Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • Results:

    Topic: "Information Technology"

    80 publications with a total of 619 open recommendations including 32 priority recommendations
    Director: Susan Fleming
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: The Administrator of NHTSA should determine a completion date for the agency's website consolidation effort. (Recommendation 1)

    Agency: Department of Transportation: National Highway Traffic Safety Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of NHTSA should, while the agency continues its website consolidation effort, take interim steps to improve the usability of the auto recall areas of NHTSA.gov by addressing the website usability difficulties we identified. (Recommendation 2)

    Agency: Department of Transportation: National Highway Traffic Safety Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Director of OMB should continue to identify and report to Congress on the status of the top 10 high priority information technology programs and the extent to which USDS is involved in the programs, as was done in June 2015 and June 2016. In doing so, the Director should ensure that these reports are issued quarterly. (Recommendation 1)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OMB should ensure that the Federal CIO is directly involved in the oversight of high priority programs. (Recommendation 2)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OMB should continue to report on the status of USDS projects. In doing so, the Director should ensure that the reports are issued quarterly. (Recommendation 3)

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    19 open recommendations
    Recommendation: The Secretary of Energy should ensure that the CIO of Energy reports major IT investment information related to incremental development accurately in accordance with OMB guidance. (Recommendation 1)

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the CIO of U.S. Department of Agriculture (USDA) reports major IT investment information related to incremental development accurately in accordance with OMB guidance. (Recommendation 2)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration (SSA) should ensure that the CIO of SSA reports major IT investment information related to incremental development accurately in accordance with OMB guidance. (Recommendation 3)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Housing and Urban Development (HUD) should ensure that the CIO of HUD establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 4)

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of the Interior should ensure that the CIO of Interior updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development, consistent with OMB guidance. (Recommendation 5)

    Agency: Department of the Interior
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Attorney General of the United States should ensure that the CIO of Justice establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 6)

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Labor should ensure that the CIO of Labor updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 7)

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of State should ensure that the CIO of State updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 8)

    Agency: Department of State
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Agriculture should ensure that the CIO of USDA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 9)

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Veterans Affairs (VA) should ensure that the CIO of VA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 10)

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the Environmental Protection Agency (EPA) should ensure that the CIO of EPA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 11)

    Agency: Environmental Protection Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the General Services Administration (GSA) should ensure that the CIO of GSA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 12)

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should ensure that the CIO of NASA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 13)

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the National Science Foundation (NSF) should ensure that the CIO of NSF updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 14)

    Agency: National Science Foundation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chairman of the Nuclear Regulatory Commission (NRC) should ensure that the CIO of NRC establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 15)

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the Office of Personnel Management (OPM) should ensure that the CIO of OPM updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 16)

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the Small Business Administration (SBA) should ensure that the CIO of SBA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 17)

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 18)

    Agency: Social Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of the U.S. Agency for International Development (USAID) should ensure that the CIO of USAID establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 19)

    Agency: United States Agency for International Development
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    3 open recommendations
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task an integrated project team, made up of an IT project manager and business owner, with including specific actions in the Public Health and Medical Situational Awareness Strategy Implementation Plan for conducting all activities required to establish and operate the network.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task the integrated project team with developing a project management plan that includes measurable steps--including a timeline of tasks, resource requirements, estimates of costs, and performance metrics--that can be used to guide and monitor HHS's actions to establish the network defined in the plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance, under the leadership of the HHS CIO.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to take steps needed to ensure that system requirements are defined to align with the business needs of CNCS's future risk-based grants monitoring process (Recommendation 1).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that the system development project schedule identifies in the baseline both planned and actual dates for completing all project-level activities, and can be used to monitor and measure progress of the grant monitoring system project (Recommendation 2).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Chief Executive Officer should direct the Chief Information Officer to ensure that test plans are defined and implemented to include the second version of the grant monitoring system in all stages of testing during development, and results of initial stages are approved before conducting subsequent test stages (Recommendation 3).

    Agency: Corporation for National and Community Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    6 open recommendations
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that state-based marketplace annual sustainability plans, to the extent possible, have complete 5-year budget forecasts. (Recommendation 1)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that all state-based marketplaces provide required annual financial audit reports which are in accordance with generally accepted government auditing standards. (Recommendation 2)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that marketplace IT self-sustainability risk assessments are based on fully defined measurable terms, a clear categorization process, and a defined response to high risks. (Recommendation 3)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that states develop, update, and follow performance measurement plans that allow the states to continuously identify and assess the most important IT metrics for their state marketplaces. (Recommendation 4)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to conduct operational analysis reviews and systematically monitor the performance of states' marketplace IT systems using key performance indicators. (Recommendation 5)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that metrics collected from states to monitor marketplaces' operational performance link to performance goals and include baselines and targets to monitor progress. (Recommendation 6)

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    20 open recommendations
    Recommendation: As most agencies lack plans to meet OMB's data center optimization targets by the end of fiscal year 2018, it is increasingly likely that these agencies will require additional time to achieve the data center consolidation and optimization goals required by FITARA and OMB guidance. In order to provide agencies with additional time to meet OMB's data center optimization targets and achieve the related cost savings, Congress should consider extending the time frame for the data center consolidation and optimization provisions of FITARA beyond their current expiration date of October 1, 2018.

    Agency: Congress
    Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.
    Recommendation: To better ensure that agencies complete important DCOI planning documentation and that the initiative improves governmental efficiency and achieves intended cost savings, the Director of OMB should direct the Federal chief information officer to formally document a requirement for agencies to include plans, as part of existing OMB reporting mechanisms, to implement automated monitoring tools at their agency-owned data centers.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Commerce
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Energy
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of the Interior
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Justice
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Labor
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Department of State
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: General Services Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Small Business Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's IT strategic plan to include well-defined goals, strategies, measures, and timelines for modernizing its systems.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that the IT investment process guidance lays out the roles and responsibilities of all working groups and individuals involved in the agency's governance process.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to finalize the restructure of the Office of Information Technology, including fully defining the roles and responsibilities of the CIO.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that appropriate governance bodies review all IT investments and track corrective actions to closure.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the modernization of FMCSA's IT systems, the Secretary of Transportation should direct the FMCSA Administrator to ensure that required operational analyses are performed for Aspen, Motor Carrier Management Information System, Sentri 2.0, and Unified Registration System on an annual basis.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify performance metrics and associated targets for the goals and objectives in the department's IT strategic plans, including the Information Resources Management strategic plan and the Health Information Strategic Plan, as they relate to the delivery of health IT and the VHA mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and described planned coordination with the Office of Information and Technology and the Veterans Health Administration to develop or revise and maintain performance metrics that support the strategic and health information technology goals and objectives. The department plans to revise performance metrics to align to new goals and objectives by June 2018.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that the department-level investment review structure is implemented as planned and that guidance on the IT governance process is documented and identifies criteria for selecting new investments, and reselecting investments currently operational at VHA.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and a document describing the proposed alignment and interdependencies between the 11 governance boards. We will continue to monitor the implementation of the proposed relationships and review any additional guidance issued that further describes the process used by the governance boards for selecting and reselecting information technology investments.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify additional performance metrics to align with VHA's core business functions, and then use these metrics to determine the extent to which the department's IT systems support performance of VHA's mission.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation. These steps include developing a set of core metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that information technology investments are aligned to business needs and that expected outcomes are defined prior to making the investments. The department plans to complete this work by September 2018. We will continue to monitor VA's progress on these efforts.
    Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that unmet IT needs identified by key program areas--pharmacy benefits management, scheduling, and community care--are addressed appropriately and that related business functions are supported by IT systems to the extent required.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In comments on our report, VA concurred with our recommendation. The department has described its intention to ensure that unmet information technology needs for the pharmacy benefits management, scheduling, and community care program areas are addressed appropriately during fiscal year 2018 budget formulation. We will follow up with VA to ascertain what needs have been addressed, closed, or reprioritized for each program office during fiscal year 2018.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    6 open recommendations
    Recommendation: To provide clinicians and pharmacists with improved tools to support pharmacy services to veterans and reduce risks to patient safety, the Secretary of Veterans Affairs should direct the Assistant Secretary for Information and Technology and the Under Secretary for Health to establish and implement a plan for updating the pharmacy system to address the inefficiencies with viewing patient medication data in the Outpatient Pharmacy application and between the pharmacy application and viewers.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and in August 2017 stated that it had identified $4 million in fiscal year 2018 to establish a pharmacy graphical user interface. According to the department, it plans to complete its action in response to this recommendation by June 2018.
    Recommendation: To provide clinicians and pharmacists with improved tools to support pharmacy services to veterans and reduce risks to patient safety, the Secretary of Veterans Affairs should direct the Assistant Secretary for Information and Technology and the Under Secretary for Health to complete a plan for the implementation of an approach to data standardization that will support the capability for clinicians and pharmacists to view complete DOD data and receive order checks that consistently include DOD data.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred in principle with our recommendation and in August 2017 stated that it plans to implement the electronic health record system that is being deployed by DOD, which will present VA clinicians with complete DOD data and the ability to perform order checks on DOD data. In parallel, the department is continuing and expanding the implementation of data standardization. According to the department, it plans to complete its action in response to this recommendation by October 2019.
    Recommendation: To provide clinicians and pharmacists with improved tools to support pharmacy services to veterans and reduce risks to patient safety, the Secretary of Veterans Affairs should direct the Assistant Secretary for Information and Technology and the Under Secretary for Health to conduct an assessment to determine to what extent interoperability of VA's pharmacy system with DOD's pharmacy system is impacting transitioning service members.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and in May 2017 stated that the health executive committee would complete an assessment to determine the extent to which interoperability with DOD's pharmacy system is impacting transitioning service members. According to the department, it planned to complete its actions in response to this recommendation by September 2017. We will update the status of this recommendation when VA provides documentation of its interoperability assessment to us.
    Recommendation: To provide clinicians and pharmacists with improved tools to support pharmacy services to veterans and reduce risks to patient safety, the Secretary of Veterans Affairs should direct the Assistant Secretary for Information and Technology and the Under Secretary for Health to develop and execute a plan for implementing the capability to send outbound e-prescriptions to non-VA pharmacies, in accordance with National Council for Prescription Drug Programs standards.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and in August 2017 stated that it will review its plan for e-prescribing functionality after it has signed a contract to adopt the electronic health record system that is being deployed by DOD. According to the department, it plans to complete its action in response to this recommendation by March 2018.
    Recommendation: To provide clinicians and pharmacists with improved tools to support pharmacy services to veterans and reduce risks to patient safety, the Secretary of Veterans Affairs should direct the Assistant Secretary for Information and Technology and the Under Secretary for Health to ensure that the department's evaluation of alternatives for electronic health records includes consideration for additional generation level 3 capability such as navigating from an alert to medication order in the electronic health record system.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and in August 2017 stated that it had entered into contract negotiations to acquire and deploy a level 3 electronic health record system that is expected to address pharmacy functions. The department plans to award this contract in December 2017. We will update the status of this recommendation when VA provides documentation of its evaluation of alternatives to us.
    Recommendation: To provide clinicians and pharmacists with improved tools to support pharmacy services to veterans and reduce risks to patient safety, the Secretary of Veterans Affairs should direct the Assistant Secretary for Information and Technology and the Under Secretary for Health to reassess the priority for establishing an inventory management capability to monitor and update medication levels and track when to reorder medications.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: VA concurred with our recommendation and in August 2017 stated that it will reassess the prioritization of medication inventory management after a contract for adoption of the electronic health record system is signed in December 2017. According to the department, it plans to complete its action in response to this recommendation by June 2018.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with this recommendation. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    29 open recommendations
    Recommendation: To better ensure that federal data center optimization efforts improve governmental efficiency and achieve cost savings, the Director of OMB should direct the Federal CIO to provide the necessary oversight to ensure that each agency completes their DCOI strategic plan in accordance with OMB's guidance implementing Federal Information Technology Acquisition Reform provisions (FITARA).

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center optimization efforts improve governmental efficiency and achieve cost savings, the Director of OMB should direct the Federal CIO to provide the necessary oversight to ensure that agency reporting of achieved data center consolidation and optimization cost savings and avoidances is consistent across all reporting mechanisms, including quarterly data submissions and agency DCOI strategic plans.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and described planned actions to address it. Specifically, the department stated that it will continue to aggregate its data center inventory and update its DCOI strategic plan by OMB's April 17, 2017, submission deadline. We reviewed the updated DCOI strategic plan and found that the department included planned savings figures for fiscal years 2016 through 2018 and achieved figures for 2016. However, Commerce did not include $517 million in historical savings that the department previously reported to the Office of Management and Budget, as was required to be included in the plan. Additionally, the department's chief information officer statement, regarding compliance with Federal Information Technology Acquisition Reform Act reporting requirements, is not yet publicly available, as is required. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration agreed with our recommendation and described planned actions to address it. Specifically, the agency noted that it will continue to economize and evolve its data center optimization management and will continue to encourage open dialog and information exchange between agencies to achieve efficiencies and enhanced data center operations government-wide. We will continue to monitor the agency's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of Treasury has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation and described planned actions to address it. Specifically, the department described plans to acquire, subject to funding availability, automated monitoring tools for its enterprise data centers. It also described plans to engage OMB to rebaseline the closure target for its non-tiered data centers located outside the United States, based on the department's mission needs. In addition, the department noted that it is in the process of identifying the number of server rooms in the United States that meet the DCOI definition of a data center. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency described planned actions to address our recommendation. Specifically, the agency stated that it will update its data center optimization initiative strategic plan to include elements not reflected in the 2016 submission and will complete the plan to the extent feasible. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration agreed with our recommendation and described planned actions to address it. Specifically, the agency stated that it would provide OMB with an update to the agency's DCOI strategic plan that would address missing elements and any identified challenges. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission disagreed with our recommendation. We will continue to monitor the agency's efforts to address the recommendation.
    Recommendation: The following 17 agencies (the Secretaries of the Departments of Commerce, Defense, Energy, Health and Human Services, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs; the Attorney General; and the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration) should each take action to complete the missing elements in their respective DCOI strategic plan, including addressing any identified challenges, and submit their completed strategic plan to OMB.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development described planned actions to address our recommendation. Specifically, the agency stated it would take action to complete the missing elements in its DCOI strategic plan, including addressing any identified challenges, and submit the completed strategic plan to OMB. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and described planned actions to address it. Specifically, the department stated that it will, through the integrated data collection process, continue to collect and report all initiatives resulting in cost savings and avoidances to ensure IT savings are being captured and realized. We will monitor the department's efforts to address this recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with, but has not yet taken action to implement, our recommendation. We will monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of Treasury has not yet taken action to implement our recommendation. We will continue to monitor the department's efforts to address the recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation and described planned actions to address it. Specifically, the department described plans to acquire, subject to funding availability, automated monitoring tools for its enterprise data centers. It also described plans to engage OMB to rebaseline the closure target for its non-tiered data centers located outside the United States, based on the department's mission needs. In addition, the department noted that it is in the process of identifying the number of server rooms in the United States that meet the DCOI definition of a data center. We will continue to monitor the department's efforts to address our recommendation.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency described planned actions to address our recommendation. Specifically, the agency stated that it is working toward consistent reporting on cost savings and avoidances in future reporting submissions and is finalizing a cost analysis methodology to be applied to its data center optimization initiative strategy. The agency further stated that it would ensure consistent use of the process for all reporting queries. We will continue to monitor the agency's progress in taking these actions.
    Recommendation: Finally, the following 11 agencies (the Secretaries of the Departments of Commerce, Education, Health and Human Services, Interior, Labor, State, Transportation, and Treasury; the Administrators of the Environmental Protection Agency, General Services Administration, and the U.S. Agency for International Development) should also each take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development described planned actions to address our recommendation. Specifically, the agency stated it would, in accordance with OMB, take action to ensure that the amounts of achieved data center cost savings and avoidances are consistent across all reporting mechanisms, including the quarterly data submissions and DCOI strategic plans. We will continue to monitor the agency's progress in taking these actions.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Army to direct the program manager for Global Combat Support System-Army Increment 1 to establish standard operating procedures for managing risks that include guidance for establishing thresholds and bounds for key risk areas.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Air Force to direct the program manager for Air and Space Operations Center-Weapon System Increment 10.2 to develop an overall risk mitigation plan to guide the implementation of individual risk mitigation and contingency plan activities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the management of DOD's MAIS programs, the Secretary of Defense should direct the Secretary of the Air Force to direct the program manager for Joint Space Operations Center, Mission System Increment 2 to appoint a chief developmental tester to oversee systems testing and integration activities.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carolyn Yocom
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To help ensure that its efforts to increase patients' electronic access to health information are successful, the Secretary of HHS should direct ONC to develop performance measures to assess outcomes of key efforts related to patients' electronic access to longitudinal health information. Such actions may include, for example, determining whether the number of providers that participate in these initiatives have higher rates of patient access to electronic health information.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that its efforts to increase patients' electronic access to health information are successful, the Secretary of HHS should direct ONC to use the information these performance measures provide to make program adjustments, as appropriate. Such actions may include, for example, assessing the status of program operations or identifying areas that need improvement in order to help achieve program goals related to increasing patients' ability to access their health information electronically.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To increase the likelihood that its IT investments develop reliable cost estimates, the Secretary of HUD should finalize, and ensure the implementation of, guidance that incorporates the best practices called for in the GAO Cost Estimating and Assessment Guide.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intends to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. HUD anticipates completing the OCIO IT Management Framework guidance that is intended to incorporate cost estimating principles for IT projects by September 1, 2017.
    Director: Allison Bawden
    Phone: (202) 512-7215

    6 open recommendations
    Recommendation: To preserve the balance between the importance of repaying federal student loan debt and protecting a minimum level of Social Security benefits put in place by the Debt Collection Improvement Act of 1996, Congress should consider modifying Social Security administrative offset provisions, such as by authorizing the Department of the Treasury to annually index the amount of Social Security benefits exempted from administrative offset to reflect changes in the cost of living over time.

    Agency: Congress
    Status: Open

    Comments: As of August 2017, Congress has not yet taken action on this matter.
    Recommendation: To improve program design for Social Security offsets and related relief options, the Secretary of Education should inform affected borrowers of the suspension of offset and potential consequences if the borrower does not take action to apply for a TPD discharge. Such information could include notification that interest continues to accrue and that offsets may resume once their disability benefits are converted to retirement benefits.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education does not currently notify borrowers of the suspension of offset, but plans to implement a process to do so in the future using a new mailing sent to affected borrowers by their default servicer. The current budget situation does not allow for this type of enhancement, and it is not clear when that will change. In the interim, the agency is exploring alternative notification approaches that could be put in place prior to the implementation of an automated solution. We will monitor the agency's progress.
    Recommendation: To improve program design for Social Security offsets and related relief options, the Secretary of Education should revise forms sent to borrowers already approved for a TPD discharge to clearly and prominently state that failure to provide annual income verification documentation during the 3-year monitoring period will result in loan reinstatement.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education stated that the current Office of Management and Budget (OMB) TPD-Post discharge forms contain the recommended language in the first bullet of the Earned Income Section. In order to more clearly provide this information they recommended that the new OMB form, which is in its public comment period, (1) use a larger font size for the form and (2) use "plain language." GAO will consider closing this recommendation when the agency has completed this effort.
    Recommendation: To improve program design for Social Security offsets and related relief options, the Secretary of Education should evaluate the feasibility and benefits of implementing an automated income verification process, including determining whether the agency has the necessary legal authority to implement such a process.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education stated that over the next six months, they are committed to working with SSA to determine the feasibility and benefits of implementing an automated income verification process. The verification will address both the legal authority to implement such a process as well as operational and budgetary feasibility. We will monitor the agency's progress.
    Recommendation: To improve program design for Social Security offsets and related relief options, the Secretary of Education should inform borrowers about the financial hardship exemption option and application process on the agency's website, as well as the notice of offset sent to borrowers.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education agrees with the recommendation and said that they will include this change in upcoming revisions to the agency's web content. The agency reported that the Notice of Offset to borrowers is sent by Treasury and that they will share this recommendation with Treasury and discuss possible changes to the notice. We will consider closing this recommendation when the agency has completed this effort.
    Recommendation: To improve program design for Social Security offsets and related relief options, the Secretary of Education should implement an annual review process to ensure that only eligible borrowers are exempted from offset for financial hardship on an ongoing basis.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education reported that it plans to fully automate its process for tracking hardships and other exceptions from offset. However, due to competing priorities and funding limitations, full implementation of these improvements has not been scheduled. As they fully implement this process, they will review complementary strategies to assist borrowers in complying with annual reporting requirements. We will monitor the agency's progress.
    Director: Powner, David A
    Phone: (202) 512-9286

    5 open recommendations
    including 2 priority recommendations
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Commerce should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing IT competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The department has not yet provided its written response to this recommendation. We will continue to monitor the department's progress in implementing the recommendation.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Defense should require the Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) develop competencies for all staff; (2) assess competency needs regularly for all positions; (3) assess gaps in competencies for all components of the workforce; (4) develop strategies and plans to address gaps in competencies; (5) implement activities that address gaps, including developing a program management career path, if justified and cost-effective; (6) monitor the department's progress in addressing competency gaps identified for IT staff; and (7) report to department leadership on progress in addressing competency gaps.

    Agency: Department of Defense
    Status: Open

    Comments: The department has provided a written response to this recommendation and we are currently evaluating it.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Health and Human Services should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process inclusive of all staff; (2) develop staffing requirements for all positions; (3) assess staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The department has provided a written response to this recommendation and we are currently evaluating it.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Transportation should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish a time frame for when the department is to finalize its draft workforce planning process and maintain that process; (2) develop staffing requirements for all positions; (3) assess competency and staffing needs regularly for all positions; (4) assess gaps in staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and use of special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

    Agency: Department of Transportation
    Status: Open
    Priority recommendation

    Comments: The department agreed with the recommendation and stated that it plans to fully implement the recommendation by December 2019. To fully implement this recommendation, DOT should prioritize the completion of its IT workforce planning process and then begin implementing the process in phases based on the availability of resources.
    Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of the Treasury should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements for all positions; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing for all components of the workforce; (6) implement activities that address gaps, including a career path for program managers and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps for all components of the workforce.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department has not yet provided its written response to this recommendation. We will continue to monitor the department's progress in implementing the recommendation.
    Director: Nancy Kingsbury
    Phone: (202) 512-2700

    5 open recommendations
    including 2 priority recommendations
    Recommendation: To support its strategic and open data goals, the Director of OPM should improve the availability of the EHRI payroll data--for example, by preparing the data for analytics, making them available through online tools such as FedScope, and including them among the EHRI data sources on the OPM website and Data.gov.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: On 4/21/2017 OPM provided a status update based on our inclusion of this rec in the priority rec letter. "As communicated in our December 6, 2017, letter to the Comptroller General, OPM is developing a comprehensive strategy to improve the availability of EHRI payroll data for analytics. We have started an effort to standardize payroll data elements by engaging with the payroll subject matter experts through the shared service providers. We will keep GAO informed as we make additional progress."
    Recommendation: To improve internal controls for data quality, the Director of OPM should update EHRI payroll database documentation to be consistent with current field definitions and requirements, including the Guide to Human Resources Reporting and the Guide to Data Standards, Part B.

    Agency: Office of Personnel Management
    Status: Open

    Comments: No specific updates on this rec, but it would be addressed in the "comprehensive strategy to improve the availability of EHRI payroll data for analytics" that is noted in OPM's response to the priority recommendation.
    Recommendation: To improve internal controls for data quality, the Director of OPM should consistently monitor system-generated error and edit check reports and ensure that timely action is taken to address identified issues.

    Agency: Office of Personnel Management
    Status: Open
    Priority recommendation

    Comments: On 4/21/17 OPM provided an update to their 60 day letter in response to our inclusion of this rec in the priority letter to OPM. Very soon, we will begin implementing follow-up activities with shared service centers and agencies regarding issues identified with the payroll data they submit to EHRI. We are also evaluating the feasibility of incorporating automated methods to validate agency data, to the extent possible. We will keep GAO informed as we make additional progress.
    Recommendation: To integrate the payroll data into the larger suite of EHRI databases, the Director of OPM should develop a schedule for executing these plans.

    Agency: Office of Personnel Management
    Status: Open

    Comments: No specific updates on this rec, but it would be addressed in the "comprehensive strategy to improve the availability of EHRI payroll data for analytics" that is noted in OPM's response to the priority recommendation.
    Recommendation: To integrate the payroll data into the larger suite of EHRI databases, the Director of OPM should evaluate existing internal control activities and develop new control activities for EHRI payroll data, such as implementing transactional edit checks that leverage the information in the other EHRI datasets.

    Agency: Office of Personnel Management
    Status: Open

    Comments: No specific updates on this rec, but it would be addressed in the "comprehensive strategy to improve the availability of EHRI payroll data for analytics" that is noted in OPM's response to the priority recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    25 open recommendations
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: United States Agency for International Development
    Status: Open

    Comments: We plan to follow up on the agency's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Agriculture
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Education
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Commerce
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Energy
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Social Security Administration
    Status: Open

    Comments: In its comments on a draft of our report, SSA agreed with our recommendation. Subsequent to SSA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Transportation
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of the Treasury
    Status: Open

    Comments: The department said it had no comments on our draft report and recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Department of State
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In its comments on a draft of our report, EPA generally agreed with our recommendation. Subsequent to EPA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: In its comments on a draft of our report, NASA concurred with our recommendation. Subsequent to NASA informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Small Business Administration
    Status: Open

    Comments: In comments on a draft of our report, SBA said the report captures its current posture. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In comments on a draft of our report, NRC stated that it generally agreed with the report. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In its comments on a draft of our report, OPM concurred with our recommendation. Subsequent to OPM informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

    Agency: Department of Defense
    Status: Open

    Comments: In comments on a draft of our report, the department disagreed with our recommendation. We plan to follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of the Interior should direct the department's CIO to document and implement a plan for establishing policy that would define a standard analytical technique for rationalizing the investment portfolio.

    Agency: Department of the Interior
    Status: Open

    Comments: We plan to follow up on the department's actions to implement this recommendation.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

    Agency: Department of Labor
    Status: Open

    Comments: In its comments on a draft of our report, the department concurred with our recommendation. Subsequent to the department informing us that it has taken action to implement the recommendation, we will follow up.
    Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Director of the National Science Foundation should direct the CIO to consistently document evaluations for all applications and report cost information for them in the roadmap or other documentation.

