This is the accessible text file for GAO report number GAO-05-661 
entitled 'Information Technology Management: Census Bureau Has 
Implemented Many Key Practices, but Additional Actions Are Needed' 
which was released on July 18, 2005. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

June 2005: 

Information Technology Management: 

Census Bureau Has Implemented Many Key Practices, but Additional 
Actions Are Needed: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-661]: 

GAO Highlights: 

Highlights of GAO-05-661, a report to congressional requesters: 

Why GAO Did This Study: 

The Census Bureau's mission is to serve as the leading source of high 
quality data about the American people and the economy. This 
information is used to determine congressional and state legislative 
districts and to distribute hundreds of billions of dollars in federal 
funds each year. Information technology (IT) plays a critical role in 
the bureau's ability to carry out its missions by supporting data 
collection, analysis, and dissemination activities. In the past, the 
bureau has experienced problems with the development, acquisition, and 
implementation of IT systems. GAO was asked to (1) provide an IT 
profile of the Census Bureau, including an overview of information 
technology management and plans for the 2010 decennial census and (2) 
evaluate the adequacy of the bureau's IT policies, procedures, and 
practices in the areas of investment management, system 
development/management, enterprise architecture management, information 
security, and human capital. 

What GAO Found: 

The Census Bureau has a decentralized approach to IT management. The 
chief information officer is responsible for establishing policy and 
strategies and shares responsibility for implementing policies and 
managing systems and staff with the associate directors for different 
bureau program areas. In its 5-year strategic IT plan, the bureau 
identified 10 major investments that are currently estimated to total 
about $4 billion through 2009. Three of the bureau's 10 major 
investments--estimated to cost $2.7 billion--are expected to support 
the 2010 decennial census. For example, the bureau plans to invest 
about $1.8 billion in the 2010 Testing, Evaluation, and Systems Design 
program--an effort to redesign procedures and increase the use of 
automation planned for the 2010 decennial census through a multiyear 
effort of planning, development, and testing. 

The bureau has developed policies and procedures and initiated key 
practices in many of the areas that are important to successfully 
managing IT, including investment management, system 
development/management, enterprise architecture management, information 
security, and human capital management. However, many of these 
practices are not fully and consistently performed (see figure). For 
example, in the IT investment management area, the bureau has 
established executive-level investment boards, but it lacks written 
procedures outlining how the investment boards are to operate and 
ensuring a consistent and repeatable approach to investment management 
and decision making. As a result of this and other weaknesses, the 
bureau is at increased risk of not adequately managing major IT 
investments and is more likely to experience cost and schedule overruns 
and performance shortfalls. Because the bureau plans to spend billions 
of dollars on information technology to prepare for the 2010 decennial 
census, building in sound IT practices now is more critical than ever. 

Number of Key Information Technology Management Activities Implemented: 

Information Technology Management Area: IT Investment Management[A]; 
Incomplete or obsolete policies and procedures; ad hoc practices: 0; 
Policies or procedures for key functions; only selected practices in 
place: 4; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards: 1. 

Information Technology Management Area: System 
Development/Management[A]; 
Incomplete or obsolete policies and procedures; ad hoc practices: 1; 
Policies or procedures for key functions; only selected practices in 
place: 7; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards: 0. 

Information Technology Management Area: Enterprise Architecture 
Management[A]; 
Incomplete or obsolete policies and procedures; ad hoc practices: 0; 
Policies or procedures for key functions; only selected practices in 
place: 2; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards: 14. 

Information Technology Management Area: Information Security; 
Incomplete or obsolete policies and procedures; ad hoc practices: 0; 
Policies or procedures for key functions; only selected practices in 
place: 5; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards: 2. 

Information Technology Management Area: IT Human Capital; 
Incomplete or obsolete policies and procedures; ad hoc practices: 0; 
Policies or procedures for key functions; only selected practices in 
place: 3; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards: 1. 

Total: Incomplete or obsolete policies and procedures; ad hoc 
practices: 1; 
Policies or procedures for key functions; only selected practices in 
place: 21; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards: 18. 

Source: GAO. 

[A] Denotes areas assessed at less than full maturity within a maturity 
framework. 

[End of table]

What GAO Recommends: 

GAO is making recommendations to the Secretary of Commerce to improve 
the bureau's ability to effectively manage IT by addressing weaknesses 
found in each of the management areas GAO reviewed. In written comments 
on a draft of this report, Commerce agreed with GAO's recommendations 
and noted that the bureau has already begun improvements. 

www.gao.gov/cgi-bin/getrpt?GAO-05-661. 

For more information, contact David A. Powner at (202) 512-9286 or
pownerd@gao.gov.

[End of section] 

Contents: 

Letter: 

Recommendations: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Briefing Slides: 

Appendix II: Comments from the Department of Commerce: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Related Products by GAO and the Department of Commerce's Inspector 
General: 

Letter June 16, 2005: 

The Honorable Tom Davis: 
Chairman:
Committee on Government Reform: 
House of Representatives: 

The Honorable Michael R. Turner: 
Chairman: 
Subcommittee on Federalism and the Census: 
Committee on Government Reform: 
House of Representatives: 

The Honorable Adam H. Putnam: 
House of Representatives: 

The Census Bureau's mission is to serve as the leading source of
high-quality data about the American people and the economy. These data are
used to determine congressional and state legislative districts and to 
distribute hundreds of billions of dollars in federal funds each year. 
Also, federal agencies use census data to evaluate the effectiveness of 
government programs, while businesses use census data to target new 
services and products and to tailor existing ones to demographic 
changes. Information technology (IT) plays a critical role in the 
bureau's ability to carry out its missions by supporting data 
collection, analysis, and dissemination activities throughout the 
organization. 

The bureau is currently planning the decennial census--the nation's 
oldest and most comprehensive source of population and housing 
information. The bureau estimates that the 2010 decennial census will 
cost $11.3 billion, including $2.7 billion for IT investments. Because 
the bureau has experienced problems with the development, acquisition, 
and implementation of systems in preparing for past censuses, you 
requested that we examine whether it is employing effective information 
technology management practices. Our objectives were to (1) provide an 
IT profile of the Census Bureau, including an overview of information 
technology management and plans for the 2010 decennial census and (2) 
evaluate the adequacy of the bureau's IT policies, procedures, and 
practices in the areas of investment management, system 
development/management, enterprise architecture management, information 
security, and human capital. 

