressed the weaknesses we identified in their procedures. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Treasury should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet implemented this recommendation. In May 2016, the Department of the Treasury stated that it had performed data calls to collect data on mobile device inventories across the department. However, as of August 2017, the department had not demonstrated that it had established a department-wide inventory of mobile devices and services. We will monitor the department's progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Veterans Affairs should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs has not yet implemented this recommendation. The department stated that its Office of Information and Technology drafted documentation for the development and implementation of a system to manage spending on mobile devices and services. However, the solution had not been funded. The department stated that a target date for addressing the recommendation is December 2017, conditional upon available funds.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the Environmental Protection Agency should ensure a complete inventory of mobile devices and associated services is established.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency had taken steps to implement this recommendation. Specifically, it reported that it had conducted a management review and identified improvements to ensure that the agency has a complete inventory of mobile devices and services. However, as of August 2017, it had not demonstrated that it had established a complete inventory. We will continue to monitor the agency's progress.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the Environmental Protection Agency should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency has not yet implemented this recommendation. The agency stated that program offices receive quarterly mobile device usage reports and are requested to review them. However, as of August 2017, the agency had not provided documented procedures that address the elements of our recommendation.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure a complete inventory of mobile devices and associated services is established.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has not yet implemented the recommendation. In August 2017, officials from NASA's Office of the Chief Information Officer stated that the agency plans to address the recommendation through a strategic sourcing approach the agency is developing and estimates implementing in fiscal year 2018. The officials stated that the agency expects to fully address the recommendation by December 2018.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure a reliable inventory of mobile service contracts is developed and maintained.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics Administration (NASA) has not yet implemented the recommendation. In August 2017, officials from NASA's Office of the Chief Information Officer stated that the agency plans to address the recommendation through a strategic sourcing approach the agency is developing and estimates implementing in fiscal year 2018. The officials stated that the agency expects to fully address the recommendation by March 2019.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has not implemented the recommendation. In August 2017, officials from NASA's Office of the Chief Information Officer stated that the agency plans to address the recommendation through an Enterprise Mobility Service Contract that it plans to fully transition to by July 2019. The officials stated that the contract will allow the agency to monitor and optimize usage.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Commissioner of the Social Security Administration should ensure a complete inventory of mobile devices and associated services is established.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) described steps it was taking to address our recommendation. Specifically, the agency stated that it had deployed and is operating a Mobile Expense Management System that will be used to maintain an enterprise-wide inventory of mobile devices and associated services once all the agency's mobile service contracts/accounts have been successfully consolidated onto one of the agency's blanket purchasing agreements. SSA expected to complete this consolidation in the September to October 2016 timeframe. However, as of August 2017, the agency had not demonstrated that it had implemented the recommendation. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To help the agency effectively manage spending on mobile devices and services, the Commissioner of the Social Security Administration should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration (SSA) described steps it was taking to address this recommendation. Specifically, the agency stated that representatives from various agency components were working to develop and document the policies, guidelines, processes, and procedures to effectively implement an enterprise model for mobile provisioning and management. SSA expects to complete this effort in fiscal year 2017. As of August 2017, the agency had not demonstrated that it had addressed the recommendation. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Treasury should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet implemented this recommendation. In May 2016, the department stated that it had awarded two contracts to facilitate mobile device management, and had advised its bureaus to track, analyze, and manage mobile device use and cost in accordance with GAO guidance at their level until migration to the department-wide contracts has been completed. However, as of August 2017, the department had not demonstrated that it had established department-wide procedures to monitor and control spending on mobile devices and services. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To better enable OMB to oversee agency efforts to consolidate mobile telecommunications contracts, the Director should measure and report progress in achieving its goal of cost savings through consolidation, as described in the 2012 Digital Government Strategy.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: As of August 2017, the Office of Management and Budget (OMB) had made progress in implementing this recommendation by requiring agencies to track savings; however, it had not yet reported progress in achieving its goal of cost savings. Specifically, in August 2016, OMB issued a policy requiring covered agencies to appoint, by November 2016, a dedicated lead for mobile devices and services. The official is expected to work closely with senior agency officials to establish and maintain an agency-wide inventory of mobile contracts, identify opportunities for contract consolidation, and track savings, among other things. In addition, according to an official in OMB's Office of Federal Procurement, a team led by OMB, the General Services Administration, and the departments of Defense and Homeland Security, is to develop an approach for measuring savings related to mobile devices and services.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to ensure that its reports to Congress about the results of IT reform efforts accurately reflect savings generated from all PortfolioStat initiatives, including those associated with FDCCI.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to track agencies' planned savings and use them as a baseline for measuring reported actual savings.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to require agencies to document specifically how the cost savings achieved from PortfolioStat have been reinvested.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to establish time frames for completing assigned PortfolioStat action items and hold agencies accountable for meeting those time frames.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: The Secretary of Defense should direct the Chief Information Officer to revisit the 25 cost initiatives GAO reported in GAO-14-65 to identify those that have achieved savings and cost avoidances and report those savings and avoidances to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, during our review of federal agencies' efforts to rationalize their portfolio of software applications, the department reported that it does not collect data specifically on savings and cost avoidance associated with the business and enterprise IT applications that comprise most of the 25 cost initiatives reported in GAO-14-65. We will continue to follow up with the department on this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendations
    Recommendation: To improve the effectiveness of OMB streamlining efforts and ensure agency CIOs are better able to carry out their responsibilities in managing IT, including implementing OMB's IT reform initiatives, the Director of OMB should direct the Federal CIO, in collaboration with agency CIOs, to ensure there is a common understanding with agency CIOs on the priority of the current reporting requirements and related IT reform initiatives. This should include addressing underlying reasons cited by CIOs regarding the usefulness of requirements, including when department priorities are reportedly different than OMB's and the burdensome and duplicative nature of requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) neither agreed or disagreed with our recommendation. Subsequently, OMB has taken steps to address some aspects of our recommendation. Specifically, in January 2017, OMB worked with the Chief Information Officer (CIO) Council to issue a report entitled "State of Federal Information Technology (SOFIT)" which outlined current IT trends and their key challenges, and made recommendations to improve implementation efforts. Notably, the report also identified differences in priorities between OMB and agency CIOs on key IT reform initiatives and the need for improved reporting requirements. In addition, in June 2017, OMB staff reported that they met the CIO and head of each agency this past spring regarding their priorities and challenges. While these are positive steps toward ensuring a common understanding of these initiatives and reporting requirements, OMB still needs to take action to address the underlying reasons for these differences in priorities and reduce burdensome and duplicative requirements. Until OMB takes action in these areas, there is a risk that key IT reform initiatives may not fully succeed. We will continue to evaluate OMB's progress in addressing our recommendation.
    Director: Joel Willemssen
    Phone: (202) 512-6253

    2 open recommendations
    Recommendation: To help ensure that the Copyright Office makes improvements to its current IT environment, the Librarian of Congress should direct the Register of Copyrights to, for current and proposed initiatives to improve the IT environment at the Copyright Office, develop plans including investment proposals that identify the business problem, a proposed solution, the expected benefits, how the solution aligns with the Library's strategic plan, an initial 3-year cost estimate, and expected funding sources, and bring those to the Library's IT Steering Committee for review, as required by Library policy.