    Agency: National Science Foundation
    Status: Open

    Comments: NSF stated that it had no comments on our draft report and recommendation. We will plan to follow up.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS concurred with the recommendation and plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: HHS neither concurred nor nonconcurred with the recommendation but plans to implement it. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: David A. Powner
    Phone: (202) 512-9286

    12 open recommendations
    Recommendation: In order to improve the accuracy of IT Dashboard incremental development data, the Director of OMB should direct the Federal Chief Information Officer (CIO) to clarify existing guidance regarding what IT investments are and are not subject to requirements on the use of incremental development and how CIOs should report the status of projects that are not subject to these requirements.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) has taken initial steps to implement our recommendation. Specifically, OMB's June 2016 annual capital planning guidance for fiscal year 2018 included instructions on what types of investments were required to adhere to incremental development requirements related to the delivery of usable functionality. The guidance stated that all software development projects are required to produce usable functionality at intervals of no more than six months. Further, all major development projects within investments are required to use modular/agile principles. However, OMB's guidance still lacks direction on how CIOs are to report the status of nonsoftware projects, as we recommended. In the absence of our recommended guidance clarification, OMB is at risk of agencies continuing to be unclear about how nonsoftware development investment data are to be reported on the Dashboard, increasing the risk that data on the IT Dashboard will not always be accurate. We will continue to evaluate OMB's progress in clarifying its guidance and considering a change to provide more detailed guidance related to the reporting of nonsoftware development investment data.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the Enterprise Business Management Office within the Office of the Chief Information Officer will validate each investment reported on the Dashboard and work with program officials to ensure they appropriately update the data for the IT Dashboard. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation and stated that the department will ensure that the data is kept current using their IT portfolio management process. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that these changes would be incorporated into the department's Dashboard reporting. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) partially concurred with our recommendation and stated that the department is taking action to update the Dashboard data as appropriate. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) concurred with our recommendation and stated the department was committed to ensuring the information on the IT Dashboard reflects up to date information. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the quality of the seven departments' information on project incremental delivery reported to the IT Dashboard, the Secretaries of Commerce, Defense, Education, Health and Human Services, Homeland Security, Transportation, and the Treasury should direct their CIOs to review major IT investment project data reported on the IT Dashboard and update the information as appropriate in the following areas: (1) whether the project is in-progress or complete; (2) whether the project is a software development project or not; and (3) the status of the delivery of functionality every 6 months, ensuring that these data are consistent across all reporting channels.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendation. However, after our report was issued in August 2016, the IT Dashboard was not publicly updated from the end of August 2016 until the end of May 2017, during the formulation of the President's budget request. Now that the Dashboard is being publicly updated again, we will continue to analyze and monitor the department's progress in updating investment information on the Dashboard and the implementation of our recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education (Education) concurred with our recommendation to establish a departmentwide certification policy. Education officials reported in March 2017 that the department will complete changes to its guidance by November 2017. However, until this guidance is finalized, Education will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate Education's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (Defense) did not concur with our recommendation, stating that its existing guidance was adequate in this area. However, in August 2016, Defense issued its fiscal year 2018 budget submission guidance which required each component CIO to certify that IT investments were adequately implementing incremental development. The component CIOs were to document the certification in a statement of compliance memorandum, using their agency's letterhead, and submit the memorandum to the Defense CIO. Defense officials report that this same guidance will be added to the Financial Management Regulations during summer 2017. Until this annual guidance has been updated and incorporated into the department's standing policies, Defense is at risk of overlooking this requirement in subsequent years. We will continue to evaluate Defense's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) concurred with our recommendation to establish a departmentwide certification policy. However, HHS officials reported in April 2017 that they did not have a timeframe for when the department's new certification guidance would be completed. Until this guidance is finalized, HHS will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate HHS's progress in implementing this recommendation.
    Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) did not comment on our recommendations. Further, Treasury officials reported in March 2017 that it had no plans to revise its policies, as we recommended. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to ensure that goals and associated performance measures are outcome-oriented and that performance measures have targets, including (1) performance measures and targets tied to fully recovering program costs; and (2) goals, performance measures, and targets for how the program will achieve its mission after September 2016.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures and targets. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to reflect additional 18F goals and performance measures, including measures tied to fully recovering program costs. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to assess actual results for each performance measure.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, GSA developed a quarterly performance report for fiscal year 2017 that includes an outcome-oriented goal for 18F as well as associated performance measures with targets. Additionally, GSA has assessed actual results of the performance measures for the first two quarters of fiscal year 2017. According to a Technology Transformation Service official, GSA plans to expand its quarterly performance report for fiscal year 2018 to include additional 18F goals and performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to ensure that all goals and associated performance measures are outcome-oriented and that performance measures have targets.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to assess actual results for each performance measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common platforms, services, and tools. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update USDS policy to clearly define the responsibilities and authorities governing the relationships between CIOs and the digital service teams and require existing agency digital service teams to address this policy. In doing so, the Federal Chief Information Officer should ensure that this policy is aligned with relevant federal law and OMB guidance on CIO responsibilities and authorities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    7 open recommendations
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to update the CEDCAP program office cost estimate to reflect the current status of the program as soon as appropriate information becomes available.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In May 2017, the Census Bureau provided summary documentation that included the fiscal year 2015 through 2021 estimated lifecycle costs for the Census Enterprise Data Collection and Processing (CEDCAP) program; however, this information lacked the level of detail needed to determine whether the cost estimate reflects the current status of the program. In addition, in June 2017, the Bureau developed a draft version of the CEDCAP Cost Analysis Requirements Description (CARD), which included descriptions of technical and programmatic features of the program and is intended to serve as the basis for preparing the Program Office Estimate and the Independent Cost Estimate. However, as of August 2017, the CARD had not yet been finalized. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to ensure that updates to the status of risks are consistently documented for CEDCAP's Internet and Mobile Data Collection and Survey (and Listing) Interview Operational Control projects.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In August 2017, the Census Bureau provided risk management documentation, including a risk management plan and risk review board meeting minutes. However, this information did not include updated risk registers that documented risk status for the Census Enterprise Data Collection and Processing (CEDCAP) Internet and Mobile Data Collection and Survey (and Listing) Interview Operational Control projects. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to ensure that CEDCAP's Internet and Mobile Data Collection, Survey (and Listing) Interview Operational Control, and Centralized Operational Analysis and Control projects establish detailed risk mitigation plans on a consistent basis and that the Internet and Mobile Data Collection and Centralized Operational Analysis and Control projects establish trigger events for all relevant risks.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In August 2017, the Census Bureau provided risk management documentation, including a risk management plan and risk review board meeting minutes. However, this documentation did not include detailed risk mitigation plans for risks related to the Census Enterprise Data Collection and Processing (CEDCAP) Internet and Mobile Data Collection, Survey (and Listing) Interview Operational Control, and Centralized Operational Analysis and Control projects. The Bureau's risk management documentation also did not include trigger events for all relevant risks for the Internet and Mobile Data Collection and Centralized Operational Analysis and Control projects. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to define, document, and implement a repeatable process to establish complete alignment between CEDCAP and 2020 Census programs by, for example, maintaining a single dependency schedule.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of a single dependency schedule, including the need to manually identify activities, the inability to be dynamically responsive to change, and a limited ability to ensure that both the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census program are planning and measuring their activities according to the same agreed upon timeframe. However, as of August 2017, the Bureau had not yet established a single dependency schedule to ensure complete alignment between the CEDCAP and 2020 Census programs. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to establish a comprehensive and integrated list of all interdependent risks facing the CEDCAP and 2020 Census programs, and clearly identify roles and responsibilities for managing this list.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. In August 2016, we reported that several issues can result from the lack of an integrated risk register, including inconsistencies in tracking and managing interdependent risks, redundant efforts to manage risks, and potentially conflicting risk mitigation efforts. As of August 2017, the Census Bureau had not yet developed an integrated risk register for the Census Enterprise Data Collection and Processing (CEDCAP) and 2020 Census programs or documented the roles for managing it. Instead, Bureau officials stated that they flag risks in the risk register that affect both programs. However, as of August 2017, the Bureau had not provided evidence that relevant risks for both programs are flagged in the risk registers. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to identify when the 74 requirements related to redistricting data program and data products and dissemination will be tested.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In June 2017, Census Bureau officials stated that, as part of the 2018 End-to-End Census Test, program-level integration testing of the requirements related to the redistricting program and the data products and dissemination are planned to occur from April 3, 2018, to August 1, 2018. However, as of August 2017, the Bureau had not provided supporting documentation for its plans for program-level integration testing of the requirements related to the redistricting program and data products and dissemination. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Recommendation: To ensure that the Bureau is better positioned to deliver CEDCAP, the Secretary of Commerce should direct the Director of the Census Bureau to make developing a better understanding of and identifying requirements related to non-ID response validation a high and immediate priority, or consider alternatives to avoid late definition of such requirements.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation and has taken initial steps to implement it. In April 2017, the Census Bureau documented high-level milestones related to implementing a fraud detection process in an initial effort to better understand non-ID response validation. However, as of August 2017, the Bureau had not finalized the fraud detection process or documented milestones for implementing the non-ID response validation process. We will continue to monitor and evaluate the Bureau's progress in implementing this recommendation.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    4 open recommendations
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to define a high-level depiction of the IT systems anticipated in the future state, a description of the operations that must be performed and who must perform them, and an explanation of where and how the operations are to be carried out.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In May 2017, HUD's Deputy Chief Information Officer reported that the office was managing multiple enterprise-level initiatives no longer classified as financial management modernization efforts, but which are intended to address certain previously reported financial systems modernization needs. The department provided early high-level requirements and a solution architecture for one such initiative, including a future requirement to support data required for HUD's financial reporting needs from Treasury. However, HUD does not yet have a plan to develop a high-level concept of operations for IT systems anticipated in the future state. We intend to follow up on HUD's actions.
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to develop comprehensive plans for scope, schedule and cost.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In May 2017, the department provided an early project oversight plan and critical task schedule for one initiative related to enterprise data management, but these plans are not comprehensive and do not include, among other things, detailed cost estimates. We intend to follow up on HUD's actions.
    Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to ensure requirements are fully documented and traceable.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported that the Chief Financial Officer and the Chief Information Officer intend to partner on future departmental financial management systems modernization efforts to fully document requirements and trace requirements to the functionality in the modernized system. In May 2017, department officials reported that the subsequent initiatives underway were following an Agile process yielding product-release backlogs as documentation of requirements for ongoing initiatives. They provided the initial backlog for an enterprise data management initiative. However, HUD could not demonstrate that these requirements were complete and traceable to mission needs. We intend to follow up on HUD's actions.
    Recommendation: The Secretary of HUD should also direct the Deputy Secretary to ensure that the Chief Information Officer takes action to improve IT governance control activities used for monitoring programs and identifying needed corrective actions, and strengthen investment oversight by improving coordination with stakeholders and alignment among IT modernization efforts.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported on its fiscal year 2016 updates to charters of its IT governance boards, which provide oversight of all its IT investments, including financial management initiatives, and noted that business cases for proposed development and modernization initiatives had been discussed at governance meetings. HUD also reported that it had set up steering committees to supplement board governance and monitoring two enterprise-level modernization efforts and planned to apply mechanisms, such as project health assessments, intended to establish effective investment oversight. However, HUD has not yet demonstrated that the updated governance control activities have improved program monitoring and identified any needed corrective actions or that planned oversight mechanisms have improved coordination with stakeholders or alignment of modernization efforts. We intend to follow up on HUD's actions to ensure that planned improvements to governance and oversight mechanisms are effectively implemented and institutionalized.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD Chief Information Officer (CIO), and other entities, as appropriate, to develop a detailed JIE scope statement that is verified by stakeholders and approved by the Executive Committee.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had made progress in implementing the recommendation. Specifically, the department developed a draft Joint Information Environment (JIE) scope statement that can provide the context and framework for reporting, tracking, and controlling JIE activities. According to written comments on the status of the recommendation provided by the department in July 2017, this scope statement will be presented to the JIE Executive Committee in August 2017 for approval. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to establish a plan for managing, documenting, and communicating scope.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had made progress in implementing the recommendation. Specifically, the department developed a draft JIE scope statement, which documents the scope of JIE and describes how updates to its scope will be periodically reviewed and approved. According to written comments on the status of the recommendation provided by the department in July 2017, the draft will be presented to the JIE Executive Committee in August 2017 for approval. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented the recommendation. According to written comments on the status of the recommendation provided by the department, it developed cost baselines for two components of JIE. However, it did not develop cost estimates for the other JIE components. Specifically, the JIE Executive Committee approved the cost estimate for the Joint Regional Security Stacks in April 2017. In addition, the department's comments stated that the cost baseline for the Mission Partner Environment-Information System (MPE-IS) was included in the MPE-IS Business Case Analysis and presented to the department's Office of Cost Assessment and Program Evaluation in July 2016. We are in the process of reviewing the cost estimates for these components. The department further stated that as solutions for other JIE efforts are established, their cost baselines will be added as appropriate.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the department had not implemented the recommendation. We will continue to monitor the department's efforts to address this recommendation by periodically requesting and evaluating updated information.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not fully implemented this recommendation. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS. In addition, the Executive Committee memo approving this schedule baseline indicated that the Executive Committee planned to review and approve a schedule baseline for the Secure Internet Protocol Router network component of JRSS by the end of fiscal year 2017. However, the department has not demonstrated that it has a schedule management plan or that its schedule was developed consistent with the practices described in our report.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented the recommendation. In its June 2016 written comments on a draft of our report, the department stated that the National Institute of Standards and Technology and the Office of Personnel Management were to publish a coding structure in response to the Federal Cybersecurity Workforce Assessment Act of 2015. DOD stated that this structure would inform steps DOD planned to take to identify the type of personnel and specific skills required to support enterprise operations and services and the government capabilities needed to effectively achieve JIE. However, as of July 2017, the department had not demonstrated that it has taken action to implement our recommendation.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department had not implemented the recommendation. We will continue to monitor the department's efforts to address this recommendation by periodically requesting and evaluating updated information.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy and schedule to transition JRSS to the Risk Management Framework, and develop the security plan required by the new framework.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, the Department of Defense had not implemented this recommendation. In January 2017, the Joint Regional Security Stacks (JRSS) program received a six-month provisional Risk Management Framework Authority to Operate. According to a July 2017 update from the department on the status of this recommendation, the JRSS program management office was in the process of requesting another six-month provisional authority to operate. However, the department has not developed a strategy and schedule to complete transition of JRSS to the Risk Management Framework or developed the security plan required by the framework.
    Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense had taken steps to address the recommendation and we are in the process of reviewing documentation the department provided in July 2017 to determine if it sufficiently addresses the recommendation. Specifically, in April 2017, the JRSS program office documented the methodology, ground rules, and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. We are in the process of reviewing the cost estimate documentation and will update this status after completing the review.
    Director: Carol C. Harris
    Phone: (202) 512-4456

    9 open recommendations
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of the Department of Homeland Security (DHS) should direct the Director of USCIS to direct the USCIS Chief Information Officer (CIO), in coordination with the DHS CIO and the Chief of the Office of Transformation Coordination (OTC), to review and update, as needed, existing policies and guidance and consider additional controls to complete planning for software releases prior to initiating development and ensure software meets business expectations prior to deployment.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, the U.S. Citizenship and Immigration Services (USCIS) within the Department of Homeland Security (DHS) had taken steps to address this recommendation. In particular, in June 2017, USCIS provided an updated policy, dated April 2017, governing planning and deploying software releases. USCIS also demonstrated partial compliance with that policy. For example, it provided some release planning review documentation for recent releases that are required by the updated policy, including readiness review memos for releases 7.2 and 8.1. However, USCIS did not demonstrate that the program responsible for developing the USCIS Electronic Immigration System (USCIS ELIS) was consistently following its updated policy. For example, USCIS did not demonstrate that the program was completing all planning activities prior to initiating development, as called for in its updated policy. Moreover, the agency did not demonstrate compliance with its previous policy for all software releases planned and deployed since our July 2016 report. We will continue to work with USCIS to monitor actions the agency is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to consistently implement the principles of the framework adopted for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases, dated April 2017, along with release planning artifacts specific to USCIS ELIS. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. However, USCIS had not clearly indicated if USCIS ELIS was to implement the practices described in the policy. For example, the updated policy did not require program compliance with the generally accepted agency practices. Moreover, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology or set of development practices. For example, the team process agreements, which describe how members of individual teams will work with each other, did not indicate if developers were to adhere to the practices described in updated USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to define and consistently execute appropriate roles and responsibilities for individuals responsible for development activities consistent with its selected development framework.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in June 2017, USCIS provided updated policy, dated April 2017, governing the development of software releases and release planning artifacts. The updated policy and release documentation defined some roles and responsibilities that were previously only described by USCIS in its informal November 2014 management model, such as the authority and responsibility of a product owner. However, program documentation and policy did not define all of the roles and responsibilities. For example, program documentation and policy did not define the roles and responsibilities of a facilitator, or Scrum Master, which is a position identified in leading practices for software development using Scrum, the development methodology previously identified by the program. In addition, USCIS did not demonstrate that it had defined and committed to an updated development methodology for software releases. Such a defined methodology will impact expectations for the roles and responsibilities in software development. Without such a defined methodology or approach to Agile software development, it is not clear if roles and responsibilities defined by the previously documented approach to Agile software development are still applicable for the current development approach. Moreover, documentation associated with program releases and updated policy did not define all of the roles and responsibilities for positions described by USCIS in its May 2017 written response to GAO. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to identify all system users and involve them in release planning activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that the department has addressed this recommendation. In October 2016, DHS provided a written response stating that the USCIS Office of Information Technology and Office of Transformation Coordination were working closely with the various USCIS directorates to obtain and integrate feedback through regular review sessions with the end users and through additional end user testing. However, as of July 2017, DHS and USCIS have not provided new information about the status of this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to write user stories that identify user roles, include estimates of complexity, take no longer than one sprint to complete, and describe business value.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had provided GAO with documentation intended to demonstrate that the agency had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software releases along with release planning artifacts specific to USCIS ELIS and an Independent Verification and Validation assessment. The agency also provided a series of backlogs that captured user stories for some software releases. In addition, the Independent Verification and Validation assessment indicated that the program was tracking user story quality as part of assessing whether value was continuously discovered and aligned to the mission. However, the assessment report provided to GAO indicated a negative trend for this outcome. Moreover, USCIS policy no longer set expectations regarding user story development. In addition, supporting artifacts from the release planning process did not always define a commitment to a particular development methodology, which in turn impacts the expectations for writing user stories. Finally, backlogs provided by USCIS did not cover all releases in development since our July 2016 report and did not include enough detail to assess all aspects of the user story process (e.g., story size and user involvement). We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to establish outcomes for Agile software development.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in April 2017, USCIS issued updated policy governing software development at the agency. The updated policy included an appendix devoted to generally accepted agency practices and applying Agile principles in the agency. This appendix also included a set of ten outcomes associated with using Agile practices at USCIS. For example, outcomes included that value is continuously discovered and aligned to the mission. However, the updated policy did not require program compliance with the practices and principles described in the appendix. Moreover, the agency did not demonstrate that USCIS ELIS had committed to achieving a specific set of outcomes for Agile software development, such as the outcomes described in the USCIS policy. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To provide reasonable assurance that the program executes Agile software development for USCIS ELIS consistent with its own policies and guidance and follows applicable leading practices, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update, as needed, existing policies and guidance and consider additional controls to monitor program performance and report to appropriate entities through the collection of reliable metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided updated policy governing the development of software that called for teams to prepare an Operations Monitoring Plan or dashboard showing the practices, tools, and measures that will monitor applications in production. The agency also provided a series of documents from internal systems and processes intended to monitor performance, such as a product dashboard for analyzing code quality (i.e., SonarQube) and a report from its Independent Verification and Validation team. However, the program was undergoing a re-baseline and had yet to document updated cost, schedule, and performance expectations against which to monitor. Moreover, the agency did not demonstrate that other metrics, such as customer satisfaction and team velocity, were being reliably collected. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to conduct unit and integration, and functional acceptance tests, and code inspection consistent with stated program goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, USCIS had taken steps to address this recommendation. For example, in May 2017, USCIS provided artifacts from internal systems in place to monitor software development performance. These metrics monitored aspects of testing, such as code quality and code coverage. However, the program did not provide an updated Test and Evaluation Master Plan, which is a document it will produce as part of its ongoing effort to re-baseline. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. Moreover, the agency did not demonstrate that functional acceptance tests were being conducted in accordance with stated program goals. For example, the agency did not provide acceptance criteria or the associated tests demonstrating that user stories passed the defined acceptance criteria. We will continue to work with USCIS to obtain additional documentation about actions it is taking to address this recommendation.
    Recommendation: To help manage the USCIS ELIS system, the Secretary of DHS should direct the Director of USCIS to direct the USCIS CIO, in coordination with the DHS CIO and the Chief of OTC, to review and update existing policies and guidance and consider additional controls to develop complete test plans and cases for interoperability and end user testing, as defined in the USCIS Transformation Program Test and Evaluation Master Plan, and document the results.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of July 2017, DHS and USCIS had not provided information demonstrating that they had addressed this recommendation. In October 2016, DHS provided a written response indicating that an internal process for revisiting the USCIS ELIS Test and Evaluation Master Plan had been initiated, with participation from all relevant stakeholder groups. A Test and Evaluation Master Plan sets the testing expectations for the program as agreed upon with its stakeholders in DHS and USCIS. The updated plan will provide a basis for further evaluation of the steps DHS and USCIS have taken to address this recommendation. The letter also stated that USCIS had begun to work on a policy for new interoperability test procedures. Moreover, the letter added that end user testing is a continuing activity, including providing feedback of observed issues into the development queue, with the slow launch of the naturalization capabilities in USCIS ELIS being a model. However, as of July 2017, DHS and USCIS had not provided new information about the status of this recommendation. We will continue to work with DHS and USCIS to obtain additional documentation about actions they are taking to address this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to establish, document, and implement policies and procedures for selecting new and reselecting ongoing business systems modernization activities, consistent with IRS's process for prioritizing operations support priorities, which addresses (1) prioritization and comparison of IT assets against each other, (2) criteria for making selection and prioritization decisions, and (3) ensuring IRS executives' final funding decisions on IT proposals are based on IRS's prioritization process.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In April 2017, IRS stated that it had several process improvements underway that would impact its documentation of policies and procedures for prioritizing business systems modernization activities. The agency committed to addressing the recommendation by December 2017.
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to modify existing processes for Foreign Account Tax Compliance Act (FATCA) and Return Review Program (RRP) for measuring work performed by IRS staff to incorporate best practices, including accounting for actual work performed and using the level of effort measure sparingly.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In April 2017, IRS reported that it was continuing to examine methods for modifying existing processes to measure work performed by IRS staff for the Foreign Account Tax Compliance Act and Return Review programs. We are monitoring IRS's efforts as part of an ongoing review of the agency's information technology operations.
    Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to report on actual costs and scope delivery at least quarterly for the Customer Account Data Engine 2 and the Affordable Care Act Administration. For these investments, IRS should develop metrics similar to FATCA and RRP.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS began reporting on actual costs and scope delivery at least quarterly using metrics similar to FATCA and RRP and provided the quarterly reports for fiscal year 2016 and the first two quarters of fiscal year 2017 to GAO. As of September 2017, the agency had not implemented the recommendation for the Affordable Care Act Administration investment because it did not see the benefit in doing so given that development work was minimal. We are following up with IRS on this as part of an ongoing review of the agency's information technology operations.
    Director: David A. Powner
    Phone: (202) 512-9286

    22 open recommendations
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update the CIO's OMB IT Dashboard Standard Operating Procedure to include the evaluation and assessment of active risks. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department agreed with this recommendation and, in a written response, stated that it plans to address this recommendation with the following actions: (1) developing a method to review and assign ratings for active risks that will be incorporated into CIO ratings and (2) integrating the risk rating methodology into a new process for all major investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it is amending its current monthly review process to ensure that risks are factored into its IT Dashboard CIO ratings. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

    Agency: Office of Personnel Management
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Defense, Education, and Homeland Security; and the Commissioner of the Social Security Administration should direct their CIOs to update their CIO ratings at least as frequently as required in OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) disagreed with this recommendation. In its written response, the Department noted that its semi-annual reporting is consistent with FITARA requirements and is documented in its OMB-approved FITARA Implementation Plan. After the publication of our report in June 2016, OMB issued its "Fiscal Year 2018 IT Budget-Capital Planning Guidance." This guidance removes the mandatory reporting frequency, but states that OMB expects that the CIOs would evaluate and rate their investments at specific times, including when the investment business cases are submitted to OMB in the agency budget request and when the business cases are prepared for the President's Budget release. In light of this new guidance, we analyzed the Department's update frequency for its 34 major investments (as listed on the IT Dashboard in June 2017). From June 2016 through May 2017, we found that 26 of the investments' ratings were updated once: in May 2017. The other 8 investments were not updated during this timeframe. Prior to this, the last DOD rating updates were made in March 2016, over a year beforehand. This analysis shows that DOD is not adhering to either its own semi-annual reporting requirements or to OMB's expectations. As such, we are not closing the recommendation at this time. We will continue to monitor the IT Dashboard for changes to DOD's update frequency. We maintain that frequent rating updates help ensure that the information on the Dashboard is timely and accurately reflects recent changes. Without such updates, the CIO ratings on the IT Dashboard may not reflect the current level of investment risk.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO Enterprise Business Management Office is updating its program assessment guideline. The updated guideline will include risk-based scores as the basis for its investment ratings. The Department expects to release this new guideline by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Agriculture
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Education
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address it. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department agreed with our recommendation and, in a written response, stated that the CIO has revised the IT Dashboard assessment criteria to directly incorporate the degree of risk represented in the investments' Business Case documents. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Defense
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Energy
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that the Office of the CIO will update its IT Dashboard Standard Operating Procedure to include an active risk sub-criteria comprised of probability and impact scores. This effort is to be completed by the end of December 2016. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency partially agreed with our recommendation and, in a written response, stated that its CIO rating criteria includes a review of the level of risk facing an investment relative to that investment's ability to accomplish its goals. The written statement also notes that the CIO receives regular updates from key stakeholders on investment risks and mitigation plans. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of the Treasury
    Status: Open

    Comments: When we confirm what actions have been taken, we will update the recommendation status.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department agreed with the recommendation and, in a written response, stated that it plans to require investment managers to assess operational risks detailing the probability and impact of pending threats to success. VA expects to complete this effort during the first quarter of 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Department of State
    Status: Open

    Comments: The Department agreed with the recommendation, but has not provided an update on its actions to address the recommendation. When we confirm what actions have been taken, we will update.
    Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The agency disagreed with the recommendation and has not provided an update on its actions to address the recommendation. We will continue to monitor the implementation of this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    16 open recommendations
    including 4 priority recommendations
    Recommendation: The Director of OMB should identify and publish a specific goal associated with its non-provisioned O&M spending measure.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The agency agreed with the recommendation. In April 2017, OMB indicated that it has been working with agencies on their Strategic Plans and associated performance goals and measures, but that it would be premature to say whether there would be a specific goal on its non-provisioned O&M spending measure. We will continue to monitor the implementation of this recommendation.
    Recommendation: The Director of OMB should commit to a firm date by which its draft guidance on legacy systems will be issued, and subsequently direct agencies to identify legacy systems and/or investments needing to be modernized or replaced.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The agency agreed with the recommendation. In April 2017, OMB stated that it was updating the draft guidance on legacy systems and was unable to provide a date for issuing it. We will continue to monitor the implementation of this recommendation.
    Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

    Agency: Department of Commerce
    Status: Open

    Comments: The agency agreed with the recommendation. In a May 2017 written update, the agency stated that it had updated its Capital Planning and Investment Control handbook with instructions on conducting operational analyses. However, the agency was unable to demonstrate that operational analyses were being completed on an annual basis, as required. We will continue to monitor the implementation of this recommendation.
    Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

    Agency: Department of the Treasury
    Status: Open

    Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to ensure that operational analyses are performed on investments in the operations and maintenance phase. However, the recommendation is intended to address issues at the department level and not just at the IRS. Treasury declined to provide an update at the department level. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The agency agreed with the recommendation and in July 2017 stated that the department has drafted a Legacy Systems Modernization Framework. DHS is waiting for OMB's draft guidance to be issued to ensure compliance. As a result, they now estimate this will be completed by December 2017. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Agriculture
    Status: Open

    Comments: The agency agreed with the recommendation. As of May 2017, the agency stated that it had taken steps to improve its overall IT governance processes, and in particular, its oversight of legacy systems. These steps included implementing its FITARA strategy and creating a Cloud Strategy and Policy Office and two new executive oversight groups. In addition, the agency stated that it planned to complete an IT Modernization Plan in calendar year 2018. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Commerce
    Status: Open

    Comments: The agency agreed with the recommendation. In May 2017, the agency stated that it was continuously assessing its current IT portfolio for opportunities to retire or modernize its mission critical legacy systems. Specifically, Commerce stated that it had identified two candidate systems for modernization--the National Weather Service Telecommunications Gateway and the USPTO Examiner Automated Search Tool. However, it is unclear how these plans will relate to OMB's guidance. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Defense
    Status: Open

    Comments: The agency partially concurred with the recommendation, and stated that it would continue to identify, prioritize, and manage legacy systems that should be modernized or replaced, based on existing DOD policies, using existing department processes, consistent to the extent practicable with OMB's draft guidance. In June 2017, the department stated that its position has not changed; the department believes that no corrective actions are necessary or planned. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Energy
    Status: Open
    Priority recommendation

    Comments: The department partially agreed with the recommendation and in a September 2017 update stated that the department had conducted a survey of the oldest hardware, software, and programming languages currently in use. They noted that the Office of the Chief Information Officer is in the process of gathering additional information regarding legacy systems and documenting a plan to modernize them. They further stated that such a plan will take considerable time to develop since the vast majority of systems are not within the direct control of the CIO. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The agency agreed with the recommendation and in a September 2016 written update stated that the Office of the CIO is working to identify and plan to modernize or replace IT systems. As of July 2017, the agency had not responded to requests for updates on the implementation of this recommendation. We will continue to monitor this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Social Security Administration
    Status: Open

    Comments: The agency agreed with the recommendation and, as of July 2017, stated that it was working on finishing its Information Technology Modernization Plan that outlines 5 major applications that it plans to update. However, since OMB had not yet issued its legacy system guidance, it is unknown whether this plan is consistent with OMB's guidance. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Justice
    Status: Open

    Comments: The agency had no comment on the recommendation and in a June 2017 update stated that the department has identified legacy systems to be modernized or replaced (the National Instant Background Check System (retired in 2016), SENTRY, and Uniform Crime Reporting System). The department stated that it is developing modernization plans. The department also plans to incorporate any forthcoming guidance from OMB on legacy systems. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Transportation
    Status: Open

    Comments: The agency agreed with the recommendation and stated that work is underway to identify systems in need of modernization and upgrade. The department anticipated being able to close the recommendation 90 days after OMB issues guidance on legacy systems. Further, in a recent update, the agency stated that it had recently started a project to create an integrated inventory of Transportation's systems. According to the agency, through this project, it has been able to identify duplication and opportunities to create efficiencies. The next phase of this project is a future state diagram and a roadmap to show planned modernizations and possible divestments of legacy systems. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to modernize the IRS's legacy systems. However, the recommendation is intended to address issues at the department level and not just at the IRS. Treasury declined to provide an update at the department level. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: The agency agreed with the recommendation. As of May 2017, the agency stated that it was completing the initial phase of an assessment to provide a qualitative and definitive list of systems which meet criteria for retirement and/or decommission. This assessment will review the complexity of work per system, and provide a rough order of magnitude cost estimate on a system-by-system basis. Further, in an October 2017 update, VA stated that it is in the process of decommissioning the BDN and PAID systems mentioned in our report. The decommissioning of BDN was estimated to cost $100 million and be completed by 2019. The agency stated that as of June 2016, PAID was no longer being used for human resources transactions. PAID is still being used as a data repository for human resources and payroll data to support financial and other business systems until VA's Time and Attendance system is fully deployed. The agency did not provide a time frame for PAID's total retirement. We will continue to monitor the implementation of this recommendation.
    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: The agency agreed with the recommendation and stated that it plans to work with OMB upon the publication of OMB's guidance to identify opportunities for modernization. In an April 2017 update, the agency stated that it had extended plans to replace the systems mentioned in the report by several years. As of August 2017, the agency stated that it had finalized a new capital planning guide which includes investment review policy to identify opportunities for modernization and for moving away from legacy systems. However, it is too soon to tell if it is in line with OMB's forthcoming guidance. We will continue to monitor the implementation of this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    4 open recommendations
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to establish a plan to address the limitations in the program's efforts to test security controls, including ensuring that any changes in the system's inventory do not materially affect test results.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address the limitations we identified in the program's efforts to test security controls. NOAA's plan outlines several actions, and the agency plans to complete these actions by Summer 2017. We will continue to evaluate NOAA's progress in implementing its planned actions.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to, when establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address it. This plan includes multiple actions that are to be completed by the end of July 2017. We will continue to evaluate NOAA's progress.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to ensure that the agency and program are tracking and closing a consistent set of incident response activities.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with our recommendation and has made progress in addressing it. Specifically, NOAA developed a pilot of a new incident tracking and reporting system to manage its response activities. NOAA plans to complete additional steps to implement this recommendation. We will continue to evaluate NOAA's progress in addressing this recommendation.
    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to evaluate the costs and benefits of different launch scenarios for the Polar Follow-on program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs.

