3.0 INFRASTRUCTURE Infrastructure focuses on the areas of facilities, security and technology usage. The Library faces some unique and time-urgent issues in these areas which are treated in detail in the following sections. 3.1 FACILITIES The Library's operations are inherently facility intensive. Without adequate facilities, there would be nowhere to store and review the Library's collection of printed materials, films, and recordings. More importantly, the Library's need for adequate space is constantly growing. The recognition of the inter-relationship between mission and the facilities required to support the mission is critical to the Library's future success. 3.1.1 Background The Library of Congress is primarily housed in three buildings on Capitol Hill. The Jefferson Building, a turn-of-the-century facility built in the Neo-classical style, is the centerpiece of the Library and houses the Main Reading Room and a variety of collection items. The Adams Building is a Federal-style building housing the science and technology collections. And the Madison Building, built in the late 20th century Modern style, houses most of the Library's operations and service units, its Law Library, the National Digital Library, and several classifications of collections. The Library bears no rental or maintenance costs for these facilities as those costs are borne by the Architect of the Capitol. The Jefferson and Adams Buildings are nearing the completion of a 10-year, $80 million renovation. The Madison Building is nearing the end of its 20-year economic life. The Library does receive appropriated funds to pay $2.6 million for Capitol Hill janitorial services and $4.7 million for the General Services Administration (GSA) Rent System (RS) rates for the use of off-site facilities (Landover Center Annex, Taylor Street Annex, Market Street Annex, and Buzzard Point). The Suitland and Wright-Patterson Air Force Base facilities are used by the Library for nitrate film storage and preservation. These outlying facilities house a mix of collections storage and Library operational functions. The planning, design, construction, maintenance and management of these facilities is performed by a combination of the Library, and the Architect of the Capitol, the GSA, and the U.S. Air Force. Collections storage space availability is a Library-wide issue, one that has a clear impact on the Library of Congress' ability to carry out its mission of collecting, storing, and preserving general and special collections. Available space to store the Library's continuously growing collections has nearly run out. In 1992, the Library predicted that the General Collections would reach "gridlock" in 1994 in the Jefferson Building and soon thereafter in the Adams Building. Space for motion picture film was expected to be exhausted in 1993 and recorded sound collections would be out of space in 1994. In addition, it was predicted that several million items would need to be relocated to off-site storage to accommodate the Manuscript Division staff for arrearage reduction. The Prints and Photographs Division collections, scheduled to move to off -site storage to make room for processing staff in 1993, are still awaiting space. And the Rare Book and Special Collections Division shelf space is currently filled to capacity.1 Many of the predictions made in 1992 have now been realized and the space shortage is projected to intensify as collections continue to grow at a rate of 300,000 items per year. At that rate, the Library's collections will exceed the predicted storage capacity of the only construction project currently approved by Congress, the Fort Meade Storage facility, before it is completed in 1999. In spite of this fragmented environment, facilities planning has improved its efforts toward the identification and evaluation of short and long term collection storage requirements. These planning activities, however, have been heavily influenced by Congress and program funding for additional storage space was not granted until FY1993.2 The Library has also completed several detailed planning analyses for relocating some Capitol Hill collections into high density off-site storage facilities as part of their planning process for the primary storage needs of the Librarys collections. It is important to understand where facilities planning and management activities fit into the overall Library organization. The Library's Integrated Support Services (ISS) Office is responsible for all functions relating to procurement, contracting, and material activities; space planning and space utilization; facility management, and custodial oversight of Library buildings and leased space; interior design; environmental health, safety, and fire protection; occupational health; management of mail, freight, and transportation services; physical and electronic security of Library buildings, collections, and information; and emergency preparedness. These activities are organized into seven divisions. Each of the seven Division Chiefs serves on the ISS management team and is under the general policy direction of the ISS Director.3 The ISS Director reports directly to an Associate Librarian of Congress and serves on the Senior Management Reporting Group. Exhibit 3-1 identifies all of the components of ISS that are involved in facilities planning and management for the Library. EXHIBIT 3-1 INTEGRATED SUPPORT ORGANIZATION CHART Facilities planning and management activities are primarily accomplished in two of the seven divisions: Facility Services and ISS Directorate. Facility Services provides services to management and staff regarding space planning and space management of Library facilities. In so doing, they plan, design, and coordinate construction, alterations, and operations of the Librarys facilities; provide interior design, provide space requirements and conduct space inspections; provide labor and moving support; provide custodial services and manage the food services program and the operation of public spaces for special events. Facility Services is also the Library's primary liaison with the Architect of the Capitol (AOC). ISS Directorate develops facility requirements and provides project planning services to Library management, staff, and various management committees that are responsible for determining and planning long term collections storage requirements. This service includes developing design requirements and cost justification for the Fort Meade Storage Facility project, projecting the Library's storage space requirements, interfacing with Congressional appropriations committees to obtain project approvals, and working with the AOC to integrate requirements into the design of a facility. 3.1.2 Methodology BoozaAllen's assessment of the Library's facilities planning and management decision making process is based upon face-to-face interviews, with among others, personnel from Facility Services, ISS Directorate, Library Collections Management, Congressional staff, and the Architect of the Capitol. Our interviews were conducted with senior-level managers including an Associate Librarian of Congress, ISS Division Chiefs, Chief of the Collections Management Division, and senior Congressional and Congressional committee staff members. On our many site tours, we interviewed various Reading Room and Collections Managers including the Law Library, Rare Books, Motion Pictures and Recorded Sound, Prints and Photographs, the Hispanic Collection, Nitrate Film Storage, and others. We also met with facilities planning and management staff from our benchmarking sources at The Smithsonian Institution, Harvard University, The Massachusetts Institute of Technology, and the National Archives and Records Administration (NARA) to gather information for identifying "best practices." These benchmarking site visits revealed that only NARA had developed a comprehensive facilities planning program that was directly tied to the organization's overall strategic plan. None of the others gave their facilities program much emphasis, but they did not and are not expected to realize the magnitude of continued growth as that projected for the Library of Congress. In the course of our assessment of the Library of Congress facilities issues, we conducted an extensive literature search. In addition to the materials provided by the General Accounting Office, we collected and reviewed many facilities planning and management specific materials. The types of documents reviewed included budget requests, strategic plans, implementation goals, facilities regulations, project procedures, growth projections, prioritization and scheduling methodologies, space rental agreements, internal infrastructure planning memorandums, square footage allocation reports, comprehensive long-range space plans, remote storage space plans and reports, organizational structure and responsibilities, facilities operational reports, comprehensive facility and space standards, monthly Library/AOC coordination meeting minutes, and various official correspondence among and between the Library, Congress, and the AOC. The focus of our investigation centered on the following five objectives: (1) Assess the Library's current approach to strategic facilities decisions as it relates to the Library's collection policies (2) Analyze the Library's Capitol Hill facilities' use and define the Library's facilities strategy in terms of centralized versus decentralized control (3) Assess the working relationships between the Library, AOC, and Congress as it relates to facilities planning and management (4) Compare and contrast the Library's facilities strategy development, planning, and management to the way industry and other similar institutions conduct business and provide recommendations relating to the enhancement of facilities planning and management decisions and facilities utilization strategies (5) Conduct a case study of the Fort Meade Storage Facility project to chart the events that led up to project approval and execution and identify the roles of key decision makers (the Fort Meade Case Study is presented in Volume 2). We were unable to address the second objective because the Library was unable to provide adequate facilities utilization data with which to conduct the analysis. 3.1.3 Findings and Conclusions The facilities planning and management sections within Facility Services provide a full range of service-oriented functions designed around the user's needs. They implement the majority of these functions in an environment where direction, which is often conflicting, is received from several sources and where key resources (especially space and personnel) are severely restricted. Operating in this environment directly affects their ability to respond efficiently and effectively to customer's requests for services. In spite of this situation, they have consistently been able to quickly mobilize available resources to accommodate user changes or new directions, accommodating special events and rapidly emerging programs such as the NDL. All this, however, is often at the cost of other requirements that were quickly reprioritized. The critical shortage of space that has been identified and documented by the Library several times in recent years is symptomatic of a larger problem: the Library does not treat facilities planning and management as an integral part of its mission. As a result, it is restricting its own ability to locate materials for readers and the collection materials are subject to damage and deterioration because they do not have the proper storage environment. Furthermore, the demand for additional space and the need to remedy quality and environmental problems in older leased facilities, such as the nitrate-based film storage facilities in Suitland, Maryland, are increasingly impacting all collections programs at the library. Related to this problem is the inability of the Library to obtain the necessary Congressional program approval and subsequent funding for its ever-increasing storage space requirements. Multiple planning scenarios have been developed by the Library to satisfy partial storage space requirements; however, these scenarios have never been tied together in a comprehensive plan and consequently have not been approved, in spite of the fact that the Librarian has testified before Congress attesting to the criticality of space needs. Efforts at securing program approval have largely failed; the one exception being the Fort Meade Storage Facility project. BoozaAllen's facilities management assessment revealed the following significant findings and conclusions: 1. The Library does not have a Strategic Facilities Plan that includes a comprehensive plan for the efficient and economic management of the facilities which house collections. Although there have been some isolated planning studies and reports that define short and long-term collection storage needs, there is no comprehensive, integrated Library-wide strategic facilities plan. For instance, the Library has completed the following studies and reports: 1989 Statistical Survey of Current and Projected Collections Space Needs for the Year 2000 1990 A Plan for the Library of Congress Collections Storage Facility 1991 Special Collections Space Needs Assessment 1992 Report on High Density Storage Facilities 1992 Library Strategic Plan 1992 Collections Storage Plan 1992 Committee on the Study of Future Space Needs for Book Collections Report. These documents collectively describe the Library's collections storage problems in both the general and special collections, forecast the growth of collections, and identify both long and short term solutions for locating additional space. Although these planning studies and reports are important, a clear and comprehensive facilities strategy which provides a solid foundation for making decisions and obtaining project approvals and funding is missing. Exhibit 3-2 assesses the current availability of essential strategic planning components. EXHIBIT 3-2 Strategic Facilities Plan Component Matrix Availability Component Not Available Partially Developed Fully Developed Facilities mission Formal goals and objectives C Facilities strategy for each facility Preservation strategy C Collections strategy, etc. C Building use statistics C Facility space management standards Qualitative and quantitative standards C Administrative room space C Conference room space C Lunchrooms/break rooms C Restrooms C Exhibit space C Stack space C Media storage C Vault room space C General storage areas C Processing area C Research room space, etc. C Baseline data Current space conditions C Space forecasts C Quantity and quality standards vs. actual conditions C Adjusted capacity C Projected space costs C Analysis of what each facility requires to meet standards C Long term space forecast C Facility options Facility options to provide quality and quantity standards C Cost estimates for implementing options C Fiscal and operational options Budgetary impact to the Library C Operational issues C The absence of a comprehensive process to guide facilities planning and management decisions is further highlighted by the fact that the Library has no short or long term strategy to transition out of the Suitland film vaults facility. The Library has clearly stated that nitrate film storage has been troublesome over the last 15 years and the GSA has requested that the Library vacate the Suitland film vaults. The Library's Safety Services Division said that the Suitland and the Wright- Patterson Air Force Base facilities should be vacated due to deteriorating conditions. Even with the serious facility problem clearly understood, one of Collections Services' top 10 priorities is to acquire significant amounts of additional nitrate film without a clear, well- developed plan and comprehensive approach to resolution of the associated facility problem.4 The efforts involving the study of a potential site in Culpepper, Virginia, are only investigatory at this point and not part of a planned effort to address this issue. Without a comprehensive strategic facilities plan, there is no formal process in place to: (1) Describe the inter-relationship between the mission of the Library and the facilities operations that are required to support the mission (2) Define Library-wide space management standards to apply to individual facilities and function types (3) Identify facilities options for meeting space requirements (4) Fully develop feasible alternatives. Additionally, the placement of Facilities in the Library's organizational structure does not support a strategic facilities decision-making process (see finding number 7.) which is impacting the Library's ability to provide a coordinated strategic facilities planning framework. 