To provide an overview of the bureau's information technology 
management, we assessed its documentation, including IT operational and 
strategic plans, and we interviewed bureau officials to identify 
management roles and responsibilities, organization, staffing, and 
investments. To evaluate the adequacy of the bureau's information 
technology management, we reviewed the bureau's policies and procedures 
in each of five key IT areas--investment management, system 
development/management, enterprise architecture management, information 
security, and human capital--and we compared them against applicable 
laws, federal guidelines, and industry standards. We also reviewed 
selected projects, to determine whether the bureau's practices were 
consistent with its own policies and procedures as well as with 
industry standards. More detailed descriptions of the scope and 
methodology for each of the five IT areas are provided in the segments 
of this briefing that address each area. We performed our work at the 
Department of Commerce in Washington, D.C., and at Census Bureau 
headquarters, in Suitland, Maryland, from August 2004 to February 2005, 
in accordance with generally accepted government auditing standards. 

In mid-April 2005, we provided a detailed briefing to your subcommittee 
and committee staffs on the results of this work. The briefing slides 
are included in appendix I. The purpose of this letter is to formally 
publish the briefing slides and to officially transmit our 
recommendations to the Secretary of Commerce. 

In brief, we reported that the bureau has a decentralized approach to 
IT management. The chief information officer is responsible for 
establishing policy and strategies and shares responsibility for 
implementing policies and managing systems and staff with the associate 
directors for different bureau program areas. In its 5-year strategic 
IT plan, the bureau identifies 10 major investments that are currently 
estimated to cost about $4 billion through 2009. Three of the bureau's 
10 major investments--estimated to cost $2.7 billion--are expected to 
support the 2010 decennial census. For example, the bureau plans to 
invest $1.8 billion in the 2010 Testing, Evaluation, and Systems Design 
program--an effort to redesign procedures and increase the use of 
automation planned for the 2010 decennial census through a multiyear 
effort of planning, development, and testing. 

The bureau has developed policies and procedures and has initiated key 
practices in many of the areas that are important to successfully 
managing IT--including investment management, system 
development/management, enterprise architecture management, information 
security, and human capital management. However, many of these 
practices are not fully and consistently performed. For example, in the 
IT investment management area, the bureau has established
executive-level investment boards, but it lacks written procedures outlining how
the investment boards are to operate and ensuring a consistent and 
repeatable approach to investment management and decision making. As a 
result of this and other weaknesses we found, the bureau is at 
increased risk of not adequately managing major IT investments and is 
therefore more likely to experience the cost and schedule overruns and 
performance shortfalls that plague other major IT investments and 
acquisitions. Because the bureau plans to spend billions of dollars on 
information technology to prepare for the 2010 decennial census, 
building in sound IT practices now is more critical than ever. 

Recommendations: 

To improve the Census Bureau's ability to effectively manage 
information technology, we are making 13 recommendations to the 
Secretary of Commerce to direct the bureau to address weaknesses we 
found in each of the IT management areas. 

To strengthen the bureau's ability to manage IT investments, we 
recommend that the Secretary of Commerce direct the bureau to: 

* develop written procedures to guide its IT investment boards' 
operations and use these procedures to ensure consistent investment 
management and decision-making practices,

* develop well-defined and disciplined written procedures that outline 
the process for selecting new IT proposals and reselecting ongoing 
investments and use these procedures in investment decision making,

* develop and implement defined criteria and documented policies and 
procedures for monitoring the progress of all IT projects and systems, 
and

* create a comprehensive repository that collects investment 
information that is up to date and accessible to decision makers. 

To strengthen agencywide system development and management 
capabilities, we recommend that the Secretary of Commerce direct the 
bureau to institutionalize a process improvement initiative, such as 
the Capability Maturity Model Integration framework, and establish 
goals for projects to reach successive capability levels in selected 
process areas, including project planning, project monitoring and 
control, requirements management, process and product quality 
assurance, configuration management, measurements and analysis, 
verification, and risk management. 

To support the bureau in its efforts to develop and implement an 
effective enterprise architecture (EA), we recommend that the Secretary 
of Commerce direct the bureau to: 

* determine an adequate level of resources to accomplish planned EA 
activities in order to ensure continued improvements to the bureau's EA 
model and

* establish a written policy endorsing and enforcing the bureau's 
enterprise architecture. 

To improve information security, we recommend that the Secretary of 
Commerce direct the bureau to: 

* establish milestones for identifying staff with special security 
training needs and developing an effective training program for them;

* establish milestones for identifying system penetration tools to aid 
network access security and for testing network controls using these 
tools; and

* monitor progress against these milestones and the milestones that 
have already been established to address weaknesses in risk 
assessments, information system security controls, and oversight 
management tools, in order to ensure that these activities are 
completed in a timely manner. 

To improve the bureau's ability to manage its IT workforce, we 
recommend that the Secretary of Commerce direct the bureau to: 

* annually assess IT knowledge and skills to determine whether they 
meet current requirements and

* use the planned gap analysis to identify workforce strategies to fill 
skills gaps and then evaluate these strategies to determine their 
effectiveness in improving human capital management. 

Agency Comments and Our Evaluation: 

We received comments on a draft of this report from the Department of 
Commerce (see app. II). In these comments, the Acting Deputy Secretary 
of Commerce stated that the agency agrees with our recommendations and 
that our findings are accurate, but noted that the report did not 
acknowledge steps that the Census Bureau is taking to address the 
report's findings and other IT issues. In particular, the deputy 
secretary noted that the bureau is taking a very proactive and 
aggressive movement toward change and that it is in the process of 
introducing a corporate IT environment--which is expected to lead to 
improvements in IT management. Commerce also commented that only 1 of 
40 activities we evaluated was found to be incomplete or obsolete. 

The bureau's steps to act on our recommendations should put it in a 
better position to manage information technology in the future. 
However, it is important to note that while only 1 of 40 activities was 
rated as incomplete or obsolete, there were 21 other activities that 
did not have key policies and/or practices in place. For example, while 
we found that the bureau collects information about IT projects, it 
does not have a comprehensive and consistent repository of IT 
investment information that provides decision makers with data for 
evaluating the impacts and opportunities created by IT investments. We 
plan to assess the bureau's recent, ongoing, and planned steps to 
improve its IT management practices as part of our follow-up on open 
recommendations. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution of it until 30 
days from the report date. At that time, we will send copies of this 
report to interested congressional committees, the Secretary of 
Commerce, and other interested parties. In addition, this report will 
be available at no charge on GAO's Web site at [Hyperlink, 
http://www.gao.gov]. 