    Agency: Department of Commerce
    Status: Open

    Comments: NOAA agreed with this recommendation and provided some documentation on its efforts to evaluate different launch scenarios. However, the agency has not yet provided all of the documentation needed to confirm that this recommendation has been addressed. We continue to work with NOAA to obtain and review the documentation needed to address this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    6 open recommendations
    Recommendation: To ensure that agencies are provided with more complete guidance for contracts for cloud computing services, the Director of OMB should include all ten key practices in future guidance to agencies.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We are following up with OMB on its service level agreement (SLA) guidance to agencies.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretary of Defense should direct the appropriate officials to ensure key practices are fully incorporated for cloud services as the contracts and associated SLAs expire. These efforts should include updating the Department of Defense memorandum on acquiring cloud services and current Defense Acquisition Regulations System to more completely include the key practices.

    Agency: Department of Defense
    Status: Open

    Comments: We are following up with DOD on updating their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We are following up with DHS on the finalization of its service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We are following up with HHS on their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of the Treasury
    Status: Open

    Comments: We are following up with Treasury on their service level agreement (SLA) guidance.
    Recommendation: To help ensure continued progress in the implementation of effective cloud computing SLAs, the Secretaries of Health and Human Services, Homeland Security, Treasury, and Veterans Affairs should direct appropriate officials to develop SLA guidance and ensure key practices are fully incorporated as the contract and associated SLAs expire.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We are following up with VA on their service level agreement (SLA) guidance.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    5 open recommendations
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to define the scope, implementation strategy, and schedule of the agency's overall modernization approach, with related goals and measures for effectively overseeing the effort. At a minimum, the agency should update its IT strategic plan and complete its modernization plan.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with this recommendation, and reported on actions taken to update its IT Modernization Plan such as conducting cross-functional work sessions to establish an actionable implementation roadmap in line with agency priorities. However, as of April 2017, we have not yet obtained evidence that FEMA has fully updated its IT strategic plan and completed its modernization plan to address the weaknesses identified in our report. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to establish time frames for current and future IT workforce planning during its modernization efforts and ensure all regions and offices are included in these initiatives.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department stated that FEMA completed the assessment of skills gap and identified and prioritized the skills required to staff and sustain the core competencies required to successfully implement FEMA's IT modernization efforts. However, we have not yet validated the agency actions to establish time frames for current and future IT workforce planning during its modernization efforts. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement complete program plans that define overall budget and schedule, key deliverables and milestones, assumptions and constraints, description and assignment of roles and responsibilities, staffing and training plans, and an approach for maintaining these plans.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with our recommendation and in response updated its program management plans that support the program offices of the Disaster Assistance Improvement Plan, Emergency Management Mission Integrated Environment, and Integrated Public Alert and Warning System. The program plans addressed some of the weaknesses we identified in our report. For example, the program management plans identified and described the overall program management processes and methods to be used during all phases of projects and defined key deliverables and milestones, roles and responsibilities, staffing and training and an approach for maintaining the plans. However, the plans did not clearly define the knowledge and skills needed to carry out the program or provide sufficient details on the budget and scheduling for the programs under review. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a system integration plan that includes all systems to be integrated with the system, roles and responsibilities for all relevant participants, the sequence and schedule for every integration step, and how integration problems are to be documented and resolved.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department reported that the system owners for the DAIP, EMMIE, and IPAWS programs have updated their respective system integration plans to address the risks identified within the recommendation. In addition, the agency provided documentation such as the IPAWS Integrated Logistics Support Plan, as well as the quality control plan, and test execution plans for both the DAIP and EMMIE programs. However, we have not yet completed our analysis and validated the agency actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: As part of the effort of improving IT management at the three programs, the FEMA Administrator should direct the CIO to ensure that FEMA policy for managing IT programs includes guidance for implementing the key management practices.

    Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
    Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation. In its November 2016 update, FEMA reported that the System Owners for DAIP, EMMIE, and IPAWS have updated their respective IT management program and plans and coordinated with the FEMA CIO to address the risks identified within the recommendation. However, we have not yet validated the agency actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    6 open recommendations
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Army should direct the Tactical Mission Command program manager to develop a requirements management plan to document and manage its requirements process.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Navy should direct the Common Aviation Command and Control System program manager to identify weaknesses in the requirements traceability process and take corrective actions to manage the traceability of requirements to the respective lower-level requirements, and periodically evaluate work products, including the requirements management plan, and update them in accordance with the requirements guidance.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of the Air Force should direct the Defense Enterprise Accounting and Management System program manager to address weaknesses in its controls for ensuring that all software requirements are tested and validated before deployment of new software releases.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Director of OMB should instruct the Federal Chief Information Officer (CIO) to add the Under Secretary of Defense for AT&L as a responsible party to DOD's MAIS entries on the Federal IT Dashboard website, alongside the CIO, to publicly disclose the responsible party for the acquisition performance management of MAIS programs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget did not agree with the recommendation, but stated it would work with the Department of Defense to address it. In April 2017, the Department of Defense stated that it is reorganizing the office of the Under Secretary of Defense for AT&L and its responsibilities. We will continue to follow up with the department subsequent to the reorganization in an effort to determine the party responsible for the acquisition performance management of MAIS programs and OMB's efforts to disclose the responsible party on the Federal IT Dashboard.
    Recommendation: To help improve the management of MAIS programs, the Secretary of Defense should examine the MAIS critical change reporting process to identify root causes for delays and implement corrective actions for the timely delivery of critical change reports.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To help improve the management of MAIS programs, the Secretary of Defense should develop a mechanism for monitoring whether MAIS programs with late reports are restricted from obligating funds and in turn ensuring compliance with the Antideficiency Act.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with our recommendation. We have requested documentation regarding the status of implementing this recommendation. As of April 2017, we have not received a response from the department to our request. We will continue to monitor the department's progress in implementing this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    26 open recommendations
    including 1 priority recommendation
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that its Office of the Chief Information Officer (OCIO) was actively engaging with the department's Operating Administrations and was reconciling its original cost savings and avoidance targets to develop and update a yearly calculation as part of Transportation's multi-year strategy to consolidate and optimize its data centers. The department added that periodic updates would be provided to OCIO leadership and the CIO Council, with reconciled cost savings and avoidance targets for fiscal years 2017 and 2018 expected to be updated by September 30, 2016. However, as of July 2017, Transportation has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidance targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the department's progress in implementing this recommendation and update accordingly.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation, and has taken initial steps to implement it. In June 2016, the department stated in correspondence to GAO that it was in the process of reviewing pending guidance on the Office of Management and Budget's Data Center Optimization Initiative (DCOI). The department further stated that once the DCOI guidance was issued, the department would update its targets and finalize a plan to more adequately address cost savings and avoidance targets for fiscal years 2016 through 2018. However, as of July 2017, the department has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidance targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency (EPA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, EPA stated in correspondence to GAO that it planned to establish a single data center within each of several specific geographical areas. For each data center selected for retention, the agency stated that it planned to make upgrades to address any potential capacity or performance issues, but noted that the specific plans for each data center slated for consolidation were under development. EPA stated that the resulting total cost savings were under assessment and had not yet been determined. However, as of July 2017, EPA has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidance targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: National Science Foundation
    Status: Open

    Comments: The National Science Foundation has not yet taken steps to implement our recommendation. As of July 2017, the National Science Foundation has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidance targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that federal data center consolidation and optimization efforts improve governmental efficiency and achieve cost savings, the Secretaries of the Departments of the Interior, State, Transportation, and the Treasury; the Administrators of the Environmental Protection Agency, National Aeronautics and Space Administration and Small Business Administration; the Directors of the National Science Foundation and Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission should take action to address challenges in establishing, and to complete, planned data center cost savings and avoidance targets for fiscal years 2016 through 2018.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration agreed with our recommendation, but has not yet taken steps to implement it. As of July 2017, the Small Business Administration has not updated its Data Center Optimization Strategic Plan to include planned cost savings and avoidance targets for fiscal years 2016 through 2018. We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that its Office of the Chief Information Officer (OCIO) developed a scorecard to track progress for each of the data center optimization areas. According to the department's scorecard, the department reported meeting 3 of 10 optimization targets, but did not meet the remaining 7 targets. DHS's OCIO noted that they would update this scorecard quarterly in alignment with Federal Data Center Consolidation Initiative data collection. DHS's OCIO expected to complete implementation of this recommendation by November 30, 2016. However, as of July 2017, DHS reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture generally agreed with our recommendation, and has taken initial steps to implement it. Specifically, as of July 2017, the department reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets one (server virtualization) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the department also reports that it does not yet meet the remaining four targets (server utilization and monitoring, energy metering, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the department stated in correspondence to GAO that it will work with its bureaus to develop and publish an annual strategic plan. The strategic plan will, among other things, describe a list of specific planned actions to improve data center optimization progress. For example, the department stated that, to increase facility utilization, the Bureau of Economic Analysis is co-locating computing resources within the Census Bureau's Bowie Computer Center. Further, Census planned to market the Bowie Computer Center as an opportunity for government-wide co-location. In addition, the department stated that the National Oceanic and Atmospheric Administration is building greater network capacity to National Weather Service forecast offices and will aim to reduce the number of local systems at forecast offices that are currently considered data centers (122 in total). However, as of July 2017, the Department of Commerce reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense (DOD) agreed with our recommendation, and has taken initial steps to implement it. In June 2016, the department stated in correspondence to GAO that it is considering several actions to improve optimization progress in the areas that we reported as not meeting the Office of Management and Budget's (OMB) established targets. For example, DOD stated that it is moving toward on-premises and off-premises commercial cloud hosting services to enable migration of workloads to more efficient environments intended to improve the virtualization and density metrics. Further, the department stated that its Chief Information Officer is working directly with the services to reconcile the instances of multiple Installation Processing Nodes on individual bases, posts, camps, and stations. DOD also stated that all of these actions will enable the closure of additional data centers, increase efficiencies in all categories, and drive greater savings. However, as of July 2017, the Department of Defense reports on the OMB IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy (Energy) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, Energy stated in correspondence to GAO that it had established an enterprise-wide Data Center Working Group that is chartered to identify best practices in data center metering, optimization, consolidation and cloud migration (and to support these practices throughout the department). According to Energy, this working group is intended to serve as a focus group for communicating information related to the Federal Information Technology Acquisition Reform Act (FITARA), departmental strategy and implementation, and the Office of Management and Budget (OMB) requirements for data centers, as well as to provide summary data center performance status to all members. However, as of July 2017, Energy reports on OMB's IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: The Department of Housing and Urban Development (HUD) agreed with our recommendation, and has taken steps to implement it. In May 2016, the department stated in correspondence to GAO that its ability to attain the Office of Management and Budget's (OMB) established target value for the three remaining optimization metrics would require the department to further consolidate data center resources and migrate from contractor-owned and operated data centers to multi-tenant, shared data centers. The department further stated that this effort would be accomplished under the HUD Enterprise and Architecture Transition initiative that was restructuring infrastructure services and was targeting data center migrations to be completed by July 2017. The department also stated that it expected to be able to provide fiscal year 2017 optimization metrics data that met or exceeded OMB's target values by February 2018. However, as of July 2017, the department states that, due to data center migration dependencies on two smaller infrastructure transition projects, the data center migration project schedule is delayed until the first quarter of fiscal year 2018. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the department stated in correspondence to GAO that it would work to improve the data center optimization metrics that did not meet the Office of Management and Budget's (OMB) established targets. The department further stated that it expected to have a more detailed approach available through a Data Center Strategy, which was expected before the end of fiscal year 2016. However, as of July 2017, the department reports on OMB's IT Dashboard that it meets only one (power usage efficiency) of the five data center optimization metric targets OMB currently requires agencies to report against. The department further reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, and data center facility space). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Social Security Administration
    Status: Open

    Comments: The Social Security Administration agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the agency stated in correspondence to GAO that it was in the process of transitioning to a new data center. While undergoing this transition, the agency stated that it was working to optimize its new data center and will have the capability to report on the Office of Management and Budget's optimization targets once the transition is complete. The agency expected to complete these steps by September 2016. As of July 2017, SSA reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets three (energy metering, data center facility space and power usage efficiency) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, SSA reports that it does not meet the remaining two targets (related to server utilization and monitoring, and server virtualization). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior (Interior) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that its Office of the Chief Information Officer (OCIO) was developing data center optimization metrics to measure bureau and office progress in meeting optimization targets. The department added that these metrics would become part of the 2016 OCIO Organizational Assessment, a scorecard used to measure bureau and office progress against predefined targets. However, as of July 2017, Interior reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice (Justice) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, Justice stated in correspondence to GAO that it was developing plans to migrate the remaining non-core data centers to the department's three Core Enterprise Facilities (CEFs) and/or commercial cloud services by the end of fiscal year 2019. The department added that, as these migrations occur, its data center footprint and facility utilization should continue to improve and the percentage of servers and operating systems residing in the CEFs should significantly exceed federal data center consolidation targets. Justice also stated that it engaged with external representatives to perform an energy efficiency assessment at its core enterprise facility in Virginia, which resulted in significant improvements at the data center and improved the overall power usage efficiency across the department's core data centers. However, as of July 2017, Justice reported on the Office of Management and Budget's (OMB) IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation (Transportation) agreed with our recommendation, and has taken initial steps to implement it. In April 2016, Transportation stated in correspondence to GAO that it centralized its data center consolidation efforts in fiscal year 2015 and, in early fiscal year 2016, completed reconciliation of its actual and planned data center closures, as well as related performance data. The department also stated that it planned to continue towards measuring and making improvements to meet the Office of Management and Budget's (OMB) data center optimization performance metric targets. Transportation noted that periodic updates provided to its Office of the Chief Information Officer leadership and the Chief Information Officer Council would identify challenges in meeting the Office of Management and Budget's optimization metric targets. However, as of July 2017, Transportation reports on OMB's IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor (Labor) agreed with this recommendation, and has taken initial steps to implement it. In April 2016, the department stated in correspondence to GAO that it had closed 23 percent of its data centers and, by the end of 2019, the department plans to close 61 percent of its data centers. Further, Labor stated that it has made significant progress in the development of a fully virtualized common operating environment. According to the department, these efforts are designed to improve optimization metrics performance. However, as of July 2017, the department reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not yet meet any of the five data center optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury (Treasury) generally agreed with our recommendation, and has taken initial steps to implement it. However, as of July 2017, Treasury reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of Veterans Affairs
    Status: Open
    Priority recommendation

    Comments: The Department of Veterans Affairs (VA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the department stated in correspondence to GAO that it had not yet taken action to improve optimization progress in the areas that we reported as having weaknesses. Specifically, the department stated that the Office of Management and Budget (OMB) was in the process of changing the fiscal year 2016 through 2018 closure targets and data center optimization metrics under the Federal Information Technology Acquisition Reform Act, which it planned to complete by the end of July 2016. Upon receipt of the targets, VA stated that it needed to assess the impact on strategies already under way, which it planned to complete by mid-fiscal year 2017. As of July 2017, the department reports on OMB's IT Dashboard that it meets only one (power usage efficiency) of the five data center optimization metric targets that OMB currently requires agencies to report against. In addition, the department reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, and data center facility space). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Department of State
    Status: Open

    Comments: The Department of State agreed with our recommendation, and has taken initial steps to implement it. In June 2016, the department stated in correspondence to GAO that it planned to follow the Office of Management and Budget's (OMB) guidance on optimizing data centers and would take action to improve the defined areas that the Data Center Optimization Initiative identifies. Specifically, as of July 2017, the department reports on OMB's IT Dashboard that it meets only one (power usage efficiency) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the department reported that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, and data center facility space). We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the agency stated in correspondence to GAO that it had directed data center stakeholders to place an emphasis on virtualizing physical servers and moving server-based applications to the cloud or a core data center. The agency added that the estimated increase for each optimization metric would be determined after data consolidation plans were finalized. As of July 2017, EPA reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets three (energy metering, server virtualization, and power usage efficiency) of the five data center optimization metric targets OMB currently requires agencies to report against. However, EPA reports that it does not yet meet the remaining two targets (related to server utilization and monitoring, and data center facility space). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: General Services Administration
    Status: Open

    Comments: The General Services Administration (GSA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, the agency stated in correspondence to GAO that it had developed an action plan to improve optimization progress. For example, GSA's action plan stated that the agency planned to create a new inventory of their data centers in order to establish a baseline to help in planning for data center closures, as well as collecting more accurate data for cost saving calculations. The agency also planned to create a new and better cost saving model and noted that it planned to refresh the cost model semi-annually. Finally, GSA intended to improve the required metrics set forth by the Office of Management and Budget (OMB) by eliminating physical machines and increasing virtualization whenever possible. As of July 2017, GSA reports on OMB's IT Dashboard that it meets one (server utilization and monitoring) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, GSA reports that it does not meet the remaining four targets (related to energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, NASA stated in correspondence to GAO that it planned to develop improvement strategies for each deficient metric and hold meetings with all of the data center owners to explain the improvement strategies and further educate the data center owners on how to create efficiencies. NASA added that the anticipated completion for this is July 2017. However, as of July 2017, NASA reports on the Office of Management and Budget's (OMB) IT Dashboard that it does not meet any of the five data optimization metric targets that OMB currently requires agencies to report against (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission (NRC) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, NRC stated in correspondence to GAO that it was pursuing development of a hybrid data center that will allow many data center functions to be performed in the cloud, allowing for more optimization, including the ability to better meet optimization targets (including those related to both cost savings and optimization) established by the Office of Management and Budget (OMB) through the Data Center Optimization Initiative. As of July 2017, NRC reports on OMB's IT Dashboard that it meets one (server virtualization) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the agency reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management (OPM) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, OPM stated in correspondence to GAO that it was committed to meeting the targets associated with the agency's data center optimization efforts. The agency added that challenges would be addressed as plans evolved to meet current targets and within current funding. As of July 2017, OPM reports on the Office of Management and Budget's (OMB) IT Dashboard that it meets only one (server virtualization) of the five data center optimization metric targets that OMB currently requires agencies to report against. However, the agency reports that it does not meet the remaining four targets (related to server utilization and monitoring, energy metering, server virtualization, data center facility space, and power usage efficiency). We will continue to monitor and evaluate the agency's progress in implementing this recommendation and update accordingly.
    Recommendation: The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

    Agency: United States Agency for International Development
    Status: Open

    Comments: The U.S. Agency for International Development (USAID) agreed with our recommendation, and has taken initial steps to implement it. In May 2016, USAID stated in correspondence to GAO that it was planning to take action to improve progress in the remaining two areas that we reported as not meeting the Office of Management and Budget's (OMB) optimization targets, including addressing any identified challenges. The agency noted that its target completion date for implementing our recommendation was February 2017. However, as of July 2017, USAID reports on OMB's IT Dashboard that it does not yet meet the server utilization and monitoring metric target, which is the only metric applicable to USAID. We will continue to monitor and evaluate the department's progress in implementing this recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    11 open recommendations
    Recommendation: To ensure that the HRIT investment receives necessary oversight and attention, the Secretary of Homeland Security should direct the Under Secretary of Management to ensure that the HRIT executive steering committee is consistently involved in overseeing and advising HRIT, including approving key program management documents, such as HRIT's operational plan, schedule, and planned cost estimate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS provided documentation demonstrating that the HRIT executive steering committee is consistently involved in overseeing and advising HRIT in response to our recommendation. DHS also provided documentation demonstrating that the Executive Steering Committee approved HRIT's operational plan for fiscal years 2016-2018. However, DHS still needs to demonstrate that the HRIT ESC has approved the schedule and cost estimate for HRIT.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to update and maintain a schedule estimate for when DHS plans to implement each of the strategic improvement opportunities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to HRIT officials, in response to our recommendation, DHS has developed an implementation plan, including a schedule estimate, for addressing HRIT's strategic improvement opportunities. We will continue to follow up with them for documentation of this implementation plan.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to develop a complete life-cycle cost estimate for the implementation of HRIT.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS prepared an independent cost estimate for the HRIT investment. When developing this estimate, the cost estimators made many assumptions about HRIT's strategic improvement opportunities that had not yet been defined, such as the scope and the preliminary acquisition strategies for each. We will continue to follow up with DHS for supporting documentation for this estimate in order to better understand it.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to document and track all costs, including components' costs, associated with HRIT.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with the recommendation and is working to implement it. While DHS provided certain cost tracking information for HRIT, this information was incomplete and did not demonstrate ongoing tracking of all costs. We will continue to follow up with DHS to obtain additional documentation.
    Recommendation: To address HRIT's poor progress and ineffective management, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Human Capital Officer to direct the HRIT investment to update and maintain the department's human resources system inventory.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS provided its updated human resources systems inventory that it developed in response to our recommendation. According to officials, the list is reviewed and updated on an annual basis or as-needed when a system is deployed or retired. We will continue to monitor this recommendation to ensure that DHS is maintaining this inventory.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to establish a time frame for deciding whether PALMS will be fully deployed at the Federal Emergency Management Agency (FEMA) and the U.S. Coast Guard (USCG), and determine an alternative approach if the learning and/or performance management capabilities of PALMS are deemed not feasible for the U.S. Immigration and Customs Enforcement, FEMA, the Transportation Security Administration, or USCG.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials stated that PALMS will not be fully deployed at FEMA, USCG, ICE, or TSA. The officials stated that future Human Resources Information Technology (HRIT) programs will include enhancing learning management and performance management capabilities. Officials stated that the details related to these efforts are to be discussed in the HRIT strategic improvement opportunity implementation plan. We will continue to follow up with DHS for documentation of this plan.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to develop a comprehensive life-cycle cost estimate, including all government and contractor costs, for the PALMS program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS officials stated that the PALMS program will move into an operations and maintenance phase once the PALMS learning management capabilities are deployed to U.S. Secret Service. As such, DHS does not plan to develop an updated life-cycle cost estimate (LCCE) for PALMS. We will continue to follow up with DHS for documentation of PALMS's actual costs, including government costs.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to develop and maintain a single comprehensive schedule that includes all government and contractor activities, and includes all planned deployment milestones related to performance management.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, the PALMS program office updated its integrated master schedule. However, this schedule has not been appropriately maintained. We will continue to follow up with DHS officials on this recommendation.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to track and monitor all costs associated with the PALMS program.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS concurred with the recommendation and is working to implement it. DHS provided certain cost tracking information for PALMS, but this information did not include government costs or certain past PALMS costs, such as 2017 costs for the Federal Law Enforcement Training Centers' ongoing use of PALMS. We will continue to follow up with DHS officials on this recommendation.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to document PALMS's progress and milestone reviews, including all issues and corrective actions discussed.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS is documenting certain PALMS progress reviews. We have requested documentation related to U.S. Secret Service's deployment of PALMS, to determine whether the Service conducted and documented a milestone review prior to deploying the system.
    Recommendation: To improve the Performance and Learning Management System (PALMS) program's implementation of IT acquisition best practices, the Secretary of Homeland Security should direct the Under Secretary of Management to direct the Chief Information Officer to direct the PALMS program office to establish a comprehensive risk log that maintains an aggregation of all up-to-date risks (including both government- and vendor-identified) and associated mitigation plans. Additionally, within the comprehensive risk log, the PALMS program office should (1) identify and document planned completion dates for each risk mitigation step (where appropriate), and (2) prioritize the risks by determining each risk's relative priority and overall risk level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In response to our recommendation, DHS updated its PALMS risk register. However, this register was not comprehensive. We will continue to follow up with DHS officials on this recommendation.
    Director: Valerie Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to establish schedules and milestones for completing a version of an IT strategic plan that incorporates elements to align the plan's strategies with agency-wide priorities; includes results-oriented goals and performance measures that support the agency's mission, along with targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; identifies key IT initiatives that support the agency's goals; and describes interdependencies among the initiatives.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: FDA concurred with the recommendation and stated that the agency plans to implement it. We contacted the agency in March 2017 and have requested documents regarding FDA's actions to address the recommendation. We are waiting to receive the documents. We will update the status of the agency's actions after we receive and evaluate their response.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    7 open recommendations
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of Homeland Security should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear sectors' cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: DHS has released updated sector-specific plans for the chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors sectors. The plans include a section on measuring effectiveness based on the plan development guidance. The plans provide expected metrics to track the progress of sector activities and state that the outcomes will be reported through the National Annual Reporting process as well as through the quadrennial plan update. Because the metrics are new and annual reporting has not yet occurred, DHS has not provided evidence of metrics data collected and reported to address the challenges. We will continue to follow up to determine how performance measures have been implemented and what reporting is available based on those measures.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

    Agency: Department of the Treasury
    Status: Open

    Comments: The 2015 sector-specific plan for the financial services sector includes a section on measuring the effectiveness of sector activities; however, the plan does not include specific metrics. The plan refers to working groups and meetings of sector stakeholders as mechanisms to track sector progress. No specific metrics and associated reports of outcomes have been provided to address overcoming the challenges of monitoring the sector's cybersecurity progress. We will continue to monitor financial services sector activities and determine any specific metrics and related reports developed and implemented to track and report on the sector's cybersecurity progress.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether USDA and HHS have developed and implemented mechanisms to measure the outcomes of their sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Departments of Agriculture and Health and Human Services released an update to the food and agriculture sector-specific plan for 2015. The plan states the sector's lack of an overarching mechanism to measure and evaluate risk mitigation activities and the challenge of obtaining performance measurement data from non-federal partners. However, the plan notes a goal of evaluating the progress of individual protective programs and strategies. No metrics or reports of outcomes have been provided to address the challenge of monitoring the sector's cybersecurity progress. We will continue to follow up to determine whether HHS has developed and implemented mechanisms to measure the outcomes of its sector cybersecurity-related activities.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Homeland Security and Transportation (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the transportation systems sector's cybersecurity progress.

    Agency: Department of Transportation
    Status: Open

    Comments: The co-Sector-Specific Agencies (SSAs) for the Transportation Systems Sector, DHS (TSA and Coast Guard) and the Department of Transportation, provided an update on efforts to develop sector cybersecurity metrics. The update described measures under consideration such as tracking the number of sector stakeholders receiving cybersecurity products, monitoring the usefulness of products through satisfaction surveys, and tracking attendance at sector events and seminars encompassing cybersecurity. The co-SSAs plan to report sector cyber activities, progress, and relevant metrics annually through the Critical Infrastructure National Annual Report and through quadrennial updates to the sector-specific plan. The latest sector-specific plan was released in 2015. The proposed metrics have not been formalized in a strategy or plan. We will continue to monitor and evaluate efforts to formalize and implement the proposed metrics to determine whether they address the intent of the recommendation.
    Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The 2015 water and wastewater sector-specific plan includes a segment on measuring the effectiveness of sector activities that describes the overall principles for collecting data and using the National Annual Report data calls as a tool for assessing performance and reporting on progress within the sector. However, the plan does not state specific measures and the agency acknowledged in its response to our report that it does not collect performance metrics on the effectiveness of its cybersecurity programs for the sector. According to agency officials, the development of performance metrics in collaboration with sector partners is underway. We will continue to follow up to identify any specific metrics developed and implemented and resulting outcome-based reports.
    Director: Linda Kohn
    Phone: (202) 512-7114

    3 open recommendations
    Recommendation: To ensure effective implementation of the Inclusion Policy in a manner consistent with the Revitalization Act's provisions regarding the design of certain clinical trials, the NIH Director should examine approaches for aggregating more detailed enrollment data at the disease and condition level, and report on the status of this examination to key stakeholders and through its regular biennial report to Congress on the inclusion of women in research.