2. Data sharing, project planning, communication, and coordination among organizational groups is insufficient. Within ISS, Facility Services, ISS Directorate, Safety Services, and Security components work independently rather than as a team. For instance, the ISS Directorate's facility database, composed of Computer- Aided Design (CAD) files and space utilization data, was not made available to Facilities Services during the lengthy down time which occurred when their only system crashed during our study. Nor do Facility Services, ISS Directorate, and Security exchange facilities data to ensure all data sets are up-to-date. The data sets of both the ISS Directorate' and Security are based on 1989 information. Facility Services and Safety Services acknowledge little involvement with the planning and development of the Fort Meade Storage Facility project. Volume 2 of this report contains a case study of the Fort Meade project. They also expressed concern that relevant environmental site impacts are not adequately addressed. Outside of ISS, collections managers and service units often make operational decisions with respect to facilities space and environmental issues without consulting ISS. One of the more significant examples occurred when film collection managers acquired a large collection of American films from the late 1890s to the 1950s from Australia and stored them at the Suitland facility. Safety Services learned of the film collection from a 1994 article in The Washington Post. 5 Upon investigation, it was discovered that the Suitland vaults' safe storage capacity was greatly exceeded. Film canisters were even stored on the floor due to a lack of shelving space a serious fire and life safety hazard. 3. The Librarys facilities planning and management workflow is decentralized. Facilities planning and management functions are decentralized; there is no central space management structure or one manager responsible for overall facility requirements planning within the Library. The lack of a central space management structure prevents the Librarian from turning to a single manager when additional space is required. This was evident when BoozaAllen team members requested space occupancy and utilization information for the Library's Capitol Hill facilities from Facility Services. Facility Services had to request from each service unit a marked-up set of hardcopy drawings that delineate the types of collections or the service unit that is housed on each floor. Only the service units could provide this type of space utilization data. Furthermore, once the space data were received, Facility Services had to manually transfer the data to full-size hardcopy drawings. This work flow is further decentralized because decision making authority is delegated to various Library committees for determining space usage. The current organizational structure supports a planning process that includes anywhere from 50 to 100 Library groups in the decision making process, all of which are concerned with their own requirements rather than with a coordinated and timely facilities program based on a sound strategy. The Chief of Staff makes the ultimate planning decisions or arbitrates space issues between groups. It is apparent that collection managers and service units act as "owners" of the space as opposed to "tenants" and that they are more concerned with their own programmatic requirements than with a timely and coordinated facilities program. This "ownership" places Facility Services in a purely reactive mode. As further evidence of a segmented and disjointed workflow, we found that there is no integrated work request or project tracking system within the Library or across ISS. Facility Services does track work requests, maintain project schedules, and monitor the progress of projects; however, the tracking system is not 100 percent automated and is not accessible outside of Facility Services. They produce a quarterly work request status report for the ISS Director to use and disseminate; however, there is no formal channel of dissemination or management review across organizations. Safety Services (a facilities function within ISS) has no way of tracking project status to identify planned moves in order to commence fire protection evaluations or to identify when they should get involved with a project. This disjointed work flow lends itself to bypassing established procedures. Some service units even call the AOC directly to initiate a work request or obtain information on projects. 4. The Library lacks a comprehensive and integrated facilities database. Due to the absence of a comprehensive and integrated facilities database, facility personnel do not have quick and easy access to a single, integrated, or technically accurate facilities information data set. As a result, facility personnel are basing decisions on information that is outdated and that varies across divisions. Facilities planning and space management decisions are not being optimized. At least five separate, incompatible, duplicative, and in one instance, inaccessible, facilities databases, all in various degrees of accuracy, are being used to make facilities decisions. The Facilities Design and Construction Division's drawing database includes architectural drawings for the three Capitol Hill buildings detailed to the partition level. The ISS Directorate's drawing database includes the architectural, structural, mechanical, and electrical drawings of the same three Capitol Hill buildings along with the GSA leased facilities. Design and Construction Divisions' drawings are current for partition information; however, the ISS Directorate's drawings have not been updated since 1989. The Security Division also has a complete drawing database of all Library facilities that was downloaded from ISS Directorate's system. These drawings have never been updated. The AOC has a standalone drawing database that is the most current data set for the architectural, structural, mechanical, and electrical drawings of the Capitol Hill facilities. Finally, various service units have unique versions of drawing databases that are used in space management. All of these databases have duplicate data sets in various stages of accuracy (floorplans, occupant information, wall/partition locations), and run on different operating systems and/or platforms. Critical facilities information that exists in isolation at all levels within the Library - strategic, facilities planning, and facilities operations, is not being integrated into a centralized database for organization-wide sharing: ISS Directorate's optimization of facility assets and strategic planning for future needs through fundamental "what-if" scenarios could be accomplished more efficiently and effectively with a comprehensive and integrated facilities database. Facility Services and Facility Design and Construction Divisions. It is especially critical that these designers and project managers have up-to- date information because their day-to-day operations depend on it. Because they do not control whether vital facilities information is shared Library-wide, they are unable to quickly and easily develop detailed and accurate inventories of space and assets, develop occupancy plans, quickly locate vacant space and other available resources. Design and Construction needs to work from a common set of data with the AOC, Safety, and Human Resources as the Library assesses, quantifies, and deals with the improvements that are needed to conform to the provisions and requirements of the Occupational Safety and Health Act of 1970 (29 U.S.C. 651 et seq.) and with the Americans with Disabilities Act of 1990 (42 U.S.C. 12101 et seq.). Facility Operations and other facility managers. Coordination across the organization is negatively affected because facility managers do not share scheduled or unscheduled space modification information through electronic work requests and job plans across the organization. The mainframe-based Computer-Aided Design system that is currently used by Facility Services is the only repository of space related, graphic information that includes individual office or work spaces. The architectural floor plan drawings that have been developed with this CAD system are critical to Facility Service' operations and are intended to be maintained and made available to users of facility information. For various reasons, the drawings in the system have not been maintained and are not readily accessible. BoozaAllen made several unsuccessful attempts over a two-month period to obtain essential CAD drawings which depict space utilization of Library facilities in a format suitable for use with a Personal Computer (PC) platform. These fundamental problems have been further exacerbated by the fact that the mainframe platform is obsolete, and due to the small customer base remaining in the industry, it is difficult and costly to obtain system support and maintenance. In an effort to remedy the situation, the Facility Service' systems administrator has initiated a contract to transition the entire system to a PC-based, Windows NT platform. Once this becomes fully operational, and drawings have been updated and validated, a limited group of authorized facility users within the Facilities Design and Construction Division will be able to easily and conveniently access these drawings through networked PC's. Although this effort represents a significant step in the right direction, the Capitol Hill buildings account for only part of the overall Library of Congress infrastructure, and their use by Facility Service represents only a partial segment of users that require access to this type of data. ISS Directorate, the Security department, as well as some service units, and even the AOC, all need access to this information. Unfortunately, these different groups all use different tools and systems to maintain and manage assigned areas of responsibility, each utilizing redundant CAD drawing files in varying degrees of completeness and accuracy. 5. The Library does not have an integrated project prioritization process. An integrated, Library-wide prioritization process has not been established. This issue was initially addressed in the 1989 Arthur Young Management study. The purpose of a project prioritization process is to establish organization-wide priorities, assign individuals to high priority work, and manage work backlog. The Arthur Young Management study recommended the establishment of such a project prioritization process. The study also recommended that all ISS departments, service units, and Library management be included in the process of assigning priorities and allocating resources based on those priorities.6 Library of Congress managers, particularly those within Facility Services, commented that planning and executing work assignments is difficult and disorganized. New projects are continuously forced into the queue ahead of other projects already in the pipeline which results in project delays. According to Facility Services, initial steps were taken to introduce a prioritization process; however, procedures were never fully developed or implemented due to organizational changes within ISS that left the issue of implementation responsibilities in question. The failure to appropriately set priorities is increasing the time and cost required to plan, design, and execute user requests for space design and modification because resources are not being efficiently allocated based on priorities. Continuously shifting priorities is causing designers to stop work on a particular project for weeks on end in order to work on a new, higher-priority project. This frequently causes AOC shop work to come to a halt and the reassignment of resources to other projects which causes costly delays of all facilities design and construction projects. Facility Services has specifically identified numerous examples of work stoppages, lengthy delays, and reassignment of resources, including a daycare center project that took priority and nearly stopped AOC shop activities on other projects. Another example cited was the completion of a room in the poetry area which caused work stoppages on other projects. These examples illustrate the loss of work management control resulting from the inability to set priorities and deal with them in an organized fashion. 6. The Library does not have comprehensive space management standards. Space utilization for each facility varies across service units and functions. The lack of approved and promulgated corporate space standards inhibits the establishment of a realistic baseline to assess this variance. The lack of such standards also prevents the development of defensible space requirements that can be used to evaluate facility options, address identified needs for increased capacity, develop short and long range planning options for additional facilities, and assess the budgetary impact of space on the Library. As a result, the efficiency and equitable distribution of current space use cannot be determined, and therefore controlled, and a supporting, auditable projection of additional space requirements cannot be made. Space management standards would help to control increased space requirements and costs. The Facility Services Division has developed facilities space management standards for the Madison Building administrative offices and conference rooms and furniture standards for the Madison, Jefferson, and Adams buildings.7 However, there are no uniform space standards for Library- unique functions such as stack space, media storage, general storage areas, reading rooms, and processing areas. This lack of comprehensive space management standards is demonstrated in the Library's 23 reading rooms which are all configured to use space differently. An example of a good space management standard for a textual research room is: "A 600 square foot area is necessary. Qualitatively, the room must be climate controlled, with appropriate air filtration. Special security, lighting, and acoustics considerations are required, and the furniture must be suitable."8 Although the Library has developed detailed stack space analyses for the Fort Meade Storage Facility project, they are not being further developed into comprehensive space standards that can be used for existing facilities. 