    Agency: Library of Congress
    Status: Open

    Comments: In commenting on our draft report, the Copyright Office neither agreed nor disagreed with our recommendation. Subsequently, the Copyright Office has begun to take steps to address this recommendation. For example, in November 2015 Copyright submitted to the Library's IT Steering Committee plans for three new fiscal year 2017 IT initiatives aimed at improving current systems, such as technical upgrades to the electronic (eCO) registration system. For each initiative, the office developed plans that identified the business problems, proposed solutions, expected benefits, alignment with the Library's strategic plan, initial 3-year cost estimates, and expected funding sources. In November 2016, the Librarian of Congress directed all top-level IT staff in the Library's various service units, including the Copyright CIO, to be detailed to the Library's OCIO. Subsequently, in April 2017 Library and Copyright Office officials stated that the Copyright Office, in coordination with the Library OCIO, will develop IT investment proposals for fiscal year 2018, including proposals for modernizing the Copyright Office's IT systems. We will continue to evaluate the Copyright Office's efforts to address our recommendation.
    Recommendation: To help ensure that the Copyright Office makes improvements to its current IT environment, the Librarian of Congress should direct the Register of Copyrights to develop an IT strategic plan that includes the office's prioritized IT goals, measures, and timelines, and is aligned with the Library's ongoing strategic planning efforts.

    Agency: Library of Congress
    Status: Open

    Comments: In commenting on our draft report, the Copyright Office neither agreed nor disagreed with our recommendation. In November 2016, the Librarian of Congress directed all top-level IT staff in the Library's various service units, including the Copyright Chief Information Officer (CIO), to be detailed to the Library's Office of the CIO. In light of this organizational realignment, in May 2017 the Library's Office of the CIO and the Copyright Office stated that they will be working in coordination to address our recommendation. We will continue to evaluate the Library and Copyright's efforts to address our recommendation.
    Director: Joel C. Willemssen
    Phone: (202) 512-6253