    Agency: Department of Health and Human Services: Public Health Service: National Institutes of Health
    Status: Open

    Comments: NIH agreed with our recommendation and began discussions in November 2015 regarding conducting these types of analyses. In April and May 2016, NIH officials identified a preliminary strategy for summarizing inclusion data at the disease and condition level. As of August 2017, NIH officials said that due to potential data limitations, NIH will continue to refine methods of reporting at this level, and the agency plans to report enrollment data at the disease and condition level in its next triennial NIH report to Congress, covering fiscal years 2015-2017, to be drafted in fiscal year 2018.
    Recommendation: To ensure effective implementation of the Inclusion Policy in a manner consistent with the Revitalization Act's provisions regarding the design of certain clinical trials, the NIH Director should, on a regular basis, systematically collect and analyze summary data regarding awardees' plans to conduct analyses of potential sex differences, such as the proportion of trials being conducted that intend to analyze differences in outcomes for men and women.

    Agency: Department of Health and Human Services: Public Health Service: National Institutes of Health
    Status: Open

    Comments: In August 2017, NIH reiterated that the agency has established a number of policies and processes to ensure that sex differences are considered in the design of research, but has not taken action specific to this recommendation. We continue to believe that thoughtful, useful analysis and summary reporting would improve NIH's oversight of this aspect of the Inclusion Policy.
    Recommendation: To ensure effective implementation of the Inclusion Policy in a manner consistent with the Revitalization Act's provisions regarding the design of certain clinical trials, the NIH Director should report on this summary data and the results of this analysis in NIH's regular biennial report to Congress on the inclusion of women in research.

    Agency: Department of Health and Human Services: Public Health Service: National Institutes of Health
    Status: Open

    Comments: NIH agreed with our recommendation in commenting on our report. In August 2017, NIH reiterated that the agency has established a number of policies and processes to ensure that sex differences are considered in the design of research, but has not taken action specific to this recommendation. We continue to believe that thoughtful, useful analysis and summary reporting would improve NIH's oversight of this aspect of the Inclusion Policy.
    Director: Timothy J. DiNapoli
    Phone: (202) 512-4841

    13 open recommendations
    including 6 priority recommendations
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to conduct a comprehensive analysis of Army IT services spending to determine the extent to which requirements can be addressed by Computer Hardware, Enterprise Software and Solutions (CHESS) or other strategic sourcing approaches, and based on this analysis, consider opportunities to reduce duplicative contracts.

    Agency: Department of Defense: Department of the Army
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to implement utilization metrics and mandatory use or consideration policies.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to develop guidance and overarching goals and metrics for savings.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Army, the Secretary of the Army should direct its strategic sourcing accountable official to conduct a review of the benefits and disadvantages of standardized labor categories for CHESS or future contracts.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Navy, the Secretary of the Navy should direct its strategic sourcing accountable official to conduct a comprehensive analysis of IT services spending to determine the extent to which requirements can be addressed by the existing contracts or other strategic sourcing approaches and based on this analysis, reduce duplicative contracts.

    Agency: Department of Defense: Department of the Navy
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Navy, the Secretary of the Navy should direct its strategic sourcing accountable official to implement utilization metrics and monitor agency efforts to comply with the Navy's existing use policies for IT services.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable official to conduct a comprehensive analysis of IT services spending to determine the extent to which requirements can be addressed by Network-Centric Solutions (NETCENTS) or other strategic sourcing approaches, and based on this analysis, reduce duplicative contracts.

    Agency: Department of Defense: Department of the Air Force
    Status: Open
    Priority recommendation

    Comments: DOD concurred with our three recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable official to implement utilization metrics.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable official to develop guidance and overarching goals and metrics for savings.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within the Air Force, the Secretary of the Air Force should direct its strategic sourcing accountable official to conduct a review of the benefits and disadvantages of standardized labor categories for primary strategic sourcing vehicles such as NETCENTS.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: DOD concurred with our recommendations. To fully implement these recommendations, DOD should complete analyses of information technology services spending, reduce duplicative contracts where appropriate, and establish metrics to monitor progress and assess compliance with existing IT services use policies.
    Recommendation: To improve efforts to strategically source IT services within NASA, the Administrator of NASA should direct its strategic sourcing accountable official to use its 2014 spend analysis to determine the extent to which requirements can be addressed by the IT Infrastructure Integration Program or other strategic sourcing approaches, and based on this analysis, reduce duplicative contracts.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA agreed with this recommendation. To fully implement it, NASA needs to successfully implement its planned actions, including (1) implement new strategic sourcing policies in the NASA federal acquisition regulation supplement, (2) revise the 2014 spend analysis by December 14, 2017, and (3) require strategic sourcing of IT services by December 2018 for services such as mobile communications, telecommunications, cloud computing, and seat management.
    Recommendation: To improve efforts to strategically source IT services within NASA, the Administrator of NASA should direct its strategic sourcing accountable official to implement utilization metrics and mandatory use policies.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA partially agreed with this recommendation. Specifically, NASA agreed to establish metrics, but sought to employ mandatory consideration policies, where applicable, instead of mandatory use policies. We agreed that the proposed approach would meet the intent of our recommendation. To fully implement this recommendation, NASA needs to successfully implement its planned actions, including (1) revising the NASA strategic sourcing guide to include establishment of utilization metrics, and (2) issuing updated strategic sourcing policies in the NASA federal acquisition regulation supplement to include mandatory use policies.
    Recommendation: To improve efforts to strategically source IT services within NASA, the Administrator of NASA should direct its strategic sourcing accountable official to develop guidance and overarching goals and metrics for savings.

    Agency: National Aeronautics and Space Administration
    Status: Open
    Priority recommendation

    Comments: NASA agreed with this recommendation. To fully implement this recommendation, NASA needs to successfully implement its planned actions, including (1) issuing updated strategic sourcing policies in the NASA federal acquisition regulation supplement, (2) updating its strategic sourcing website, and (3) updating the NASA strategic sourcing guide to include the setting of goals or baselines as a method of evaluating the strategic sourcing approach.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To improve the oversight of states' marketplace IT projects, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that all CMS senior executives from IT and business units who are involved in the establishment of state marketplace IT projects review and approve funding decisions for these projects.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In 2015, Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) concurred with the recommendation. The department, in its agency comments, stated that it already included senior executives in its funding decisions for these projects. However, as noted in our report, CMS did not provide evidence that key senior executives from CCIIO, CMCS, and OTS were involved in various funding decisions associated with the states' IT projects. For example, CMS did not demonstrate that senior-level executives from all relevant business and IT units were involved in the initial approval of grant awards or the release of restricted IT funds from marketplace grants as states progressed with their projects. In addition, CMS did not provide evidence of senior executive involvement in the approval of Medicaid funds for marketplace IT projects. Furthermore, as of March 10, 2017, CMS still had not provided evidence that it had taken such actions to support the implementation of this recommendation. By ensuring such executive involvement, CMS would increase accountability for decisions to fund states' IT projects and ensure that these decisions are well informed in order to make efficient use of federal funds.
    Recommendation: To improve the oversight of states' marketplace IT projects, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that states have completed all testing of marketplace system functions prior to releasing them into operation.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In 2015, Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) concurred with the recommendation. The department noted that it would continue to follow its guidelines to determine if state marketplace system functions are ready for release. The department added that it would work closely with state-based marketplaces to improve their systems and verify that system requirements are met and fully tested before approving them for release into production. While CMS drafted guidance to update its process in June 2016, which required states to submit certain testing reports and supporting documentation, as of March 10, 2017, the agency had not provided evidence that it had determined that state systems had been sufficiently tested for release into operations.
    Director: David Powner
    Phone: (202) 512-9286

    17 open recommendations
    Recommendation: To better ensure that agencies' IT savings are being reinvested in the most efficient and effective manner possible, the Director of OMB should direct the Federal CIO to ensure that agencies complete their reinvestment plans, in accordance with established requirements, and maintain those plans on an ongoing basis.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with, and has taken initial steps to implement, our recommendation. In May 2016, OMB released updated guidance for agencies' quarterly data submissions that noted the importance of providing savings reinvestment information. Specifically, OMB strongly encouraged agencies to provide reinvestment information where feasible, including a description of the activities that were funded using any savings achieved. OMB further noted that failing to provide such information might result in an agency being unable to accurately track its reinvestments. However, the May 2016 guidance notes that providing this reinvestment information is not required. As of May 2017, OMB had not yet updated its guidance for agencies' quarterly data submissions to require reinvestment information. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To better ensure that agencies' IT savings are being reinvested in the most efficient and effective manner possible, the Director of OMB should direct the Federal CIO to require agencies to track actual reinvestment performance and define performance targets for agencies' reinvestments, as done previously.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) generally agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, OMB had not issued additional guidance to require agencies to track actual reinvestment performance or defined performance targets for agencies' reinvestments. We will continue to evaluate OMB's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Agriculture should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department reported about $25 million in cost savings and avoidances related to its data center consolidation efforts, but did not include plans regarding how these savings would be reinvested. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, as part of any future update to the department's information resource management strategic plan or equivalent document, the Secretary of Commerce should direct the CIO to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department had not updated its IT Resource Management Strategic plan to include the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Commerce should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department reported about $26 million in cost savings and avoidances related to its server virtualization efforts, but did not include plans regarding how these savings would be reinvested. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Defense should direct the Defense CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense partially agreed with our recommendation and has taken initial steps to implement it. Specifically, as of May 2017, the department reported approximately $331.4 million in data center consolidation cost savings in its quarterly integrated data collection submission to the Office of Management and Budget. Although the department's submission notes that it plans to reinvest these savings in the agency's core mission, it did not provide any further detail regarding these reinvestment plans. In addition, the department did not report any information technology cost savings and avoidance initiatives related to its business system modernization efforts, which it had previously reported to GAO as an area with substantial savings. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: In addition, to improve the U.S. Army Corps of Engineers' IT savings reinvestment plans, the Secretary of Defense should direct the Secretary of the Army, as part of any future update to the U.S. Army Corps of Engineers' IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: The U.S. Army Corps of Engineers agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the agency had not yet updated its Information Resources Management Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Health and Human Services should direct the CIO, as part of any future update to the department's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) agreed with, and has taken initial steps to implement, our recommendation. Specifically, in November 2015, the department stated that its Office of the Chief Information Officer will include reinvestment strategies in its next update of the HHS Information Resource Management Strategic Plan. According to the department, the updated strategic plan was expected to be completed by the end of September 2016. However, as of May 2017, the agency had not yet updated its Information Resources Management Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Homeland Security should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the department's integrated data collection submission to the Office of Management and Budget had not been updated to include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department did not include reinvestment plans for two cost avoidance strategies related to the Office of Management and Budget's PortfolioStat initiative that have resulted in approximately $96 million in cost avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Housing and Urban Development should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: The Department of Housing and Urban Development agreed with, and has taken initial steps to implement, our recommendation. Specifically, as of May 2017, the department updated its integrated data collection submission to include reinvestment plans for one of the seven cost savings and avoidance initiatives reported. However, the six remaining initiatives, with savings and avoidances totaling approximately $6 million, did not include reinvestment plans. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's tracking of reinvestments, the Secretary of Labor should direct the CIO to use existing governance mechanisms and any improvements resulting from the implementation of FITARA to improve tracking of how savings have been reinvested.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has taken initial steps to implement our recommendation. As of November 2015, the department stated that it was planning improvements in the area of information technology (IT) investment management in accordance with the Office of Management and Budget's June 2015 guidance for implementing the December 2014 IT reform law (commonly referred to as the Federal Information Technology Acquisition Reform Act or FITARA). The department added that these improvements would include the tracking of how savings have been reinvested. Subsequently, in May 2016, the department finalized its FITARA Implementation Plan. While the implementation plan discusses planned actions to improve the Chief Information Officer's involvement in agency IT budget requests, acquisition requests, and program management, it did not specifically discuss planned actions to improve the tracking of how information technology savings have been reinvested. In addition, as of May 2017, the department had not documented any FITARA implementation milestones that discussed making improvements in the tracking of how savings are reinvested. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of State should direct the CIO, as part of any future update to the department's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not yet taken steps to implement our recommendation. Specifically, as of May 2017, the agency had not yet updated its Information Technology Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of the Treasury should direct the CIO, as part of any future update to the department's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2017, the agency had not yet updated its Information Resources Management Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of the Treasury should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to use any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of the Treasury
    Status: Open

    Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2017, the department's integrated data collection submission did not include reinvestment plans for all reported cost savings and avoidance initiatives. For example, the department reported about $1.07 billion in cost savings and avoidances from its information technology infrastructure efficiency initiatives, but did not provide information regarding how it plans to reinvest these savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the department's IT savings reinvestment plans, the Secretary of Veterans Affairs should direct the CIO to ensure that the department's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs agreed with, and has taken initial steps to implement, our recommendation. Specifically, in November 2015, the department's Chief of Staff stated that the Office of Information and Technology was working to establish an office to closely monitor program performance, schedule, return on investment, and total cost of ownership, which will enable reinvestment opportunities. However, as of May 2017, the department's integrated data collection submission did not include reinvestment plans for all of the reported cost savings and avoidance initiatives. For example, the department reported about $177 million in cost savings and avoidances from the renegotiation of an enterprise agreement for software licenses, but did not provide information regarding how it plans to reinvest these savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: To improve the agency's IT savings reinvestment plans, the Administrator of the Environmental Protection Agency should direct the CIO to ensure that the agency's integrated data collection submission to OMB includes, for all reported initiatives, complete plans to reinvest any resulting cost savings and avoidances from OMB-directed IT reform-related efforts.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2017, the agency's integrated data collection submission did not include reinvestment plans for all of the reported cost savings and avoidance initiatives. For example, the agency reported about $3 million in cost savings and avoidances related to two shared services initiatives, but did not provide information regarding how it plans to reinvest these savings and avoidances. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To improve the agency's IT savings reinvestment plans, the Director of the Office of Personnel Management should direct the CIO, as part of any future update to the agency's IRM strategic plan or equivalent document, to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) in accordance with OMB's guidance.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management (OPM) agreed with our recommendation, but has not yet taken action to implement it. Specifically, in November 2015, OPM's Acting Director stated that information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) would be included in future updates to OPM's Strategic IT Plan. However, as of May 2017, the agency had not yet updated its strategic plan to include this information. We will continue to evaluate OPM's progress in implementing this recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    1 open recommendation
    Recommendation: To help ensure that the department can better achieve business process reengineering and enterprise architecture outcomes and benefits, the Secretary of Defense should utilize the results of our portfolio manager survey to determine additional actions that can improve the department's management of its business process reengineering and enterprise architecture activities.

    Agency: Department of Defense
    Status: Open

    Comments: DOD developed a plan, using the results of our survey, to improve the department's management of its business process reengineering and enterprise architecture activities; however, key milestones have not yet been completed. Specifically, in January 2017, the department issued a business enterprise architecture (BEA) improvement plan. The plan was intended to address BEA usability and deficiencies in information supporting the investment management process. As part of the plan, the department identified opportunities to address the results of our survey. For example, according to the plan, our survey results were utilized to identify opportunities for improving management and integration of existing enterprise business processes and investments; assessing duplication early in the analysis phase and finding process and capability reuse across the department; and providing a federated BEA information environment and capabilities to discover and exchange information from other sources. The plan included delivering three major capabilities. As of September 2017, the Office of the Deputy Chief Management Officer stated that the delivery dates for the three capabilities were as follows: Business Capability Acquisition Cycle content ingest and investment reviews by June 2018; process and system reviews within and across domains by June 2018; and development and integration of functional strategies by December 2018. Further, the office stated that dates were subject to a contract being awarded. We will continue to monitor the department's efforts to implement the recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to establish and implement an improvement plan to guide the agency in adopting recognized best practices and following agency policy.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA developed a Strategic IT Roadmap to assist the agency's business and IT leadership in prioritizing IT investments. In addition, FSA stated that it will develop and document a comprehensive improvement plan that is to delineate tactical steps, timelines, and performance metrics to track incremental progress in adopting recognized best practices and program management capabilities. We will continue to monitor the agency's progress in documenting and implementing its improvement plan.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in developing and managing system requirements before proceeding with any further system development to deliver previously envisioned MIDAS functionality. Specifically, the Administrator should ensure that requirements are complete, unambiguous, and prioritized; commitment to requirements is obtained through a formal requirements baseline; differences (or gaps) between the requirements and capabilities of the intended solution (including commercial off-the-shelf solutions) are analyzed; strategies to address any gaps are developed; and requirements are traced forward and backward among development products.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA reported that it will improve the rigor and adherence to requirements management processes for all IT projects, utilizing processes and tools that will support the integrity of the requirements throughout the lifecycle, to ensure that requirements are complete, formally baselined, gaps are analyzed, and fully traceable forward and backward. FSA also noted that it is pursuing an enhanced, more comprehensive governance structure that will further support its commitment to increasing rigor and adherence to defined requirements management processes. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in planning and monitoring projects. Specifically, the Administrator should ensure that project plans include predefined expectations for cost, schedule, and deliverables before proceeding with any further system development; updates to the project plan are made through change control processes; and progress against the project plan, including work performed by contractors, is monitored.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA noted that it began an initiative to improve the agency's use of capital planning guidance from the Office of Management and Budget and would prepare corrective action plans to address identified weaknesses in fiscal year 2016. FSA also noted that it was conducting a series of training classes on capital planning and IT project management across the agency, developing a risk management program, and strengthening the use of earned value management. We will continue to monitor the agency's progress on its project planning efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in system testing. Specifically, the Administrator should establish well-defined test plans before proceeding with any further system development, and ensure that testing of (a) individual system components, (b) the integration of system components, and (c) the end-to-end system are conducted.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that going forward the agency will adhere to recognized best practices and agency policy in pursuing consistent or increased rigor around system testing. The agency noted that it plans to demonstrate that its testing capabilities are consistent and repeatable across all FSA IT projects. We will continue to monitor the agency's implementation of these efforts.
    Recommendation: In order to institutionalize sound IT management practices and build FSA's IT management capacity while improving service to the Nation's farmers and ranchers, the Secretary of Agriculture should direct the FSA Administrator to adhere to recognized best practices and agency policy in executive-level IT governance before proceeding with any further system development. Specifically, an executive-level governance board should (1) review and approve a comprehensive business case that includes a life cycle cost estimate, a cost-benefit analysis, and an analysis of alternatives for proposed solutions that are to provide former MIDAS requirements prior to their implementation; (2) ensure that any programs that are to accommodate former MIDAS requirements are fully implementing the IT program management disciplines and practices identified in this report; (3) conduct a post-implementation review and document lessons learned for the MIDAS investment; and (4) reassess the viability of the MIDAS technical solution before investing in further modernization technologies.

    Agency: Department of Agriculture
    Status: Open

    Comments: FSA stated that, as part of its organizational transformation efforts, the CIO is evaluating its governance structure and updating the charter for the agency-wide IT investment review board with the support of the agency's Executive Leadership Council. FSA also noted that it will adhere to the department's governance framework and processes. We will continue to monitor the agency's implementation of these efforts and how they address our recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    3 open recommendations
    Recommendation: To improve Transformation Program governance, the Secretary of DHS should direct the Under Secretary for Management to ensure that the Acquisition Review Board is effectively monitoring the Transformation Program's performance and progress toward a predefined cost and schedule; ensuring that corrective actions are tracked until the desired outcomes are achieved; and relying on complete and accurate program data to review the performance of the Transformation Program against stated expectations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of August 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. Since we issued this recommendation in May 2015, the Office of Program Accountability and Risk Management (PARM), which serves as the Acquisition Review Board (ARB) executive secretariat and is to oversee DHS's acquisition portfolio, in coordination with the Office of the Chief Information Officer, has actively increased program oversight. For example, beginning in May 2015, the U.S. Citizenship and Immigration Services (USCIS) demonstrated that it submitted data supporting cost, schedule, and technical performance metrics to DHS on a monthly basis. The ARB has also held a number of meetings to discuss the Transformation Program and issued associated Acquisition Decision Memoranda with related action items. In addition, in February 2016, PARM demonstrated that DHS developed a procedure to help ensure acquisition decision memorandum actions, including corrective actions, are tracked until the desired outcomes are achieved. However, as of August 2017, the USCIS Transformation Program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline cost and schedule expectations. During this strategic pause, the program is working to complete various action items assigned by the Acquisition Review Board, including completing an updated Release Roadmap and submitting it to PARM no later than December 29, 2017; updated Lifecycle Cost Estimate and providing it to the Cost Analysis Division no later than December 29, 2017; updated Test and Evaluation Master Plan and submitting it to the Office of Test and Evaluation no later than January 31, 2018; and an updated Acquisition Program Baseline and providing it to PARM no later than December 29, 2017. 
    We will continue to monitor DHS's efforts to re-baseline the USCIS Transformation Program and the Acquisition Review Board's efforts to monitor the Transformation Program's performance and progress toward a predefined cost and schedule; ensure that corrective actions are tracked until the desired outcomes are achieved; and rely on complete and accurate program data to review the performance of the Transformation Program against stated expectations until and after a new baseline is established.
    Recommendation: To improve Transformation Program governance, the Secretary of DHS should direct the DHS Under Secretary for Management, in coordination with the Director of US Citizenship and Immigration Services, to ensure that the Executive Steering Committee is effectively monitoring the Transformation Program's performance and progress toward a predefined cost and schedule and relying on complete and accurate program data to review the performance of the Transformation Program against stated expectations.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of August 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. More specifically, as of July 2016, the U.S. Citizenship and Immigration Services (USCIS) Transformation program office provided evidence that the Executive Steering Committee (ESC) continued to discuss cost, schedule, and operational performance metrics as part of the program's ESC meetings. However, as of August 2017, the USCIS Transformation Program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline its cost and schedule expectations. During this strategic pause, the program is working to complete various action items assigned by the Acquisition Review Board, including completing an updated Release Roadmap and submitting it to the Office of Program Accountability and Risk Management (PARM) no later than December 29, 2017; updated Lifecycle Cost Estimate and providing it to the Cost Analysis Division no later than December 29, 2017; updated Test and Evaluation Master Plan and submitting it to the Office of Test and Evaluation no later than January 31, 2018; and an updated Acquisition Program Baseline and providing it to PARM no later than December 29, 2017. In addition, according to the program's August 2017 Acquisition Decision Memorandum, the ESC has been transformed into a component-only body with no headquarters involvement, and the program was to establish a Program Management Integrated Product Team, which was to meet bi-weekly beginning in September 2017.
    We will continue to monitor DHS's efforts to re-baseline the USCIS Transformation Program, the impact of changes to the ESC, and the ESC's efforts to effectively monitor the Transformation Program's performance and progress toward a predefined cost and schedule and rely on complete and accurate program data to review the performance of the Transformation Program against stated expectations until and after a new program baseline is established.
    Recommendation: To help ensure that assessments prepared by the Office of the Chief Information Officer in support of the department's updates to the federal IT Dashboard more fully reflect the current status of the Transformation Program, the Secretary of DHS should direct the department's Chief Information Officer to use accurate and reliable information, such as operational assessments of the new architecture and cost and schedule parameters approved by the Under Secretary of Management.

    Agency: Department of Homeland Security
    Status: Open

    Comments: As of September 2017, the Department of Homeland Security (DHS) had demonstrated that it had taken steps to address this recommendation, but additional steps were needed. In particular, in February 2016, the DHS Office of the Chief Information Officer (OCIO), in coordination with the Office of Program Accountability and Risk Management (PARM), had consolidated the department's Investment Management System and Next Generation Periodic Reporting System tools into a single enterprise information management and repository system named Investment Evaluation, Submission, and Tracking (INVEST). According to the department, this effort should improve the reliability of the metrics used by OCIO's Enterprise Business Management Office (EBMO), as well as the other line of business and component program offices, and ensure data integrity. The data reported in INVEST include cost, schedule, and operational performance metrics that are to align with the OMB's Information Technology (IT) Dashboard reporting requirements. In addition, as of September 2017, the program was listed as a high-risk program on the federal IT dashboard, in contrast to its April 2015 rating of medium risk. However, as of August 2017, the program was in breach of its previously approved schedule expectations and was taking a strategic pause in developing new software while working to re-baseline its cost and schedule expectations. We will continue to monitor DHS's efforts to re-baseline the USCIS Transformation Program and the Office of the Chief Information Officer's efforts to use accurate and reliable information to update the federal IT dashboard until and after a new program baseline is established.
    Director: David Powner
    Phone: (202) 512-9286

    5 open recommendations
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to ensure that its reports to Congress about the results of IT reform efforts accurately reflect savings generated from all PortfolioStat initiatives, including those associated with FDCCI.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to track agencies' planned savings and use them as a baseline for measuring reported actual savings.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to require agencies to document specifically how the cost savings achieved from PortfolioStat have been reinvested.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: To better ensure that the PortfolioStat initiative improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal CIO to establish time frames for completing assigned PortfolioStat action items and hold agencies accountable for meeting those time frames.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In July 2016, we followed up with OMB on its efforts to address this recommendation. As of September 1, 2016, we were still waiting for the agency's response.
    Recommendation: The Secretary of Defense should direct the Chief Information Officer to revisit the 25 cost initiatives GAO reported in GAO-14-65 to identify those that have achieved savings and cost avoidances and report those savings and avoidances to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, during our review of federal agencies' efforts to rationalize their portfolio of software applications, the department reported that it does not collect data specifically on savings and cost avoidance associated with the business and enterprise IT applications that comprise most of the 25 cost initiatives reported in GAO-14-65. We will continue to follow up with the department on this recommendation.
    Director: Joel Willemssen
    Phone: (202) 512-6253

    2 open recommendations
    Recommendation: To help ensure that the Copyright Office makes improvements to its current IT environment, the Librarian of Congress should direct the Register of Copyrights to, for current and proposed initiatives to improve the IT environment at the Copyright Office, develop plans including investment proposals that identify the business problem, a proposed solution, the expected benefits, how the solution aligns with the Library's strategic plan, an initial 3-year cost estimate, and expected funding sources, and bring those to the Library's IT Steering Committee for review, as required by Library policy.

    Agency: Library of Congress
    Status: Open

    Comments: In commenting on our draft report, the Copyright Office neither agreed nor disagreed with our recommendation. Subsequently, the Copyright Office has begun to take steps to address this recommendation. For example, in November 2015 Copyright submitted to the Library's IT Steering Committee plans for three new fiscal year 2017 IT initiatives aimed at improving current systems, such as technical upgrades to the electronic (eCO) registration system. For each initiative, the office developed plans that identified the business problems, proposed solutions, expected benefits, alignment with the Library's strategic plan, initial 3-year cost estimates, and expected funding sources. In November 2016, the Librarian of Congress directed all top-level IT staff in the Library's various service units, including the Copyright CIO, to be detailed to the Library's OCIO. Subsequently, in April 2017 Library and Copyright Office officials stated that the Copyright Office, in coordination with the Library OCIO, will develop IT investment proposals for fiscal year 2018, including proposals for modernizing the Copyright Office's IT systems. We will continue to evaluate the Copyright Office's efforts to address our recommendation.
    Recommendation: To help ensure that the Copyright Office makes improvements to its current IT environment, the Librarian of Congress should direct the Register of Copyrights to develop an IT strategic plan that includes the office's prioritized IT goals, measures, and timelines, and is aligned with the Library's ongoing strategic planning efforts.