7. The ISS Facility Services Department has assumed a reactive role in terms of facilities operations. Facilities decisions come from multiple, uncoordinated sources such as the numerous committees that are frequently formed to evaluate and establish facilities requirements. In addition, the various service units establish their own facility space requirements and make their demands known to ISS. This multiplicity of decision-making authorities greatly complicates the coordination and execution of planning efforts across the organization. The Fort Meade case study in Volume 2 of this report further demonstrates reactive planning involving a new off-site storage facility. Instead of ISS taking the lead on providing technical expertise for these facilities decisions and assuming accountability, they have assumed a reactive management role. 8. A complex division of responsibility creates problems for making timely facility decisions and divides the responsibility for space planning and project implementation. Facility Services coordinates with three separate organizations: Library Management, Service Unit Managers, and the AOC, who often have conflicting priorities. In addition, ISS Directorate interfaces with these same organizations as well as with Congressional oversight and appropriations committees for planning and executing facilities projects. ISS's horizontal organization contrasts with the Library's vertical decision making process. This structure requires a high level of communication, coordination, and data sharing across divisional groups in order to operate efficiently and effectively. Unfortunately, this coordination is not happening, resulting in voids, overlaps, and suboptimizations - a counter-productive effect on the facilities planning and management process. Exhibit 3-3 identifies all of the groups involved in facilities planning, management, and oversight for the Library. EXHIBIT 3-3 Facilities Planning And Management Responsibilities And Decision Making Influences 3.1.4 Recommendations The Librarys greatest challenge is to think more strategically about its facilities due to the inherent inter-relationship between the Librarys mission and its facilities. Treating facilities as an important strategic element for accomplishing the Librarys mission will address the most pressing needs the Library is currently facing: severe space resource constraints, degradation of the quality of collections environments, and no comprehensive long-term facilities requirements plan. As the Library develops a comprehensive strategic plan that integrates its mission and technology, facilities planning and management operations must continue to be service-oriented and designed around the needs of Library users. Facility resources should be managed appropriately in support of those needs. This shift should be accomplished through the effective and efficient coordination of facility planning and implementation activities. The following are recommendations for improving the Library's facilities planning and management decision making and facilities utilization strategies. 1. Develop a Library-wide Strategic Facilities Plan. The Library's organizational decision making structure directly impacts its ability to strategically plan and execute an effective and comprehensive planning program in order to satisfy its collections storage needs. Authority and coherent direction should originate from upper management in the Library's hierarchy, at the Associate Librarian of Congress level, and be channeled directly along vertical and horizontal reporting lines. The direction given to facilities must be strategic and based upon a thorough understanding of the inherent inter- relationship between the Library's mission and its facilities in order to provide an attainable and coordinated strategic facilities planning framework for staff execution. Therefore, it is recommended that the responsibility for strategic facilities planning be formally assigned to an upper management position that places a clear focus on facilities operational requirements. This position must carry with it clear authority and accountability to develop the strategic plan for the facilities divisions and all Library liaisons. A strategic facilities plan will enable the Library to determine and control their role in the planning and management of key factors affecting space and facility use. It will also help them define the inter-relationships between facilities and how they support the collections through the utilization of a comprehensive process to guide development. Exhibit 3-4 models a strategic facilities plan that may be used in developing a Library-wide plan. 2. The Library of Congress should design, develop, and implement a data sharing methodology. The ISS Director must create the appropriate mechanisms to ensure coordination between facilities departments and facilitate decision making and project planning across the ISS team. One such mechanism could be the establishment of mandatory and routine space management reviews with representation from all facilities divisions. Another mechanism would involve the design and implementation of a data sharing system. 3. ISS should be given "ownership" of the Library facilities to ensure both the optimal use of Library space and to ensure proper support for the collections. Facility Services needs to operate as the owner of the spaces, a role the service units currently assume. This change will help Facility Services operate more pro-actively and efficiently. It will also insert them into the collections management process, ensuring that the availability of appropriate space is addressed in a timely manner in the case of special collections, such as the WETA/PBS tape archives that were awaiting the arrival of storage shelves in the Landover Annex during our site visits. EXHIBIT 3-4 Model Strategic Facilities Plan 4. Develop and implement an integrated, shared, and technically accurate set of facilities-specific CAD drawings and associated databases. In order to implement and manage an integrated, shared, and accurate database, a computer aided facilities management (CAFM) system should be developed to provide the necessary tools for long-term planning and infrastructure management. These tools will provide Library personnel with quick and easy access to accurate information on each functional component. Paramount to this accomplishment is the issue of standardizing hardware platforms and software tools in a CAFM system. This standardized environment is a prerequisite for local or wide area networks that utilize client server technology to connect the various user locations. The Library's Facilty Design and Construction Section has already purchased some of the major hardware and software components that would be needed to implement an integrated CAFM system. An integral component of developing a CAFM system is the definition of a functional data sharing process and a concept of operation that promotes maximum efficiency across facility management divisions in terms of resources, operational capabilities, and cost. This concept of operations should provide the capability for bi-directional flow of facilities planning and space management information between users, ultimately support the decision-making process with accurate and timely data, and their consolidation into a strategic level executive information system. It is important that the integrated facilities planning and space management system database become the primary repository of information for the Library's infrastructure. 5. Fully implement the Arthur Young Library of Congress Management study finding and Facility Services' subsequent draft Process for Determining and Implementing Space Planning Priorities. The Library obviously recognizes the importance of establishing and implementing procedures for space project prioritization because procedures were developed in 1995, service unit liaisons were assigned, and initial service unit priorities were identified in order to integrate these priorities into a master schedule. It is time to move forward with the implementation. 6. Develop comprehensive, uniform, qualitative, and quantitative space standards for all Library facilities and for each type of functional space; use GSA government-wide standards where applicable. It is critical that the space standards include both qualitative and quantitative characteristics. Qualitative narrative would describe in detail the requirements for such necessities as climate control, air filtration, security, lighting, fire protection, and adjacency. Quantitative narrative would prescribe the amount of square footage for each functional type of space. Once these standards are developed, they can be applied to all existing spaces by functional type in order to assess the efficiency of current space use. In addition, when projecting future space requirements, these standards will serve as a defensible database to support the projected requirements. 7. Assign formal responsibility and accountability to ISS for fundamental facilities roles. ISS should develop and maintain programs, policies, and/or procedures for: Standardization of space utilization Compliance with the recommended/proposed space standards, and Appropriateness of the usage of the space. The ISS Director, as an active participating member of the Library Senior Management Reporting Group, also should stress to the other members of that team the critical importance of the inter-relationship between facilities and the Library's mission. 8. Require the Library to develop a Space Utilization Program. The Library should design the program to facilitate the assessment of how efficiently they utilize all three Capitol Hill facilities. This Space Utilization Program should also be designed to help the Library maximize the efficient use of space in coordination with the Library's strategic vision. 3.2 SECURITY 3.2.1 Background With more than 4,000 employees, three large buildings on Capitol Hill that are open to the public, more than 100 million items of stored property (the Collections), and their own police force, the Library has a unique blend of security concerns. These concerns arise from the potential for environmental emergencies, for example, fire or water damage in the stacks; the theft or destruction of invaluable material in the collections; or other forms of natural causes and criminal acts committed in Library buildings or surrounding streets. Security at the Library encompasses the protection of Library buildings, systems, employees and visitors, sensitive information in both paper and electronic form, and the Library's collections. At the Library, security is organized and implemented through three distinct programs: physical security, information (computer) security, and personnel security. The physical security program, including electronic security and the Library police, are organized centrally under the Protective Services Division (PSD) within the Integrated Support Services (ISS) Unit. The physical security program provides for the badging of Library employees and visitors and ensures the integrity of all physical barriers and locks used to control access to work and storage areas. The electronic security program repetitions is responsible for the specification, installation, and maintenance of existing and new electronic access controls, intrusion detection systems, and closed-circuit television systems. The Library's electronic security program currently focuses on the implementation of electronic security equipment to protect collection storage areas (book stacks) and reading rooms, and to facilitate the installation of security equipment to support temporary exhibitions. The day-to-day operations of Library security are implemented by the Library police. With a staff of over 104 full-time uniformed armed officers, the Library police provide control of building exteriors, entry, and exit points. They also guard highly valuable exhibits, patrol internal space, and respond to emergencies as needed. The Library has a responsibility to protect information. To accomplish this, the Library has instituted an information security program operated by the Information Technology Service (ITS) Unit. Although in a formative stage, the Library has published a computer security policy that assigns roles and responsibilities for the protection of both sensitive, proprietary, and publicly held information. The Library also has the responsibility of handling and storing classified information received from Congress and other sources. To facilitate this activity, the Library has established a personnel security program operated by the Personnel Security Office (PSO) with the authority to grant security clearances. Sustaining, and hence protecting the Collections, are central to the Library's operations under its current mission. The establishment and maintenance of collections security has been a topic of intense discussion and debate within the Library over the past two decades. From the mid-1970's through 1995, workgroups have studied the effectiveness of both Library and collections security. A number of different security experts and consultants have been hired to analyze security. Internal committees were formed to develop collections security plans, and funding has been requested and spent to improve the protection of Library materials. Although the Library has taken steps to improve security of the Collections over this period, there continue to be allegations of book theft and mutilations. These allegations have prompted Congress to question the status and condition of the security at the Library. 3.2.2 Methodology Our assessment of this portion of the study centered around the following objectives: Determine whether the Library organizes and manages its physical, information, and personnel security program effectively Address whether the Library has spent the money allocated for security in a cost efficient and useful manner Determine whether the Library is handling its security functions in accordance with generally accepted security practices. Our security evaluation team completed this task using a variety of methods to include: external research and analysis, face-to-face and telephone interviews, technical site surveys, and site visits. Research and Analysis. We conducted literature searches on Library and collections security both specific to the Library of Congress, and to the library community in general. We researched trends in book and art thefts and mutilations to develop an understanding of the problems associated with this form of crime. We also identified and contacted library associations to find available documentation as to "best practices" for library security. Since the protection of Library materials is a relatively new topic for library associations, the American Library Association (ALA) and the Association of College and Research Libraries (ACRL) indicated that the development of protective standards has not been a high priority. Interviews. We conducted a series of interviews both within and outside the Library. We also conducted telephone interviews with several national and international libraries to assess best practices for security available from the professional library community and lessons learned available from other libraries. Site Surveys and Visits. We conducted extensive site surveys and assessment of Library buildings, storage facilities, and work areas. We viewed the placement and location of physical security equipment within the buildings, evaluated the security control and security monitoring locations, and assessed the operation of entry/exit points, and Library Police posts. We conducted tours with Library Police and Protective Services personnel to review operating procedures. We conducted site visits to comparable Federal archive and state library facilities, and visited several large academic libraries on the East Coast to compare their security measures with those of the Library of Congress. 