    24 open recommendations
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to address, this recommendation. Specifically, according to Library officials, they have developed a schedule and processes for developing an architecture that describes the current and target IT environments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in July 2016 the Library engaged the Office of Personnel Management (OPM) to develop and conduct a skills assessment of the Library's IT workforce. According to Library officials, OPM led a focus group with IT specialists to review and revise competency and skill lists for IT positions. In June 2017, OPM administered a gap analysis survey to all IT specialists, supervisors, managers, and leaders within the Library. According to Library officials, the Library is developing a strategy for closing gaps identified in the survey results. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture. Additionally, in February 2017, the Library provided us with IT investment proposals for 19 fiscal year 2017 investments. To the Library's credit, the proposals describe how many of the investments align with the IT strategic plan and enterprise architecture. However, we also identified instances where the alignment with the IT strategic plan and enterprise architecture was not included in the proposals or was not clearly defined. In a written response, the Library stated that the inconsistencies were attributable to manual processes for collecting the information and that it is working to make improvements to these processes for the fiscal year 2018 investments. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include reselecting investments that are already operational. Additionally, in October 2016 the Librarian approved the Library's fiscal year 2017 IT investment plan, which describes $145 million in planned IT spending on systems across the Library that are both operational and in development. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that investment selection decisions have an impact on decisions to fund investments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that appropriate governance bodies review all investments that meet defined criteria. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include requiring investments in development to submit complete investment data in quarterly reports submitted to the Information Technology Steering Committee. Additionally, officials stated that the Library has begun to require IT investments to submit quarterly reports with complete investment data, including cost and schedule variances and risk management data. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. The Library is revising its asset management policy to improve its process for developing and maintaining its inventory of IT assets. Additionally, the Office of the CIO engaged a contractor to perform a full inventory of its IT assets in September 2017. Further, the Library is working to reconcile the results of this IT asset inventory with the information in its asset management system. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include key practices on portfolio management. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives to relating to IT investment management, to include requiring investments to identify and review risks. Additionally, in February 2017, the Library provided us with risk management information for 19 fiscal year 2017 investments. To its credit, the Library generally identified, documented, evaluated, and categorized risks for each of the 19 investments. However, the Library did not always document the context and consequences of occurrence for all risks and did not describe mitigation plans for all risks. In a written response, the Library noted that it will improve the guidance for risk management, providing examples that should ultimately elicit more useful information for the IT Steering Committee to make decisions or take action when necessary. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office has finalized detailed guidance for the Library on requirements development. We are reviewing this information to determine the extent to which the guidance includes key practices for requirements development. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office has finalized detailed guidance for the Library on developing and maintaining project schedules. We are reviewing this information to determine the extent to which the guidance includes key practices for developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, according to the Library, it is working to give the OCIO's Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office is drafting detailed guidance for the Library on developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Information Technology Security Group reviewed all system security plans to ensure that they are complete. After the completion of this review, in August 2017 the Library provided us with system security plans for nine key systems. To its credit, the plans describe many of the common controls (i.e., where a system relies on controls established for another system) on which the systems relied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented by the system, are inherited from another system, or are not being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Library?s Information Technology Security Group reviewed all system security plans to ensure that they are complete. After completing this review, in August 2017 the Library provided us with system security plans for nine key systems. Each of the plans generally includes descriptions of how security controls are implemented and justifications for why controls are not applied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, in August 2015 the Library began monthly security testing and vulnerability scans for servers, networks, and workstations. Additionally, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in August 2017, the Library provided us with remedial action plans for key Library systems. The Library has generally documented and tracked remedial action plans for these key systems and has completed many. However, we also identified instances of remedial actions that, as of August 2017, had yet to be completed and were past their expected completion date. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including management of remedial action plans. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in October 2015 the Library finalized its guidance on security assessment and authorization, which requires authorizing officials to review the security status of information systems on an ongoing basis to determine whether the risk of operating the system remains acceptable. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in April 2017 the Library required that contingency plans be established for all systems by September 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. According to Library officials, the OCIO is developing a process to track user accounts, including contractors and volunteers, on Library systems to ensure completion of required annual IT Security Training. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. In April and September 2016 the Library provided us with IT contracts that included some, but not all, of the standard contract sections required by Library policy. In February 2017, the Library provided us with newly awarded IT contracts, each of which included the required information security and privacy sections. Further, according to the Library, it plans to incorporate its required information security and privacy provisions into its existing contracts for IT services as the Library exercises options for these contracts. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in September 2016 the Library?s Office of the CIO finalized a new service catalog that captures its IT services. The catalog identifies 21 categories of IT services that are available to Office of the CIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating availability, fulfillment, and response. Additionally, between May 2016 and May 2017, the Office of the CIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for specialized application and services that the Office of the CIO provides to those units. Further, the Library's Office of the CIO is developing a directive on its memorandums of understanding and plans to brief its customers on that directive in November 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Office of the Chief Information Officer has begun drafting a customer satisfaction improvement plan. The Library expects this plan to be finalized by December 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library is drafting several policies and directives to relating to IT investment management, to include reviewing the Library's IT portfolio to identify duplicative or overlapping activities and investments. In addition, according to Library officials, the Library has taken a number of steps to reduce duplicative IT activities. For example, in March 2015 we reported that the Office of Security and Emergency Preparedness (OSEP) managed its own network independent of the Library's central IT provider. However, in June 2017 the Library reported that the Office of the CIO is managing the OSEP network. Further, the Library plans to assess the costs and benefits of consolidating potentially duplicative email and network services identified in our March 2015 report. The Library plans to complete the steps necessary to implement this recommendation by March 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    5 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and ensure that the executive-level investment review board meets as outlined in its charter, documents criteria for use by the other boards, and distributes its decisions to appropriate stakeholders.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e. the Executive Operations Committee) that replaced the board discussed in our report. However, as of April 2017, the department had not yet documented criteria the Committee had established for use by other boards or provided evidence of how this new committee would distribute decisions made to appropriate stakeholders.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish and maintain a complete set of governance policies, establish time frames for establishing policies planned but not yet developed, and update key governance documents to reflect changes made to established practices.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, the department had taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy and confirmed that the remaining policies to be developed were the IT Risk Policy and the IT Performance Management Policy. HUD also reported that the department planned to revise additional existing policies, including the IT Management Framework Policy, IT Capital Management Policy, IT Project Planning & Management Policy, IT Governance Policy, and IT Strategic Planning Policy. As of April 2017, the department had finalized a Risk Policy but reported it was still working on additional policy updates anticipated to be finalized during 2017.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish an IT investment selection process that includes (1) articulating how reviews of project proposals are to be conducted; (2) planning how data (including cost estimates) are to be developed and verified and validated; (3) establishing criteria for how cost, schedule, and project risk are to be analyzed; (4) developing procedures for how proposed projects are to be compared to one another in terms of investment size (cost), project longevity (schedule), technical difficulty, project risk, and cost-benefit analysis; and (5) ensuring that final selection decisions made by senior decision makers and governance boards are supported by analysis, consider predefined quantitative measures, and are consistently documented.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not provided information demonstrating that the department has addressed this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. As of April 2017, the department had reported on improvements to its investment process but had not yet provided evidence of specific actions or plans aimed at ensuring the five IT selection processes highlighted in this recommendation would be addressed.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish a well-defined process that incorporates key practices for overseeing investments, including (1) monitoring actual project performance against expected outcomes for project cost, schedule, benefit, and risk; (2) establishing and documenting cost-, schedule-, and performance-based thresholds for triggering remedial actions or elevating project review to higher-level investment boards; and (3) conducting post-implementation reviews to evaluate results of projects after they are completed.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, the department had taken steps to address this recommendation. Specifically, in April 2016, HUD provided evidence of actions taken toward developing new processes for investment oversight practices. Specifically, the department created processes for conducting project health assessments and weekly project management meetings intended to monitor, among other things, actual performance against expected outcomes, and to establish thresholds for triggering remedial actions or elevating projects for additional review. As of April 2017, the department had not provided evidence that these new processes were fully established and institutionalized.
    Recommendation: To establish an enterprise-wide view of cost savings and operational efficiencies generated by investments and governance processes, the Secretary of Housing and Urban Development should direct the Deputy Secretary and Chief Information Officer to place a higher priority on identifying governance-related cost savings and efficiencies and establish and institutionalize a process for identifying and tracking comprehensive, high-quality data on savings and efficiencies resulting from IT investments and the IT governance process.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: As of April 2017, the department had taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the fiscal year 2015 budget formulation process, along with copies of a template that it designed and used to help identify such savings. As of April 2017, the department had not yet provided evidence that it had formally established policies and procedures or taken other actions to institutionalize a process for identifying and providing an enterprise-wide view of IT-related cost savings and operational efficiencies.
    Director: David A. Powner
    Phone: (202) 512-9286