    Agency: Library of Congress
    Status: Open

    Comments: In commenting on our draft report, the Copyright Office neither agreed nor disagreed with our recommendation. In November 2016, the Librarian of Congress directed all top-level IT staff in the Library's various service units, including the Copyright Chief Information Officer (CIO), to be detailed to the Library's Office of the CIO. In light of this organizational realignment, in May 2017 the Library's Office of the CIO and the Copyright Office stated that they will be working in coordination to address our recommendation. We will continue to evaluate the Library and Copyright's efforts to address our recommendation.
    Director: Joel C. Willemssen
    Phone: (202) 512-6253

    24 open recommendations
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to address, this recommendation. Specifically, according to Library officials, they have developed a schedule and processes for developing an architecture that describes the current and target IT environments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in July 2016 the Library engaged the Office of Personnel Management (OPM) to develop and conduct a skills assessment of the Library's IT workforce. According to Library officials, OPM led a focus group with IT specialists to review and revise competency and skill lists for IT positions. In June 2017, OPM administered a gap analysis survey to all IT specialists, supervisors, managers, and leaders within the Library. According to Library officials, the Library is developing a strategy for closing gaps identified in the survey results. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture. Additionally, in February 2017, the Library provided us with IT investment proposals for 19 fiscal year 2017 investments. To the Library's credit, the proposals describe how many of the investments align with the IT strategic plan and enterprise architecture. However, we also identified instances where the alignment with the IT strategic plan and enterprise architecture was not included in the proposals or was not clearly defined. In a written response, the Library stated that the inconsistencies were attributable to manual processes for collecting the information and that it is working to make improvements to these processes for the fiscal year 2018 investments. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include reselecting investments that are already operational. Additionally, in October 2016 the Librarian approved the Library's fiscal year 2017 IT investment plan, which describes $145 million in planned IT spending on systems across the Library that are both operational and in development. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that investment selection decisions have an impact on decisions to fund investments. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include ensuring that appropriate governance bodies review all investments that meet defined criteria. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include requiring investments in development to submit complete investment data in quarterly reports submitted to the Information Technology Steering Committee. Additionally, officials stated that the Library has begun to require IT investments to submit quarterly reports with complete investment data, including cost and schedule variances and risk management data. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. The Library is revising its asset management policy to improve its process for developing and maintaining its inventory of IT assets. Additionally, the Office of the CIO engaged a contractor to perform a full inventory of its IT assets in September 2017. Further, the Library is working to reconcile the results of this IT asset inventory with the information in its asset management system. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include key practices on portfolio management. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, it is drafting several policies and directives relating to IT investment management, to include requiring investments to identify and review risks. Additionally, in February 2017, the Library provided us with risk management information for 19 fiscal year 2017 investments. To its credit, the Library generally identified, documented, evaluated, and categorized risks for each of the 19 investments. However, the Library did not always document the context and consequences of occurrence for all risks and did not describe mitigation plans for all risks. In a written response, the Library noted that it will improve the guidance for risk management, providing examples that should ultimately elicit more useful information for the IT Steering Committee to make decisions or take action when necessary. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office has finalized detailed guidance for the Library on requirements development. We are reviewing this information to determine the extent to which the guidance includes key practices for requirements development. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office has finalized detailed guidance for the Library on developing and maintaining project schedules. We are reviewing this information to determine the extent to which the guidance includes key practices for developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, according to the Library, it is working to give the OCIO's Project Management Office the authority to establish organization-wide policy for developing and maintaining project schedules. Further, the Project Management Office is drafting detailed guidance for the Library on developing and maintaining project schedules. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Information Technology Security Group reviewed all system security plans to ensure that they are complete. After the completion of this review, in August 2017 the Library provided us with system security plans for nine key systems. To its credit, the plans describe many of the common controls (i.e., where a system relies on controls established for another system) on which the systems relied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented by the system, are inherited from another system, or are not being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, the Library's Information Technology Security Group reviewed all system security plans to ensure that they are complete. After completing this review, in August 2017 the Library provided us with system security plans for nine key systems. Each of the plans generally includes descriptions of how security controls are implemented and justifications for why controls are not applied. However, we also identified instances where the plans included conflicting information about whether certain controls are being implemented. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including information security planning. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, in August 2015 the Library began monthly security testing and vulnerability scans for servers, networks, and workstations. Additionally, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in August 2017, the Library provided us with remedial action plans for key Library systems. The Library has generally documented and tracked remedial action plans for these key systems and has completed many. However, we also identified instances of remedial actions that, as of August 2017, had yet to be completed and were past their expected completion date. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including management of remedial action plans. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in October 2015 the Library finalized its guidance on security assessment and authorization, which requires authorizing officials to review the security status of information systems on an ongoing basis to determine whether the risk of operating the system remains acceptable. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in April 2017 the Library required that contingency plans be established for all systems by September 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. According to Library officials, the OCIO is developing a process to track user accounts, including contractors and volunteers, on Library systems to ensure completion of required annual IT Security Training. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. In April and September 2016 the Library provided us with IT contracts that included some, but not all, of the standard contract sections required by Library policy. In February 2017, the Library provided us with newly awarded IT contracts, each of which included the required information security and privacy sections. Further, according to the Library, it plans to incorporate its required information security and privacy provisions into its existing contracts for IT services as the Library exercises options for these contracts. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in September 2016 the Library's Office of the CIO finalized a new service catalog that captures its IT services. The catalog identifies 21 categories of IT services that are available to Office of the CIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating to availability, fulfillment, and response. Additionally, between May 2016 and May 2017, the Office of the CIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for specialized application and services that the Office of the CIO provides to those units. Further, the Library's Office of the CIO is developing a directive on its memorandums of understanding and plans to brief its customers on that directive in November 2017. The Library plans to complete the steps necessary to implement this recommendation by December 2017. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Office of the Chief Information Officer has begun drafting a customer satisfaction improvement plan. The Library expects this plan to be finalized by December 2017. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency: Library of Congress
    Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library is drafting several policies and directives relating to IT investment management, to include reviewing the Library's IT portfolio to identify duplicative or overlapping activities and investments. In addition, according to Library officials, the Library has taken a number of steps to reduce duplicative IT activities. For example, in March 2015 we reported that the Office of Security and Emergency Preparedness (OSEP) managed its own network independent of the Library's central IT provider. However, in June 2017 the Library reported that the Office of the CIO is managing the OSEP network. Further, the Library plans to assess the costs and benefits of consolidating potentially duplicative email and network services identified in our March 2015 report. The Library plans to complete the steps necessary to implement this recommendation by March 2018. We will continue to evaluate the Library's progress in implementing this recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    2 open recommendations
    Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to require MAIS programs to establish their first acquisition program baseline within 2 years of beginning work on the programs.

    Agency: Department of Defense
    Status: Open

    Comments: The Department developed a draft process document that states that business system (e.g., financial management, logistics management) programs should start development on at least one release within 24 months after programs have identified the needed capabilities and received approval to conduct further analysis into the potential delivery of the capabilities. We will follow up with the Department for the final process document and guidance, when available.
    Recommendation: The Secretary of Defense should direct the Secretary of the Army to direct the Army (Financial Management and Comptroller) to complete a plan for conducting auditability testing of LMP Increment 2 functionality to ensure that such testing occurs prior to the LMP program management office deploying future functionality.

    Agency: Department of Defense
    Status: Open

    Comments: According to DOD officials, in response to our recommendation, the department developed a plan to conduct system testing on LMP Increment 2 in accordance with the Federal Information System Controls Audit Manual. The officials stated that the department's plan was to conduct this testing both prior to and after the deployment of new functionality to users. We have requested additional information and documentation from DOD regarding these LMP Increment 2 test plans in order to determine whether the testing associated with auditability of the system was to be conducted before deployment to users.
    Director: David Powner
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: To improve the reliability and reporting of investment performance information and management of selected major investments, the Commissioner of the IRS should direct the Chief Technology Officer to modify reporting of the Affordable Care Act Administration testing status to senior management to include a comprehensive report on all impacted systems--including an explanation for why impacted systems were not tested at a particular level--and ensure this reporting is aligned with the manner in which testing is being performed.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS disagreed with this recommendation at the time we made it, stating that it followed a rigorous risk-based process for planning the tests of ACA-impacted systems, including the types and levels of testing, and that it had comprehensive reporting for the filing season 2015 release, which included ACA-impacted systems. However, as noted in our report, our review of ACA Testing Review Checkpoint reports and filing season reports, which officials stated were used to provide comprehensive reports to senior managers, did not identify the status of testing for all systems impacted by ACA Releases 5.0 and 6.0. We therefore concluded that the recommendation was still valid. As of July 2017, IRS had not changed its position. We will be following up with the agency to discuss the recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To better facilitate the coordination of--and accountability for--the estimated billions of dollars in federal geospatial investments, to reduce duplication, and, specifically, to make progress toward an effective national infrastructure and to improve oversight on federal spending on geospatial data and assets, the Director of OMB should improve oversight of progress on the NSDI by requiring federal agencies to report on their efforts to establish and implement policies for identifying geospatial metadata on the Geospatial Platform and their procedures for utilizing the Marketplace feature of the Geospatial Platform before making new investments in geospatial data.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: As of September 7, 2017, OMB had not yet taken steps to require all federal agencies that invest in geospatial data to report on their efforts to establish and implement policies and procedures for utilizing the Geospatial Platform before making new investments in geospatial data. OMB officials stated in December 2016 that they were in discussion with the Federal Geographic Data Committee (FGDC) on how to best address this issue, possibly in future guidance. On September 7, 2017, OMB officials stated that there have been no changes to the status of this recommendation, but that they anticipate the recommendation will be considered further once the new FGDC Steering Committee leadership and membership are in place and the NSDI Strategic Plan actions and the potential for a new geospatial policy update are determined. However, OMB did not provide anticipated dates for these activities.
    Recommendation: To better facilitate the coordination of--and accountability for--the estimated billions of dollars in federal geospatial investments, to reduce duplication, and to help ensure the success of departmental efforts to improve geospatial coordination and reduce duplication, the Secretary of Agriculture should direct the designated senior agency official for geospatial information to develop and implement internal procedures to ensure that it accesses the Geospatial Platform Marketplace before it expends funds to collect or produce new geospatial data to determine (1) whether the information has already been collected by others and (2) whether cooperative efforts to obtain the data are possible.

    Agency: Department of Agriculture
    Status: Open

    Comments: The United States Department of Agriculture (Agriculture) issued a departmental regulation in August 2016 covering enterprise geospatial data management. The regulation applies to all Agriculture agencies, organizations and contractors, and addresses all geospatial authoritative data sources. It states that all Agriculture agencies and staff offices will follow documented procedures approved by the Office of the Chief Information Officer (OCIO) to conduct a formal search of the Geospatial Marketplace prior to expending funds for geospatial data acquisitions. However, Agriculture has yet to provide the OCIO-approved documented procedures, or evidence of their implementation. According to an Agriculture official in July 2017, the new procedures are under review, and they hope to have implemented them by the end of December 2017.
    Recommendation: To increase coordination between various levels of government and reduce duplication of effort, resources, and costs associated with collecting and maintaining accurate address data, Congress should consider assessing the impact of the disclosure restrictions of Section 9 of Title 13 and Section 412 of Title 39 of the U.S. Code in moving toward a national geospatial address database. If warranted, Congress should consider revising those statutes to authorize the limited release of addresses, without any personally identifiable information, specifically for geospatial purposes. Such a change, if deemed appropriate, could potentially result in significant savings across federal, state, and local governments.

    Agency: Congress
    Status: Open

    Comments: There has been no legislative action identified as of August 16, 2017. Addressing this action, which GAO suggested in February 2015, could increase coordination between various levels of government and reduce duplication of effort, resources, and costs associated with collecting and maintaining accurate address data.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To ensure that the federal government's and states' investments in information systems result in outcomes that are effective in supporting efforts to save funds through the prevention and detection of improper payments in the Medicaid program, the Secretary of Health and Human Services should direct the Administrator of CMS to require states to measure quantifiable benefits, such as cost reductions or avoidance, achieved as a result of operating information systems to help prevent and detect improper payments. Such measurement of benefits should reflect a consistent and repeatable approach and should be reported when requesting approval for matching federal funds to support ongoing operation and maintenance of systems that were implemented to support Medicaid program integrity purposes.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: In comments on our report, agency officials agreed with this recommendation and provided information on CMS's plans to use a template to track cost savings resulting from state Medicaid offices' use of information systems for program integrity purposes. In April 2017, CMS officials said that they were no longer planning to use the template to gather information from the states, because of the varied approaches that states take to implement systems support for program integrity purposes. The officials stated that they are developing an alternative approach for capturing this information from the states, which will be provided to us when completed. We will continue to monitor CMS's progress toward addressing the recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    5 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and ensure that the executive-level investment review board meets as outlined in its charter, documents criteria for use by the other boards, and distributes its decisions to appropriate stakeholders.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e. the Executive Operations Committee) that replaced the board discussed in our report. However, as of April 2017, the department had not yet documented criteria the Committee had established for use by other boards or provided evidence of how this new committee would distribute decisions made to appropriate stakeholders.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish and maintain a complete set of governance policies, establish time frames for establishing policies planned but not yet developed, and update key governance documents to reflect changes made to established practices.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, the department had taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy and confirmed that the remaining policies to be developed were the IT Risk Policy and the IT Performance Management Policy. HUD also reported that the department planned to revise additional existing policies, including the IT Management Framework Policy, IT Capital Management Policy, IT Project Planning & Management Policy, IT Governance Policy, and IT Strategic Planning Policy. As of April 2017, the department had finalized a Risk Policy but reported it was still working on additional policy updates anticipated to be finalized during 2017.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish an IT investment selection process that includes (1) articulating how reviews of project proposals are to be conducted; (2) planning how data (including cost estimates) are to be developed and verified and validated; (3) establishing criteria for how cost, schedule, and project risk are to be analyzed; (4) developing procedures for how proposed projects are to be compared to one another in terms of investment size (cost), project longevity (schedule), technical difficulty, project risk, and cost-benefit analysis; and (5) ensuring that final selection decisions made by senior decision makers and governance boards are supported by analysis, consider predefined quantitative measures, and are consistently documented.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not provided information demonstrating that the department has addressed this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. As of April 2017, the department had reported on improvements to its investment process but had not yet provided evidence of specific actions or plans aimed at ensuring the five IT selection processes highlighted in this recommendation would be addressed.
    Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish a well-defined process that incorporates key practices for overseeing investments, including (1) monitoring actual project performance against expected outcomes for project cost, schedule, benefit, and risk; (2) establishing and documenting cost-, schedule-, and performance-based thresholds for triggering remedial actions or elevating project review to higher-level investment boards; and (3) conducting post-implementation reviews to evaluate results of projects after they are completed.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, the department had taken steps to address this recommendation. Specifically, in April 2016, HUD provided evidence of actions taken toward developing new processes for investment oversight practices. Specifically, the department created processes for conducting project health assessments and weekly project management meetings intended to monitor, among other things, actual performance against expected outcomes, and to establish thresholds for triggering remedial actions or elevating projects for additional review. As of April 2017, the department had not provided evidence that these new processes were fully established and institutionalized.
    Recommendation: To establish an enterprise-wide view of cost savings and operational efficiencies generated by investments and governance processes, the Secretary of Housing and Urban Development should direct the Deputy Secretary and Chief Information Officer to place a higher priority on identifying governance-related cost savings and efficiencies and establish and institutionalize a process for identifying and tracking comprehensive, high-quality data on savings and efficiencies resulting from IT investments and the IT governance process.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: As of April 2017, the department had taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the fiscal year 2015 budget formulation process, along with copies of a template that it designed and used to help identify such savings. As of April 2017, the department had not yet provided evidence that it had formally established policies and procedures or taken other actions to institutionalize a process for identifying and providing an enterprise-wide view of IT-related cost savings and operational efficiencies.
    Director: David A. Powner
    Phone: (202) 512-9286

    10 open recommendations
    including 2 priority recommendations
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services agreed with, and has taken initial steps to implement, our recommendation. In June 2015, the department reported that it had begun an effort to calculate the tangible cost savings and avoidances derived from closing over 50 data centers as part of its data center consolidation efforts. As of March 2017, the department reported that it had closed a total of 74 data centers and had identified $6.64 million in cost savings and avoidances, which is approximately $2.30 million more than what we reported in September 2014. However, the identified cost savings do not include any savings from fiscal years 2015 or 2016. Accordingly, we conclude the department has not yet completed efforts to address challenges in calculating cost savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior agreed with, and has taken initial steps to implement, our recommendation. Specifically, in December 2014, the Interior's Deputy Assistant Secretary for Policy, Management and Budget established a series of steps toward addressing our recommendation. The steps include, for example, consolidating and streamlining data center consolidation reporting processes, developing a template that all department bureaus and offices are required to use, and issuing a directive requiring consistent reporting for all data center cost savings and avoidances. In addition, the department submitted a Data Center Optimization Initiative strategic plan to the Office of Management and Budget (OMB) in September 2016. In the plan, the department reported closing 53 data centers and achieving $4.4 million in cost savings and avoidances in fiscal year 2016. However, the plan does not indicate how the department will address identified challenges nor does it indicate whether the department has successfully implemented its directive on consistent monitoring of cost savings and avoidances. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of HHS, the Interior, Justice, and Labor, and the Administrators of GSA and NASA should complete action plans for addressing their challenges in reporting cost savings, as discussed in this report.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor agreed with, and has taken initial steps to implement, our recommendation. In September 2015, the department stated that its Office of the Chief Information Officer was working to develop an enterprise data center inventory as part of the department-wide Data Center Consolidation Initiative Working Group. In September 2016, the department submitted its Data Center Optimization Initiative plan to the Office of Management and Budget. The plan reported that the department had closed 28 non-tiered data centers in fiscal year 2016 and indicated that the department had historical cost savings of $4.85 million to date. However, as of March 2017, the department had not yet reported any resulting cost savings or avoidances in its quarterly report to OMB. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with, and has taken initial steps to implement, our recommendation. In September 2014, we found that the department reported fiscal year 2012 through 2015 cost savings and avoidances of $244.17 million to GAO, but had only reported $71.20 million to the Office of Management and Budget (OMB)--a difference of approximately $172.97 million. Moreover, as of March 2017, the department still had not yet fully reported its savings to OMB, as we recommended. Specifically, the department had reported a total of about $25.07 million in cost savings and avoidances to OMB from fiscal years 2012 to 2016--an amount that is approximately $219.1 million short of the total savings and avoidances that the department had reported to GAO as of September 2014. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: DOD concurred with, and has taken initial steps to implement, our priority recommendation. In March 2016, we determined that the department had identified a total of about $1.07 billion in data center consolidation cost savings from fiscal year 2012 through 2016. However, as of March 2017, the department had not yet fully reported its savings to the Office of Management and Budget, as we recommended. Specifically, as of June 2016, the department reported $859 million in savings to the Office of Management and Budget--an amount $211 million less than the $1.07 billion previously reported to us. However, as of March 2017, the department only reported $331 million to the Office of Management and Budget--a decrease of $528 million and $739 million less than what was previously reported to us. In light of the department's considerable planned savings, and the significant decrease in what is being reported, full and accurate reporting by the department is critical toward ensuring that the Office of Management and Budget and Congress have the ability to oversee DOD's progress against key data center consolidation initiative goals.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of the Interior agreed with, and has taken initial steps to implement, our recommendation. In September 2014, we found that the department had reported fiscal year 2012 to 2015 cost savings and avoidances of $84.42 million to GAO, but had only reported $13.59 million to OMB--a difference of approximately $70.83 million. Moreover, as of February 2017, the department had not yet fully reported its savings to OMB, as we recommended. Specifically, the department had reported a total of about $13.61 million in cost savings and avoidances to OMB from fiscal years 2012 to 2016--an amount that is approximately $70.81 million short of the total savings and avoidances that the department had reported to GAO as of September 2014. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with our recommendation, but had not yet taken steps to implement it. In September 2014, we found that the department had reported fiscal year 2012 to 2015 cost savings and avoidances of $140.18 million to GAO, but had only reported $7.36 million to OMB--a difference of approximately $132.82 million. However, in February 2017, the department had still only reported a total of $4.89 million in data center consolidation savings and avoidance to OMB. We will continue to evaluate the department's progress in implementing this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: Treasury did not comment on this recommendation and has not comprehensively reported cost savings and avoidances, as we recommended. For example, as of March 2017, Treasury had reported about $1.14 billion in data center consolidation-related cost avoidances in its quarterly report to OMB--an increase of about $734 million compared to a previous report. However, the department has not yet reported to OMB other cost avoidances totaling about $210 million that the department had previously reported to us. We will continue to monitor Treasury's progress against this recommendation.
    Recommendation: The Secretaries of Agriculture, Commerce, Defense, Energy, the Interior, Transportation, the Treasury, and Department of Veterans Affairs; the Administrators of the Environmental Protection Agency and NASA; and the Director of the Office of Personnel Management should direct responsible officials to report all data center consolidation cost savings and avoidances to OMB in accordance with established guidance.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management agreed with our recommendation, but has not yet taken steps to implement it. In September 2014, we found that the agency had reported fiscal year 2012 to 2015 cost savings and avoidances of $3.40 million to GAO, but had not reported any of its savings and avoidances to the Office of Management and Budget as required. As of March 2017, the agency had not yet reported any data center consolidation cost savings and avoidances to the Office of Management and Budget. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To better ensure that the Federal Data Center Consolidation Initiative (FDCCI) improves governmental efficiency and achieves cost savings, the Director of OMB should direct the Federal chief information officer (CIO) to utilize the existing PortfolioStat review sessions to assist the Department of Health and Human Services (HHS), Interior, Justice, Labor, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) in identifying data center consolidation cost savings opportunities.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) agreed with, and has taken initial steps to implement, our recommendation. Specifically, in June 2015, OMB issued a memorandum that discussed the fiscal year 2015 PortfolioStat requirements, including that agencies should hold PortfolioStat sessions on a quarterly basis (versus annually, as done previously) with OMB, the agency chief information officer, and other attendees. The memorandum also stated that, during these sessions, agencies are expected to discuss a strategy to reduce duplication and waste within the IT portfolio of the agency, identify projected cost savings resulting from such strategy, and identify ways to increase the efficiency and effectiveness of IT investments, among other things. However, as of March 2017, several agencies were still reporting limited savings from their consolidation efforts. For example, the Department of Transportation reported closing 146 data centers through February 2017, but had reported only $4.9 million in savings. As another example, the Department of Labor reported closing 25 data centers through February 2017, but reported no resulting cost savings. Until OMB assists these agencies with limited or no cost savings reported, they may not be able to identify the full extent of savings from their consolidation efforts. We will continue to evaluate OMB's progress in implementing this recommendation.
    Director: David Powner
    Phone: (202) 512-9286

    8 open recommendations
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of Agriculture
    Status: Open

    Comments: We are in the process of reviewing agency documentation and waiting for additional supporting documentation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of the Treasury
    Status: Open

    Comments: We contacted the agency and are awaiting its response on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Department of State
    Status: Open

    Comments: The Department of State established a requirement for completing a cloud computing service alternatives analysis for all new projects, and that existing IT projects be evaluated for the viability to migrate to a cloud computing environment. Further, the department established key factors for consideration when selecting applications for migration to a cloud environment. However, State has not yet evaluated a majority of its IT investments for cloud alternatives. The department said it plans to complete evaluations for some of these investments by the end of FY2017, but has not yet established plans to evaluate over a third of its investments.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to ensure that all IT investments are assessed for suitability for migration to a cloud computing service.

    Agency: Small Business Administration
    Status: Open

    Comments: We are waiting for a response from SBA on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of Agriculture
    Status: Open

    Comments: We are in the process of waiting for additional department documentation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of the Treasury
    Status: Open

    Comments: We are waiting for a response from the department on the status of efforts to implement this recommendation.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Department of State
    Status: Open

    Comments: The Department of State established a requirement for completing a cloud computing service alternatives analysis for all new projects, and that existing IT projects be evaluated for viability to migrate to a cloud computing environment. Further, the department established key factors for consideration when selecting applications for migration to a cloud environment. However, the department has not yet established evaluation dates for the vast majority of the investments that have not been assessed for migration to the cloud. Specifically, the department plans to complete evaluations for some of these investments by the end of fiscal year 2017, but does not plan to do so for most of them.
    Recommendation: To help ensure continued progress in the implementation of cloud computing services, the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury; and the Administrators of the General Services Administration and Small Business Administration should direct their respective Chief Information Officers to establish evaluation dates for those investments identified in this report that have not been assessed for migration to the cloud.

    Agency: Small Business Administration
    Status: Open

    Comments: We are waiting for a response from the department on the status of efforts to implement this recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    3 open recommendations
    including 2 priority recommendations
    Recommendation: To improve the completeness and accuracy of data submissions to the USASpending.gov website, the Director of the Office of Management and Budget, in collaboration with Treasury's Fiscal Service, should clarify guidance on (1) agency responsibilities for reporting awards funded by non-annual appropriations; (2) the applicability of USASpending.gov reporting requirements to non-classified awards associated with intelligence operations; (3) the requirement that award titles describe the award's purpose (consistent with our prior recommendation); and (4) agency maintenance of authoritative records adequate to verify the accuracy of required data reported for use by USASpending.gov.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: As of July 2017, OMB and Treasury were working to implement the DATA Act, which includes several provisions that may address these recommendations once fully implemented. 1) OMB staff said they continue to deliberate on agency responsibilities for reporting awards funded by non-annual appropriations. 2) OMB staff provided a Frequently Asked Question (FAQ) addressing the applicability of USASpending.gov reporting requirements for recipient information related to classified or sensitive information. GAO reviewed the FAQ and determined that additional guidance is still needed to ensure complete reporting of unclassified awards as required by FFATA. 3) OMB staff have agreed that it will be important to clarify guidance on how agencies can report on award titles that appropriately describe the awards' purposes and noted that they are working on providing additional guidance to agencies as part of their larger DATA Act implementation efforts. 4) OMB released policy guidance in May 2016 (MPM 2016-03) that identifies the authoritative sources for reporting procurement and award data. However, GAO's review of this policy guidance determined that it does not address the underlying source that can be used to verify the accuracy of non-financial procurement data or any source for data on assistance awards.
    Recommendation: To improve the completeness and accuracy of data submissions to the USASpending.gov website, the Director of the Office of Management and Budget, in collaboration with Treasury's Fiscal Service, should develop and implement a government-wide oversight process to regularly assess the consistency of information reported by federal agencies to the website other than the award amount.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: As part of their DATA Act implementation efforts, OMB issued policy guidance in May 2016 (MPM 2016-03) that identifies authoritative systems to validate agency spending information. The guidance also directs agency DATA Act Senior Accountable Officials (SAOs) to provide a quarterly assurance regarding the data reported to USASpending.gov and specifies that this assurance should leverage data quality and management controls established in statute, regulation, and Federal-wide policy and be aligned with the internal control and risk management strategies in Circular A-123, and provides information on how agency DATA Act SAOs are to provide assurances over the spending data reported to USASpending.gov. In addition, Treasury's broker is to provide an additional set of validation rules to further ensure the proper formatting of data submitted to USAspending.gov. OMB staff noted that OMB and Treasury had prioritized the linking of financial data to award data as a means of addressing the issue of unreported awards we previously identified. We agree that linking financial and award data can help agencies identify gaps in reporting. However, as of July 2017, OMB did not identify any new or revised processes aimed at addressing the accuracy concerns we addressed other than citing agencies' responsibility to certify the accuracy of their data.
    Recommendation: To improve the completeness of foreign recipient data on the USASpending.gov website, the Chief Executive Officer of the Millennium Challenge Corporation should direct responsible officials within the Corporation's Department of Administration and Finance to report spending information on all assistance award programs to USASpending.gov for prior and future fiscal years in accordance with statutory requirements and OMB guidance.