3.2.3 Findings and Conclusions The Library has a number of security related problems resulting from a fragmented organization, ineffective management procedures, lack of a clear security policy, ill-defined requirements for Collections security, incomplete risk management processes, and no comprehensive security plan. These findings are supported in the following sections. A case study focused specifically on the history and management of collections security is provided in Volume 2. A. The Library does not organize and manage its security functions in an effective manner. The Library suffers from a number of management problems that impact the security program. In addition to a fragmented security organization, unqualified PSD manager, and a budget structure that does not provide adequate cost information, little emphasis is placed on security related training or awareness. In response to some of these issues, PSD recently retained Computer Sciences Corporation (CSC) to conduct several assessments of the Library's protective programs. Although the CSC effort is not designed to provide a comprehensive overview of Library functions, CSC is under contract to the Library to survey security operations under four tasks: a physical security survey of occupied buildings; a study of Library Police operations with regard to collection protection; the design of a security awareness program; and an inventory study of selected collection items. Specific issues in the security management area include the following: 1. The Library has not appointed a single point of authority to manage all of its security programs. There is no single individual responsible and accountable for overall security of the Library. Current security responsibilities are fragmented across the Protective Services Division (physical security), Information Technology Services (computer security), and the Personnel Security Office (personnel security). Collections security is assigned to collection managers as supported by Protective Services. Focusing on the security of the Collections as part of the Physical Security Program, LCR 610-2 also places a "custodial" responsibility for Library materials on the division chiefs and Library officers who have custody of Library materials, the Library personnel who make use of Library materials as part of their jobs, and the researchers who are granted access to Library materials under specific readership rules. Each of these groups has separate and distinct programs with its own policies and guidelines. Assigning responsibility for overall security to a single individual would allow the Library to move toward a more integrated approach to its security programs. For example, at Harvard University, a Library Security Officer has been appointed to oversee all security functions. Within the physical security arena, organizational confusion exists regarding electronic security. The management and implementation of electronic security is currently divided between Protective Services and the Architect of the Capitol (AOC). The Library is responsible for temporary installations, i.e., to support exhibits, while the AOC purchases, installs, tests, and maintains permanent intrusion detection and access control equipment for the Adams, Jefferson, and Madison buildings. A similar situation exists with respect to computer security. For applications and data residing on the mainframes, responsibility and authority for security has been designated to the Director, Information Technology Section. The Library does have an effective Personnel Security organization managed by the Personnel Security Office. The PSO grants security clearances to about 300 Library of Congress staff who require access to classified information. The PSO also manages the determination of suitability for employment at the Library. In May 1995, OPM reviewed the PSO and concluded that the Library's personnel security and suitability programs are being operated in an effective manner, with only minor adjustments needed. In September 1995, the Library OIG conducted a review of the PSO and determined that "the Personnel Security Program effectively ensures that appropriate suitability and clearance investigations are initiated and issues uncovered by OPM are adjudicated." 2. The permanent manager of Protective Services Division (PSD) should have the security background needed to lead the technical and operational implementation of Library physical security programs. Within the Library's Integrated Support Services Service Unit, PSD operates the physical and electronic security sections and manages the Library police force. Protective Services is responsible for the development of physical and information security policies and has the largest staff dedicated to Library security. PSD provides the technical capability to identify security problems and to develop solution options. If long-term security planning and coordination are to occur, this position requires a security professional with extensive management experience on large security programs. Although the acting PSD manager gained an appreciation for Library security programs as the Chairman of the Collection's Security Oversight Committee, his background and training are not in the security field. Prior to being detailed to the PSD assignment, he served as the Special Assistant to the Librarian. 3. The budget structure does not provide sufficient information on security costs. With the closing of the book stacks in 1992 and on-going Congressional pressure, expenditures for security were increased from approximately $200,000 in FY 1991 to over $1 million in FY 1992. The projected budget expenditure for FY 1996 is $3,707K. (Total expenditures for security from FY 1991 through FY 1996 will be approximately $11,956K). Money during this period has been allocated to five major areas: The Security Policy Oversight area received approximately 11% of the total funding, with the majority spent on the evaluation of the security program in 1992 and 1995 and on the administration of the security initiatives to include staff time and training. The Collections area received approximately 39% of the total funding, with the majority spent on development and enhancement of the Tracking Control Facility, implementation of anti-theft tags, and KNOGO gates, and securing of the delivery/charge stations serving the reading rooms. The Collections Storage and Processing area received approximately 23% of the total funding with the majority spent on improving access controls over the book stacks and special collections areas, increased Police patrols of the book stacks, and implementation of physical security at the Landover facility. The Reading Rooms area received approximately 22 percent of the total funding with the majority spent on improving reader registration systems, surveillance cameras, and security for Library exhibits. The Building Entrances/Exits/Loading Docks area received approximately 5% of the total funding with the majority spent on improving reader registration systems, surveillance cameras, and security for Library exhibits. The Library's budget structure makes it difficult to determine specifically how much money is spent on security. Security-related costs are contained in the Constituent Services, Copyright Office, Law Library, Congressional Research Service and Collections budgets. In addition, the Library's allocation of resources for collections security includes the use of Library managers and staff in indirect ways that are not tracked. As a result, it is difficult to accurately assess the Library's total security costs. It is also difficult to determine whether the Library has spent money on the appropriate security initiatives since it has not completed a comprehensive risk assessment that would form the basis for budget decisions. The issue of risk management is addressed below. 4. The Library does not provide sufficient security training to its personnel. The implementation of a comprehensive security training and awareness program would enhance all aspects of security at the Library. This is significant because the Library has a unique culture where access to the stacks is seen as a job benefit. As a result, the staff resists security -driven changes that restrict their access. They seem reluctant to adhere to existing security guidelines. Doors to the stacks are sometimes propped open, security equipment is accidentally damaged by bookcarts, and some staff members refuse to wear identification badges in public areas. By their resistance, it appears that the staff does not understand the value of security measures. Without their support, no security procedures or systems will be effective. Security awareness training will help to solve this problem. The Library has implemented security training in the form of Security Awareness Week(s) and articles in The Gazette, but these actions do not constitute a complete security training program. The Library recently hired Computer Sciences Corporation to develop security awareness materials centered on physical security. Personnel security information should also be integrated into this process. With respect to computer security, LCR 1620 stipulates that "employees shall be trained in techniques to enhance security. New employees shall receive a computer security awareness orientation and existing employees shall receive periodic training on computer security." The Department of Justice conducted a briefing several years ago stressing the need for formal computer security training and provided guidelines for a computer security awareness program. On August 22, 1989, the Librarian issued a special announcement stating that the Staff Training and Development Office would be implementing a computer security awareness training program to increase staff awareness of protection measures and techniques. The announcement stated that additional information would be provided later that month. No such training program has occurred. Some divisions have provided personnel with overviews of computer security responsibilities, but this has been on an informal basis. Finally, the Library Police receive a minimal amount of pertinent training. Library Police officers are required to successfully complete the Federal Law Enforcement Training Center (FLETC) curriculum to join the force. Once hired, they receive internal exit and entry inspection training based on an "Exit Inspections Procedures" manual. Besides this training, police personnel receive little training in police functions. They attend CPR and other training available to all Library personnel and can attend Washington, DC Police training courses if space is available. B. The Library's security program does not conform to generally accepted security practices. Exhibit 3-5 identifies the key elements and interrelationships of an effective security program. These elements are generally accepted best practices throughout Government and industry. EXHIBIT 3-5 Key Elements of Security Program Security requirements set the minimum criteria for the implementation of an effective program. An established set of requirements sets a baseline for security and for the evaluation of its adequacy. A comprehensive security policy encompasses the mission and goals of the organization and addresses the specific objectives and needs of its operations. A policy is essential to set the standards by which the effectiveness of security can be measured. Risk management is the process of identifying threats and vulnerabilities, assessing their impact (the risk), and identifying the appropriate protections to mitigate that risk. Inherent in the risk management process is the ability to make informed decisions as to the application of protection. Determining risk is critical to developing a comprehensive security program for an organization. The implementation of security can be effective only if managed against a comprehensive security plan. An effective security plan encompasses both near-and long-term activities focused on meeting specified requirements, policy objectives, and identified risk reduction countermeasures. Successful implementation of a security program provides a cohesive and integrated approach to protection; maximizing the use of resources against multiple goals or objectives. Careful management of implementation activities is critical to the effectiveness of security throughout the organization. Our findings are structured to show how the Library performs against each of these elements. 1. No single, comprehensive set of security requirements exists for Library collections programs. Security at the Library of Congress encompasses the protection of personnel (Library employees and the visiting public), property (Government property and Library materials), and information (resident in paper, electronic, and other media formats). To implement these protections, the Library should compile a comprehensive set of Library regulations to cover Federal law pertaining to personnel and information security and protection of Government property. It should be noted that no Federal requirements address the protection of the rare books and other materials for which the Library is responsible since this is a unique form of Government resource. The Library has not developed its own set of comprehensive requirements to cover this issue. Without a requirements baseline, the Library has no comprehensive set of standards, or yardstick, by which to conduct or measure the effectiveness of its security programs. As a result, security is often evaluated only in terms of events, like the theft or mutilation of books. 2. The Library does not have a single, clearly documented security policy. Security policies within the Library have been developed primarily for individual programs, or to address specific problem areas. The Library's 1992 Plan for Enhancing Collections Security called for the "development and publication of revisions to Library Regulations as necessary to support enhanced Collections security." These regulations contain policy statements specific to individual areas, but there is no policy that addresses the overall objectives of security for the Library. 3. The Library does not have a risk management program that includes a comprehensive assessment of the security risks associated with its current operations. The Library has no method or procedures for systematically evaluating or analyzing risk. Managers from within PSD provide ad hoc risk assessments in concert with managers of the Collections, although for the most part, they react to what the Collections managers want, which may not always be consistent with best security practices. From 1974 through 1995, several internal and external (consultant) efforts were undertaken to identify vulnerabilities and recommend protections. The most recent efforts, conducted in 1992 and again in 1995, have led to the elimination of some identified vulnerabilities, for example, by reducing access to the stacks and by providing more controls in the reading rooms. These efforts, however, do not represent a complete risk assessment. The Library does not have a written threat statement. PSD and ITS personnel verbally acknowledge a variety of threats to the people, property, and Library materials, including: The threat of outsiders coming into Library facilities to commit crimes against Library employees and visitors, against personal and Government property, and against the collections. This threat ranges from unsophisticated thefts to professional attacks against valuable Library materials. The threat of theft or mutilation of Library materials from people within the Library. The threat of people hacking into the Library's information systems, although the Library does not seem to be targeted by any organized groups. Natural threats from fires, wind, snow, ice, and water, introduced through human errors and facility defects. Although the Library has recently implemented some security tightening measures, it is still vulnerable to physical attacks committed on its property, and computer-based attacks committed through its connectivity to external telephone and data networks. Entry into the Madison building provides access to the Library complex through underground tunnels, and visitors have access to work areas, some storage areas, and utilities areas. Many of the Library's vulnerabilities are due to the age and nature of its facilities and its current operations. For example: The Adams and Jefferson facilities are vulnerable to fire damage because of the construction of the buildings and the amount of paper materials (fuel) stored within these buildings. Fire surveillance and control systems are implemented only to the extent that they do not degrade historic value. The Library buildings have a history of water leaks and other problems that cannot be fully resolved without degrading the historical character of the facilities or without large renovation expenditures. With respect to computer security, the Library has not performed a risk assessment of its information systems. LCR 1620 stipulates that the "Library shall ensure that audits, reviews, certifications, and/or risk analyses be performed at least every 3 to 5 years which evaluate the adequacy and proper functioning of computer security safeguards and identify vulnerabilities that could heighten threats to existing or prospective automated data or resources." Until this is completed, there is no clear understanding of the risks, threats, or vulnerabilities that exist for automated resources at the Library. 