    10 open recommendations
    including 2 priority recommendations
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services agreed with, and has taken initial steps to implement, our recommendation. In June 2015, the department reported that it had begun an effort to calculate the tangible cost savings and avoidances derived from closing over 50 data centers as part of its data center consolidation efforts. As of March 2017, the department reported that it had closed a total of 74 data centers and had identified $6.64 million in cost savings and avoidances, which is approximately $2.30 million more than what we reported in September 2014. However, the identified cost savings does not include any savings from fiscal years 2015 or 2016. Accordingly, we conclude the department has not yet completed efforts to address challenges in calculating cost savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior agreed with, and has taken initial steps to implement, our recommendation. Specifically, in December 2014, the Interior's Deputy Assistant Secretary for Policy, Management and Budget established a series of steps toward addressing our recommendation. The steps include, for example, consolidating and streamlining data center consolidation reporting processes, developing a template that all department bureaus and offices are required to use, and issuing a directive requiring consistent reporting for all data center cost savings and avoidances. In addition, the department submitted a Data Center Optimization Initiative strategic plan to the Office of Management and Budget (OMB) in September 2016. In the plan, the department reported closing 53 data centers and achieving $4.4 million in cost savings and avoidances in fiscal year 2016. However, the plan does not indicate how the department will address identified challenges nor does it indicate whether the department has successfully implemented its directive on consistent monitoring of cost savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor agreed with, and has taken initial steps to implement, our recommendation. In September 2015, the department stated that its Office of the Chief Information Officer was working to develop an enterprise data center inventory as part of the department-wide Data Center Consolidation Initiative Working Group. In September 2016, the department submitted its Data Center Optimization Initiative plan to the Office of Management and Budget. The plan reported that the department had closed 28 non-tiered data centers in fiscal year 2016 and indicated that the department had historical cost savings of $4.85 million to date. However, as of March 2017, the department had not yet reported any resulting cost savings or avoidances in its quarterly report to OMB. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with, and has taken initial steps to implement, our recommendation. In September 2014, we found that the department reported fiscal year 2012 through 2015 cost savings and avoidances of $244.17 million to GAO, but had only reported $71.20 million to the Office of Management and Budget (OMB)--a difference of approximately $172.97 million. Moreover, as of March 2017, the department still had not yet fully reported its savings to OMB, as we recommended. Specifically, the department had reported a total of about $25.07 million in cost savings and avoidances to OMB from fiscal years 2012 to 2016--an amount that is approximately $219.1 million short of the total savings and avoidances that the department had reported to GAO as of September 2014. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with, and has taken initial steps to implement, our priority recommendation. In March 2016, we determined that the department had identified a total of about $1.07 billion in data center consolidation cost savings from fiscal year 2012 through 2016. However, as of March 2017, the department had not yet fully reported its savings to the Office of Management and Budget, as we recommended. Specifically, as of June 2016, the department reported $859 million in savings to the Office of Management and Budget--an amount $211 million less than the $1.07 billion previously reported to us. However, as of March 2017, the department only reported $331 million to the Office of Management and Budget--a decrease of $528 million and $739 million less than what was previously reported to us. In light of the department's considerable planned savings, and the significant decrease in what is being reported, full and accurate reporting by the department is critical toward ensuring that the Office of Management and Budget and Congress have the ability to oversee DOD's progress against key data center consolidation initiative goals.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior agreed with, and has taken initial steps to implement, our recommendation. In September 2014, we found that the department had reported fiscal year 2012 to 2015 cost savings and avoidances of $84.42 million to GAO, but had only reported $13.59 million to OMB--a difference of approximately $70.83 million. Moreover, as of February 2017, the department had not yet fully reported its savings to OMB, as we recommended. Specifically, the department had reported a total of about $13.61 million in cost savings and avoidances to OMB from fiscal years 2012 to 2016--an amount that is approximately $70.81 million short of the total savings and avoidances that the department had reported to GAO as of September 2014. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with our recommendation, but had not yet taken steps to implement it. In September 2014, we found that the department had reported fiscal year 2012 to 2015 cost savings and avoidances of $140.18 million to GAO, but had only reported $7.36 million to OMB--a difference of approximately $132.82 million. However, in February 2017, the department had still only reported a total of $4.89 million in data center consolidation savings and avoidance to OMB. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: Treasury did not comment on this recommendation and has not comprehensively reported cost savings and avoidances, as we recommended. For example, as of March 2017, Treasury had reported about $1.14 billion in data center consolidation-related cost avoidances in its quarterly report to OMB--an increase of about $734 million compared to a previous report. However, the department has not yet reported to OMB other cost avoidances totaling about $210 million that the department had previously reported to us. We will continue to monitor Treasury's progress against this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management agreed with our recommendation, but has not yet taken steps to implement it. In September 2014, we found that the agency had reported fiscal year 2012 to 2015 cost savings and avoidances of $3.40 million to GAO, but had not reported any of its savings and avoidances to the Office of Management and Budget as required. As of March 2017, the agency had not yet reported any data center consolidation cost savings and avoidances to the Office of Management and Budget. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that the Federal Data Center Consolidation Initiative (FDCCI) improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal chief information officer (CIO) to utilize the existing PortfolioStat review sessions to assist the Department of Health and Human Services (HHS), Interior, Justice, Labor, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) in identifying data center consolidation cost savings opportunities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) agreed with, and has taken initial steps to implement, our recommendation. Specifically, in June 2015, OMB issued a memorandum that discussed the fiscal year 2015 PortfolioStat requirements, including that agencies should hold PortfolioStat sessions on a quarterly basis (versus annually, as done previously) with OMB, the agency chief information officer, and other attendees. The memorandum also stated that, during these sessions, agencies are expected to discuss a strategy to reduce duplication and waste within the IT portfolio of the agency, identify projected cost savings resulting from such strategy, and identify ways to increase the efficiency and effectiveness of IT investments, among other things. However, as of March 2017, several agencies were still reporting limited savings from their consolidation efforts. For example, the Department of Transportation reported closing 146 data centers through February 2017, but had reported only $4.9 million in savings. As another example, the Department of Labor reported closing 25 data centers through February 2017, but reported no resulting cost savings. Until OMB assists these agencies with limited or no cost savings reported, they may not be able to identify the full extent of savings from their consolidation efforts. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: Powner, David A
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To better ensure that the Dashboard provides meaningful ratings and reliable investment data, the Director of OMB should direct the Federal CIO to make accessible regularly updated portions of the public version of the Dashboard (such as CIO ratings) independent of the annual budget process.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: Although the Federal CIO did not agree or disagree with our recommendation, OMB has taken initial steps to implement it. Specifically, OMB recently updated the Dashboard with a number of changes, and OMB officials stated in 2015 that they intended for the Dashboard to be able to show updates throughout the year. That said, OMB has yet to implement this recommendation. Specifically, OMB did not publish updates to the public version of the Dashboard during the fiscal year 2018 budget formulation process, starting at the end of August 2016. We will continue to monitor the Dashboard to determine if portions of the public version of the Dashboard (such as CIO ratings) are available throughout the year. Maintaining the availability of these data is important for increasing the utility of the Dashboard as a tool for greater IT investment oversight and transparency.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Commerce should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce disagreed with this recommendation. In written correspondence, the Department noted that, although it is no longer reporting three of the 10 investments reviewed for this engagement on the IT Dashboard, it is maintaining oversight through monthly Dashboard-like assessments. As of July 28, 2016, the Department stated that it did not have plans to re-categorize these three particular investments as IT and report the data on the IT Dashboard. We continue to believe that this recommendation has merit and will monitor the Department's efforts to maintain oversight for these investments.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Energy should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Energy
    Status: Open