    Agency: Millennium Challenge Corporation
    Status: Open

    Comments: The Millennium Challenge Corporation has begun reporting awards made in fiscal year 2015. As of July 2017, it has not yet reported awards for previous fiscal years, as we had recommended. We will continue to follow up.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    100 open recommendations
    including 2 priority recommendations
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Agriculture
    Status: Open

    Comments: In written comments to our report, the Department of Agriculture concurred with our recommendation. In July 2017, Agriculture reported on actions taken to address this recommendation, including the development of a draft software license management policy to address Information Technology Asset Management (ITAM) procedures and practices. We will follow up with the department to monitor its progress in completing an agency-wide comprehensive policy for the management of software licenses.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation and, in July 2017, reported that it has established a comprehensive software license inventory. We will request additional information to validate the extent to which Agriculture addressed this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation. In July 2017, Agriculture reported on actions taken to address this recommendation. For example, Agriculture reported that it uses the BigFix network management tool to track software. We will request additional information to validate the extent to which Agriculture regularly tracks and maintains the department's inventory of software licenses and analyzes software data to inform decision making.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture agreed with our recommendation. In July 2017, Agriculture reported on actions taken to address this recommendation. For example, Agriculture reported that it continues to analyze existing contracts to show their utilization. We will request additional information to validate the extent to which Agriculture analyzes agency-wide software license data to identify opportunities to reduce costs and better inform investment decision making.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Agriculture should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Agriculture
    Status: Open

    Comments: In July 2017, Agriculture reported on actions taken to address this recommendation. For example, Agriculture reported that members of its Category Management Team have worked with GSA over the past year to better understand the terms and conditions of vendors, such as Oracle and Microsoft. In addition, Agriculture reported that the members maintain a Contracting Officer's Representative certification and attend continuous training on software procurement, contracting laws, regulations, and negotiations. We will request additional information to validate the extent to which Agriculture provided appropriate agency personnel with sufficient software license management training.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing software licenses across the department. In addition, Commerce reported that the IPT is chartered to refine the department's software licenses policy over time and provide guidance in establishing an enterprise license software management practice. We will continue to monitor the department's progress in implementing a comprehensive software license management policy.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing licenses across the department. In addition, the department reported that the IPT is chartered to refine the software policy over time and provide guidance in establishing an enterprise license management practice. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Commerce
    Status: Open
    Priority recommendation

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, Commerce reported that it has conducted an inventory of software licenses through a data call and inventory collection template. Commerce also reported that it is evaluating how to automate the inventory process by leveraging the portfolio of deployed network discovery tools for identifying installed licensed products, collating and ingesting the information into a repository for maintenance and reporting of the data. We will continue to monitor the department's progress in implementing automated discovery and inventory tools in support of its department-wide software license inventory.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, Commerce reported that it has conducted an inventory of software licenses through a data call and inventory collection template. Commerce also reported that it is evaluating how to automate the inventory process by leveraging the portfolio of deployed network discovery tools for identifying installed licensed products, collating and ingesting the information into a repository for maintenance and reporting of the data. We will continue to monitor the department's progress in implementing automated discovery and inventory tools in support of its department-wide software license inventory.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing licenses across the department. In addition, the department reported that the IPT is chartered to refine the software policy over time and provide guidance in establishing an enterprise license management practice. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce partially concurred with our recommendation. In April 2017, the department reported that it has established an integrated project team (IPT) with representation from the bureau enterprise architecture teams to develop a methodology of managing licenses across the department. In addition, the department reported that the IPT is chartered to refine the software policy over time and provide guidance in establishing an enterprise license management practice. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, the Department of Defense reported that it was in the process of developing policy and guidance for software license management with issuance expected by the end of fiscal year 2017. As of July 2017, the department did not provide additional information. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Defense
    Status: Open

    Comments: In March 2016, the Department of Defense (DOD) reported on actions to implement a more centralized software license management approach. For example, the department reported that the DOD CIO is leveraging the DOD Enterprise Software Initiative and joint enterprise license agreement efforts centrally managed by the Defense Information Systems Agency to coordinate centralized acquisitions for licenses that are commonly purchased across DOD. The DOD CIO also issued a memorandum on November 16, 2015 directing department-wide migration to the Microsoft Windows 10 Operating System by January 2017 for all Windows-based desktop and laptop computers, which will support an enterprise approach for centrally coordinating software license management. However, as of July 2017, the department did not provide additional information. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense partially concurred with this recommendation to develop a comprehensive inventory for the management of software licenses. In March 2016, DOD reported on actions to implement a comprehensive inventory using automated tools. For example, DOD reported that it has completed a software inventory license reporting plan and continues to automate security domains for asset management and plans to implement automated support and processes for software license management processes in Fiscal Year 2020. However, as of July 2017, the department did not provide additional information. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense partially concurred with this recommendation to develop a comprehensive inventory for the management of software licenses. In March 2016, DOD reported on actions to implement this recommendation. For example, DOD reported that it has completed a software inventory license reporting plan and continues to automate security domains for asset management and plans to implement automated support and processes for software license management processes in Fiscal Year 2020. However, the department did not provide additional information as of July 2017. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: The Department of Defense concurred with this recommendation. DOD made progress in implementing this recommendation by analyzing Fiscal Year 2013 selected software inventory data from 31 of 32 components. However, as of October 2016, DOD had not yet fully implemented this recommendation because it had not established automated discovery and inventory tools to maintain and track a comprehensive inventory of licenses, which are needed to fully and routinely analyze agency-wide software licensing data. Further, the department did not provide additional information as of July 2017. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Defense should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Defense
    Status: Open

    Comments: The Department of Defense concurred with this recommendation. In March 2016, DOD reported on actions to implement this recommendation. For example, DOD added a new webinar training session on software license management and developed a two-day in-person training course on "Strategic Vendor Management" that introduces participants to category management best practices for commercial software. DOD also reported that it expects to establish additional training on software license management by the end of fiscal year 2016. However, the department did not provide updated information as of July 2017. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Education should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education concurred with this recommendation. In August 2016, the Department provided evidence that it has developed agency-wide policy that addresses six of the seven elements that a comprehensive software licensing policy should specify. However, as of August 2017, the department did not provide evidence that its policy specifically addresses the analysis of software license data such as usage to inform decision making. We will follow up with the agency to obtain additional information on its software licensing policy and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Education should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education concurred with this recommendation. In August 2016, the department reported that it regularly analyzes agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making. For example, the department said that it manually analyzes software data by comparing data in the software inventory database with requests for software acquisitions. However, as of August 2017, the department did not provide documentation on its analysis of agency-wide software license data or on the extent to which this information was used to inform investment decisions to identify opportunities to reduce costs. We will follow up with the department to obtain documentation supporting actions to fully implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Education should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education concurred with this recommendation. The department has made progress in implementing this recommendation by providing its staff with software license training, including training on its software tracking database. In addition, the department's Software Asset Management and Acquisition Policy (SAMA) requires employees to take training on the SAMA policy and computer software piracy. However, as of August 2017, the department did not demonstrate that it offers training in other important areas specific to software license management, such as contract terms and conditions, laws, and regulations. We will continue to monitor the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it has taken a number of steps to aggregate software licensing. In March 2017, Energy reported that it had developed an agency-wide comprehensive policy for the management of software licenses. In addition, the department reported that the policy encourages the consolidation of software package acquisition, volume purchasing arrangements, enterprise wide agreements and best practices in software implementation. However, the department has not yet provided documentation of its policy. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it had taken a number of steps to aggregate software licensing, and at that time had no plans to centralize software licensing. In March 2017, the department reported that its Office of the Chief Information Officer's Enterprise Wide Agreement (EWA) program hosts periodic conference calls with key IT representatives across the department's complex and recommends common software for consideration by the EWA program. In addition, the department reported that its Office of Management, Strategic Programs Division holds meetings throughout the department to facilitate a centralized management approach towards purchasing. However, the department has not provided evidence that it employs a centralized software management approach that is coordinated and integrated with key personnel for the majority of the agency's software licenses spending and/or enterprise-wide licenses. We will continue to monitor the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it had taken a number of steps to aggregate software licensing, and at that time had no plans to centralize software licensing. In March 2017, the department reported that its Office of the Chief Information Officer's Enterprise Wide Agreement (EWA) program hosts periodic conference calls with key IT representatives across the department's complex and recommends common software for consideration by the EWA program. In addition, the department reported that its Office of Management, Strategic Programs Division holds meetings throughout the department to facilitate a centralized management approach towards purchasing. However, the department has not provided evidence that it employs a centralized software management approach that is coordinated and integrated with key personnel for the majority of the department's software licenses spending and/or enterprise-wide licenses. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Energy
    Status: Open

    Comments: In Energy's written comments the agency neither agreed nor disagreed with our recommendation. In March 2017, DOE reported on actions to implement this recommendation. Consistent with the Act's provisions, Energy is working with GSA on providing usage data and support needed for the establishment of government-wide software contracts. The agency noted that it continues to use Continuous Monitoring and Diagnostic tools to inventory and consolidate software usage and eliminate unnecessary maintenance support costs. We have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Energy
    Status: Open

    Comments: In the Department of Energy's written comments the agency neither agreed nor disagreed with our recommendation, but stated it has taken a number of steps to aggregate software licensing. In March 2017, Energy stated that it is analyzing agency-wide software data through the CIO's Enterprise Wide Agreement program which hosts periodic conference calls with key IT representatives across Energy. However, Energy has not provided evidence that it is fully analyzing agency-wide software license data to inform investment decisions and identify opportunities to reduce costs. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Energy should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Energy
    Status: Open

    Comments: In Energy's written comments the agency neither agreed nor disagreed with our recommendation. In March 2017, the department noted that training for employees is managed on an office-by-office basis as part of the Individual Development and Training Needs Assessment Process and those individuals needing such training can be self-identified or identified by their supervisor for training. We will follow up with Energy to obtain documentation on its software license management training.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Health and Human Services should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) neither agreed nor disagreed with this recommendation. We have requested documentation regarding implementation of this recommendation, and as of July 2017, are awaiting a response. We will follow up with HHS to obtain supporting documentation and continue monitoring its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the CDM implementation will facilitate normalization efforts across DHS by defining common software license and maintenance requirements. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the CDM implementation will provide DHS with an automated capability for IT hardware and software asset discovery; IT asset inventory tracking; software inventory normalization; software license optimization; data sharing capabilities, and thus ensure full compliance with the requirement to maintain a continual agency-wide inventory of software licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that the tracking of software assets and inventory will be implemented as CDM is rolled out to each DHS Component. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Homeland Security should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, the Department of Homeland Security (DHS) reported that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) tool that enables industry best practices and standards for software license management. DHS also reported that CDM tracking of software assets and inventory will be implemented as CDM is rolled out to each DHS Component. The CDM tool will provide DHS with an automated capability for IT hardware and software asset discovery; IT asset inventory tracking; software inventory normalization; software license optimization; data sharing capabilities, and thus ensure full compliance with the requirement to maintain a continual agency-wide inventory of software licenses, including all licenses purchased, deployed, and in use, as well as spending on subscription services. As this data is captured, the DHS OCIO, OSDO will analyze the software license data to track cost, usage, and benefits to establish spending data that allows the Department to perform trend analysis. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In written comments to our report, HUD agreed to take executive actions to address our recommendation and noted steps the agency plans to take. In its May 2017 update, HUD stated that the department developed a draft policy that will implement policies and responsibilities for managing software licenses and a software license consolidation plan to enable maintenance and enforcement of the software license management policy. In addition, the department reported that it appointed a software license manager who is the single point of contact for software license management. According to HUD, the targeted completion for implementing this recommendation is the first quarter of 2018. We will follow-up with the Department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In May 2017, HUD reported that its Office of the Chief Information Officer (CIO) has achieved full operational capability for the agency's Federal Asset Management Enterprise System (FAMES) and began to populate the FAMES with information on the agency's software assets in January 2017. However, HUD noted that it still needs to implement and test the PRISM interface with the FAMES, which the agency expects to be completed by the end of fiscal year 2017. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In written comments to our report, HUD agreed to take executive actions to address our recommendation. In its May 2017 update, HUD reported on actions taken to implement this recommendation including the development of a GAP analysis to support acquisition and deployment of an automated software license management capability. According to HUD, this capability will provide the CIO with the data necessary to identify opportunities to reduce cost, implement IT commodity-consolidated acquisitions and buy licenses in bulk. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Housing and Urban Development should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In written comments to our report, HUD agreed to take executive actions to address our recommendation and noted steps the agency plans to take. In May 2017, HUD reported that the agency has worked with the Department of Defense (DOD) to offer DOD Enterprise Software Initiative (ESI) sponsored software license management training to staff and continues to work with peer agencies to identify opportunities to access required software management skills and other required training. HUD reported that its target completion for addressing this recommendation is the first quarter of 2018. We will follow-up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of the Interior
    Status: Open

    Comments: The Department of Interior (DOI) agreed with this recommendation. In March 2017, DOI reported that the department has drafted a comprehensive policy that is comprised of the core elements of software management. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Interior
    Status: Open

    Comments: In March 2017, DOI reported that the department is working on a comprehensive management approach for accounting for and managing IT Software Assets, and that this approach includes roles and responsibilities. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior (DOI) concurred with our recommendation. In March 2017, DOI reported that the department was working on a comprehensive management approach for accounting for and managing IT Software Assets. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior concurred with our recommendation. In March 2017, DOI reported that the department was working on a comprehensive management approach for accounting for and managing IT Software Assets. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior concurred with our recommendation. In March 2017, DOI reported that the department is working on a comprehensive management approach for accounting for and managing IT Software Assets. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Interior should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of the Interior
    Status: Open

    Comments: In written comments to our report, the Department of Interior partially concurred with our recommendation to provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. In March 2017, DOI reported that the department does and will continue to provide software license management training to agency personnel on contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management as appropriate. We will follow up with the department to obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Justice
    Status: Open

    Comments: In its June 2015 statement of actions to address our recommendations, the Department of Justice reported that it was pursuing a number of initiatives focused on improving Software License management. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Justice
    Status: Open

    Comments: The Department reported in June 2015 that it has taken initial steps to address our recommendations. For example, it reported using technology tools to pull software data being used within the infrastructure and to identify what software is not being used. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Justice
    Status: Open

    Comments: The Department in June 2015 reported that it has initiated steps to establish a comprehensive inventory of software licenses by using automated tools. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Justice
    Status: Open

    Comments: The Department has taken initial steps to regularly track and maintain a comprehensive inventory of software licenses. For example, the Department reported in June 2015, that it is managing a comprehensive inventory for major suppliers and exploring enterprise agreements with key suppliers to ensure compliance. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Justice
    Status: Open

    Comments: The Department reported in June 2015 that it has taken initial steps to analyze agency-wide software license data by providing better governance of software utilization to derive cost savings and by developing Enterprise License Agreements to achieve savings from processes across the components. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Justice should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Justice
    Status: Open

    Comments: The Department reported in June 2015 that it has taken initial steps to provide training to appropriate agency personnel. For example, in the department's Vendor Management Calls they provide training on processes and the use of tools, including contract terms, negotiations, laws and regulations, acquisition, security planning and configuration management. We contacted the department in July 2017 and are awaiting a response on the current status of efforts to implement this recommendation. We will continue to evaluate the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, the Department of Labor (DOL) reported that it plans to continue researching for an automated tool to identify, track and maintain the agency's software license inventory. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, the Department of Labor (DOL) reported that it plans to continue researching for an automated tool to identify, track and maintain the agency's software license inventory. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2017, the Department of Labor (DOL) reported that it was planning to assemble a cross-functional team before the end of fiscal year 2017 to evaluate solutions and tools for automated software management and to identify opportunities for enterprise-wide software agreements. We will continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Labor should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Labor
    Status: Open

    Comments: In June 2016, the Department of Labor reported that it now has one individual certified in software management and intends to provide training to additional staff over the next year. In June 2017, Labor reported on progress in implementing this recommendation. Specifically, Labor noted that it has two additional personnel with configuration management and software library certifications to help ensure effective management of software licenses. We will continue to monitor its progress in providing appropriate agency personnel with sufficient training on managing software licenses.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation. In July 2017, the department reported that its existing department policy identifies a single office within the department for managing the enterprise software licensing agreements. However, the department did not provide evidence that it addressed the weaknesses identified in our report including policies establishing a comprehensive inventory, analyses of software license data, training on management of software licenses, goals and objectives, and consideration of the software license life-cycle phases. We will follow-up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with our recommendation. In July 2017, the department reported that existing policy identifies roles and responsibilities for key stakeholders in the acquisition of software including the CIO and systems owners. However, the department did not provide evidence that it addressed the weaknesses identified in our report including employing a centralized management approach to the software licenses that had been managed on a bureau by bureau basis. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it currently has insight into procurement information as well as a broad range of software inventory information available via the department's current network monitoring toolset and purchasing system. In addition, the department stated that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) initiative spearheaded by the Department of Homeland Security. According to the department, the CDM is expected to provide an improved, more consolidated, user-friendly, and actionable view into software license data on its network. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it currently has insight into procurement information as well as a broad range of software inventory information available via the department's current network monitoring toolset and purchasing system. In addition, the department stated that it is in the process of implementing the Continuous Diagnostics and Mitigation (CDM) which is expected to become the department's automated tool to track its software inventory. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it currently conducts software license analysis on a contract-by-contract basis, with a focus on the highest-dollar contracts. In addition, the department stated that the implementation of the Continuous Diagnostics and Mitigation (CDM) automated tool is expected to provide a baseline of inventory, usage, and trending data that combined with our acquisition insight will permit decision makers to identify opportunities for future centralized, enterprise agreements. We will continue to monitor the department's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of State should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of State
    Status: Open

    Comments: The Department of State concurred with, and has taken steps to implement our recommendation. In July 2017, the department reported that it has provided software license management training to the agency's Information Resource Management and acquisition personnel and that the agency plans to provide more relevant software license training in the future. We will follow-up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, DOT stated that it has developed a policy addressing components of centralized management and management of software licenses through the entire life cycle. In addition, DOT updated its policy to address regularly tracking licenses using automated tools, analyzing license data to inform investment decision making, providing license management training to personnel, and establishing goals and objectives of the program. However, while DOT's Order 1351.21 states that each Enterprise License Agreement will be accompanied by a licensed management portal to provide department-wide transparency on how many licenses are available and when licenses need to be renewed, the policy did not include details on procedures for establishing a comprehensive inventory by identifying and collecting information about software license agreements using automated discovery and inventory tools. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, DOT reported that the Federal Information Technology Acquisition Reform Act (FITARA) guidance requires the department to maintain a continual agency-wide inventory of software licenses. However, DOT did not provide evidence that it had established a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses. We will follow-up with the department to obtain evidence of the implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, the Department of Transportation (DOT) noted that it was following guidance under the Federal Information Technology Acquisition Reform Act (FITARA). However, DOT did not provide evidence that it is regularly tracking and maintaining a comprehensive inventory of software licenses. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, the Department of Transportation (DOT) noted that it was following guidance under the Federal Information Technology Acquisition Reform Act (FITARA). However, DOT did not provide evidence that it analyzes agency-wide software license data to identify opportunities to reduce cost and inform decisions. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Transportation
    Status: Open

    Comments: In February 2017, the Department of Transportation (DOT) reported that its Office of the Chief Information Officer (OCIO) is piloting the Staff Training Education and Professional Development Program (STEP) for all OCIO employees. The courses cover areas such as contracting and negotiations, laws and regulations and security training. However, DOT reported that the training is not specific to software licensing, although elements of software management are covered in full through the offerings within the STEP program. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented, the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented, the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented, the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented, the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. According to Treasury, once implemented, the CDM capabilities will enhance the department's security posture and provide the department with capabilities for automatically collecting software and hardware inventories. Treasury stated that it will then work with its bureaus to develop common procedures, policies and capabilities for auditing and tracking software inventories. Treasury also stated that these tools, policies and procedures will allow the department to study usage and better inform future procurement needs to minimize cost and duplication. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation. We will follow up with Treasury to monitor its progress in implementing this recommendation and obtain supporting documentation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of the Treasury should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of the Treasury
    Status: Open

    Comments: In its July 2016 statement on corrective actions to address our recommendations, Treasury reported that it continues to be dependent on the rollout of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. In March and September of 2017, we contacted the department and are awaiting a response on the status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Secretary of Veterans Affairs should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments to our report, the Department of Veterans Affairs (VA) agreed with our recommendation and reported that it made progress in providing software asset management (SAM) training to all personnel responsible for overseeing software enterprise license agreement (ELA) management. In September 2017, VA provided information on actions taken to address our recommendation. However, we have not yet validated agency actions on this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the Environmental Protection Agency should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environmental Protection Agency (EPA) reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses, an analysis to inform decision making, education and training goals and overall management throughout the lifecycle. In addition, EPA stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as its Office of Acquisition Management's consolidation of its Microsoft suite. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the Environmental Protection Agency should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environmental Protection Agency (EPA) reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses. In addition, EPA stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as leveraging its Office of Acquisition Management's consolidation of enterprise licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the Environmental Protection Agency should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, EPA reported that it is currently leveraging its Continuous Diagnostics and Mitigation program for a comprehensive software license inventory. EPA also reported that this comprehensive inventory will be provided via an automated dashboard. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the Environmental Protection Agency should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environmental Protection Agency (EPA) reported that it is currently leveraging its Continuous Diagnostics and Mitigation program for an automated tool that will establish a comprehensive software license inventory. EPA We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the Environmental Protection Agency should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environmental Protection Agency reported that it is currently leveraging its Continuous Diagnostics and Mitigation program for a comprehensive software license inventory that will be available by the second quarter of fiscal year 2017. EPA also stated that it has consolidated six of the agency's eight major software license contracts. In addition, EPA reported that it is currently conducting an analysis of licenses and maintenance with regard to category management to determine the current spend environment and visibility within the agency to develop strategies for addressing each platform. We will follow up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the Environmental Protection Agency should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: In June 2017, the Environmental Protection Agency (EPA) reported that it is working to develop a robust training curriculum that addresses all software license requirements including but not limited to negotiations, laws and regulations, and contract terms and conditions department wide. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the National Aeronautics and Space Administration should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has taken steps to implement our recommendation. In July 2017, NASA reported that the agency currently owns an enterprise software license management tool for the Office of the Chief Engineer and that the Office of the Chief Information Officer will be coordinating with stakeholders to pursue expanding the use of this system NASA-wide. NASA anticipates completing this effort by the end of fiscal year 2017.
    Recommendation: To ensure the effective management of software licenses, the Administrator of the National Aeronautics and Space Administration should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has taken steps to implement our recommendation. In July 2017, NASA reported that the agency currently owns an enterprise software license management tool for the Office of the Chief Engineer and that the Office of the Chief Information Officer will be coordinating with stakeholders to pursue expanding the use of this system NASA-wide. NASA anticipates completing this effort by the end of fiscal year 2017. We will continue to monitor NASA's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported on actions taken to implement this recommendation. For example, the agency reported that in July 2015 NSF issued a new acquisition policy that provides the Chief Information Officer central oversight authority for IT acquisitions including software agreements. However, the guidance does not specify policies on managing software licenses for regularly tracking and maintaining software licenses to assist the agency in implementing decisions throughout the software license management life cycle, analyzing software usage and other data to make cost-effective decisions and providing training relevant to software license management. We will continue to monitor the agency's progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported that it continues to regularly track and maintain a comprehensive inventory of software licenses. For example, NSF reported that in 2015 the agency implemented an automated tool to capture, track and report on software licenses. In addition, NSF reported that it is implementing Continuous Diagnostics and Mitigation (CDM) capabilities to further consolidate and centralize management of the agency's software asset inventory in an automated way. However, NSF did not provide documentation showing that it regularly tracks and maintains its inventory using automated tools and metrics. We will follow up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported on its progress in analyzing agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making. However, NSF did not provide documentation demonstrating that it analyzed agency-wide software license data to inform investment decisions and identify opportunities to reduce costs. We will follow up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the National Science Foundation should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: National Science Foundation
    Status: Open

    Comments: In March 2017, NSF reported that the agency is committed to providing software license training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. However, NSF did not provide documentation showing that this training includes aspects of sufficient software license management training such as contract terms and conditions or negotiations. We will follow up with the agency to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: The Nuclear Regulatory Commission (NRC) has taken steps to implement this recommendation. For example, in March 2017, NRC reported that the agency's Software Manager is in the process of developing the NRC Software Management Centralization Plan to meet NRC's business needs and to ensure compliance with applicable Federal mandates and guidelines, including those from the Office of Management and Budget, the Federal Information Technology Acquisition Reform Act, the Federal Information Security Management Act, and from the National Institute of Standards and Technology. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) stated that a manual effort is underway to gather and verify data associated with the software on the list to complete a comprehensive inventory of software licenses. NRC also reported that it has developed requirements for an information technology asset management tool to support the establishment of a comprehensive inventory of software licenses using automated tools. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) stated that a manual effort is underway to gather and verify data associated with the software on the list to complete a comprehensive inventory of software licenses. NRC also reported that it has developed requirements for an information technology asset management tool to support the establishment of a comprehensive inventory of software licenses using automated tools. Upon deployment of an automated tool, NRC reported that it will be able to regularly track and maintain a comprehensive inventory of all software licenses. We plan to follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) reported that the agency will analyze agency-wide software license data after it deploys an automated tool. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In March 2017, the Nuclear Regulatory Commission (NRC) reported that the agency plans to provide software license management training to all key personnel. NRC also reported that its software training is currently being developed by the Office of Management and Budget, the Federal Acquisition Institute and the Defense Acquisition University. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015, reported that it had developed a guide to capture enterprise architecture (EA) lifecycle activities including software licensing management, acquisition, and requirements during several points of the project lifecycle. We contacted the agency and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015 reported that it is finalizing a revised Life Cycle Management draft policy which will use stage gate reviews to evaluate the progress of projects including software licenses throughout the agency. According to OPM, once the new policy is approved, OPM subject matter experts will review project documentation during stage gate reviews to make written recommendations on whether projects should continue. OPM's Investment Review Board will then review that recommendation and other procurement documentation to make a final recommendation to the OPM Director. We contacted the agency and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. OPM also reported that it is assembling and performing quality reviews on hardware and software lists currently maintained in spreadsheets, in its EA Systems database, and Remedy database in order to consolidate the entire hardware and software asset inventory. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In written comments to our report, OPM concurred with our recommendations and noted actions the agency plans to take. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

    Agency: Office of Personnel Management
    Status: Open

    Comments: In written comments to our report, OPM concurred with our recommendations and noted actions the agency plans to take. We contacted the department and, as of September 2017, are awaiting a response on the current status of efforts to implement this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: The Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update, and clearly and explicitly issue incremental development guidance that addresses the following three components: (1) requires projects associated with major IT investments to deliver incremental functionality at least every 12 months, with the exception of the three types of investments identified in this report; (2) specifies how agencies are to define the project functionality that is to be delivered; and (3) requires agencies to define a process for enforcing compliance with incremental functionality delivery, such as the use of TechStat sessions.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: The Office of Management and Budget (OMB) agreed with our recommendation to update and issue incremental guidance, but disagreed that the time frame for incremental delivery should be changed to every 12 months. Subsequently, OMB began to take steps to address aspects of our recommendation. Specifically, in June 2014, OMB updated its information technology (IT) budget guidance to, among other things, define project functionality as any changes to an IT system that primarily provides new or improved capability to the end user. Additionally, in June 2015, OMB issued its guidance on how agencies are to implement December 2014 federal IT acquisition reform legislation. As part of that guidance, OMB required CIOs to ensure that all acquisition strategies and acquisition plans that include IT apply adequate incremental development principles. However, as of June 2017, OMB's annually updated IT budget capital planning guidance still requires that projects associated with major IT investments deliver functionality every 6 months, rather than every 12 months, as we recommended. In the absence of our recommended delivery time frame change, OMB is at risk of continuing to require functionality to be delivered in a time frame that we found to be unrealistic for many IT investments based on their current levels of performance. We will continue to evaluate OMB's progress in implementing the recently issued guidance and in considering a change in how often projects are to deliver functionality.
    Recommendation: The Secretaries of Defense, Health and Human Services, Homeland Security, and Transportation should modify, finalize, and implement their agencies' policies governing incremental development to ensure that those policies comply with OMB's guidance, once that guidance is made available.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) has begun to take steps to address this recommendation. Specifically, in January 2015, HHS established a working group on incremental development in order to define a methodology for more rapid development. Further, HHS officials reported in April 2017 that the department was working to finalize its new guidance on incremental development and CIO certification as required by OMB guidance but could not provide a time frame for when the policy would be finalized. Until HHS finalizes and implements its incremental development policy, its information technology expenditures are more likely to produce sub-optimal results. We will continue to evaluate HHS's progress in implementing this recommendation.
    Recommendation: When updating their policies, the Secretaries of Defense, Health and Human Services, Homeland Security, and Transportation should consider the factors identified in this report as enabling and inhibiting incremental development.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services (HHS) has begun to take steps to address this recommendation. Specifically, in January 2015, HHS established a working group on incremental development in order to define a methodology for incremental development that would address the factors identified in the report. Further, HHS officials reported in April 2017 that the department was working to finalize its new guidance on incremental development and CIO certification as required by OMB guidance but could not provide a time frame for when the policy would be finalized. Until HHS updates and implements its incremental development policy, its information technology expenditures are more likely to produce sub-optimal results. We will continue to evaluate HHS's progress in implementing this recommendation.
    Director: David A. Powner
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: To improve the reliability of reported cost and schedule variance information for major investments, the Commissioner of IRS should direct the Chief Technology Officer to ensure that projected cost and schedule variances for in-process activities are updated monthly, for the six investments for which we reviewed monthly updates, consistent with OMB and Treasury reporting requirements, by ensuring investment staff have a consistent understanding of the information to be included in monthly reports.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: To address this recommendation, in October 2014, IRS provided training to its project staff, which focused on, among other things, the monthly update of investment performance information. In addition, in fiscal year 2016, IRS began using a tool to track performance information, including progress in meeting cost and schedule goals for ongoing investments, for two investments in development. IRS is now expanding the use of this tool to other investments. As of November 2017, we were reviewing the implementation of the tool as part of an ongoing review of IRS's information technology operations. We will determine whether IRS's implementation of the tool fully addresses this recommendation.
    Director: Carol R. Cha
    Phone: (202) 512-4456

    1 open recommendation
    Recommendation: To better ensure that the Defense Agencies Initiative (DAI) implements effective risk management and information technology (IT) acquisition best practices, the Secretary of Defense should direct the Director of the Defense Logistics Agency to direct the DAI program office to establish a comprehensive risk log that includes all up-to-date risks with evaluations and categorizations that comply with DLA's defined parameters; and associated mitigation plans.