4. The Library lacks a comprehensive plan that addresses physical, computer, collections, and personnel security. As noted above, the Library did develop a Plan for Enhancing Collections Security in 1992 and has implemented a number of measures in accordance with that plan. These measures include: inspections at building entrances and exits, reduced access to the stacks, Police patrols in the stacks, installation of video surveillance cameras and anti-theft gates, personal belongings disallowed in reading rooms, and the installation of an automated Collections Control Facility that provides inventory control for books. The plan, however, did not call for regulations covering all aspects of security. For example, the Library plan does not cover each phase of the collections process from acquisition and storage to availability for use. LCR 610 is focused only on the use of Library materials. It does not set forth objectives for the protection of materials while they are in storge. A more comprehensive security plan would allow the Library to improve its decision-making process by weighing the needs of all security programs, and providing the Librarian with a single point of reference for allocating resources. This is currently being done at the New York Public Library and at the Smithsonian Institution. Without such a complete plan, security implementation remains reactive to the latest problems or "wants" of the collections' managers and funding is reallocated against near term needs, e.g., to protect an exhibition. At the Smithsonian, there is a formal planning process that requires a representative from every division to approve changes to the facility and to the security system. In addition to having no comprehensive Library security plan, the Library lacks derivative plans in a number of key areas. For example, PSD has no systematic approach for planning or implementing physical security. The Library uses overlapping and multiple security hardware and procedures to achieve what it considers to be an effective level of physical protection. This approach has evolved more from the limitations to installation of security equipment in the buildings, than from a planned approach to security. Security for each specific collection depends, to a great extent, on the desires of the collection manager, previous consultant reports, and the experience of the Physical Security Section personnel. The Physical Security Section Manager works with individual collections managers to determine the level of protection to be afforded to the reading rooms and bookstacks assigned to that collection. In the information technology area, the Library General Counsel directed Information Technology Services in 1989 to develop a computer security policy for the Library. The written policy is in compliance with the Computer Security Act of 1987 that requires "all Federal agencies to identify each computer system that contains sensitive information and prepare plans for the security and privacy of such systems." Library of Congress Regulation 1620 was drafted in 1989 to provide a framework for compliance with the Computer Security Act of 1987. Because of required input and coordination from each service unit and division within the Library, the LCR 1620 policy was not finalized until 1995. In addition, the Library has not developed a contingency plan for its computer operations. LCR 1620 stipulates that the "Library shall require appropriate contingency and continuity of operations plans be developed, maintained, and coordinated." While the ITS organization has an understanding of emergency operating procedures, the Library has no written and approved contingency plan documenting procedures to develop, test, and maintain emergency response, backup operations, and disaster recovery. In lieu of a formal disaster recovery plan, the Library relies on other legislative sites that can be used as an off-site information resource to rebuild its systems. The Landover, Maryland, Library facility serves as the off-site backup location for critical Library processes. This back up arrangement does not satisfy all of the areas that should be included in a contingency plan such as how to deal with a fires in computer rooms or how to respond to hackers who attempt to enter into Library computer systems. 5. Implementation of security at the Library is conducted in an inconsistent and sometime undocumented manner. The Library does not uniformly implement the physical, computer and collections security procedures it has developed. In some areas there are no procedures at all. This further degrades the security posture of the Library. The following implementation issues at the Library were noted. a. No complete set of procedures guides the actions of the Library police, and policies are not uniformly followed. The Library police operating guidelines are a collection of procedures that expand in reaction to Library needs. The Library uses LCR 1810-2 ,"Access to Library Buildings and Collections," to define entry/exit requirements for Library space. LCR 414-1, "Marking of Library Materials," is used to define exit inspection criteria. Library police jurisdiction is defined to be within the Library buildings and outside to the curb. The Office of the Librarian determines which entry/exit points will be opened and closed, and when. The Library police have an unwritten procedure to patrol only public space and the stacks. Written procedures on detaining or arresting individuals suspected of breaking Library rules are contained in Section AR of the Library of Congress Police Policy Manual. Exit/entry inspections were observed to be inconsistent with published guidelines. In the Library Police Manual, Part 1, "Responsibilities and Procedures for Police Officers," it states that the Police should "ask each person before they go through the KNOGO if he/she has any Library materials. The answer to this question may be used as evidence in court..." We did not observe that this requirement was always followed. The Physical Security Section also issues picture badges to employees that are printed on a magnetic stripe access control card. The Library has mandated that all employees wear badges. The magnetic stripe card is designed to provide access to the closed stacks. Not all employees are wearing the badges, thus making identification of authorized personnel difficult for the Police and the staff. b. Electronic security systems at the Library have varying levels of effectiveness. The Library has an assortment of manual and electronically activated locks and door hardware that are fitted into existing doors. The absence of documented procedures for the implementation of locking hardware and exit/entry barriers has resulted in a "mixed bag" of physical security equipment. This "mixed bag" has created maintenance problems and difficulty interfacing with the electronic security system. A card access system controls access to the closed stacks and restricted areas. The design of the system is effective, but operational problems with door exits and alarms have been reported. For example, false alarms occur when someone exits using the doorknob rather than the push bar. The push bar shunts the alarm of the door. If the doorknob is used, an alarm goes off which is noted in the communication center. Since these types of false alarms are continually reported, the police have stopped responding. The KNOGO system, an exit-based detection system, appears to be an effective deterrent, but not all Library material has the appropriate sensors or tags. Intrusion detection systems monitor the closed stacks and other restricted areas. The AOC stated that the intrusion detection systems, the same as those at the Library, perform well in the other Capitol Hill buildings. The Electronic Security Section Managers consider the AOC- provided intrusion detection systems to be unreliable, and as a result, have installed extra sensors and alarm monitoring equipment in several areas. Some doors in the stacks have as many as four door contacts. This difference of opinion has been a continuing source of conflict and has led to redundant expenditures for sensors. Closed Circuit Television (CCTV) cameras and video tape recorders are used in reading rooms, stack areas, and for general surveillance and deterrence. Common area and entry/exit point surveillance is monitored in the command centers. Cameras in the Rare Book reading rooms are also constantly monitored. Video surveillance systems in the other reading rooms are effective where installed, because of the physical coverage of the cameras. The overall effectiveness of those cameras is diminished, however, by the fact that they are not regularly monitored. Although the Library has plans to install additional CCTV systems, finding suitable mounting and conduit locations is a problem. c. The Library has implemented common commercial practices to secure its automated information resources. Although we did not test specific computer security processes during our assessment, we did review available documentation and interview Library personnel. Because formal procedures and practices do not exist, the Library is using commonly acceptable commercial practices to protect their information resources. Such practices include: Inspection of log data for obvious trouble signs Inspection of legitimate files available for transfer Investigation of all suspicious e-mail received Close review of the Computer Emergency Response Team (CERT) advisory to keep abreast of attacks attempted on other systems and the recommended safeguard protections. Access to UNIX systems at the Library is closely controlled by limited distribution of system administration privileges within the ITS division. A medium-security configuration on IBM mainframes at the Library provides automated security features to determine the secure state of the system. Commercial off-the-shelf security products are installed on the Library servers. Access to files is authorized by data owners and is controlled by the system administrator. 3.2.5 Recommendations The following recommendations are considered critical to the implementation of an effective, successful security program at the Library. 1. The Library needs to organize and manage its security functions in a less fragmented manner. The Library needs to identify a single Library Security Officer (LSO) responsible for all security functions in the Library, including physical, information and personnel security. The LSO should be responsible for providing the leadership and focus for the security organization and for developing and implementing the Library's overall security policy. The Library should investigate transitioning full responsibility for the design, component selection, installation, integration, and operation of all permanent and temporary electronic security components and systems to the AoC. This would eliminate confusion and reduce the need for the Library to maintain expertise in electronic security systems. The Library needs to provide management with more detailed information on security program costs and performance. This will ensure that adequate and complete information is available to determine how security dollars should be spent and whether the money is being spent wisely. The Library should establish a robust training program for its personnel, to include general security awareness and computer security. Since the staff must help enforce security policies, it needs to understand the value of security in protecting the collections for future generations. 2. The Library needs to change its security program to conform with generally accepted security practices. The Library needs to establish a comprehensive and overarching security policy based on a single set of requirements. Accordingly, the Librarian should publish a statement of the Library's objectives for the protection of personnel, property, and information. This statement should take the form of a top-level Library Regulation from which all other regulations can be derived. The Library needs to implement a comprehensive risk management process, starting with a Library-wide risk assessment, to support ongoing decision making and allocation of protective resources. The understanding of security-related threats and vulnerabilities is an essential component of an effective security program. The Library should identify and understand real and potential threats, and articulate current weaknesses and vulnerabilities. Also, it needs to formulate and prioritize its risks by potential severity. This information should be used to make budget prioritization decisions on security initiatives. After Library security requirements and risks are identified and prioritized, a comprehensive security plan that incorporates elements from the 1992 Plan for Enhancing Collections Security should be developed to direct the implementation of security across all Library operating elements and to drive the optimal allocation of personnel and financial resources to fulfill Library security goals and objectives. The Library needs to implement the security policies and procedures it develops in a rigorous manner. 