    Comments: While the Department of Energy had agreed with this recommendation, in subsequent written correspondence, it explained that five of the eight investments noted by GAO as being IT were no longer being reported in the IT Portfolio on the Dashboard. Instead, the Department was reporting these data to OMB via an alternative reporting mechanism specific to high performance computing. In addition, the Department noted that the remaining three investments were deconsolidated or downgraded into non-major investments, or eliminated by funding and, as such, these investments will not be included on the Dashboard. However, we continue to believe that this recommendation has merit and that the remaining investments are more properly classified as IT. We will continue to monitor the Department's efforts to maintain oversight for these investments.
    Director: Powner, David A
    Phone: (202)512-9286

    48 open recommendations
    including 1 priority recommendation
    Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to disclose the limitations of any data reported (or disclose the parameters and assumptions of these data) on the agencies' consolidation efforts and associated savings and cost avoidance.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In its comments on GAO's November 2013 report, OMB disagreed with this recommended action, stating that it had disclosed limitations on data reported and cited three instances of these efforts. However, GAO maintained that, while OMB reported limitations of data regarding commodity information technology (IT) consolidation efforts in these cases, the information reported did not provide stakeholders and the public with a complete understanding of the data presented. For example, OMB did not disclose that information from the Departments of Defense (DOD) and Justice was not included in the consolidation estimates reported, which, considering the scope of DOD's efforts in this area (at least $3.2 billion), was a major gap. As of March 2017, OMB still had not addressed this recommendation. During that month, the agency told GAO that improving the quality of the data agencies submit through the integrated data collections (which include data on agencies' consolidation efforts and associated savings and cost avoidance) is a priority and that Office of the Federal Chief Information Officer staff follow up with agencies when they detect anomalies in the data reported. OMB, however, did not address actions to disclose the limitations of data reported or disclose the parameters and assumptions of these data. Such disclosure would provide the public and other stakeholders with crucial information needed to understand the status of PortfolioStat and agency progress in meeting the goals of the initiative.
    Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to require that agencies report on efforts to address action plan items as part of future PortfolioStat reporting.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: OMB's June 2015 memorandum on the management and oversight of federal information technology (M-15-14) established quarterly PortfolioStat sessions between OMB and agency Chief Information Officers. This represented a change from the previously required annual action item memos. In November 2016, OMB stated that it informally tracks action items resulting from PortfolioStat but no formal documentation is kept. We will continue to follow up on how OMB ensures that agencies report on efforts to address action items as part of future PortfolioStat reporting.
    Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to improve transparency of and accountability for PortfolioStat by publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In October 2015, OMB started displaying actual data consolidation savings data on the federal information technology (IT) dashboard, consistent with provisions of the IT reform legislation commonly referred to as the Federal Information Technology Acquisition Reform Act. However, in November 2016, and again in March 2017, OMB stated that it does not track planned cost savings and cost avoidance figures and did not provide any plans to do so. Improving the transparency and accountability for PortfolioStat by publicly disclosing both planned and actual data consolidation efforts and related cost savings by agency would provide stakeholders, including Congress and the public, a means to monitor agencies' progress and hold them accountable for reducing duplication and achieving cost savings.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Agriculture should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture (USDA) provided information on its efforts to ensure the quality of its commodity IT baseline data. Specifically, USDA reported having (1) developed a central repository for agencies and staff offices to populate commodity IT data and (2) provided training on the use of the repository, and (3)established an addtional level of oversight to monitor data quality. We are reviewing supporting documentation obtained from the department to determine whether the recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Agriculture should direct the CIO to fully describe the following PortfolioStat Action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for wasteful, low-value, or duplicative investments.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture provided information on the elements identified in the recommendation. We are reviewing additional supporting documentation obtained from the department to determine whether the recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, as the department finalizes and matures its valuation methodology, the Secretary of Agriculture should direct the CIO to utilize this process to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture stated that its Chief Information Officer will formalize and implement a value-based measurement model to help determine which IT investments should be included in the USDA IT portfolio. We are reviewing supporting documentation obtained from the department to determine whether this recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Agriculture should direct the CIO to develop support for the estimated savings for fiscal years 2013 through 2015 for the Cellular Phone Contract Consolidation, IT Infrastructure Consolidation/Enterprise Data Center Consolidation, and Geospatial Consolidation initiatives.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Agriculture stated that its CIO has developed supporting documentation for the cost savings/avoidance associated with the efforts identified in the recommendation. We are reviewing supporting documentation obtained from the department to determine whether this recommendation has been fully addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

    Agency: Department of Commerce
    Status: Open

    Comments: In its January 2014 statement of actions to address our recommendations, the Department of Commerce stated that the majority of its IT investments were made at the operating unit level and it was therefore planning on issuing policy to require consistency between the operating units' enterprise architecture and the totality of IT investments as reflected in the annual capital asset plan and business case summary submission. The department noted it would also require that consistency between the department's enterprise architecture and the IT investment portfolio is confirmed before submission of either of these artifacts. We are following up with the department to determine the status of these planned actions.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of Commerce
    Status: Open

    Comments: In its January 2014 statement of actions to address our recommendations, the Department of Commerce stated it had submitted two iterations of its commodity IT baseline to OMB since we made our recommendation. The department noted the PortfolioStat process and requirement to submit the baseline through the integrated data collection tool helped ensure the baseline was complete. We plan to follow up with Commerce officials.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of Defense
    Status: Open

    Comments: In its December 2013 statement of actions to address our recommendations, the Department of Defense stated that it had efforts underway, including an initiative known as the Joint Information Environment, to further refine the Department's commodity IT baseline. As of August 2016, we found that the department's DOD IT Portfolio Repository included business and enterprise IT systems--two of three commodity IT areas defined by OMB--as part of an ongoing engagement. We are following up with the department to find out about actions to develop an inventory of assets associated with IT infrastructure--the third category of commodity IT defined by OMB.
    Recommendation: To improve the department's implementation of PortfolioStat, in the future reporting to OMB, the Secretary of Defense should direct the CIO to fully describe the following PortfolioStat action plan element: consolidate commodity IT spending under the agency CIO.

    Agency: Department of Defense
    Status: Open

    Comments: As of December 2013, the department did not concur with this recommendation stating that the commodity IT construct implemented in the PortfolioStat initiative did not work well within the department's federated processes. The department agreed, however, that a strategy, consistent with the intent of achieving better buying power and control of commodity IT items, should be developed and implemented within the department using existing authorities, and noted that it was in the process of implementing such a strategy. In August 2016, we followed up with the department to obtain an update on the status of this strategy and determine the associated reporting to OMB. As of the end of October, we were still waiting for a response.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to obtain support from the relevant component agencies for the estimated savings for fiscal years 2013 to 2015 for the data center consolidation, enterprise software purchasing, and General Fund Enterprise Business System initiatives.