If you have any questions on matters discussed in this report, please 
contact me at (202) 512-9286 or [Hyperlink, pownerd@gao.gov]. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix III. 

Signed by: 

David A. Powner: 
Director, Information Technology Management: 

[End of section]

Appendixes: 

Appendix I: Briefing Slides: 

Census Bureau Information Technology Management: 

Briefing for the Subcommittee on Federalism and the Census: 
Committee on Government Reform: 

House of Representatives: 

April 20, 2005: 

Purpose and Outline: 

Purpose: 

* To provide an overview and our analysis of the Census Bureau's
information technology (IT) management.

Outline: 

* Objectives; 
* Scope and Methodology; 
* Results in Brief; 
* Background; 
* Census Bureau's IT Profile--Overview and Plans;
* Census Bureau's IT Policies, Procedures, and Practices; 
* IT Investment Management; 
* System Development/Management; 
* Enterprise Architecture Management; 
* Information Security; 
* IT Human Capital; 
* Agency Comments.

GAO Objectives: 

* To provide an IT profile of the Census Bureau, including an overview
of information technology management and IT plans for the 2010
decennial census.

* To evaluate the adequacy of the bureau's IT policies, procedures, and
practices in the areas of investment management, system
development/management, enterprise architecture management, information
security, and human capital.

Scope and Methodology: 

* To identify the bureau's IT profile, we assessed agency 
documentation, including IT operational and strategic plans, and we 
interviewed bureau officials to determine IT management roles and 
responsibilities, organization, staffing, and investments. 

* We analyzed GAO's and the Department of Commerce's Inspector 
General's reports to identify past IT management issues that affected 
the 2000 census, and we reviewed bureau documentation and interviewed 
agency officials to determine plans for IT systems during the 2010 
decennial census. 

* To evaluate the adequacy of the bureau's IT management, we reviewed 
the bureau's IT policies and procedures for investment management, 
system development/management, enterprise architecture management, 
information security, and human capital, and we compared them with 
applicable laws and regulations, federal guidelines, and industry 
standards. More detailed descriptions of the scope and methodology for
each of the five IT areas are provided in the segments of this briefing
that address each area.

* We reviewed selected IT projects to determine whether practices 
complied with the agency's policies and procedures, federal guidance, 
and industry standards, and we sought work products documenting these 
practices, where applicable. Given the importance of IT to the 
decennial census effort, we selected projects that support decennial 
census activities. 

* We conducted this review at the Department of Commerce in Washington, 
D.C. and at Census Bureau headquarters in Suitland, Maryland. We 
conducted our work from August 2004 through February 2005, in 
accordance with generally accepted government auditing standards. 

Results in Brief: 

The Census Bureau has a decentralized approach to IT management. The 
Information Technology directorate, led by the Chief Information 
Officer, is responsible for establishing IT policy and strategies, 
while multiple program directorates are responsible for implementing 
policies and managing IT systems and staff. 

The bureau's 5-year strategic plan identifies 10 major IT investments 
that are currently estimated to cost about $4 billion through 2009, of 
which three investments support the reengineering of the 2010 decennial 
census. The bureau is reengineering its approach to IT support for the 
decennial census and plans to test new technologies and systems in 2006 
and 2008. 

The bureau has established policies or procedures and initiated key 
practices in many of the areas that are important to successfully 
managing IT, including investment management, system development and 
management, enterprise architecture management, information security, 
and human capital management. However, many of the key practices are 
not fully and consistently performed. As a result, the bureau is at 
increased risk of not adequately managing major IT investments and is 
more likely to experience the cost and schedule overruns and 
performance shortfalls that plague other major IT investments and 
acquisitions. 

Since the bureau plans to spend billions of dollars on information 
technology to prepare for the 2010 decennial census, building in sound 
IT practices now is more critical than ever. 

In order to improve the bureau's ability to effectively manage IT 
investments, we are making recommendations to the Secretary of Commerce 
to direct the Census Bureau to address weaknesses we found in each of 
the IT management areas. 

In commenting on a draft of this briefing, Census Bureau officials, 
including the Chief Information Officer, the Comptroller, and the Chief 
of the Information Systems Support and Review Office, stated that they 
agreed with our findings and recommendations. 

Background: 

Census Bureau's Mission and Core Activities: 

The bureau's mission is to serve as the leading source of high quality 
data about the nation's people and economy. Core activities include: 

* conducting decennial, economic, and government censuses;

* conducting demographic and economic surveys;

* managing international demographic and socioeconomic databases and 
providing technical advisory services to foreign governments; and 

* performing other activities such as producing official population 
estimates and projections. 

Public and private decision makers use census population and 
socioeconomic data for various purposes. For example, decennial census 
data are used to determine congressional and state legislative 
districts and to distribute hundreds of billions of dollars of federal 
funds each year. Also, federal agencies use census data to evaluate the 
effectiveness of established programs, while businesses use census data 
to target new services and products and to tailor existing ones to 
demographic changes. 

IT plays a critical role in the bureau's ability to carry out its 
missions, supporting data collection, analysis, and dissemination 
throughout the organization. 

Background: 

Census Bureau Organization: 

The bureau is a large and complex organization. A conceptual view of 
the agency includes three core organizations, two auxiliary 
organizations that provide guidance and operational support for the 
core organizations, and three support organizations that provide 
administrative and technical support for the entire bureau. Each of 
these organizations is headed by an associate director who reports to 
the Deputy Director of the Census Bureau. 

Background: 

The Bureau's Decennial Census: 

The bureau's decennial census is the nation's oldest and most 
comprehensive source of population and housing information. 

Conducting a decennial census involves: 

* identifying and correcting addresses for all known living quarters in 
the United States,

* sending questionnaires to housing units,

* following up with non-respondents through personal interviews,

* trying to identify people with non-traditional living arrangements,

* managing a voluminous workforce that is responsible for follow-up 
activities,

* collecting census data using questionnaires, phone calls, and 
personal interviews,

* summarizing and tabulating census data, and

* disseminating analytical results from the census to the public. 

Background: 

IT Issues Affected the 2000 Census: 

Information technology is critical to a successful decennial census. We 
and Commerce's Inspector General have reported on several issues that 
arose as the bureau developed and used IT systems for the 2000 census. 
[NOTE 1] These issues included: 

* untimely and inaccurate management information,

* lack of mature and effective software and systems development 
processes,

* inadequate testing of key systems,

* inadequate security controls, and

* insufficient number of experienced staff to manage expensive and 
complex system projects. 