3.3 TECHNOLOGY USAGE Although information is still delivered in hardcopy form, i.e., newspapers, magazines, and books, computer technology is rapidly liberating information from the limitations of print. The Internet has become the agent of change that is accelerating global, decentralized access to information. In the next decade, the pervasive presence of computers and advances in telecommunications will profoundly affect the nature of the Library and its mission. People will no longer be precluded from accessing information based on geography or time. The digital revolution will enable people to access and create the specific information they need. Millions of bits of information will be stored in computers, rather than just on Library shelves. Hardcopy physical material, normally in a single media, is giving way to a multimedia, hyperlinked "logical" world where physical handling becomes at best a second order issue. Multimedia processing has moved us from a singular thinking world to a world where information can now be viewed and heard, both at the same time. Technology is the critical element that is revolutionizing the way people work, learn, and live. The Library is uniquely positioned to take a pivotal role in this information revolution. Bold leadership and innovations in cataloging, storage, and presentation techniques will be required to meet the needs of future information consumers. The Library has demonstrated such leadership in the past. For example, in the 1960-70 timeframe, the Library developed a capability that enabled libraries around the world to develop automated cataloging systems for efficient information access. Such creativity and innovation will become even more important in the digital age. 3.3.1 Methodology The purpose of this portion of the study was to determine whether the Library is properly positioned in terms of strategy, leadership, organization, business processes, data, and technology, to serve Congress and the Nation effectively in this new information revolution. We also assessed the level of strategic planning required to enable the Library to take full advantage of today's technology. During the course of this study, we established technology benchmarks based on site visits to large research institutions, public libraries, commercial information providers, and technology development organizations. Our assessment centered around the following specific objectives: Address whether the information technology (IT) strategy is linked to the overall Library mission Evaluate whether integrated IT planning, budgeting, and performance measurement processes exist Define the degree to which business unit heads in the Library interact with Information Technology Services (ITS) to make joint decisions on IT spending and direction Evaluate existing Library information systems and their effectiveness in supporting the current mission and operations Evaluate the current Library technology organization and its effectiveness in delivering technology enabling solutions Define relevant enabling technologies and assess their potential impact on Library operations Define "best practices" that are employed by similar organizations in Government, academia, and industry; and assess how these practices could be used to enhance the Library's operations. Using GAO's Strategic Information Management Self-Assessment Toolkit, we first examined the Library's information needs from the perspective of current operational needs and the potential for exploiting new technologies. As part of this assessment, we focused on acquiring a sound understanding of the factors affecting the Library's mission and goals. These factors included its organization, functions, and supporting processes. In addition, we defined and assessed enabling technologies and their potential for improving Library operations. Through a combination of interviews and site visits, we also examined best practices from similar Government, industry, and academic institutions. The list of site visits is provided in Exhibit 3-6. EXHIBIT 3-6 Benchmark Site Visits SITE RATIONALE Patent and Trademark Office (PTO) To review lessons learned in the areas of facilities, security, and technology, including the digital capture of patents and trademarks and the dissemination of information. National Archives and Records Administration (NARA) To review its approach to record and document storage. Smithsonian Institution To review its large volume of physical material, data catalog, security, and material access controls. New York Public Library To review its methods and techniques for managing its vast holdings and the role that technology plays in day-to-day operations. Chicago Public Library To review its approach to using technology to meet the needs of the public. Harvard University To review its extensive archive holdings and its approach to an Integrated Library System (ILS). Massachusetts Institute of Technology (MIT) To review its innovation in on-line access, information storage and retrieval, and information sharing. Indiana University To review innovation in the area of digital information handling (sound and video) and support for the Internet. In addition, to discuss their views on copyright information processing. Carnegie Mellon University To review innovation in the area of digital information handling and its support for the Internet. Purdue University To review its innovation in on-line information access, its Thorplus Web site, and information sharing. The University of California at Berkeley To review its information technology infrastructure and the changes it has made to the School of Library Science. The University of California at Los Angeles To review its approach to an Integrated Library System (ILS). On-line Computer Library Center (OCLC) To review its leadership in information cataloging and data sharing. 3.3.2 Findings and Conclusions The Library has not recognized the importance of information technology as an investment, nor does it have a strategic information management process linked to customer needs and mission objectives. Information technology planning, budgeting, and evaluation processes are not tied into the overall Library strategy. Finally, the Library has not built an organization-wide technology infrastructure to address all of its current and future needs. Staff technology skills, anchored in old mainframe- based (legacy) systems, will inhibit the Library's transition into a modern client-server environment. These findings are supported in the following sections. A. A greater strategic focus on Information Resources Management (IRM) would position the Library to make better use of technology. The Library does not view technology in a strategic context, nor has it focused on what information is needed to run the organization. This is evidenced by the fact that there is no single system-level architecture in place, complete with a performance measurement component, that can facilitate the organization's decision making process. Through interviews with Library staff, we found that IT prioritization decisions are not based on a clearly defined strategy and are not directly linked to the Library's mission objectives. This situation has inhibited the Library from moving technology forward to better support the user community. The Library's leaders have not secured the full support and commitment of the entire organization and no sense of common ownership has been created at all management levels. The New York Public Library, on the other hand, is an example of an organization that views technology as integral to its mission. It started a strategic planning process in 1992 and now has an operational focus with buy-in at all levels of the organization. The New York Public Library would serve as an excellent model for the Library of Congress in this arena. The Massachusetts Institute of Technology (MIT) also has an excellent strategic plan that is used as a communications tool for the staff and to support staff requests, budget planning, and task prioritization. Lack of a recognized need for a global vision and strategy has resulted in costly projects that never achieved their stated goals or had to be canceled prior to reaching their objectives. The Resystemization effort, which was initiated to modernize the existing cataloging environment, failed, in part, as a result of these missing components. Project leaders initially recognized the importance of the process but the commitment to seeing this project succeed was not present. 1. The ITS organization does not have a global view of the Library's information needs. The current ITS organization views itself as an applications development and maintenance organization, largely reactive to the day-to-day operational needs of the Library. The Library does not view ITS in a strategic role as the manager of all the organization's information needs. It does not integrate all information requirements Library-wide and has no communication strategy for distributing technology decisions, soliciting recommendations, and documenting problems and solutions. ITS supplies maintenance services for the legacy systems and the network infrastructure required to support current library operations. It continues to accept new tasks that monopolize the development staff, while neglecting capabilities that would better assist the overall organization. For example, the Library has focused on the THOMAS project, the initiation of the National Digital Library (NDL) project, and the creation of a digital video capture environment to record Congressional sessions, while neglecting enhancements needed in other areas, such as cataloging. Even in new system development projects, tasks are structured as a "job jar" list. This is evident in the way that IT responsibilities are allocated and managed in the Library. Specifically: There is no clear delineation of responsibilities between ITS and the service units with respect to technology implementation. The shortage of resources, the perceived need to provide equitable support across the service areas, and constant shifts in priorities cause technical staff to be inefficiently "time-shared" across numerous projects. Information required to make key technology decisions is not always available and, as a result, ITS decisions are made from incomplete data. It is almost impossible today to perform a cost benefit trade-off analysis on IT projects because the necessary information is not tracked and in a usable form. As a result of not tracking pertinent information concerning project performance and expenditures, it is difficult to determine when tasks will be done or how much they will cost. The cost may not just be financial in nature but may include lost opportunities to provide better service to the organization. In summary, Exhibit 3-7 compares the difference between the current ITS approach used by the Library and an IRM organizational approach that we derived from our site visits. EXHIBIT 3-7 Contrasting ITS and IRM Approaches Finding Areas ITS Approach IRM Approach Planning focus Evidence: Tasks are undertaken in a job jar fashion. Staff is constantly reshuffled on a weekly basis to meet the current priority. Tactical in nature - the goal is to maximize near term benefit Operationally driven Reactive Decisions based on competing initiatives Strategic in nature - the goal is to maximize long-term as well as short- term objectives Mission driven Proactive Decisions based on end-to- end, integrated capabilities Organization orientation and leadership Evidence: Information is not the cornerstone of the organization. Detailed status reports and process metrics are not gathered, analyzed and used to make cost/benefit analysis decisions IT Director Technology driven Product provider Support organization CIO Information solution enabled Service provider Integrated team Information architecture Evidence: The current environment does not have an overarching infrastructure. It is difficult to move information easily across the environment without additional software development. Stovepipe approach based on current short-term needs Integrated based on open long-term needs 2. The lack of a strategic, mission-driven perspective results in divergent systems and a duplication of effort. The lack of a single IRM focus within the Library has resulted in the introduction of competing, often divergent, technology infrastructures. For example, CRS implemented its own electronic mail system, network operating system, and Window management system because CRS believed that ITS could not meet its needs. The technology environment that CRS implemented is not totally compatible with the infrastructure in the rest of the Library. Moreover, CRS has had to provide its own staff to support the CRS network, and electronic mail environment. These resources cannot be shared with ITS because of the different skills required. 3. Without a formal strategic plan or an integrated IRM planning process, prioritization decisions are not always consistent with mission needs. Because the ITS organization views itself in a tactical versus a strategic role, the Library does not have an IRM plan that focuses technology investments and resources on Library-wide core mission goals, business processes, and customer needs. As a result, there is no solid basis for allocating resources and making priority decisions with respect to IT products and services. The Library's current IRM planning process is informal, reactive to short-term needs, and not rooted in a comprehensive IT vision. As a result, resource allocation and technology decisions are often based on perceived short-term requirements rather than on established mission priorities. Projects are often prioritized based on the availability of resources rather than on their benefit to the organization and its mission. The following specific examples illustrate this point. Although they demonstrate the flexibility and responsiveness of the ITS staff, their undertaking diverted scarce resources from other priorities. In December 1994, Congress directed the Library to provide a gateway for sharing legislative information on the Internet. The goal was to have this capability in place by the start of the new Congress on January 5, 1995. The Library responded by developing a capability called THOMAS. To satisfy this quick-turnaround task, three people were redirected from other key projects such as the Global Legal Information Network and the Bibliographic WorkStation (BWS). The Technology Assessment Group has not focused on assessing innovations which could streamline the Library's operations or enhance their product delivery capabilities. While some of their work has been lauded from outside the Library, it is not supporting any of the Library's stated internal strategic objectives. IT priorities for the Library have been described and documented in the ITS Strategic Plan, last revised in September 1995. This plan exemplifies the planning process used by ITS in establishing tactical priorities for the Library. This process consists of the following steps: ITS customers and constituencies are identified. User needs are established and defined in one-on-one sessions with each customer. Priorities are reviewed in periodic meetings conducted between user and ITS representatives. ITS management reconciles conflicts that cross the Library and attempts to address at least one or more high priority item from each constituency group. Final decisions are made by ITS management based on resource availability rather than organizational priorities. As evidenced by this process, major initiatives in the Library are usually first championed from within one of the user organizations, then supported at the Executive Committee level. Some projects, such as the National Digital Library (NDL), are initiated from the top down. Others, such as THOMAS, originate from a Congressional request. More often, projects result from a need advocated by either a technical or functional proponent in the Library. The Copyright Office Registration, Recordation, and Deposit System (CORDS), for example, did not take on significant importance until a new manager took over the Copyright Division and pushed the initiative. Because initiatives are linked to the Library's mission only to the extent that the mission is reflected in the perceived needs of the individual proponent, the planning process does not address all the strategic planning elements that would better enable ITS to allocate resources, define technology expenditures, and establish priorities across the Library. These missing elements include the following: A vision for the future that includes IT as an enabler to the Library's mission (Where do we want to be?) An integrated IRM architecture (i.e., organization, business processes, and support systems) rooted in this vision (What resources are needed to get there?) Performance improvement objectives that are measurable and linked to the mission (How do we know when we get there?). Many libraries and institutions we visited during our site surveys offer excellent examples of how strategic planning can effectively drive technology decisions. The Library of Congress would benefit from using some of the same IRM planning processes that have been implemented at the National Archives & Records