    Agency: Department of Defense
    Status: Open

    Comments: In its statement of actions to address our recommendations, the Department of Defense stated that it already reports data center consolidation savings to both OMB and Congress and will continue to realize savings from the Enterprise Software Initiative, other strategic sourcing efforts, and the continuing implementation of General Fund Enterprise Business System initiatives. As of August 2016, we had collected support for data center consolidation as part of our ongoing data center consolidation work, and were waiting to receive support for the Enterprise Software Initiative savings for fiscal years 2013 to 2015 through recommendation follow-up for a prior software licensing review (GAO-14-413). We are following up with the department to obtain support for savings for the General Fund Enterprise Business System.
    Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, in future reporting to OMB, the Secretary of Defense should direct the Secretary of the Army to the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

    Agency: Department of Defense
    Status: Open

    Comments: In its statement of actions to address our recommendations, the Department of Defense stated that the U.S. Army Corps of Engineers would fully describe the four action plan elements identified in this recommendation in future OMB reporting. We are following up with the department to determine the status of these efforts and obtain the associated supporting documentation.
    Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, the Secretary of Defense should direct the Secretary of the Army to report on the agency's progress in consolidating eCPIC to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of Defense
    Status: Open

    Comments: In October 2016, the Department of Defense provided a report stating it had completed the consolidation of eCPIC to a shared service in August 2014. We are following up with the department to obtain supporting documentation.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Energy should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Department of Energy
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Department of Energy stated that it will update its policy orders as necessary to implement the OMB policy for consolidating commodity IT under the Chief Information Officer and include a description in future OMB reporting. The department also noted that it will work to establish additional value criteria to idenitfy low-value or duplicative federal commodity IT investments, and these criteria will be described in future OMB reporting. We are reviewing the department's reporting to OMB to determine the extent to which this recommendation has been addressed.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to develop a complete commodity IT baseline.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In August 2014, the Environmental Protection Agency reported that it uses OMB's quarterly integrated data collection submission process to continually update the information in its baseline. We are following up with the agency to determine whether it has any process to ensure the completeness of the information that is submitted.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Environmental Protection Agency should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; and (3) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In August 2014, the Environmental Protection Agency stated that, in its August 2014 PortfolioStat update, it had reported to OMB on the status of actions to consolidate commodity IT spending under the agency CIO and to establish targets for commodity IT spending reductions. The agency also stated that it was working to develop criteria for identifying wasteful, low-value, and duplicative investments. We are reviewing the August 2014 PortfolioStat update to verify the agency's claims. We plan to also follow up on efforts to develop the aforementioned criteria and any associated reporting to OMB.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to report on the agency's progress in consolidating the managed print services and strategic sourcing of end user computing to shared services as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its March 2014 statement of actions to address our recommendations, the Environmental Protection Agency stated that it expected its print services to take on additional devices and locations beginning in April 2014 and that a contract vehicle for the purchasing and leasing of end user computing equipment was expected to be awarded by the end of the month. We are reviewing the agency's quarterly reporting to OMB to determine whether progress on the two initiatives was reported to OMB as we recommended.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of the Interior should direct the CIO to develop a complete commodity IT baseline.

    Agency: Department of the Interior
    Status: Open

    Comments: In August 2014, the Department reported that it was planning to undertake a series of activities spanning a 15-month timeframe to create a complete commodity IT baseline, including embarking upon a statistical analysis and cost projection initiative that is intended to identify the degree of confidence in the commodity IT baseline, and develop mechanisms that will enable validation and verification in the future. We will follow up with the department on the results of its activities.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of the Interior should direct the CIO to fully describe the following PortfolioStat action plan element: establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Department of the Interior
    Status: Open

    Comments: In its January 2014 comments on our report, the Department of the Interior stated that it was undertaking a business-driven approach that will involve working wtih its governance boards to establish criteria for identifying wasteful, low-value, or duplicative investments. The department stated it would establish the criteria by December 2014. However, the department did not address whether it would be reporting its plans to OMB, which was the focus of our recomnendation. We will follow up with officials on this.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of the Interior should direct the CIO to report on the department's progress in consolidating the Electronic Forms System component of the eMail Enterprise Records & Document Management System deployment 8 to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of the Interior
    Status: Open

    Comments: In its January 2014 comments on our report, the Department of the Interior provided information on the status of its efforts to consolidate the Enterprise Forms System to a shared service and established a December 2014 target date for completion. In addition, the department stated that it would report on the status of the initiative quarterly until completion. We will follow up with the department to monitor its progress in completing the initiative and reporting on it to OMB.
    Recommendation: To improve the department's implementation of PortfolioStat, the Attorney General should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

    Agency: Department of Justice
    Status: Open

    Comments: In its December 2013 response to this recommendation, the Department of Justice stated that it had updated its enterprise architecture to include 100 percent of the information technology investments. However, it did not provide evidence of this action.We will follow up with the department to obtain supporting documentation.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Attorney General should direct the CIO to fully describe the following PortfolioStat action plan element: establish targets for commodity IT spending reductions and deadlines for meeting those targets.

    Agency: Department of Justice
    Status: Open

    Comments: In its December 2013 response to this recommendation, the Department of Justice (DOJ) stated that its Email and Collaboration Working Group established consolidation targets, and began Phase One of its email consolidation effort. In addition, DOJ provided information on the status of its efforts to establish additional targets. We are reviewing the information provided, as well as DOJ's reporting to OMB, to determine the extent to which this recommendation has been addressed.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Labor should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets.

    Agency: Department of Labor
    Status: Open

    Comments: In its December 2013 response to this recommendation, the Department of Labor stated that the Chief Information Officer participates in discussions to identify and eliminate duplication and facilitate the use of commodity IT and shared services through the IT governance committees. We are reviewing documentation we recently obtained from the department to determine the current status of action to address this recommendation.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Labor should direct the CIO to report on the department's progress in consolidating the cloud e-mail services to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor completed the consolidation of DOL agency e-mail systems into a shared cloud-based e-mail service in September 2014. In July 2015, the department provided evidence of a status report on the Office of Management and Budget IT dashboard showing completion of the initiative.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the National Aeronautics and Space Administration should direct the CIO to reflect 100 percent of information technology investments in the agency's enterprise architecture.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: in July 2015, NASA reported that it had initiated an effort referred to as Business Service Assessment (BSA) for IT to establish a more efficient IT operating model that maintains a minimum set of capabilities and meets current and future mission needs. The agency stated that one objective of the BSA is to guide technical, services, and investment decisions, create enterprise architecture and enterprise services methodologies for each IT domain that feeds into the overarching enterprise architecture for the full IT portfolio. In March 2016, the agency reported that final recommendations regarding the BSA were expected to be submitted to the Agency Mission Support Council at the end of the month. We are following up with NASA on the status of this recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the National Aeronautics and Space Administration should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In May 2015, NASA reported that OMB published new action items that resulted in a shift in tracking of the previous action items identified in our recommendation. In July 2015, the agency provided evidence of a July 2015 report updating OMB of the status of these items.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Archivist of the United States should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