Both we and the Inspector General have made a series of recommendations 
to address these issues, and the bureau has initiated efforts to 
address them. 

IT Profile Overview and Plans: 

IT Roles and Responsibilities: 

The bureau's Associate Director for Information Technology--who is also
the Chief Information Officer (CIO)--and the other associate directors
share key responsibilities for IT management.

The CIO is responsible for bureauwide IT technical support and 
leadership, including: 

* managing the investment management process to ensure that all IT 
investments support desired mission outcomes;

* establishing standards for system development and management of IT 
projects;

* defining and directing enterprise architecture development, education 
and compliance; and

* ensuring the information security of systems and networks. 

* The Associate Director for Administration, who is also the Chief 
Financial Officer, is responsible for providing bureauwide 
administrative and financial management for the agency, including 
conducting human capital strategic planning for IT and other personnel. 

* The associate directors for the other organizations are responsible 
for managing system acquisitions and IT staff to support their programs 
and goals. 

IT Profile Overview and Plans: 

IT Staffing: 

As of February 2005, the bureau reported having about 1,100 IT staff in 
its approximately 12,000-person workforce. These staff are spread 
throughout the bureau, to support the bureau's organizations as 
follows: 

[See PDF for image]--graphic text: 

Pie chart with eight items. 

Information Technology/Chief Information Officer: 23%; 
Economic Programs: 23%; 
Decennial Census: 13%; 
Demographic Programs: 13%; 
Administration/Chief Financial Officer: 8%; 
Others (including the Director's Office and Communications): 3%; 
Methodology and Standards: 2%. 

Source: GAO analysis based on U.S. Census Bureau data. 

[End of figure] 

The bureau also has about 500 on-site contractor staff who perform a 
variety of activities, including systems design and programming, 
systems integration, studies, and analyses. 

IT Profile Overview and Plans: 

IT Investments: 

In its 2004-2009 strategic IT plan, the bureau identified 10 major IT 
investments that are currently estimated to total about $4 billion. 

Investment Name: American Community Survey; 
Description: an initiative to survey households on a monthly basis, 
provide annual tabulations, and thereby eliminate the long form from 
the 2010 decennial census; 
Estimated Total Life Cycle Costs (in millions): $324.00. 

Investment Name: Master Address File/Topologically Integrated 
Geographic Encoding & Referencing (MAF/TIGER) system enhancement 
program; 
Description: an effort to modernize the MAF/TIGER systems to support 
the 2010 census and its associated testing activities; 
Estimated Total Life Cycle Costs (in millions): $535.50. 

Investment Name: 2010 Testing, Evaluation, and Systems Design; 
Description: an integrated set of tasks oriented toward developing an 
IT architecture to enable the bureau to conduct a reengineered,
short-form only decennial census in 2010;
includes identifying the conceptual components of specific systems, 
testing operations during 2004 and 2006 tests and then defining the 
functional requirements for specific systems that will be implemented 
in the 2008 dress rehearsal and the 2010 census; 
Estimated Total Life Cycle Costs (in millions): $1,813.30. 

Investment Name: Automated Export Trade Statistics System; 
Description: a system that supports expedited monthly statistics on 
international trade, remedies shortcomings in export statistics, and 
helps to control the export of weapons or other hazardous items that 
could be a threat to our national security or the public welfare; 
Estimated Total Life Cycle Costs (in millions): $42.50. 

Investment Name: Data Access and Dissemination System; [NOTE 2]
Description: a system that provides portal access to the largest and 
most popular census data sets; 
Estimated Total Life Cycle Costs (in millions): $265.90. 

Investment Name: Demographic Statistics IT Support Systems; 
Description: systems that account for and provide tools for managing 
the costs associated with the demographic surveys division’s IT 
infrastructure maintenance; 
Estimated Total Life Cycle Costs (in millions): $123.00. 

Investment Name: Economic Census, Government Census, and Surveys; 
Description: a project to provide statistical programs that count and 
profile U.S. businesses and government organizations; 
Estimated Total Life Cycle Costs (in millions): $462.50. 

Investment Name: E-Government; 
Description: an initiative to support e-government services by letting 
businesses file electronically in any current economic survey; 
Estimated Total Life Cycle Costs (in millions): $17.10. 

Investment Name: Field Support Systems; 
Description: an initiative that involves developing, testing, and 
maintaining automated systems for data collection, tracking, and 
training for the critical current survey programs and for maintaining 
IT infrastructure for field headquarters and twelve regional offices; 
Estimated Total Life Cycle Costs (in millions): $246.00. 

Investment Name: Geographic Support Systems; 
Description: systems that provide the integrated and automated 
computer-based geographic support that is crucial to all censuses and 
household surveys; 
Estimated Total Life Cycle Costs (in millions): $175.00. 

[End of table] 

IT Profile Overview and Plans: 

Plans for 2010 Decennial Systems: 

Three of the 10 major IT investments in the bureau's strategic IT plan 
(comprising $2.7 billion, or 67 percent, of the $4 billion in planned 
IT investments) are expected to support the reengineering of the 2010 
decennial census: 

* American Community Survey 

* MAF/TIGER Enhancement Program 

* 2010 Testing, Evaluation, and Systems Design 

The bureau is reengineering the 2010 decennial census by changing 
procedures, increasing the use of automation, and using new 
technologies. These initiatives are expected to lead to a simpler 
decennial census which is more efficient and cost effective, provides 
richer information, improves coverage accuracy, and reduces operational 
risk. 

Key elements of this reengineering include: 

* moving away from using the long form during the decennial census (by 
substituting the American Community Survey in its place),

* improving the accuracy and reliability of address data (via MAF/TIGER 
Enhancements), and 

* redesigning procedures and increasing the use of automation planned 
for the 2010 decennial census through a multiyear effort of planning, 
development, testing, revision, and retesting (via the 2010 Testing, 
Evaluation, and Systems Design program). 

More specifically, the 2010 Testing, Evaluation, and Systems Design 
program includes the following: 

Field data collection activities: 

* exploring improved integration and automation of field data 
collection activities, including new technologies such as hand-held 
computers;

* awarding a contract to design and develop field data collection 
processes and systems by April 2006; the cost of this contract, called 
the Field Data Collection Automation program, has not yet been 
finalized. 

Public response activities: 

* identifying new approaches to providing assistance to the public and 
capturing census data from telephone, paper, and internet sources;

* awarding a contract by October 2005 to develop a system for providing 
assistance to the public and capturing data; according to bureau 
officials, this contract, called the Decennial Response Integration 
System, is estimated to cost over $669 million through 2013. 