Administration, the Patent & Trademark Office, Carnegie Mellon University, the Massachusetts Institute of Technology, and the Chicago Public Library. B. The existing technology infrastructure is not integrated across the Library. As the Library increases its use of technology, both to support internal operations and to interact with its external customers, the overall infrastructure becomes an increasingly critical factor affecting the ability of the Library to accomplish its mission. This infrastructure consists of the architecture, systems, resources, and processes designed to support technology. Library systems are currently not integrated at a level appropriate to reduce interfaces between systems, lessen the need for maintenance resources, and minimize redundant data. The Library currently faces a situation associated with its core information systems that is not uncommon among organizations that developed automated tools in the 1970's. At that time, systems were built to focus on specific, localized problems or processes. Library systems developed using this approach include the following: Multi-Use MARC System (MUMS) - A data repository system for bibliographic data Subject-Content-Oriented Retrieval for Processing Information On-line (SCORPIO) - A data repository system containing indexed information pertaining to material available in the Library Copyright Office Publication and Interactive Cataloging System (COPICS) - A data repository system containing copyright registration information Copyright Office IN-process System (COINS) - A data repository and tracking system for managing deposit accounts and requests for information on fee services associated with the copyright registration process. These systems form the foundation for a majority of the automated information processing now associated with the Library's day-to-day operations. They were developed around non-integrated data structures that were state-of-the-art at that time. Newer Library systems are designed to improve access to these core systems and to address additional functional capabilities. Multiple interfaces have been developed among these systems (e.g., MUMS, SCORPIO, COPICS, COINS). The number, quality, and complexity of these interfaces complicates software changes since a change made to one system may affect several other systems. The Library's technical architecture has evolved around the need to support and enhance these legacy systems rather than in accordance with an overall data model representing the organization's integrated information needs. Lack of a comprehensive, integrated information architecture has also caused systems to be acquired as independent entities. Automated solutions to provide new capabilities tend to be bounded by the requirements of a single organization, rather than implemented within the larger context of the Library's global requirements. An important example of this is the current issue surrounding the selection of an electronic mail package for the Library. The main purpose of an electronic mail selection is to provide an enterprise-wide capability that can serve the entire Library community. CRS has standardized its e- mail environment, but the remainder of the Library continues to operate using numerous products. The Library has adapted the CRS solution but no plan for migration was available for review. As a result, inefficiencies in operation, staffing and communication exist. Another shortcoming of this piecemeal approach to system selection has been a failure to recognize the benefit of an Integrated Library System (ILS), i.e., a system that would help the Library track orders, acquisition, cataloging, and circulation functions. A consultant's report prepared for the Acting Director, Public Service Collection, on Processing and Information in the Library, dated April 25, 1995, clearly demonstrated the feasibility and potential benefits of adapting a commercially available ILS environment. The Library has not yet capitalized on this report. Both Carnegie Mellon University and the Chicago Public Library depend upon ILS to facilitate Library management functions. The Library has many system databases that will continually increase in volume. The NDL, for example, is expected to store 5 million digitized images by the year 2000. A key benefit of integrating systems within a comprehensive, targeted architecture is the ability to limit data redundancy, thus reducing costs associated with data storage capacity and the resources required to keep common elements synchronized. At the present time, however, there are a number of systems that perform similar activities. For example, MUMS and COPICS both perform functions needed to process catalog records but they contain some of the same data fields. The lack of an integrated plan for managing these data systems into the foreseeable future is a risk for the Library. Data redundancy that does not specifically improve performance or provide some other benefit in support of the Library's mission should be minimized in order to reduce resource costs. Individuals within the Library, both system developers and end-users, recognize the need to integrate technical decisions across project initiatives. A current example of this is the needed integration among the NDL, CORDS, GLIN, and THOMAS projects, all of which plan to use the Internet as a means of data transmission. Integration efforts are driven by individual initiative, however, because the concept of technical integration across the Library has not been institutionalized. No formal process has been established to ensure that technical information is shared across projects. C. Technology programs and projects are not managed as investments. Because the Library does not have a comprehensive IRM vision or strategy, it does not view technology as an investment. Insufficient attention is paid to program and project costs, priorities, and performance. As a result, the Library cannot determine if its investments in technology are supporting its mission objectives. 1. The budget structure does not provide program or project level cost information. Budget planning follows a bottom-up process within ITS. Every year the ITS staff gets budget inputs from the service units and prepares a draft submission. This exercise is usually accomplished by taking the previous year's approved expenditures and either increasing or decreasing each of the cost centers to achieve an internally generated funding objective. Budget estimates are based on current staffing levels and estimated capital expenditures, not on mission priorities as defined in an overall Library strategy. The budget is executed as a general pool of resources expended on short-term needs rather than on long term IRM objectives. As a result, it is difficult for the Library to justify spending priorities and to perform cost benefit analyses. The budget structure itself does not provide adequate information on IRM expenditures for specific initiatives. When resources are diverted to a new priority, such as THOMAS, the true cost is unavailable because no information is kept to account for project level costs. As a result, it is difficult to accurately assess either individual initiative or total Library IT costs. Reasons for this lack of budget visibility include the following: The Library has 5 different appropriations: Library Salaries, Congressional Research Services, Copyright, Books for the Blind and Physically Handicapped, and Furniture and Furnishings. Technology expenditures are included in at least three of these appropriations. The cost center structure for the ITS budget does not provide the necessary visibility to track cost performance associated with specific high priority initiatives. Whereas the budget details are treated more specifically within ITS, the true cost of certain programs can only be estimated. Other Library organizations, such as CRS, plan and manage their component of the IT budget independently of ITS. 2. The Library has no formal performance measurement system. Performance measurement is a critical element in the strategic IRM planning process because it determines whether the IRM strategy is addressing mission objectives effectively. The Library has a number of deficiencies in this area that need to be addressed, including: Specific, measurable performance objectives, tied to Library mission priorities, are not formally established, negotiated, and communicated within the organization. Programs or projects are not managed as investments. The program or project evaluation process is not directly linked to the planning and budgeting process. No formal process exists for monitoring major initiatives, programs, and funding priorities; and subjecting them to a comprehensive performance review process. Performance measures are established on a transaction basis tied to specific system platforms rather than linked to the mission as a measure of organizational performance. Exhibit 3-8 summarizes our findings about the Library's ITS performance measurement process. It describes the sources and types of performance measures typically employed at each level of evaluation and how these evaluation methods compare to the Library's performance evaluation process. EXHIBIT 3-8 Weaknesses in the Performance Measurement Process Performance Entity Types of Measures Library Performance Measurement Process Mission  Customer Satisfaction  Mission goals and objectives measures  No formal IRM performance measurement process integrating planning budgeting and evaluation processes  Performance of key mission delivery processes not formally measured  IRM performance measures not formally defined, communicated and linked to mission performance Organization  Customer satisfaction  Strategic objective measures % Resource usage by objective  Measurable organizational performance objectives not defined and documented in the IT strategy  Performance measures not linked to budget evaluation  Resource expenditures and technology investments not measured against a defined IRM strategy and measurable performance objectives Program  Cost performance  Schedule performance  Technical performance  IRM programs and projects not treated as investments; program evaluation process not directly linked to planning and budgeting % Program and project work plans not consistently developed % Many high priority programs lack a formal review process to track and measure cost, schedule and technical performance Individual  Measurable personal business objectives  Development objectives  Accomplishments  Individual performance appraisals and personal development plans not formally tied to IRM objectives IT System or Application  User satisfaction  Reliability/Maintain-ability/Availability  Transaction-based statistics  System level performance is typically measured by transaction-based measures  System performance measures not closely linked to user satisfaction and responsiveness to mission needs D. The Library needs to decide whether to build new systems in-house or to outsource future systems development. The Library is currently at a crossroads and must determine whether it wants to continue to build new systems in-house or whether it would be more cost effective to acquire these capabilities elsewhere. Other government organizations have faced similar issues. For example, NARA has outsourced administration of its network environment and the Patent & Trademark Office has migrated away from doing custom software development to procuring and adapting commercial solutions. In any case, the Library will be faced with establishing more rigorous systems engineering processes and acquiring staff with new skills to ensure that automation requirements are met in an efficient and timely manner, and that they are consistent with organizational goals. 1. The Library is in a transition state with respect to the systems it is implementing. The Library is currently in a transition state regarding the types of systems it is implementing to support its mission. It is moving from building the internal data repository capabilities represented by the core legacy systems, to systems that are designed more to automate processes. This means that the operations of the Library are increasingly coupled to the systems designed to support them. The Library can either accept system development as integral to its mission and establish a full-scale, high-quality system development capability; or it can acquire the systems it needs by other means, i.e., purchase commercial products or outsource. The Library's need for sophisticated, technology-based solutions is expanding beyond its current capabilities. This trend is accentuated by the following: Expanding requirements for serving Congress and other Library users (resulting in systems such as THOMAS, GLIN, and NDL). The need to manage databases continually increasing in volume Changes in cataloging rules or strategy resulting in considerable data maintenance (e.g., the need for global updates to catalog records) Increased capability and technology innovation available in the marketplace 2. The Library's current legacy systems cannot support its future needs. The Library has a core dependence on legacy systems (e.g., SCORPIO, MUMS, COINS, COPICS) that have been in operation for over 20 years. These systems are complex, increasingly difficult to maintain, and cannot evolve in line with future Library requirements. The software code for the legacy systems was developed by Library staff at a time when system resources (e.g., memory, system registers, disk space, standardized operating system utilities) were scarce. This issue required software developers to structure code to conserve resources. As new requirements were identified, changes were implemented by fixing existing code and/or adding more code to the baselined version. Over two decades, these systems have necessarily become functionally rich and specifically tailored to the historical operating processes of the Library but they have also become extremely convoluted in design. As a result, the structure and complexity of these legacy systems are increasingly inflexible and difficult to adapt to changing requirements. They will eventually reach a point at which they can no longer evolve without major re-engineering efforts to restructure all or portions of the code. Additionally, if the Library moves in the direction of assuming an information broker role in the future, it must move to new interactive technologies that facilitate data sharing among geographically dispersed organizations. These legacy systems will not accommodate such changes. 