    Agency: National Archives and Records Administration
    Status: Open

    Comments: In its February 2014 statement of actions to address our recommendations, the National Archives and Records Administration reported that the four action plan elements identified in the recommendation had been included in the latest information resources management strategic plan submitted to OMB. We will review the plan to confirm whether the elements were included.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the National Science Foundation should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: National Science Foundation
    Status: Open

    Comments: The National Science Foundation (NSF) reported that while OMB had not requested that the agency provide updates to the 2012 PortfolioStat action plan, NSF had provided different, OMB-requested documentation in support of annual PortfolioStat activities. We plan to follow up with the agency to determine the extent to which the documentation provided to OMB addresses our recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to develop a complete commodity IT baseline.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In August 2014, the Office of Personnel Management stated that it would be generating a policy requiring the baselines to be updated quarterly and established a target of May 2015 for fully implementing this recommendation. In March 2015, the agency stated that it was continuing to make progress toward the completion of its commodity IT baseline.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the Office of Personnel Management should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) move at least two commodity IT areas to shared services and (2) target duplicative systems or contracts that support common business functions for consolidation.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In August 2014, the Office of Personnel Management stated that the initial program office responses to our recommendation represented the vision of the former Chief Information Officer (CIO). The agency stated that the new CIO's strategic plan would address duplicative systems and contracts as part of the CIO re-organization project that was underway, with the intent of bringing the different job functions under one group in order to utilize resources and common business functions more effectively. The agency established May 2015 as a target for fully implementing the recommendation. However, we have not yet received evidence of this action. We plan to follow up on the status of actions taken.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to report on the agency's progress in consolidating the help desk consolidation and IT asset inventory to shared services as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In August 2014, the Office of Personal Management (OPM) stated that a project initiated under the former Chief Information Officer's guidance deals specifically with help desk consolidation. OPM also stated it had leveraged the Remedy tool to integrate the IT asset inventory function as part of the help desk and that many of the IT asset inventory functions were now automated as part of this effort. The agency established May 2015 as a target for fully implementing the recommendation. We plan to follow up with OPM to find out about the status of actions taken to address this recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Small Business Administration should direct the CIO to develop a complete commodity IT baseline.

    Agency: Small Business Administration
    Status: Open
    Priority recommendation

    Comments: In a recent GAO review examining whether agencies have complete inventories of business and enterprise IT systems (which represent 2 of the 3 categories of assets called for in the commodity IT baseline), SBA provided an inventory which it acknowledged did not include all systems or represent all offices. (Note: the review was summarized in GAO-16-511 issued in September 2016.) The agency noted that it was working with its offices to complete the inventory and hoped to finalize it and establish processes for updating the inventory, including possibly automating its data gathering abilities. In May 2017, SBA provided an update on the status of actions to address the recommendation. We are currently reviewing the documentation provided to determine whether SBA has fully addressed the recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Small Business Administration should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; (3) target duplicative systems or contracts that support common business functions for consolidation; and (4) establish a process to identify those potential investments and a schedule for eliminating them from the portfolio.

    Agency: Small Business Administration
    Status: Open

    Comments: In June 2015, SBA stated it believed the action items would be addressed as part of its actions to implement the provisions of the Federal Information Technology Acquisition Reform Act. We reviewed the agency's December 2015 plan for implementing the law and an April 2016 update but did not find evidence of actions to address the items in the recommendation. In May 2017, SBA provided an update on the status of actions to address the recommendation. We are currently reviewing the documentation provided to determine whether SBA has fully addressed the recommendation.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Commissioner of the Social Security Administration should direct the CIO to develop a complete commodity IT baseline.

    Agency: Social Security Administration
    Status: Open

    Comments: In September 2014, the Social Security Administration (SSA) reported that the instruction set for its Special Expense Item process through which all non-labor IT dollars go now includes the definition of commodity IT baseline, and the requirement to identify all commodity IT baseline funds requested. SSA also stated it will report the commodity IT baseline results for fiscal year 2015 in its November integrated data collection report. We are reviewing the instruction set for the Special Expense Item process and SSA's November integrated data collection report to verify SSA's reported actions.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Commissioner of the Social Security Administration should direct the CIO to report on the agency's progress in consolidating the geospatial architecture to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Social Security Administration
    Status: Open

    Comments: In August 2015, the Social Security Administration (SSA) reported that it had migrated its geospatial architecture to a shared service in September 2014 and was complying with OMB reporting requirements. In July 2016, the agency provided e-mail messages and meeting minutes documenting various stages of the migration as evidence that it was completed as planned. However, SSA did not provide evidence of reporting to OMB. We are following up with SSA to obtain this evidence.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of State should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

    Agency: Department of State
    Status: Open

    Comments: According to the Department of State, since August 2014 all major and non-major IT investments and corresponding assets have been captured in enterprise architecture artifacts. We will follow up with the department to obtain documentation supporting this claim.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of State should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; (3) move at least two commodity IT areas to shared services; (4) target duplicative systems or contracts that support common business functions for consolidation; and (5) establish a process to identify those potential investments and a schedule for eliminating them from the portfolio.