The 2010 Testing, Evaluation, and Systems Design program also includes 
a series of tests in the years leading up to the decennial census. 

2004: The bureau tested critical field operations using systems under 
conditions similar to those that will be used during the decennial 
census. In particular, the agency studied the feasibility of using 
hand-held mobile computing devices equipped with Global Positioning 
System 
capability to conduct nonresponse follow-up operations. We recently 
reported on lessons learned during this test. [NOTE 3] 

2006: The bureau plans to test the methodology and functions of the 
integration of systems that will be needed to carry out the 
reengineered census, focusing on efforts to automate nonresponse 
follow-up activities and on initiatives to update the address list. 

2008: The bureau plans to conduct a final operational test of the 
entire complement of methodological, procedural, and systems 
innovations for the 2010 decennial census. 

IT Policies, Procedures, and Practices: 

IT Areas Evaluated: 

To evaluate IT management, we focused on five key areas that encompass 
major IT functions and are recognized by public and private entities as 
having substantial influence on the effectiveness of IT operations: 

* IT investment management processes and practices are used to select, 
control, and evaluate investments in order to help ensure that they 
increase business value and mission performance. In 2004, we issued a 
framework for assessing federal agencies' IT investment management 
practices. [NOTE 4] This framework identifies critical processes for 
making successful IT investments; it is organized into five 
increasingly mature stages. The framework's five maturity stages 
represent steps toward achieving a stable and mature IT investment 
process. By determining the current stage of maturity of an 
organization, managers are better able to identify specific steps that 
would contribute to improving IT management. 

* System development/management capabilities help organizations 
acquire, develop, and manage information systems and technology 
successfully--that is, they help reduce the risk of cost overruns, 
schedule delays, and performance shortfalls. The Software Engineering 
Institute has established a framework for organizations to use to 
assess and improve system management capabilities in different process 
areas, such as project planning, project monitoring and control, 
requirements management, configuration management, and risk management. 
By determining a project's or organization's current capabilities, 
managers can identify steps for improving the processes that can 
contribute to successful project results. 

* Effective use of an enterprise architecture (EA), or a modernization 
blueprint, is a trademark of successful public and private 
organizations. An EA connects an organization's strategic plan with 
program and system solutions by providing the fundamental information 
details needed to guide and constrain investments in a consistent, 
coordinated, and integrated fashion--thereby improving interoperability 
and reducing duplicative efforts. As such, it should provide a clear 
and comprehensive view of an entity, including descriptions of the 
entity's current or "as is" environment, its target or "to be" 
environment, and a capital investment road map for transitioning from 
the current to the target environment. In 2003, we updated our 
framework for assessing and improving an organization's EA management. 
[NOTE 5] 

* Information security helps protect the integrity, confidentiality, 
and availability of an agency's data and systems by reducing the risks 
of tampering, unauthorized intrusions and disclosures, and serious 
disruptions of operations. Information security activities include 
conducting risk assessments, promoting awareness and training, 
implementing controls, performing evaluations, and providing 
centralized coordination and oversight of all security activities. 

* IT human capital management helps provide employees with the 
appropriate knowledge and skills to effectively execute critical IT 
functions. Key processes for human capital management involve assessing 
IT knowledge and skills requirements, inventorying existing staff's 
knowledge and skills and assessing them against requirements, 
developing strategies and plans to fill any gaps between requirements 
and existing staffing, and evaluating and reporting on progress in 
filling any gaps in knowledge and skills. 

Evaluation Indicators: 

In evaluating the five key IT areas at the Census Bureau, we assessed 
applicable policies, procedures, and practices. We use three broad 
indicators to depict our results: 

[See PDF for graphic representations, accessible text descriptions 
provided below] 

A blank circle indicates that policies and procedures do not exist or 
are obsolete or incomplete and that practices are not performed at all 
or are performed on a predominantly ad hoc basis. 

A half circle indicates that policies or procedures facilitate key 
functions and that selected key practices have been performed, while 
others remain to be implemented. 

A solid circle indicates that policies and procedures are current and 
comprehensive for key functions and that practices adhere to policies, 
procedures, and generally accepted standards. 

For each of the five key IT areas we reviewed, we selected indicators 
based on our judgment of the current state of Census policies, 
procedures, and practices. 

Evaluation Summary: 

IT Investment Management*: Instituting the investment board; 
Policies or procedures for key functions; only selected practices in 
place. 

IT Investment Management*: Meeting business needs; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

IT Investment Management*: Selecting an investment; 
Policies or procedures for key functions; only selected practices in 
place. 

IT Investment Management*: Providing investment oversight; 
Policies or procedures for key functions; only selected practices in 
place. 

IT Investment Management*: Capturing investment information; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Project planning; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Project monitoring and control; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Requirements management; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Process and product quality assurance; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Configuration management; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Measurement and analysis; 
Incomplete or obsolete policies and procedures; ad hoc practices. 

System Development/Management*: Verification; 
Policies or procedures for key functions; only selected practices in 
place. 

System Development/Management*: Risk management; 
Policies or procedures for key functions; only selected practices in 
place. 

Enterprise Architecture Management*: Adequate resources exist; 
Policies or procedures for key functions; only selected practices in 
place. 

Enterprise Architecture Management*: Agency is aware of EA; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: Chief architect exists; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA is developed using a framework, 
methodology, and tool; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA key descriptions will address 
security; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA plans call for “as is” and “to 
be” environments and a sequencing plan; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA plans call for key 
descriptions; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA plans call for key descriptions 
to address security; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA plans call for metrics; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA products are under 
configuration management; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA products include key 
descriptions; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: EA products will describe “as is” 
and “to be” environments and a sequencing plan; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: Enterprise committee approves EA; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: Policy for EA development exists; 
Policies or procedures for key functions; only selected practices in 
place. 

Enterprise Architecture Management*: Program office for EA exists; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Enterprise Architecture Management*: Progress is measured and reported; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Information Security: Risk assessment; 
Policies or procedures for key functions; only selected practices in 
place. 

Information Security: Controls--Network access; 
Policies or procedures for key functions; only selected practices in 
place. 

Information Security: Controls--Information systems; 
Policies or procedures for key functions; only selected practices in 
place. 

Information Security: Awareness and training; 
Policies or procedures for key functions; only selected practices in 
place. 

Information Security: Controls--Physical security; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

Information Security: Evaluation; 
Policies or procedures for key functions; only selected practices in 
place. 