3. The processes designed to support software development in the Library are not adequate for building high quality systems. At some point in its history, the Library institutionalized a structured development methodology called the Work in Process System (WPS). This approach, which detailed the documents and phases required to develop Library systems, was used for implementing large-scale, stand-alone, batch-oriented systems. It is still used, in part, by the staff maintaining the mainframe systems. Based upon discussions with various Library IT maintenance staff, however, it is not applied uniformly across all software development projects. As technology evolved, the WPS approach has become less applicable. The Library abandoned the WPS system engineering framework but did not replace it with system engineering practices more appropriate to new systems. As a result, no institutionalized system engineering framework currently exists. Each individual development team decides on its own approach, platform, and development environment. The team then monitors its own adherence to self-developed conventions. The only development standards that are being followed by multiple teams are those developed for systems on the Internet. If the Library wants to continue to build information systems, it must address existing shortfalls in its System Development Life Cycle approach in the following areas: System planning Requirements definition Requirements tracking/validation Configuration management/control Development tools/environment Development methodologies Test approach/tools Data definition and repository Engineering process integration Project control. The following sections detail our specific findings regarding processes in each of these system engineering disciplines: System planning-System development costs are not routinely estimated before development and only sometimes after a project has been completed. The hardware may be planned but the labor required is taken out of the development labor pool and is usually not viewed as a "cost" to the project. In the only discovered instance in which a project (SMS) had been assessed to determine cost, including labor, an issue still under discussion is the "loading" applied to labor rates (e.g., for benefits, facilities, auxiliary support functions, etc.). This information is not readily available to the Library staff. True costs and level of accomplishment for specific initiatives are also obscured by the fact that the budget is not structured and executed in a way that will easily produce such data. Requirements definition-The Library has implemented several useful techniques in this area focused on garnering strong user involvement. ITS points of contact with the service areas are primarily tasked with ensuring requirements are properly defined. Methods for capturing defined requirements are not consistent across the teams and sometimes rely heavily on mutual understanding between the staff involved. Although most projects reviewed did produce some type of written requirements statement, format, content and level of detail vary. Requirements tracking and validation-The most common method of tracking requirements at the Library is to record individual requirements in the form of tasks to be completed. This task list then becomes the Project Plan for the effort. We found no evidence of automated requirements tracking systems or other mechanisms to support this function, with the exception of the Work Tracking System used to track help desk problem reports. Discussions with the development staff indicate that requirements are not universally linked to system documentation. Configuration Management (CM)-CM is handled by each development team until the system is turned over for production. The mainframe systems are more tightly controlled. CM planning, processes, and tools are not required to be consistent between projects and we did not find evidence of a formal CM structure. Only one project indicated it used automated CM tools for tracking source code and system components. A common response we received when requesting specific documentation was that it existed somewhere but the exact location was not immediately known. Development tools-The Library indicated that several products have been tried but none has been adopted for Library-wide use. Individual development teams select the tools and environment considered most appropriate for the system they are building, subject to management concurrence. ITS is in the process of trying to standardize on a set of data base products and development platforms to address the issue of support and maintenance for a heterogeneous architecture. Development methodologies-The Library indicated that it does not use a suite of standardized development methodologies other than the instances where the WPS approach is still followed. Use of a particular methodology is at the initiative of an individual team or staff member. Test approach and tools-The maintenance teams for the mainframe systems currently implement the most rigorous approach to testing; although "emergency" fixes do not always go through a full test scenario. Quality assurance staff are responsible for reviewing changes to production systems, performing some testing in accordance with developed test scripts, and moving versions of the code into production. Systems under development are tested in accordance with the test approach selected by the development team, which may or may not be formalized. In most cases, final acceptance testing is accomplished by turning the test configuration over to the user rather than using a structured approach governed by an Acceptance Test Plan. Data definition and repository-The ITS data administration staff has the responsibility for working with development teams and overseeing all data dictionary and data element definition activities. Entity-relationship models are used as the basis for more complex systems, but are developed on an individual project basis. Attempts to develop global definitions for data used by different segments within the organization have not been successful. Engineering process integration-No formal mechanism exists for translating requirements into support and resource needs across ITS and other segments of the Library. The focus of planning and process implementation is at the project level and varies between individual projects. Communication between projects is dependent upon individual team members and is not governed by any formal mechanism. It is facilitated to some degree by the "automation liaisons" but this mechanism is heavily dependent on personal relationships. The key formal mechanism for interaction on a technical level is the Technology Working Group, which emphasizes workstation allocation and other budget issues. This role has not been enhanced to provide a means of developing integrated plans and solutions. Project control-Although reporting mechanisms exist, they are oriented toward budget management of the organization. They are not crafted to provide the level of information needed to monitor and guide development and project activities effectively. The "project control" function at the global level is missing or informal. This includes activities such as developing master schedules across all projects, resource balancing, and resource projection. At the individual project level, the use of project control techniques supported by automated tracking or management tools has not been institutionalized and initiatives are not tracked in sufficient detail to determine total project cost, projected resource needs, overallocated resources, etc. In summary, we found that some accepted systems engineering practices have been implemented or are being developed throughout the Library. The degree to which this is occurring depends upon the specific project or development group. Although the lack of a structured system engineering framework is viewed by many as allowing flexibility, the potential impacts for the Library include: There is greater difficulty in accurately assessing the status of current systems Individual teams must "pay the cost" to recreate needed components Systems are developed with little consistency (e.g., design approaches, naming conventions, screens, documentation, development techniques, degree of modularity) System integration is hampered and opportunities for multi-use code are reduced The quality, complexity, and comprehensiveness of developed systems is dependent upon the skills and capabilities of a specific team. 4. Continued in-house systems development will be difficult with the existing staff. The key resource for a high-quality system delivery capability is the staff. The Library has a pool of staff resources, many of whom have a long history with the organization. A number of issues, however, must be overcome if the Library chooses to continue in-house systems development. These issues include the following: ITS has staff members who are experts in certain applications (e.g., bibliographic records). The Library legacy systems are maintained by staff who are highly skilled in the intricacies of their particular segment of the system and, in some cases, were even involved in the original implementation efforts. For the most part, this staff is fairly small (maintenance staff typically averages 4-5 people, not always full- time) and these individuals do not cross into other areas or systems. This situation poses a high long-term risk for the Library because the legacy systems are complex, difficult to replace, lack accurate maintenance documentation, and require skills that are difficult to find in the marketplace. The Library Resystemization effort started in the late 1980's was designed to resolve this situation but it was never completed. In one anecdotal example, a new staff member was able to "come up to speed" on an existing legacy system to the point of producing viable work at a basic level after one year, including three months of working with a knowledgeable staff member. Resources and skills of those responsible for implementing technology are in many instances rooted in the mainframe milieu. The Library does not yet have the critical mass of technical talent needed to continually expand and sustain current new initiatives such as NDL. Staff that are core knowledge holders are reaching retirement age and have not always been back-filled with trained, younger staff. The lengthy hiring process adversely affects the ability of ITS to acquire talent necessary to deliver state-of-the-art technology solutions. 5. The skills and structure needed to outsource technical work are not fully available. The structure and skills required to manage outsourced technical work do not fully exist at the Library. The framework required to support contract efforts and to ensure that high-quality products are delivered must include many of the components of a structured system engineering organization that the Library currently lacks. These include: Proven, structured methods for capturing, managing and communicating system and project requirements Clear, measurable quality standards against which deliverables can be assessed Mechanisms to enforce project and technical integration across the organization and all contract efforts Efficient, clear and consistent project control and reporting mechanisms Performance metrics tied to the mission Concise development standards and guidelines Functionally and technically knowledgeable staff. The Library has already contracted out several efforts with mixed results. For example, the Copyright Imaging System (CIS) was originally developed using proprietary hardware and software from a small vendor company. The proprietary nature of the platform made it difficult to integrate with other systems and restricted the Library's ability to upgrade the system without calling upon the original developer. CIS is in the process of being changed to resolve this issue. We also encountered several descriptions of small systems built under contract in the PC environment that were not adequately documented. When the individuals who built the systems were no longer available, the Library was unable to maintain the systems properly. In another instance, the Library has not specified the use of engineering standards for the contractor associated with CORDS and NDL (Corporation for National Research Initiatives (CNRI)). Infrastructure requirements have not been modeled, nor have the requirements for indefinitely sustaining the NDL been specified and budgeted. 3.3.3 Recommendations There are a number of action items that the Library could take to improve its technology infrastructure and processes should it decide to continue in the systems development business. More importantly, however, the Library needs to view information technology as an integral component of its mission. This issue will become even more critical if the Library assumes a collaborative information/knowledge broker role as described in the Mission section. The Library's ability to "make knowledge available and useful to Congress and to the American people and to provide leadership in creating networks of institutions that enable the world's resources to be shared" will be predicated upon the successful implementation of emerging information technology. Specific recommendations include the following 1. The Library needs to place a greater strategic focus on Information Resources Management (IRM). The Library management must first adopt a strategic IRM approach by changing how it views, collects, and uses information in order to achieve its mission objectives. As recommended earlier in the Mission section of this report, the mission of the Library and the customers it supports must be clearly defined and articulated, and this definition must be supported by both Congress and the Library. This global approach should be reflected in a strategic IRM plan that lays out the part technology will play in enabling mission goals. The Library should expand the focus of the ITS Director to include the functions of a Chief Information Officer (CIO). The position must be enabled with the responsibility and authority to participate in the formation of the mission strategy so that technology will more fully support the Library's needs. The CIO should be responsible for providing the leadership and focus for the information organization, for managing executive expectations, and for developing and implementing the IT strategy. Both the Smithsonian Institution and the Patent & Trademark Office have assigned a CIO to manage information strategy and information assets. 2. The Library needs to integrate its technology infrastructure across the organization. The Library should perform a structured configuration audit of all existing systems to establish an accurate configuration baseline. Once this is completed, it should develop a plan to transition to a target architecture to support its long-range goals. Finally, the Library should establish the mechanisms to control this architecture and to keep it documented. The Library should develop detailed, workable transition plans for its legacy systems within the context of the target architecture. 3. The Library needs to manage its technology programs and projects as investments. The Library should establish a process to provide management with information on IRM program costs and performance. This will ensure that information is available to make wise technology investment decisions. The University of California at Berkeley is an example of an organization that has successfully taken a business approach to its library operations. 4. The Library should decide whether to build new systems in-house or to outsource future systems development. If the Library decides to continue developing its own systems, it needs to address shortfalls in its System Development Life Cycle processes because no institutionalized system engineering framework currently exists. Additionally, it needs to assess current skills against needed skills and implement a process to acquire missing skills through training or hiring. If the Library decides to outsource systems development, it should develop the framework and skills needed to manage outsourced technical work. 1 Data from the December 1, 1992, Library of Congress Collections Storage Plan. 2 FY 1993 Legislative Branch Appropriations Bill. 3 Data from the March 28, 1994, Library of Congress Regulation 214-3, Functions and Organization of Integrated Support Services, Constituent Services. 4 Data from July 13, 1995, Library of Congress memorandum from the Director of ISS to the Deputy Librarian of Congress. 5 Data from the December 1, 1992, Library of Congress Collections Storage Plan. 6 Data from, the January 26, 1989, Arthur Young Library of Congress Management Review. 7 Data from the December, 1989, Madison Building Offices and Conference Rooms Revised Standards Document. 8 Data from the July 31, 1995, National Archives and Records Administration, Report of the NARA Space Planning Team. BoozaAllen & Hamilton 3-1 BoozaAllen & Hamilton 3-35 BoozaAllen & Hamilton 3-56