    Agency: Department of State
    Status: Open

    Comments: In August 2014, the Department of State reported taking several actions to address the action plan elements we determined had not been fully described in our review. For example, it provided the Integrated Logistics Management System and the Global IT Modernization program as examples of two commodity IT investments it had moved to shared services and reported that it instituted review processes to identify duplicative efforts within the IT portfolio. The department, however, did not state whether it had reported these actions to OMB, which was the focus of our recommendation. We will follow up with the department on this.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of State should direct the CIO to report on the department's progress in consolidating the Foreign Affairs Network and content publishing and delivery services to shared services as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of State
    Status: Open

    Comments: In August 2014, the Department of State reported that it had completed the content publishing and delivery services initiative and was reporting on its progress in consolidating the Foreign Affairs Network initiative to shared services through the OMB budget process. We plan to follow up with the agency to obtain supporting documentation.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Transportation should direct the CIO to report on the department's progress in consolidating the Enterprise Messaging to shared services as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of Transportation
    Status: Open

    Comments: In September 2015, the department reported that it had discontinued its effort to migrate the Enterprise Messaging program to shared services because it was no longer cost-effective. We plan to follow up with the department on this matter.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of the Treasury should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

    Agency: Department of the Treasury
    Status: Open

    Comments: In September 2014, the Departmnent of the Treasury provided information on its efforts to address its action plan elements, including (1) establishing a general approach to reviewing new investment requests that considers risk, value, and cost; and (2) driving Treasury's IT investment portfolio toward common platforms whenever possible. However, the department did not address whether it was reporting on these efforts to OMB, which was the focus of our recommendation. We will follow up with the department on this.
    Recommendation: To improve the department's implementation of PortfolioStat, as the department finalizes and matures its enterprise architecture and valuation methodology, the Secretary of the Treasury should direct the CIO to utilize these processes to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department described several examples of processes it had in place to identify opportunities to reduce duplicative, low-value or wasteful investments, including annual reviews of each major IT investment and monthly portfolio reviews. We plan to follow up with the department to obtain supporting documentation.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of the Treasury should direct the CIO to develop support for the estimated savings for fiscal years 2013 to 2015 for the DoNotPay Business Center, Fiscal IT Data Center Consolidation and Business Process Management Status initiatives.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department provided documentation related to its DoNotPay Business Center, Fiscal IT Data Center Consolidation, and Business Process Management Status initiatives. We are reviewing the information provided and plan to follow up with the department as appropriate.
    Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the U.S. Agency for International Development should direct the CIO to reflect 100 percent of information technology investments in the agency's enterprise architecture.

    Agency: United States Agency for International Development
    Status: Open

    Comments: In response to this recommendation, in September 2014, USAID provided GAO its guidance for establishing an IT asset inventory consistent with Federal Information Systems Management Act requirements and its guidance for purchasing equipment and services which are compliant with agency standards. In October 2015, USAID also stated that it regularly updates its enterprise architecture through maintenance of its information systems inventory and evaluation of future investments. In March 2017, the agency provided GAO documentation supporting its efforts to maintain its information systems inventory and evaluate future investments. However, USAID did not show how these activities help ensure that investments are all included in the enterprise architecture. GAO is following up with the agency on this matter.
    Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of Veterans Affairs should direct the CIO to fully describe the following PortfolioStat action plan element: target duplicative systems or contracts that support common business functions for consolidation.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In a December 2015 update to the status of this recommendation, the department stated it was changing its governance processes and organizational structures for IT portfolio, system, project and requirements management to strengthen its ability to identify and eliminate/consolidate duplicative systems or contracts. The department recently reported that these new processes and organizations were established in the Spring of 2016, including a new strategic sourcing approach which should assist in addressing our recommendation. We are following up with the department to obtain evidence of this approach.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Veterans Affairs should direct the CIO to report on the department's progress in consolidating the dedicated fax servers to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In December 2015, the department reported that it would no longer pursue the initiative because an analysis performed in fiscal year 2014 indicated very little, if any cost savings to be achieved. The agency, however, did not provide evidence regarding any related reporting to OMB. We are following up with the department to obtain this evidence.
    Recommendation: To improve the department's implementation of PortfolioStat, as the department matures its enterprise architecture process, the Secretary of Veterans Affairs should direct the CIO to make use of it, as well as the valuation model, to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In December 2015, the department stated it was changing its governance processes and organizational structures for IT portfolio, system, project and requirements management to strengthen its ability to identify and eliminate/consolidate duplicative systems or contracts. The department recently reported that these new processes and organizations were established in the Spring of 2016. We are following up with the department to find out how they are incorporating the use of the enterprise architecture and value model to identify opportunities to reduce duplicative, low-value, or wasteful investments.
    Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Veterans Affairs should direct the CIO to develop detailed support for the estimated savings for fiscal years 2013 to 2015 for the Server Virtualization, Eliminate Dedicated Fax Servers Consolidation, Renegotiate Microsoft Enterprise License Agreement, and one CPU policy initiatives.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In December 2015, the department reported that the scope of the Server Virtualization initiative was increased and that the cost avoidance estimates were being revised accordingly. It also reported that the Elimination of Analog Fax Lines initiative was no longer being pursued because an analysis found that it would result in very little, if any, cost savings. In regards to the Renegotiate Microsoft Enterprise License Agreement initiative, the department reported that total savings over a 5-year period were renegotiated but did not provide supporting documentation. Lastly, the department reported that a new economic justification for the One CPU Policy initiative was being developed based on a consolidation strategy, and would be provided when completed. We are following up with the department to obtain documentation supporting its reported actions.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In commenting on our report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. However, in response to this recommendation, FDA officials developed an integrated master schedule (IMS) for the Mission Accomplishment and Regulatory Compliance System, along with corresponding sub-project schedules. The officials also provided explanations of their approach for updating the schedules and estimating resources that are reflected in the schedules, and evidence that the agency is updating the schedule regularly. However, the IMS did not identify all legacy systems to be replaced, did not trace all tasks and contractor subproject schedules, and did not include information reflecting the use of government resources. In 2016, we requested that FDA provide an update on their efforts to address these limitations. As of September 2017, the agency restructured MARCS into two projects and notified us that it was working to establish an IMS for each. FDA officials expect to complete the schedules by the end of calendar year 2017. Until FDA takes steps to address the noted deficiencies, it will lack key information needed for determining what work remains and for identifying and addressing potential problems, thus increasing risks to the success of the agency's modernization efforts. We will continue to work with the Department to address this recommendation.
    Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to monitor progress of MARCS against the integrated master schedule IMS.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In commenting on the report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. However, in response to this recommendation, FDA officials provided a baseline schedule, integrated master schedule (IMS), and sub-project schedules intended to be used to monitor progress of the agency's efforts to implement changes to the Mission Accomplishment and Regulatory Compliance System (MARCS). Nonetheless, while the IMS is updated regularly, it contains data anomalies, and FDA has not documented reasons for changes to the schedule. Consequently, the schedule does not include complete and reliable information needed for monitoring progress of the system investment. As of September 2017, the agency restructured MARCS into two projects and notified us that it was working to establish an IMS for each. FDA officials expect to complete the schedules by the end of calendar year 2017, and to use the schedules to continually monitor the status of the projects. Until FDA takes steps to address deficiencies noted in the IMS for MARCS, it will continue to lack key data needed to monitor progress of the implementation of the system, and increase the risks of this key component of the agency's modernization efforts. We will continue to work with the Department to address this recommendation.