Information Security: Central management; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

IT Human Capital: Requirements; 
Policies or procedures for key functions; only selected practices in 
place. 

IT Human Capital: Workforce strategies and plans; 
Policies or procedures for key functions; only selected practices in 
place. 

IT Human Capital: Inventory; 
Comprehensive, current policies and procedures; practices adhere to 
policies, procedures, and generally accepted standards. 

IT Human Capital: Progress evaluation; 
Policies or procedures for key functions; only selected practices in 
place. 

* Denotes areas assessed at less than full maturity within a maturity 
framework. 

[End of table]

IT Investment Management--Overview: 

IT investment management provides a framework for implementing the 
processes that are critical to the effective selection, control, and 
evaluation of a portfolio of IT investments. The maturity stages, 
listed below, represent steps toward achieving a stable and mature IT 
investment management process. 

Project-centricity increases from Stage 1 to Stage 5: 

Maturity Stage 1: Creating Investment Awareness; 
Description: Ad hoc, unstructured, and unpredictable investment 
processes characterize the investment process. There is generally 
little relationship between the success or failure of one project and 
the success or failure of another project. 

Maturity Stage 2: Building the Investment Foundation; 
Description: Basic selection capabilities are being driven by the 
development of project selection criteria, including benefit and risk 
criteria, and an awareness of organizational priorities when 
identifying projects for funding. 

Maturity Stage 3: Developing a Complete Investment Portfolio; 
Description: The organization has developed a well-defined IT 
investment portfolio using an investment process that has sound 
selection criteria and maintains mature, evolving, and integrated 
selection, control, and evaluation processes. 

Maturity Stage 4: Improving the Investment Process; 
Description: The organization is focused on evaluation techniques to 
improve its IT investment processes and portfolio(s) while maintaining 
mature selection and control techniques. 

Maturity Stage 5: Leveraging IT for Strategic Outcomes; 
Description: The organization has mastered the selection, control, and 
evaluation processes and now seeks to shape its strategic outcomes by 
benchmarking its IT investment processes relative to other 
"best-in-class" organizations. 

Source: GAO. 

[End of table] 

Critical processes in stages 1 and 2 include: 

Stage 1: 

* IT spending without disciplined investment processes--characterizes 
organizations that are not yet involved in ITIM activities. 

Stage 2: 

* Instituting the investment board--entails creating and defining the 
membership and guiding policies, operations, roles, responsibilities, 
and authorities for one or more IT investment boards within the 
organization. 

* Meeting business needs--entails ensuring that IT projects and systems 
support the organization's business needs and meet users' needs. It 
involves identifying business and users' needs for each IT project, and 
having users participate in project management throughout the project's 
life cycle. 

* Selecting an investment--entails ensuring that a well-defined and 
disciplined process be used to select new IT proposals and reselect 
ongoing investments. 

* Providing investment oversight--entails monitoring the progress of all 
IT projects and systems relative to cost, schedule, risk, and benefit 
expectations and taking corrective action when these expectations are 
not being met. 

* Capturing investment information--involves identifying IT assets and 
creating a comprehensive repository of investment information for 
decision makers to use to evaluate the impacts and opportunities 
created by proposed (or continuing) IT investments. 

IT Investment Management--Review: 

We evaluated the bureau's IT investment management using GAO's guide, 
Information Technology Investment Management: A Framework for Assessing 
and Improving Process Maturity. [NOTE 6] 

We reviewed the bureau's current IT investment management practices. We 
also evaluated the investment processes used on the Data Access and 
Dissemination System and Field Support Systems. 

We assessed the bureau's investment processes at maturity stage 2. We 
did not evaluate maturity stage 1 because it is characterized by a lack 
of processes, and the bureau has passed that stage. We also did not 
evaluate maturity stages 3, 4, or 5 because bureau officials reported 
that they are working to achieve maturity stage 2 and had not yet 
implemented critical processes associated with the higher maturity 
stages. 

IT Investment Management--Evaluation: 

Activity (Critical process): Instituting the investment board; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau’s Operating Committee and IT Governing Board 
(ITGB) serve as enterprisewide executive-level IT investment boards. 
The Operating Committee provides business direction and leadership, 
while the ITGB approves and oversees the implementation of the Census 
Bureau’s IT investment management process and makes recommendations to 
the committee about each IT investment. However, the bureau lacks 
written procedures outlining the IT investment boards’ operations and 
ensuring consistent investment management and decision-making 
practices. 

Activity (Critical process): Meeting business needs; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau has a process for ensuring that its investments 
support its business needs. Business needs and specific users are 
clearly identified for IT projects. Projects supporting key initiatives 
can be traced to strategic objectives. Identified users participate in 
project management during the project's life cycle. 

Activity (Critical process): Selecting an investment; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: New and ongoing IT projects are selected and reselected 
during the general budget cycle. The Operating Committee, ITGB and ad 
hoc investment review subgroups ensure that the selection process is 
compliant with OMB Exhibit 300 requirements. However, the bureau does 
not have organizationwide policies to ensure that a well-defined and 
disciplined process is used to select new IT proposals and reselect 
ongoing investments. 

Activity (Critical process): Providing investment oversight; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: Investment oversight is provided through the Operating 
Committee, ITGB, and ad hoc investment review subgroups. Investment 
information is provided and reviewed annually, quarterly, and weekly. 
However, the bureau lacks written policies and procedures for 
monitoring the progress of all IT projects and systems. 

Activity (Critical process): Capturing investment information; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau identifies and collects information about IT 
projects and systems through OMB Exhibit 300s, IT Business Plans, and 
shared network drives. However, the agency does not have a 
comprehensive and consistent repository of IT investment information 
that provides decision makers with data for evaluating the impacts and 
opportunities created by proposed (or continuing) IT investments. 

[End of table] 

IT Investment Management--Impact of Weaknesses: 

Taking steps to improve the shortfalls listed above is important for 
the following reasons: 

* Without written procedures, the bureau lacks assurance that the IT 
investment boards will provide investment management oversight and 
decision making in a consistent and repeatable manner. 

* Without a well-defined and disciplined organizationwide policy for 
selecting new IT proposals and reselecting ongoing investments, the 
bureau cannot ensure that it is selecting and funding the IT 
investments that best result in mission-focused benefits. 

* Without defined criteria and documented policies and procedures for 
monitoring the progress of all IT projects and systems, the bureau 
lacks assurance that consistent and appropriate actions will be taken 
when cost, schedule, and performance expectations are not met. 