    Agency: Department of Defense
    Status: Open

    Comments: The Defense Logistics Agency established a risk log for DAI that includes risk evaluations and categorizations, and associated mitigation plans. We will continue monitoring the program's implementation of this recommendation to ensure that the agency is periodically reviewing the status of each risk and updating DAI's risk log and mitigation plans, as intended by the recommendation.
    Director: Linda T. Kohn
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To address challenges that affect the ability of providers to electronically exchange health information, the Secretary of Health and Human Services should direct CMS and ONC to develop and prioritize specific actions that HHS will take consistent with the principles in HHS's strategy to advance health information exchange.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of August 28, 2014, HHS provided some information indicating that it had begun the process of developing milestones with time frames for its actions toward advancing exchange, and that it plans to make them publicly available. Because HHS has only just begun the process and has not provided documentation, these actions are in progress and therefore not complete. We will follow up in fiscal year 2015 to gather additional information to determine if the actions fully address the recommendation.
    Recommendation: To address challenges that affect the ability of providers to electronically exchange health information, the Secretary of Health and Human Services should direct CMS and ONC to develop milestones with time frames for the actions to better gauge progress toward advancing exchange, with appropriate adjustments over time.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As of August 28, 2014, HHS provided some information indicating that it had begun the process of developing milestones with time frames for its actions toward advancing exchange, and that it plans to make them publicly available. Because HHS has only just begun the process and has not provided documentation, these actions are in progress and therefore not complete. We will follow up in fiscal year 2015 to gather additional information to determine if the actions fully address the recommendation.
    Director: Valerie C. Melvin
    Phone: (202) 512-6304

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to establish a means for evaluating progress toward institutionalizing management controls and commit to time lines for activities and next steps.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: As of April 2017, HUD had not yet established a means for evaluating progress toward institutionalizing IT management controls. According to HUD officials, the department expects to evaluate the controls through an update to its IT Management Framework scheduled to be completed during fiscal year 2017.
    Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to define the scope, implementation strategy, and schedule of its overall modernization approach, with related goals and measures for effectively overseeing the effort.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: In August 2016, HUD officials reported that the department was taking actions intended to establish a new, stronger enterprise approach for IT development and operations. As of April 2017, the department reported that it was in phase 2 of a 4-phase application assessment initiative expected to address this recommendation. However, HUD has not yet provided evidence of how the new approach is expected to define the scope, implementation strategy, and schedule for modernizing the department's IT.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    17 open recommendations
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should revise guidance on computer matching to clarify whether front-end verification queries are covered by the Computer Matching Act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should direct agencies to address all key elements when preparing cost-benefit analyses.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should ensure that agencies receive assistance in implementing computer matching programs as envisioned by the act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB performs annual reviews and submits annual reports on the agency's computer matching activities, as required by the act.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Education should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education stated that it has already developed policies and procedures for preparing cost-benefit analyses related to computer matching agreements (CMA). The agency believes these analyses already incorporate the appropriate key elements, although it continues to reexamine them in the interest of continuous improvement. ED also noted that not all key elements apply to every computer matching program. For example, the agency did not think it appropriate to address the recovery of improper payments and debts for matching programs to establish eligibility. However, we believe all key elements should be addressed in cost benefit analyses, even if only to note that certain types of benefits have been considered and determined not to be applicable in the specific circumstances of a given computer matching program. Without a thorough assessment, the Data Integrity Board may not have sufficient information to determine whether a thorough cost analysis has been conducted. In 2017, the agency provided three cost benefit analyses from recent CMAs that include personnel and computer costs.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information needed to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Veterans Affairs should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Administrator of Social Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Social Security Administration
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Powner, David A
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To better ensure that the Dashboard provides meaningful ratings and reliable investment data, the Director of OMB should direct the Federal CIO to make accessible regularly updated portions of the public version of the Dashboard (such as CIO ratings) independent of the annual budget process.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: Although the Federal CIO did not agree or disagree with our recommendation, OMB has taken initial steps to implement it. Specifically, OMB recently updated the Dashboard with a number of changes, and OMB officials stated in 2015 that they intended for the Dashboard to be able to show updates throughout the year. That said, OMB has yet to implement this recommendation. Specifically, OMB did not publish updates to the public version of the Dashboard during the fiscal year 2018 budget formulation process, starting at the end of August 2016. We will continue to monitor the Dashboard to determine if portions of the public version of the Dashboard (such as CIO ratings) are available throughout the year. Maintaining the availability of these data is important for increasing the utility of the Dashboard as a tool for greater IT investment oversight and transparency.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Commerce should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce disagreed with this recommendation. In written correspondence, the Department noted that, although it is no longer reporting three of the 10 investments reviewed for this engagement on the IT Dashboard, it is maintaining oversight through monthly Dashboard-like assessments. As of July 28, 2016, the Department stated that it did not have plans to re-categorize these three particular investments as IT and report the data on the IT Dashboard. We continue to believe that this recommendation has merit and will monitor the Department's efforts to maintain oversight for these investments.
    Recommendation: To better ensure that the Dashboard provides accurate ratings, the Secretary of Energy should direct the department CIO to ensure that the department's investments are appropriately categorized in accordance with existing statutes and that major IT investments are included on the Dashboard.

    Agency: Department of Energy
    Status: Open

    Comments: While the Department of Energy had agreed with this recommendation, in subsequent written correspondence, it explained that five of the eight investments noted by GAO as being IT were no longer being reported in the IT Portfolio on the Dashboard. Instead, the Department was reporting these data to OMB via an alternative reporting mechanism specific to high performance computing. In addition, the Department noted that the remaining three investments were deconsolidated or downgraded into non-major investments, or eliminated by funding and, as such, these investments will not be included on the Dashboard. However, we continue to believe that this recommendation has merit and that the remaining investments are more properly classified as IT. We will continue to monitor the Department's efforts to maintain oversight for these investments.
    Director: Powner, David A
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: The Secretary of Health and Human Services should direct appropriate officials to assess whether it would be cost effective to consolidate the remaining functions of the Medicare coverage determination systems.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We contacted the department and are awaiting a response on its efforts to implement this recommendation.
    Director: Powner, David A
    Phone: (202) 512-9286

    1 open recommendation
    Recommendation: The Secretaries of Agriculture and Commerce should address the weaknesses in agency- and bureau-led TechStat processes and management outlined in this report.

    Agency: Department of Agriculture
    Status: Open

    Comments: The agency partially agreed with our assessment of the agency's TechStat process, but has not yet implemented our recommendation. At the time of our review, we identified several weaknesses in the agency's TechStat processes and management, including holding bureau-led TechStats, incorporating TechStats in its capital planning and governance structure, providing training on TechStats, and consistently capturing action steps, deadlines, and responsibilities in its TechStat memorandums. In an April 2017 update, the agency stated that it had not held any TechStats in 2016, but had identified several candidates for TechStats within the next 6 months. In addition, the agency plans to update its capital planning documents to include the TechStat program in late summer 2017. In addition, it has not finalized its TechStat training documentation, but plans to complete the documentation in late summer 2017. We will continue to monitor the implementation of this recommendation.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    2 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that HUD effectively and efficiently manages its modernization efforts aimed at improving its IT environment to support mission needs, the Secretary of Housing and Urban Development should direct the Deputy Secretary to establish a plan of action that identifies specific time frames for correcting the deficiencies highlighted in this report for both its ongoing projects, as applicable, and its planned projects, to include (1) developing charters that define what constitutes project success and establish accountability, (2) finalizing deliverable-oriented work breakdown structures and associated dictionaries that define the detailed work needed to accomplish project objectives, (3) completing comprehensive project management plans that reflect cost and schedule baselines and fully incorporate subsidiary management plans, (4) establishing requirements management plans that include prioritization methods to be applied and metrics for determining how products address requirements, (5) completing matrixes to include requirements traceability from mission needs through implementation, and (6) establishing strategies to guide how acquisitions are managed in accordance with other processes and that performance metrics are established.

    Agency: Department of Housing and Urban Development
    Status: Open
    Priority recommendation

    Comments: HUD did not agree or disagree with, but stated it had planned actions intended to address, our recommendation. As of April 2017, HUD provided evidence of its updated project planning and management process, including requirements for improvements to project charters and management plans, but we have not yet seen evidence that HUD's actions have fully addressed deficiencies in other project management documentation.
    Recommendation: To improve development and use of the department's project management framework, the Secretary should direct the Customer Care Committee to review the role and responsibilities of the Technical Review Subcommittee and ensure that the department's governance structure operates as intended and adequately oversees the management of all of its modernization efforts.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: HUD agreed with our recommendation and reported plans for the Customer Care Committee to review the roles and responsibilities of the Technical Review Subcommittee. As of March 2017, HUD had finalized an updated Subcommittee charter. We are reviewing changes made to the charter and plan to observe the Subcommittee's operation under the revised guidance.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    6 open recommendations
    Recommendation: To effectively implement key components of DOD's business systems modernization program, the Secretary of Defense should direct the Deputy Chief Management Officer to define by when and how the department plans to develop an architecture that would extend to all defense components and include, among other things, (a) information about the specific business systems that support business enterprise architecture (BEA) business activities and related system functions; (b) business capabilities for the Hire-to-Retire and Procure-to-Pay business processes; and (c) sufficient information about business activities to allow for more effective identification of potential overlap and duplication.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, the Department of Defense (DOD) had taken steps to address the recommendation; however, more steps are needed to meet its intent. For example, as of July 2015, the department had taken steps to improve the integration of business enterprise architecture (BEA) information with other existing information. This integration was intended to allow DOD to identify information such as mapping of existing business systems to individual BEA system functions. In addition, in January 2017, the department issued a plan to improve the usefulness of the architecture by delivering three major capabilities, including the ability to conduct process and system reviews within and across domains, which can help better identify potential duplication and overlap, by January 2017. The plan also included other activities that may help support the identification of duplication and overlap, such as developing a federated ontology for BEA data structures, migrating legacy architecture data into the federated ontology, and defining requirements to enable extensible data structures for future updates, by June 2016. However, the department has not developed the ontology or delivered the capability to conduct process and system reviews within and across domains. An official from the Office of the Deputy Chief Management Officer stated in September 2017 that the BEA ontology work is ongoing and that a plan for moving the existing BEA content to the new framework is in development. The official also stated that delivery of the capability to conduct process and system reviews within and across domains is now planned for June 2018, depending on contract award. However, DOD has not updated its BEA improvement plan to reflect the revised delivery dates. In addition, the department also has not identified the business capabilities associated with the Hire-to-Retire and Procure-to-Pay business processes. 
    The department continues to update its business architecture, but it has not demonstrated that it has defined by when and how it plans to develop an architecture that would extend to all defense components and include business capabilities for the Hire-to-Retire and Procure-to-Pay business processes.
    Recommendation: To effectively implement key components of DOD's business systems modernization program, the Secretary of Defense should direct the Deputy Chief Management Officer to ensure that the functional strategies include all of the critical elements identified in DOD investment management guidance, including performance measures to determine progress toward achieving the goals that incorporate all of the attributes called for in the department's guidance.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense (DOD) had taken some steps to address the intent of this recommendation. However, more remains to be done to fully address the intent of the recommendation. For example, we reported in July 2015 that the department established performance measures in its functional strategies that addressed at least some of the five attributes called for in DOD guidance. In particular, all of the fiscal year 2015 functional strategies identified examples of quantitative metrics. However, not all functional strategies identified metrics that addressed the other attributes. As of August 2017, this continues to be the case. For example, the fiscal year 2017 human resources management functional strategy did not address prior year business outcomes and initiatives progress, as required by the February 2015 investment management guidance.
    Recommendation: To effectively implement key components of DOD's business systems modernization program, the Secretary of Defense should direct the Deputy Chief Management Officer to select and control its mix of investments in a manner that best supports mission needs by (a) documenting a process for evaluating portfolio performance that includes the use of actual versus expected performance data and predetermined thresholds; (b) ensuring that portfolio assessments are conducted in key areas identified in our IT investment management framework: benefits attained; current schedule; accuracy of project reporting; and risks that have been mitigated, eliminated, or accepted to date; and (c) ensuring that the documents provided to the Defense Business Council as part of the investment management process include critical information for conducting all assessments.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not addressed the recommendation. In February 2017, the department issued DOD Instruction 5000.75, Business Systems Requirements and Acquisition, to assist in managing defense business systems. Further, in April 2017, the department updated its investment management guidance. However, neither the instruction nor the revised guidance calls for a process for evaluating portfolio performance that includes the use of actual versus expected performance data and predetermined thresholds. The instruction and the revised guidance also do not specify a process for ensuring that portfolio assessments are conducted in key areas identified in our information technology investment management framework: benefits attained; current schedule; accuracy of project reporting; and risks that have been mitigated, eliminated, or accepted to date. Further, the department has not demonstrated that it has ensured that documents provided to the Defense Business Council (i.e., the investment review board) include critical information for conducting assessments, such as information about system scalability to support additional users or new features in the future and cost in relationship to return on investment.
    Recommendation: To effectively implement key components of DOD's business systems modernization program, the Secretary of Defense should direct the Deputy Chief Management Officer to implement and use the BEA and business process reengineering compliance assessments more effectively to support organizational transformation efforts by (a) disclosing relevant information about known weaknesses, such as BEA and business process reengineering compliance weaknesses for systems that were not certified or certified with qualifications in annual reports to Congress; (b) establishing milestones by which selected validations of BEA compliance assertions are to be completed; and (c) ensuring that appropriate business process reengineering assertions have been completed on all investments submitted for the fiscal year 2014 certification reviews prior to the certification of funds.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense (DOD) has taken steps to address the intent of the recommendation; however, more remains to be done. For example, the 2015 Congressional Report on Defense Business Operations included some information consistent with our recommendation. In particular, it contained information about weaknesses for systems that were certified with qualifications. The report stated that the department conditionally approved 29 military department and 30 defense agency requests pending Defense Business Council (DBC) approval of their problem statements. The report also cited the specific systems that were conditionally approved pending approval of their problem statements. In addition, in February 2017, the department issued an instruction (DOD Instruction 5000.75, Business Systems Requirements and Acquisition). The instruction requires that the certifying official verify that a capability is aligned with the business enterprise architecture (BEA) prior to a decision to proceed with a solutions analysis phase. The instruction also requires the certifying official to validate that sufficient business process reengineering (BPR) has been conducted to determine that a business system is required. The Office of the Deputy Chief Management Officer (DCMO) explained in August 2017 that the office reviews BEA compliance assertions in BEA compliance reporting tools, and if any issues are found with the assertions they are documented in investment decision memos. In addition, for BPR assertions, the office stated that DCMO portfolio leads review the assertions to determine if a system has required documentation. For those that have no plan of action or BPR assertions, according to the office, the DCMO team works with the domain or portfolio owners to ensure that a plan of action is documented. 
    However, the department did not provide evidence to demonstrate that BEA assertions have been validated for selected investments or that BPR assertions have been validated for all its investments as part of its last annual certification process.
    Recommendation: To effectively implement key components of DOD's business systems modernization program, the Secretary of Defense should direct the Deputy Chief Management Officer to develop a skills inventory, needs assessment, gap analysis, and plan to address identified gaps as part of a strategic approach to human capital planning for the Office of the Deputy Chief Management Officer.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, the Department of Defense (DOD) had not addressed this recommendation, and the Office of the Deputy Chief Management Officer (DCMO) stated that it does not plan to address it. Specifically, it said that the department did not concur with the recommendation, and that, further, it had been overcome by other events. According to DOD officials, the recommendation has been overcome by several reorganizational changes, including one based on reviews of the department's business processes and systems. The Office of the DCMO stated that the department used a skills inventory, needs assessment, and gap analysis to do these reorganizations, and there are no open positions beyond those occurring from normal attrition. However, the Office of the DCMO did not provide evidence of the skills inventory, needs assessment, and gap analysis that it said it used in its reorganizations. We still consider the recommendation to be valid and will continue to monitor its implementation as part of our periodic assessments of DOD efforts to manage its defense business systems.
    Recommendation: The Secretary of Defense should direct the appropriate authority to ensure that complete documentation, such as root cause analyses, assessments of existing interfaces for reuse opportunities, and performance metrics related to the reengineering efforts, is provided as part of the fiscal year 2014 certification and approval process for the Integrated Personnel and Pay System - Army (IPPS-A), Integrated Personnel and Pay System - Navy (IPPS-N), Air Force Integrated Personnel and Pay System (AF-IPPS), and Integrated Electronic Health Record (iEHR) investments.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, the Department of Defense (DOD) had taken some steps to address the intent of this recommendation, and other aspects of the recommendation have been overcome by events. However, more work is needed to demonstrate that the department has more fully addressed the intent of our recommendation. For example, in July 2015, we reported that the department demonstrated that it had completed documentation, such as root cause analyses, assessments of existing interfaces for reuse opportunities, and performance metrics related to the reengineering efforts, and that the documentation was provided as part of the certification and approval process for the Air Force Integrated Personnel and Pay System investment. However, since we made the recommendation, the department has changed its approach to evaluating business process reengineering for its defense business systems. As a result of this change, the department requires different documentation than the documentation required when we prepared our report. The department now requires business process reengineering to be documented in a problem statement. In particular, the December 2014 DOD problem statement guidance requires a description of and validation that a thorough review of the business process reengineering was conducted, and no longer specifically requires root cause analyses, assessments of existing interfaces for re-use opportunities, or performance metrics related to reengineering efforts. Regarding the Integrated Personnel and Pay System - Army, in September 2017, the department demonstrated that it had completed a March 2016 description of its business process reengineering efforts and provided supporting documentation as part of its review and certification process. 
    However, as of September 2017, the department had not demonstrated that complete documentation related to reengineering efforts has been submitted as part of its annual certification and approval process for the Integrated Personnel and Pay System - Navy (IPPS-N) investment. According to an official from the Office of the Deputy Under Secretary of the Navy (Management), the department expects the IPPS-N problem statement to be complete by the end of September 2017. Regarding the Integrated Electronic Health Record investment, the Office of the Deputy Chief Management Officer stated that the department does not plan to conduct business process reengineering because the investment is now in sustainment, and the department does not require business process reengineering for systems in sustainment.
    Director: Gomez, Jose A
    Phone: (202) 512-3841

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To ensure that EPA maximizes its limited resources and addresses the statutory, regulatory, and programmatic needs of EPA program offices and regions when IRIS toxicity assessments are not available, and once demand for the IRIS Program is determined, the EPA Administrator should direct the Deputy Administrator, in coordination with EPA's Science Advisor, to develop an agencywide strategy to address the unmet needs of EPA program offices and regions that includes, at a minimum: (1) coordination across EPA offices and with other federal research agencies to help identify and fill data gaps that preclude the agency from conducting IRIS toxicity assessments, and (2) guidance that describes alternative sources of toxicity information and when it would be appropriate to use them when IRIS values are not available, applicable, or current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of August 2017, EPA's Integrated Risk Information System (IRIS) Program officials stated that IRIS assessments that support policy and regulatory decisions for EPA's programs and regions, and state agencies, are being consolidated into a new portfolio to optimize the application of best available science and technology. According to IRIS Program officials, the new portfolio is being shaped for use by many EPA program and regional offices, states, and other federal agencies. IRIS Program officials told us that they expect these changes to significantly increase the number of completed assessments. GAO will update this recommendation after receiving documentation that elaborates on the new portfolio, or other efforts, that strengthen coordination across EPA offices and with other federal research agencies to help identify and fill data gaps, and describe alternative sources of information, consistent with the intent of the original recommendation.
    Director: Powner, David A
    Phone: (202) 512-9286

    3 open recommendations
    Recommendation: To improve the reliability of reported cost and schedule variance information for the seven major investments we reviewed, the Acting Commissioner of IRS should direct the Chief Technology Officer to improve the reliability of cost estimates by addressing the weaknesses we identified in this report so that each investment at least substantially meets each of the characteristics of a reliable cost estimate.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We followed up on the status of IRS's actions to address this recommendation for the Customer Account Data Engine (CADE) 2, the Return Review Program (RRP), and IRS.gov, the three investments with significant planned expenditures for development in fiscal year 2017, according to data reported on the Federal IT dashboard (the remaining four investments in our 2013 review are primarily in operations and maintenance based on the same IT dashboard data). We selected CADE 2, RRP, and IRS.gov because they would benefit most from improvements to cost estimates given their life cycle stage. In the summer of 2017, IRS provided documentation to demonstrate actions taken to address the weaknesses we had identified with the CADE 2 and RRP cost estimates. We are currently analyzing this information. For IRS.gov, IRS told us the investment had been in operations and maintenance for several years and was therefore not producing the cost documentation that is typically associated with development efforts. We requested documentation supporting this claim and as of September 2017 were waiting to receive it.
    Recommendation: To improve the reliability of reported cost and schedule variance information for the seven major investments we reviewed, the Acting Commissioner of IRS should direct the Chief Technology Officer to improve the extent to which schedules are well-constructed and controlled by addressing the weaknesses we identified in this report so that each investment at least substantially meets each of these characteristics.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We followed up on the status of IRS's actions to address this recommendation for the Customer Account Data Engine (CADE) 2, the Return Review Program (RRP), and IRS.gov, the three investments with significant expenditures planned for development in fiscal year 2017, according to data reported on the Federal IT dashboard (the remaining four investments in our 2013 review are primarily in operations and maintenance based on the same IT dashboard data). We selected CADE 2, RRP, and IRS.gov because they would benefit most from improvements to schedule estimates given their life cycle stage. In the summer of 2017, IRS provided documentation to demonstrate actions taken to address the weaknesses we had identified with the CADE 2 and RRP schedule estimates. We are currently analyzing this documentation. For IRS.gov, IRS told us the investment had been in operations and maintenance for several years and was therefore not producing the schedule estimates that are typically associated with development efforts. We requested documentation supporting this claim and as of September 2017 were waiting to receive it.
    Recommendation: To improve the reliability of reported cost and schedule variance information for the seven major investments we reviewed, the Acting Commissioner of IRS should direct the Chief Technology Officer to develop and implement guidance that specifies best practices--such as including evaluating critical path (for projected schedule), using earned value management data, evaluating the performance of completed work and comparing it to the remaining budget, assessing commitment values for material needed to complete remaining work, and estimating future conditions--to consider when determining projected cost and schedule amounts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In June 2016, we reported on IRS's development and implementation of its Investment Performance Tool for tracking cost, schedule and scope metrics for its IT investments. At the time, IRS was using the tool for two investments. As of September 2017, we were reviewing the agency's use of the tool as part of an ongoing review. We plan to further examine the use of the tool and the supporting guidance to determine the extent to which they address this recommendation.
    Director: Mctigue Jr, James R
    Phone: (202) 512-7968

    2 open recommendations
    including 1 priority recommendation
    Recommendation: The Acting Commissioner of the Internal Revenue Service should direct appropriate officials to develop a long-term strategy to improve web services provided to taxpayers, in accordance with Howto.gov and other federal guidance outlined in our report. To accomplish this, the IRS should establish a numerical or other measurable goal to improve taxpayer satisfaction and a timeframe for achieving it.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS has made progress in improving its online services strategy, as we recommended, but as of March 2017, IRS has not yet completed its efforts. IRS's strategy has evolved from a singular focus on on-line services to a more comprehensive strategy of taxpayer interaction through all service channels. In February 2016, IRS announced an agency-wide Future State Initiative, which, in part, aims to deliver service improvements across different taxpayer interactions such as individual online accounts assistance, exams, and collections. In July 2016, the official responsible for IRS's on-line office reported that the agency is working towards developing an overall customer service satisfaction goal as part of the IRS Future State Initiative. The official said that this goal is broadly meant to cover various ways the public interacts with IRS, including web, phone, correspondence, and walk-in. In November 2016, IRS provided documentation on the goals of the Future State Initiative. However, this documentation does not include specific numerical targets for the performance measures that IRS expects to achieve for each goal or a timeline to achieve those goals. As of March 2017, IRS is continuing to incorporate a customer service satisfaction goal in its upcoming strategic plan.
    Recommendation: The Acting Commissioner of the Internal Revenue Service should direct appropriate officials to develop a long-term strategy to improve web services provided to taxpayers, in accordance with Howto.gov and other federal guidance outlined in our report. To accomplish this, the IRS should develop business cases for all new online services, describing the potential benefits and costs of the project, and use them to prioritize future projects.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: IRS has made progress in improving its online services strategy, as we recommended, but as of March 2017, IRS has not yet completed its efforts. IRS's strategy has evolved from a singular focus on on-line services to a more comprehensive strategy of taxpayer interaction through all service channels. In February 2016, IRS announced an agency-wide Future State Initiative, which, in part, aims to deliver service improvements across different taxpayer interactions such as individual online accounts assistance, exams, and collections. In addition, IRS revised its business case template in 2014 to include, among other things, a discussion of costs, benefits, and risks of future projects, consistent with our recommendation. However, IRS did not use the template to develop its Online Account business case, which it provided to us as an example in September 2015. We reviewed IRS documentation and found that the business case contained some of the information we recommended, such as high-level time frames, but was missing other information, such as the benefits and costs of the project. Further, it is unclear how IRS plans to use the business case to prioritize future projects. In March 2016, IRS reported that it had implemented a new process for online investments that requires details on expected benefits and costs to be reviewed by the senior executives for prioritization and follow-up. As of March 2017, we requested additional documentation concerning this process. Analyses of benefits and costs can help agencies decide which new projects to start in a manner that maximizes the benefits derived from agency resources.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To better ensure that GCSS-Army implements effective risk management and project monitoring and control practices, the Secretary of Defense should direct the Secretary of the Army to direct the GCSS-Army program office to specify the roles and responsibilities of the IV&V agent to ensure that it acts as a third party that validates and verifies the risks and mitigation plans developed by the program office and system integrator.

    Agency: Department of Defense
    Status: Open

    Comments: According to officials from Army's Program Executive Office Enterprise Information Systems in July 2017, the Army is working to draft an updated independent verification and validation policy in response to our recommendation. These officials expected the policy to be signed by the Program Executive Officer later this summer. We will continue to follow up with the Army regarding this draft policy and the implementation of this recommendation.
    Director: Powner, David A
    Phone: (202) 512-9286

    5 open recommendations
    including 1 priority recommendation
    Recommendation: To ensure that major steady state IT investments are being adequately analyzed, the Secretaries of Defense, Veterans Affairs, and the Treasury should direct appropriate officials to develop an OA policy, annually perform OAs on all investments, and ensure the assessments include all key factors.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has stated it is developing OA policy, but has yet to provide a timeframe for when it will be completed. In addition, we are waiting for fiscal year 2016 OAs.
    Recommendation: To ensure that major steady state IT investments are being adequately analyzed, the Secretaries of Defense, Veterans Affairs, and the Treasury should direct appropriate officials to develop an OA policy, annually perform OAs on all investments, and ensure the assessments include all key factors.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: The Department of Treasury has developed an OA policy and is currently performing OAs on investments. However, we are waiting for fiscal year 2016 investment OAs to determine if all key factors are being met.
    Recommendation: To ensure that major steady state IT investments are being adequately analyzed, the Secretaries of Defense, Veterans Affairs, and the Treasury should direct appropriate officials to develop an OA policy, annually perform OAs on all investments, and ensure the assessments include all key factors.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We are waiting for VA to provide its finalized OA policy and for fiscal year 2016 OAs.
    Recommendation: The Secretaries of Homeland Security and Health and Human Services should direct their Chief Information Officers to ensure OAs are performed annually on all major steady state investments and the assessments include all key factors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: The Department of Homeland Security has updated its OA policy and is currently performing OAs on investments. We received fiscal year 2016 OAs for CBP but are waiting for the rest of the department's OAs for FY2016.
    Recommendation: The Secretaries of Homeland Security and Health and Human Services should direct their Chief Information Officers to ensure OAs are performed annually on all major steady state investments and the assessments include all key factors.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We are waiting for HHS's fiscal year 2016 OAs.
    Director: Cha, Carol
    Phone: (202) 512-3000

    33 open recommendations
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture has not implemented this recommendation. In January 2017, the department provided an action plan that indicated it would address the recommendation by November 2017.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not implemented this recommendation. We reported in September 2012 that the department had established metrics to measure and report outcomes associated with its enterprise architecture program, such as information technology cost savings, but it had yet to establish a method (i.e., steps to be followed) for measuring such outcomes. In April 2017, a department liaison reported that the Office of the Chief Information Officer had developed an initial draft of an enterprise architecture value measurement plan. However, as of August 2017, the department had not demonstrated that the plan had been finalized.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense had not addressed our recommendation for either of the department's enterprise architectures we reviewed in 2012. With respect to the DOD enterprise architecture, we reported in 2012 that, according to officials, DOD's approach to establishing a method and metrics for measuring enterprise architecture strategic mission value (outcomes and benefits) would be accomplished through the development and publication of a DOD instruction and an enterprise architecture management plan. In particular, DOD's June 2012 draft instruction on enterprise architecture called for establishing metrics for assessing the effectiveness of the enterprise architecture to provide information that contributes to mission effectiveness and efficiency. In addition, the draft Enterprise Architecture Management Plan called for the development of metrics to assess the use of enterprise architecture, provided examples of potential metrics, including reduction in redundancies in DOD's portfolio, and called for the development of baseline and target threshold values for each selected metric. The plan also stated that the DOD CIO and architecture organization were to determine the final set of metrics and threshold values based on the resources available to assess the metrics. However, according to a March 2016 memo from the Deputy Chief Information Officer for Information Enterprise to the DOD Inspector General, the department no longer planned to publish an instruction related to enterprise architecture and considered our recommendation closed. The memo also described structures and processes for developing, managing, and applying DOD's architecture that it said fulfilled what would have been the intent of a DOD instruction on enterprise architecture, including governance, requirements, acquisition, portfolio management, and budgeting. However, the memo did not discuss measuring architecture outcomes. 
    With respect to its business enterprise architecture, in August 2016, the department stated that it did not have a systematic methodology for measuring the business value of its business enterprise architecture. Department officials noted that our July 2015 report "DOD Business Systems Modernization: Additional Action Needed to Achieve Intended Outcomes" (GAO-15-627) concluded that the business enterprise architecture has yielded limited value. The officials stated that internal department management assessments and component feedback supported these determinations. The department also stated that it used our report as a key method for measuring enterprise architecture outcomes and is acting on the results. Specifically, the department stated that senior management has directed changes to the department's Business Enterprise Architecture program. However, as of August 2017, the department had not provided documentation indicating that it planned to establish an approach for measuring business enterprise architecture outcomes. We will continue to follow up on the department's efforts to address this recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Defense: Department of the Air Force
    Status: Open