* Without a comprehensive repository of up-to-date investment 
information, the bureau cannot ensure that decision makers have the 
information they need to effectively manage the organization's IT 
investments. 

IT Investment Management--Conclusions and Recommendations: 

The Census Bureau has initiated basic IT investment management 
processes, but much remains to be done. Specifically, the bureau lacks 
a comprehensive, consistent, and repeatable approach to IT investment 
management. Until it develops and implements such an approach, the 
bureau cannot ensure that it is effectively and efficiently managing 
million- and billion-dollar investments in IT. 

To strengthen its ability to manage IT investments, we recommend that 
the Secretary of Commerce direct the bureau to: 

* develop written procedures to guide its IT investment boards' 
operations and use these procedures to ensure consistent investment 
management and decision-making practices,

* develop well-defined and disciplined written procedures that outline 
the process for selecting new IT proposals and reselecting ongoing 
investments and use these procedures in investment decision making,

* develop and implement defined criteria and documented policies and 
procedures for monitoring the progress of all IT projects and systems, 
and 

* create a comprehensive repository that collects investment 
information that is up to date and accessible to decision makers. 

System Development/Management--Overview: 

Many organizations rely on software-intensive systems to perform their 
missions. The quality of this software and these systems is governed 
largely by the quality of the processes involved in acquiring, 
developing, managing, and maintaining them. Carnegie Mellon 
University's Software Engineering Institute (SEI), recognized for its 
expertise in software and system processes, has developed the 
Capability Maturity Model® Integration (CMMI℠) [NOTE 7] model and a 
CMMI appraisal methodology to evaluate, improve, and manage system and 
software development and engineering processes. 

The CMMI model and appraisal methodology provide a logical framework 
for measuring and improving key processes that are needed for achieving 
high-quality software and systems. The model can help an organization 
set process improvement objectives and priorities and improve its 
processes. SEI has found that organizations that implement such process 
improvements can achieve better project cost and schedule performance 
and develop higher quality products. 

The CMMI appraisal methodology calls for assessing up to 25 different 
process areas--clusters of related activities such as project planning, 
requirements management, and quality assurance--by determining whether 
key practices have been implemented and whether overarching goals have 
been satisfied. 

Successful implementation of these practices and satisfaction of these 
goals result in the achievement of successive capability levels. CMMI 
capability levels range from 0 to 5. Level 0 means the process is 
either not performed or is only partially performed; level 1 means the 
basic process is performed; level 2 means the process is managed; level 
3 means the process is defined throughout the organization; level 4 
means the process is quantitatively managed; and level 5 means the 
process is optimized. 

To evaluate system development/management capabilities, we appraised 
two projects, the Decennial Master Address File pilot and the Master 
Address File/Topologically Integrated Geographic Encoding and 
Referencing system redesign. 

We applied the CMMI model and its related appraisal methodology. Our 
appraisers were all SEI-trained software and information systems 
specialists. We evaluated the projects' processes at capability level 
2, because bureau officials had set a goal of achieving level 2. In 
conjunction with project officials, we selected eight core process 
areas that are critical to sound program management: 

* project planning; 
* configuration management; 
* project monitoring and control; 
* measurements and analysis [NOTE 8]; 
* requirements management; 
* verification; 
* process and product quality assurance; 
* risk management. 

The process areas we evaluated address key aspects of system 
development/management. 

* Project planning: The purpose of this process area is to establish 
and maintain plans that define the project activities. This process 
area involves developing and maintaining a plan, interacting with 
stakeholders, and obtaining commitment to the plan. 

* Project monitoring and control: The purpose of this process area is 
to provide an understanding of the project's progress, so that 
appropriate corrective actions can be taken if actual performance 
deviates significantly from the plan. Key activities include monitoring 
the project, communicating status, taking corrective action, and 
determining progress. 

* Requirements management: The purpose of this process area is to 
manage the product components and to identify inconsistencies among 
requirements and the project's plans and work products. This process 
area includes managing all technical and nontechnical requirements and 
any changes to these requirements as they evolve. 

* Process and product quality assurance: The purpose of this process 
area is to provide staff and management with objective insights into 
processes and associated work products. This includes the objective 
evaluation of project processes and products against approved 
descriptions and standards. Through quality assurance, the project team 
is able to identify and document noncompliance issues and provide 
appropriate feedback to project staff. 

* Configuration management: The purpose of configuration management is 
to establish and maintain the integrity of work products. This process 
area includes both the functional processes used to establish and track 
work product changes and the technical systems used to manage these 
changes. Through configuration management, accurate status information 
and data are provided to developers, end users, and customers. 

* Measurements and analysis: The purpose of this process area is to 
develop and sustain a measurement capability that is used to support 
management information needs. This process area includes identifying 
measures, performing data collection, analysis, and storage of the 
measures, and reporting these values. This process allows users to 
objectively plan and estimate project activities and to identify and 
resolve potential issues. 

* Verification: The purpose of verification is to ensure that selected 
work products meet specified requirements. This process area involves 
preparing for and performing tests and identifying corrective actions. 
Verification of work products substantially increases the likelihood 
that the product will meet the customer, product, and product-component 
requirements. 

* Risk management: The purpose of this process area is to identify 
potential problems before they occur, so that risk-handling activities 
may be planned and invoked as needed across the life of the product or 
project in order to mitigate adverse impacts on achieving objectives. 
Early and aggressive detection of risk is important, because it is 
typically easier, less costly, and less disruptive to make changes and 
correct work efforts during the early phases of the project. 

Activity (Critical process): Project planning; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's Software Development and Maintenance policy 
addresses project planning. One of the project teams we evaluated 
performed all and the other performed most of the practices associated 
with this process, including establishing a work breakdown structure 
and a project plan. However, one project team did not fully implement 
other practices, including establishing a budget or maintaining its 
schedule. 

Activity (Critical process): Project monitoring and control; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's policy addresses project monitoring and control. 
Both project teams performed many of the practices associated with this 
process, including monitoring commitments against plans and 
periodically reviewing the project's progress. However, these projects 
did not fully implement other practices. For example, one project team 
did not adequately manage corrective actions to closure and neither 
project team adequately evaluated adherence to the process. 

Activity (Critical process): Requirements management; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's policy addresses requirements management. Both 
project teams performed many of the practices associated with this 
process, including managing changes to requirements. However, these 
project teams did not fully implement other practices. For example, one 
team did not monitor and control the process, and the other did not 
adequately evaluate adherence to the overall requirements management 
process. 