    Comments: As of August 2017, the Department of the Air Force had not implemented this recommendation. As of September 2016, the department reported architecture-related outcomes to top agency officials, including the numbers of defense business systems decommissioned. However, the department did not demonstrate that it had established an approach, including metrics and a documented method, to measure enterprise architecture outcomes. We will continue to monitor the Air Force's efforts to implement this recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Department of the Navy has partially implemented this recommendation. Specifically, the department demonstrated that it had established a metric to measure the percentage of server-based systems and applications that are virtualized annually. However, the department has yet to demonstrate that it documented the steps to be followed for measuring this virtualization. In October 2015, Navy developed a plan of actions and milestones to address elements in GAO's Enterprise Architecture Management Maturity Framework, including the element focused on measuring and reporting enterprise architecture outcomes, by September 2017. We will continue to monitor the Navy's efforts to implement this recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: The Department of the Army has taken steps to address this recommendation, but much more remains to be done. Specifically, since we reported in September 2012 that one of the department's three segment architectures had established a metric and a method to measure architecture outcomes, one of the remaining segments had established metrics, but it had not documented the steps to measure the metrics. The other remaining segment had yet to establish metrics and a method to measure architecture outcomes. Specifically, in December 2013, the Generating Force segment (now known as the Business Mission Area) developed an Army Business Management Strategy, which included metrics to measure the number of business systems retired over five years and cost savings and avoidance through use of the Army's business enterprise architecture. However, the department had not demonstrated that it had documented the steps to measure the metrics. In addition, the Operating Force segment has not demonstrated that it had established metrics and a method to measure architecture outcomes. In September 2015, the Army developed a plan of actions and milestones to address elements of GAO's Enterprise Architecture Management Maturity Framework, including the element focused on measuring and reporting enterprise architecture outcomes, by September 2017. We will continue to monitor the Army's efforts to implement this recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy has not implemented our recommendation. In March 2017, the department's Office of the Chief Information Officer reported that the department was evaluating actions to better integrate enterprise architecture practices into the department's information technology strategic planning, capital planning and investment control, and program management processes. The Office of the Chief Information Officer further reported that the department expected to develop a plan to measure and report architecture outcomes by the end of fiscal year 2017.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has not taken sufficient steps to implement our recommendation. In June 2014, the department established metrics associated with the department's enterprise architecture (e.g., cost savings/avoidance gained through consolidated systems). However, as of August 2017, the department had not provided evidence that it had documented a method for measuring the metrics, or that it plans to do so. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not implemented this recommendation. In July 2017, the department stated that, by the end of fiscal year 2018, it would include the adoption and implementation of measurable enterprise architecture outcomes as part of upcoming information technology strategic planning efforts. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of the Treasury
    Status: Open

    Comments: As of August 2017, the Department of the Treasury had not implemented our recommendation. We reported in September 2012 that the department had established enterprise architecture metrics, but that it had not established a methodology for measuring its architecture outcomes. In June 2016, the department reported that it did not plan to establish an approach to measure architecture outcomes. Specifically, the department stated that it measured cost, schedule, and operational outcomes, but it did not attribute these measures to any practice, such as architecture. Nonetheless, we continue to believe that it is important to measure the value of its enterprise architecture and we will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has yet to implement this recommendation. In June 2017, the department's Information Resource Management GAO liaison stated that the department was in the process of developing an enterprise architecture plan. According to the liaison, the plan is to include a structured approach to capturing, evaluating, and assessing relevant performance-related data. The liaison also stated that the target completion date for the plan is June 2018.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: As of August 2017, the Environmental Protection Agency had not implemented this recommendation and did not have a specific plan to do so. In March 2014, the agency submitted its Enterprise Roadmap to the Office of Management and Budget, which included metrics associated with potential outcomes related to its enterprise architecture efforts, such as cost savings gained from consolidating and sharing services. However, the agency had not established steps to be followed for measuring architecture outcomes. More recently, according to its May 2015 Enterprise Roadmap, the agency no longer planned to measure architecture-related outcomes. We will continue to monitor the agency's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has taken steps to implement this recommendation, but more remains to be done. In December 2013, NASA issued Enterprise Architecture Procedures, which stated that key enterprise architecture metrics, such as cost savings and reduction of duplication, would be established. The procedures also stated that NASA's Chief Architect was to work with internal and external stakeholders to develop and mature metrics that provide information on enterprise architecture benefits and clearly illustrate progress or deficiencies in key areas. In January 2017, an official from NASA's Office of the Chief Information Officer described steps that NASA was taking to establish an approach for measuring architecture outcomes. However, as of August 2017, NASA had not demonstrated that it has documented a method and metrics for measuring outcomes.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: National Science Foundation
    Status: Open

    Comments: As of March 2017, the National Science Foundation had not implemented this recommendation. The agency stated that it is committed to measuring and reporting enterprise architecture results and outcomes and that it continues to adopt the Office of Management and Budget's recommended approach to enterprise architecture measurement. However, the agency did not provide supporting documentation. We will continue to monitor its efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Small Business Administration
    Status: Open

    Comments: The Small Business Administration (SBA) has not implemented our recommendation or established a plan to do so. In April 2014 and May 2015, SBA submitted to the Office of Management and Budget its Enterprise Roadmap, which included metrics associated with the agency's enterprise architecture, such as cost savings gained from consolidating systems. However, as of August 2017, the agency had yet to document the steps to be followed for measuring architecture outcomes. In July 2016, a Program Manager from the SBA Office of Congressional and Legislative Affairs stated that, going forward, progress for the SBA enterprise architecture program was expected to be limited because of limited labor resources. Nevertheless, we will continue to monitor the agency's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management has not implemented this recommendation. In September 2016, the agency's Office of Internal Oversight and Compliance reported that it planned to develop an enterprise architecture strategic plan in the third quarter of fiscal year 2017. The plan was to include application rationalization metrics and a method for measurement. However, as of August 2017, the agency had not demonstrated that it had addressed the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Agriculture
    Status: Open

    Comments: The Department of Agriculture has not yet implemented this recommendation. In January 2017, the department provided its action plan to address the recommendation by November 2017.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Commerce
    Status: Open

    Comments: The Department of Commerce has not implemented this recommendation. In November 2012, the department reported architecture outcomes, such as information technology cost savings, to top agency officials. However, the department has not reported architecture outcomes again to top agency officials or to the Office of Management and Budget. In April 2017, a department liaison reported that the Office of the Chief Information Officer had developed an initial draft enterprise architecture value measurement plan, which the department expected to complete by May 2017. In addition, the official reported that the department was in the process of developing a communication plan, by May 2017, to brief executive leadership on architecture value measurement on a regular basis. However, as of August 2017, the department had not demonstrated that these plans had been finalized.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Defense
    Status: Open

    Comments: As of August 2017, the Department of Defense (DOD) had not implemented this recommendation for either of the department's enterprise architectures we reviewed in 2012. With respect to the DOD enterprise architecture, the department had not measured and reported architecture outcomes and benefits. We reported in 2012 that, according to DOD officials, the implementation of an instruction on enterprise architecture and an enterprise architecture management plan would allow the benefits of architecture to be measured and reported. However, according to a March 2016 memo from the Deputy Chief Information Officer for Information Enterprise to the DOD Inspector General, the department no longer planned to publish an instruction related to enterprise architecture and considered our recommendation closed. The memo also described structures and processes for developing, managing, and applying DOD's architecture, including governance, requirements, acquisition, portfolio management, and budgeting. However, the memo did not discuss measuring and reporting enterprise architecture outcomes. With respect to its business enterprise architecture, in August 2016, the department stated that it did not have a systematic methodology for measuring the business value of its business enterprise architecture. Department officials further stated that our July 2015 report "DOD Business Systems Modernization: Additional Action Needed to Achieve Intended Outcomes" (GAO-15-627) concluded that the business enterprise architecture had yielded limited value. As a result of our report, the department stated that senior management had directed changes to the department's Business Enterprise Architecture program. However, as of August 2017, the department had not provided documentation indicating that it planned to establish an approach for measuring and reporting business enterprise architecture outcomes. We will continue to follow up on the department's efforts to address this recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Defense: Department of the Navy
    Status: Open

    Comments: The Department of the Navy has not implemented this recommendation. Specifically, the department has not demonstrated that it has measured and reported enterprise architecture outcomes and benefits to top agency officials. In October 2015, the department developed a plan of actions and milestones to address elements in GAO's Enterprise Architecture Management Maturity Framework, including the element focused on measuring and reporting enterprise architecture results and outcomes by September 2017. We will continue to monitor the Navy's efforts to implement this recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Energy
    Status: Open

    Comments: The Department of Energy has not yet implemented the recommendation. In March 2017, the department's Office of the Chief Information Officer reported that the department is evaluating actions to better integrate enterprise architecture practices into the department's information technology strategic planning, capital planning and investment control, and program management processes. The Office of the Chief Information Officer also reported that the department expects to develop a plan to measure and report architecture outcomes by the end of fiscal year 2017 and to have routine measures and reporting in place during fiscal year 2018.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Justice
    Status: Open

    Comments: The Department of Justice has not sufficiently implemented our recommendation. Although the department reported cost savings through use of its enterprise architecture, as of August 2017, it has not provided documentation to support that the cost savings have been reliably measured.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Labor
    Status: Open

    Comments: The Department of Labor has not implemented this recommendation. In July 2017, the department stated that it planned to include, by the end of fiscal year 2018, the adoption and implementation of measurable enterprise architecture outcomes as part of upcoming information technology strategic planning efforts. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of the Treasury
    Status: Open

    Comments: As of August 2017, the Department of the Treasury had not measured and reported enterprise architecture outcomes in accordance with our recommendation. Moreover, in June 2016, the department reported that it does not plan to do so. In September 2012, we reported that the department had reported architecture outcomes; however the metrics had not been periodically measured and reported. Subsequently, in its February 2014 Information Technology Enterprise Roadmap, the department reported a reduction in infrastructure spending as a percentage of its information technology budget from fiscal year 2010 through fiscal year 2013 and attributed the results to enterprise architecture. However, the department did not demonstrate that it had reliably measured the outcome. Specifically, it did not provide supporting documentation. In June 2016, the department reported that it did not plan to establish an approach to measure and report architecture outcomes. Nonetheless, we continue to believe our recommendation is warranted and will monitor the department's efforts to implement it.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs has not implemented this recommendation. In July 2017, the department stated that in the fall of 2016, the Chief Information Officer instituted a new information technology governance framework and established the Architecture Board that is responsible for overseeing all aspects of the department's architecture. According to the department, as of July 2017, the board was formulating enterprise architecture priorities, including the measurement and reporting of architecture outcomes and benefits. The department anticipated that priority enterprise architecture measures and reporting requirements would be established by the end of fiscal year 2017, and that actual reporting to the board will begin by December 2017.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Department of State
    Status: Open

    Comments: The Department of State has not implemented our recommendation. According to the department's Information Resource Management GAO liaison, the department will complete an updated enterprise architecture plan and establish desired performance outcomes by December 2017.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: The Environmental Protection Agency has not implemented this recommendation. In March 2014, the agency submitted to the Office of Management and Budget its Enterprise Roadmap, which identified outcomes associated with its enterprise architecture efforts. For example, the agency reported cost savings achieved in fiscal year 2013 related to consolidating and sharing services. However, the agency did not demonstrate that it reliably measured the outcome (i.e., it did not provide supporting documentation). More recently, according to its May 2015 Enterprise Roadmap, the agency no longer planned to measure architecture-related outcomes. As of August 2017, the agency had not demonstrated that it had taken additional actions to address this recommendation. Nonetheless, we continue to believe that it is important that the agency measure the value of its enterprise architecture and will monitor its efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: National Aeronautics and Space Administration
    Status: Open

    Comments: The National Aeronautics and Space Administration (NASA) has not implemented this recommendation. In February 2017, the agency reported that enterprise architecture performance outcomes were being refined for incorporation into its 2017 Information Resource Management Strategic Plan. However, as of August 2017, NASA had not demonstrated that it has measured and reported architecture outcomes.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: National Science Foundation
    Status: Open

    Comments: As of March 2017, the National Science Foundation had not implemented this recommendation. The agency stated that it is committed to measuring and reporting enterprise architecture results and outcomes and that it continues to adopt the Office of Management and Budget's recommended approach to enterprise architecture measurement. However, the agency did not provide supporting documentation. We will continue to monitor its efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Small Business Administration
    Status: Open

    Comments: As of August 2017, the Small Business Administration had not implemented this recommendation. Specifically, it had not demonstrated that it has measured architecture outcomes. In July 2016, the agency reported that, going forward, desired progress for its enterprise architecture program was expected to be limited because of limited labor resources. Nevertheless, we will continue to monitor the agency's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

    Agency: Office of Personnel Management
    Status: Open

    Comments: The Office of Personnel Management (OPM) has not implemented this recommendation. In September 2016, OPM's Office of Internal Oversight and Compliance reported that the agency planned to develop an enterprise architecture strategic plan in the third quarter of fiscal year 2017, which was to include measuring and reporting application rationalization metrics to OPM senior executives and the Office of Management and Budget. However, as of August 2017, the agency had not demonstrated that it had addressed the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Health and Human Services and Housing and Urban Development should ensure that enterprise architecture outcomes are periodically measured and reported to top agency officials.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The Department of Health and Human Services has not implemented this recommendation, or provided a plan to do so. As of August 2017, it had not demonstrated that it had measured architecture metrics that it had established in its April 2014 Enterprise Roadmap. We will continue to monitor the department's efforts to implement the recommendation.
    Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, and to assist agencies in measuring and reporting outcomes achieved through enterprise architecture, the Director of OMB should ensure that the planned December 2012 guidance for enterprise architecture value measurement and reporting includes (1) sufficient details on the method and metrics that agencies could use to measure their architecture program's value and (2) a requirement for agencies to include in their April 2013 enterprise roadmap submissions a measurement method (i.e., steps to be followed) and metrics, and report on the outcomes and benefits achieved through enterprise architecture.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: As of July 2017, the Office of Management and Budget (OMB) had not fully addressed our recommendation. In March 2013, the office required agencies to submit annually an Enterprise Roadmap, which was to include an appendix on enterprise architecture outcomes. To prepare the appendix, the office provided agencies with a template to document architecture metrics and measurement methods. The template included examples of outcome metrics and a field where agencies were to document measurement methods. However, OMB did not provide details on the methods that agencies could use to measure architecture outcomes or require that agencies include the steps to be followed for measuring outcomes. Furthermore, as of July 2016, OMB no longer required agencies to submit a report of enterprise architecture outcomes. According to OMB's Integrated Data Collection guidance, the Office of the Federal Chief Information Officer reviewed the information requested from agencies and reduced it in an effort to reduce the reporting burden on agencies. Nonetheless, we continue to believe that it is important that OMB assist agencies in measuring outcomes achieved through enterprise architecture and require that outcomes be reported, in order to enhance agencies' ability to realize enterprise architecture benefits.
    Director: Draper, Debra A
    Phone: (202) 512-7114

    2 open recommendations
    Recommendation: To clarify IT requirements within the Executive Agreement, to enable VA and DOD to make an informed recommendation about whether the FHCC should continue after the end of the demonstration, and to provide useful information for other integrations that may be considered in the future, the Secretaries of Veterans Affairs and Defense should develop plans with clear definitions and specific deliverables, including time frames for two IT capabilities--documentation of patient care to support medical and dental operational readiness and outpatient appointment enhancements--and formalize these plans, for example, by incorporating them into the Executive Agreement.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: As of July 2017, VA and DOD officials have not implemented this recommendation. GAO considers it to be open. We will update the status of this recommendation when we receive additional information.
    Recommendation: To clarify IT requirements within the Executive Agreement, to enable VA and DOD to make an informed recommendation about whether the FHCC should continue after the end of the demonstration, and to provide useful information for other integrations that may be considered in the future, the Secretaries of Veterans Affairs and Defense should develop plans with clear definitions and specific deliverables, including time frames for two IT capabilities--documentation of patient care to support medical and dental operational readiness and outpatient appointment enhancements--and formalize these plans, for example, by incorporating them into the Executive Agreement.

    Agency: Department of Defense
    Status: Open

    Comments: As of July 2017, VA and DOD officials have not implemented this recommendation. GAO considers it to be open. We will update the status of this recommendation when we receive additional information.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    1 open recommendation
    Recommendation: To ensure that DOD continues to implement the full range of institutional management controls needed to address its business systems modernization high-risk area, the Secretary of Defense should ensure that the Deputy Secretary of Defense, as the department's Chief Management Officer, establish a policy that clarifies the roles, responsibilities, and relationships among the Chief Management Officer, Deputy Chief Management Officer, DOD and military department Chief Information Officers, Principal Staff Assistants, military department Chief Management Officers, and the heads of the military departments and defense agencies, associated with the development of a federated business enterprise architecture (BEA). Among other things, the policy should address the development and implementation of an overarching taxonomy and associated ontologies to help ensure that each of the respective portions of the architecture will be properly linked and aligned. In addition, the policy should address alignment and coordination of business process areas, military department and defense agency activities associated with developing and implementing each of the various components of the BEA, and relationships among these entities.

    Agency: Department of Defense
    Status: Open

    Comments: As of September 2017, the Department of Defense had taken steps to address the intent of our recommendation, but had not issued a policy that addresses the various elements called for in our recommendation. For example, in January 2017, the department issued a business enterprise architecture improvement plan, which included providing, among other capabilities, the ability to conduct process and system reviews within and across domains by January 2017. The plan also included delivering a federated ontology for business enterprise architecture data structures by June 2016. However, as of September 2017, the Office of the Deputy Chief Management Officer stated that work to develop the federated ontology was ongoing. In addition, the delivery date of the capability for conducting process and system reviews within and across domains had changed to June 2018. Further, the office stated that date was subject to a contract being awarded. In addition, as of September 2017, the department had not established policy that clarified the roles, responsibilities, authorities, and relationships between the Deputy Chief Management Officer and military department officials responsible for the business enterprise architecture and its federation or provided details of an overarching taxonomy to be used across the enterprise. We will continue to monitor the department's efforts to implement the recommendation.
    Director: Melvin, Valerie C
    Phone: (202) 512-6304

    2 open recommendations
    Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies.

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In commenting on our report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. However, in response to this recommendation, FDA officials developed an integrated master schedule (IMS) for the Mission Accomplishment and Regulatory Compliance System, along with corresponding sub-project schedules. The officials also provided explanations of their approach for updating the schedules and estimating resources that are reflected in the schedules, and evidence that the agency is updating the schedule regularly. However, the IMS did not identify all legacy systems to be replaced, did not trace all tasks and contractor subproject schedules, and did not include information reflecting the use of government resources. In 2016, we requested that FDA provide an update on their efforts to address these limitations. As of September 2017, the agency restructured MARCS into two projects and notified us that it was working to establish an IMS for each. FDA officials expect to complete the schedules by the end of calendar year 2017. Until FDA takes steps to address the noted deficiencies, it will lack key information needed for determining what work remains and for identifying and addressing potential problems, thus increasing risks to the success of the agency's modernization efforts. We will continue to work with the Department to address this recommendation.
    Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to monitor progress of MARCS against the integrated master schedule (IMS).

    Agency: Department of Health and Human Services: Food and Drug Administration
    Status: Open

    Comments: In commenting on the report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. However, in response to this recommendation, FDA officials provided a baseline schedule, integrated master schedule (IMS), and sub-project schedules intended to be used to monitor progress of the agency's efforts to implement changes to the Mission Accomplishment and Regulatory Compliance System (MARCS). Nonetheless, while the IMS is updated regularly, it contains data anomalies, and FDA has not documented reasons for changes to the schedule. Consequently, the schedule does not include complete and reliable information needed for monitoring progress of the system investment. As of September 2017, the agency restructured MARCS into two projects and notified us that it was working to establish an IMS for each. FDA officials expect to complete the schedules by the end of calendar year 2017, and to use the schedules to continually monitor the status of the projects. Until FDA takes steps to address deficiencies noted in the IMS for MARCS, it will continue to lack key data needed to monitor progress of the implementation of the system, and increase the risks of this key component of the agency's modernization efforts. We will continue to work with the Department to address this recommendation.
    Director: Shames, Lisa R
    Phone: (202) 512-3841

    1 open recommendation
    Recommendation: To reduce the cost of the crop insurance program, Congress may wish to consider limiting the subsidy for premiums that an individual farmer can receive each year or reducing the subsidy for all farmers participating in the program, or both limiting and reducing these subsidies.

    Agency: Congress
    Status: Open

    Comments: As of December 2016, Congress has not taken action to implement this matter.
    Director: Trimble, David C
    Phone: (202) 512-9338

    5 open recommendations
    including 4 priority recommendations
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development to assess the feasibility and appropriateness of the established time frames for each step in the IRIS assessment process and determine whether different time frames should be established, based on complexity or other criteria, for different types of IRIS assessments.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that IRIS assessments that support policy and regulatory decisions for EPA's programs and regions, and state agencies, are being consolidated into a new portfolio to optimize the application of best available science and technology. According to IRIS Program officials, the IRIS workflow will be reoriented and timelines and resources will be tailored to fit the intended purpose of the IRIS assessment. This approach was presented to EPA's Science and Technology Policy Council in July 2017 and was presented to the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017 for their consideration and evaluation. In addition, according to EPA IRIS officials, there were improvements in project management for IRIS assessments, such as working with IRIS assessment chemical managers (individuals who manage IRIS assessments) to develop timelines and a system that tracks the portfolio of IRIS products in development, to allow the IRIS Program to more effectively use resources across assessment projects and ensure timely delivery of products. GAO continues to believe that these efforts show important progress, but that EPA needs to continue to determine whether different time frames should be established for different types of assessments, and the feasibility and appropriateness of the established time frames.
    Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development, should different time frames be necessary, to establish a written policy that clearly describes the applicability of the time frames for each type of IRIS assessment and ensures that the time frames are realistic and provide greater predictability to stakeholders.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that they met with the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017 to discuss responses to this recommendation. After the meeting, EPA's IRIS Program officials expect to issue a public statement that will emphasize the new portfolio approach to chemical evaluation and reflect that IRIS milestones will be varying based on the scale and type of assessment needed. EPA's IRIS Program officials told GAO that these activities will also provide the Program an opportunity to evaluate whether additional training on project management has provided the consistency in planning and delivery that was expected. GAO continues to believe that EPA has made progress and we will continue to review information provided by EPA as the agency works to ensure that the time frames are realistic and provide greater predictability to stakeholders.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to annually publish the IRIS agenda in the Federal Register each fiscal year.

    Agency: Environmental Protection Agency
    Status: Open

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that starting in 2017, on an annual basis, the IRIS Program is reviewing the information in the December 2015 Multi-Year Agenda to ensure that it remains responsive to GAO's recommendation. According to IRIS Program officials, this process was informal in 2017 but will be formalized starting in 2018 and updates to the Multi-Year Agenda will be published on the IRIS website and disseminated appropriately. GAO continues to believe that current and accurate information on the chemicals EPA plans to assess through IRIS should be made available to IRIS users. As the program continues its work, GAO will monitor EPA's progress to determine if information is provided annually in the Federal Register.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to indicate in published IRIS agendas which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of Fall 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that starting in 2017, on an annual basis, the IRIS Program is reviewing the information in the December 2015 Multi-Year Agenda to ensure that it remains responsive to GAO's recommendation. According to IRIS Program officials, this process was informal in 2017, but will be formalized starting in 2018, and updates to the Multi-Year Agenda will be published on the IRIS website and disseminated appropriately. EPA IRIS Program officials stated that they received feedback from the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017. IRIS officials intend to publish an updated Agenda that will list which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals. GAO continues to believe that annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program is critical for IRIS users as well as specifically identifying which chemicals EPA is actively assessing and when EPA plans to start assessments of the other listed chemicals.
    Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to update the IRIS Substance Assessment Tracking System (IRISTrack) to display all current information on the status of assessments of chemicals on the IRIS agenda, including projected and actual start dates, and projected and actual dates for completion of steps in the IRIS process, and keep this information current.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of August 2017, EPA's Integrated Risk Information System (IRIS) Program officials stated that starting in 2017, on an annual basis, the IRIS Program is reviewing the information in the December 2015 Multi-Year Agenda to ensure that it remains responsive to GAO's recommendation. According to EPA IRIS Program officials, this process was informal in 2017 but will be formalized starting in 2018, and updates to the Multi-Year Agenda will be published on the IRIS website and disseminated appropriately. EPA IRIS Program officials stated that they received feedback from the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017. Officials indicated that after the feedback is received, the IRIS website will be updated with information consistent with GAO's recommendation, such as projected and actual start dates. GAO will monitor EPA's progress, and consider whether updates are annually providing current and accurate information on chemicals that EPA plans to assess through the IRIS program, as necessary for IRIS users.
    Director: Melvin, Valerie C
    Phone: (202)512-6304

    3 open recommendations
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to ensure implementation of a requirements management plan that reflects leading practices for requirements development and management. Specifically, implementation of the plan should include analyzing requirements to ensure they are complete, verifiable, and sufficiently detailed to guide development, and maintaining requirements traceability from high-level operational requirements through detailed low-level requirements to test cases.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments on our report, VA concurred with this recommendation and in August 2014, identified initial actions the department had taken in response. Specifically, as part of its plans to issue a request for proposals to acquire a replacement scheduling system under its Medical Appointment Scheduling System (MASS) project, VA developed a Business Requirements Document that defines its specific business needs, capabilities, features, and constraints. Additionally, the department reported that it intends to manage and document requirements using processes supported by a Web-based tool called Rational Doors. In August 2015, VA's Office of Acquisition, Logistics, and Construction awarded a contract for the MASS project. However, in April 2016, the department paused MASS to evaluate an alternative project to enhance its legacy scheduling system. Subsequently, in early 2017, the department restarted the MASS project. Nevertheless, as of June 2017, the department had not developed a requirements management plan for MASS. Thus, the MASS project has not yet reached the point where the effectiveness of the requirements management activities we recommended can be assessed.
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to adhere to the department's guidance for system testing including (1) performing testing incrementally and (2) resolving defects of average and above severity prior to proceeding to subsequent stages of testing.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: In written comments on our report, VA concurred with this recommendation and stated that testing was managed using documented, repeatable processes that are included in the department's ProPath Web-based tool. According to the Acting Deputy Chief Information Officer for Product Development, the Medical Appointment Scheduling System (MASS) project is expected to incorporate Agile software development practices, including the use of incremental testing. In August 2015, the department awarded a contract for the MASS project that included task orders for the development of test plans. However, in April 2016, the department paused MASS to evaluate an alternative to enhance its legacy scheduling system. In early 2017, the department restarted the MASS project, but as of June 2017, had not developed a test plan for MASS. Thus, the project has not yet reached the point where adherence to the department's system testing guidance can be assessed.
    Recommendation: To enhance VA's effort to successfully fulfill its forthcoming plans for the outpatient scheduling system replacement project and the HealtheVet program, the Secretary of Veterans Affairs should direct the CIO to ensure that the policies and procedures VA is establishing to provide meaningful program oversight are effectively executed and that they include (1) robust collection methods for information on project costs, benefits, schedule, risk assessments, performance metrics, and system functionality to support executive decision making; (2) the establishment of reporting mechanisms to provide this information in a timely manner to department IT oversight control boards; and (3) defined criteria and documented policies on actions the department will take when development deficiencies for a project are identified.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: The Department of Veterans Affairs concurred with this recommendation and identified various actions it has taken in response. Specifically, the department awarded a contract for its Medical Appointment Scheduling System (MASS) project in August 2015. However, in April 2016, it paused MASS to evaluate an alternative to enhance its legacy scheduling system. In June 2017, VA reported that the MASS project had been resumed and indicated that it would adhere to the department's Veteran-focused Intake Process (VIP), which is intended to ensure oversight, accountability, and traceability of all program activity. Also, the department reported that MASS had met its first VIP milestone, Critical Decision 1, in January 2017. However, key future activities, including product development and testing, have not yet been demonstrated, while VIP milestones (e.g., Critical Decision 2) have not yet been met. Thus, MASS has not reached the point where the effectiveness of project oversight can be fully assessed.
    Director: Trimble, David C
    Phone: (202)512-6225

    1 open recommendation
    including 1 priority recommendation
    Recommendation: To develop timely chemical risk information that EPA needs to effectively conduct its mission, the Administrator, EPA, should require the Office of Research and Development to re-evaluate its draft proposed changes to the IRIS assessment process in light of the issues raised in this report and ensure that any revised process periodically assesses the level of resources that should be dedicated to this significant program to meet user needs and maintain a viable IRIS database.

    Agency: Environmental Protection Agency
    Status: Open
    Priority recommendation

    Comments: As of August 2017, EPA's Integrated Risk Information System (IRIS) Program officials told GAO that they are in the process of directly reviewing program and regional office priority needs annually and will then evaluate the December 2015 Multi-Year Agenda and realign resources and priorities as needed. EPA IRIS Program officials stated that this review will occur in 2017, and subsequently they plan to receive feedback from the Science Advisory Board's Chemical Assessment Advisory Committee in September 2017. After the feedback is received, they will formalize this process starting in 2018. When GAO receives documentation regarding the periodic assessments of resources that should be dedicated to the program to meet user needs and to maintain a viable IRIS database, GAO will reevaluate the status of this recommendation.