Activity (Critical process): Process and product quality assurance; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's policy addresses process and product quality 
assurance. Both project teams performed many of the practices 
associated with this process, including resolving noncompliance issues 
and maintaining records of quality assurance activities. However, these 
project teams did not fully implement other practices. For example, one 
team did not adequately monitor and control the process, and the other 
did not adequately evaluate adherence to the quality assurance process. 

Activity (Critical process): Configuration management; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's policy addresses configuration management. One 
of the project teams performed all and the other performed most of the 
practices associated with this process, including creating baselines 
and tracking change requests. However, one project team did not fully 
implement other practices, such as objectively evaluating adherence to 
the configuration management process. 

Activity (Critical process): Measurement and analysis; 
Assessment: Incomplete or obsolete policies and procedures; ad hoc 
practices; 
Comments: The bureau's policy does not address measurement and 
analysis, but the organization governing one of the projects 
established a measurement and analysis policy. However, neither project 
team implemented the majority of measurement and analysis practices, 
including storing and analyzing measurement data. 

Activity (Critical process): Verification; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's policy addresses verification, and both project 
teams performed practices associated with this process, including 
conducting peer reviews. However, these project teams did not perform 
other practices. For example, one of the project teams did not 
adequately monitor and control the process, and neither team defined 
its verification environment. 

Activity (Critical process): Risk management; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau's policy does not address risk management, but the 
organization governing one of the project teams implemented a risk 
management policy and the other project team had risk management 
procedures in place. Additionally, both teams performed many of the 
practices associated with this process, including identifying, 
evaluating, and categorizing risks. However, these project teams did 
not implement other practices; for example, neither team fully 
monitored and controlled the risk management process. 

[End of table]

IT Policies, Procedures, and Practices: 

System Development/Management--Impact of Weaknesses: 

Taking steps to improve the shortfalls listed above is important for 
the following reasons: 

* Without an adequate project planning process, the bureau lacks 
assurance that reasonable plans and tools for managing 
projects--including project life-cycle phases and schedules--have been 
developed and are in use. 

* Without an adequate project monitoring and control process, the 
bureau lacks assurance that management can effectively monitor 
projects' actual progress and take appropriate corrective action if 
performance deviates significantly from plans. 

* Without an adequate requirements management process, the bureau 
cannot ensure that it will be able to identify inconsistencies between 
requirements and plans, increasing the likelihood that products will 
not meet customer needs. 

* Without an adequate process and product quality assurance process, 
the bureau cannot ensure that it will be able to provide staff and 
management with objective insight into processes throughout the 
project's life cycle. 

Further: 

* Without an adequate configuration management process, the bureau 
cannot ensure the integrity of plans and other work products throughout 
a project's life cycle. 

* Without an adequate measurement and analysis process, the bureau 
cannot ensure that project information provided to management is 
measured, analyzed, and recorded so that management can effectively 
monitor actual performance and take appropriate corrective actions. 

* Without an adequate verification process, the bureau cannot ensure 
that products will be built to meet the customer and product 
requirements, increasing the likelihood that products will not meet 
customer needs. 

* Without an adequate risk management process, the bureau cannot ensure 
that risks are identified, analyzed, tracked, and mitigated. Therefore, 
potential problems are more likely to become actual problems and have 
adverse effects on objectives. 

System Development/Management--Conclusions and Recommendations: 

Individual project teams within the bureau have taken the initiative to 
improve their system development and management processes but have not 
yet fully implemented many of the key practices that make up a sound 
project management process. Unless the bureau adopts a consistent 
approach to improving system development and management processes, 
project teams will continue to manage systems in an ad hoc manner and 
risk the cost overruns, schedule slippages, and performance shortfalls 
that plague other government system development projects. 

To strengthen agencywide system development and management 
capabilities, we recommend that the Secretary of Commerce direct the 
bureau to institutionalize a process improvement initiative, such as 
the CMMI maturity framework, and establish goals for projects to reach 
successive capability levels in selected process areas, including: 

* project planning; 
* configuration management; 
* project monitoring and control; 
* measurement and analysis; 
* requirements management; 
* verification; 
* process and product quality assurance; 
* risk management. 

Enterprise Architecture Management--Overview: 

An enterprise architecture (EA) serves as a blueprint to guide and 
constrain systems modernization efforts. The maturity stages listed 
below represent incremental steps toward advancing an organization's 
ability to manage the development, maintenance, and implementation of 
an EA. 

Stage 1: Creating EA awareness: 

The organization is becoming aware of the value of an EA, but has not 
yet established the management foundation needed to develop one. 

Stage 2: Building the EA management foundation: 

The organization moves from basic awareness to building the foundation 
for effectively managing the development, maintenance, and 
implementation of an EA. 

Stage 3: Developing EA products: 

The organization moves from building the EA management foundation to 
developing EA products. 

Stage 4: Completing EA products: 

The organization moves from developing to completing EA products. 

Stage 5: Leveraging the EA for managing change: 

The organization uses EA products to guide and constrain investment 
decisions in a way that effectively supports achievement of business 
and systems modernization. 

Stage 1: Creating EA awareness; 
Core Element: Agency is aware of EA. 

Stage 2: Building the EA management foundation; 
Core Element: Adequate resources exist. 

Stage 2: Building the EA management foundation; 
Core Element: Committee or group representing the enterprise is 
responsible for directing, overseeing, or approving EA. 

Stage 2: Building the EA management foundation; 
Core Element: Program office responsible for EA development and 
maintenance exists. 

Stage 2: Building the EA management foundation; 
Core Element: Chief architect exists. 

Stage 2: Building the EA management foundation; 
Core Element: EA is being developed using a framework, methodology, and 
automated tool. 

Stage 2: Building the EA management foundation; 
Core Element: EA plans call for describing the “as is” environment, the 
“to be” environment, and a sequencing plan. 

Stage 2: Building the EA management foundation; 
Core Element: EA plans call for describing the enterprise in terms of 
business, performance, information/data, application/service, and 
technology. 

Stage 2: Building the EA management foundation; 
Core Element: EA plans call for business, performance, 
information/data, application/service, and technology descriptions to 
address security. 

Stage 2: Building the EA management foundation; 
Core Element: EA plans call for developing metrics for measuring EA 
progress, quality, compliance, and return on investment. 

Stage 3: Developing EA products; 
Core Element: Written and approved organization policy exists for EA 
development. 

Stage 3: Developing EA products; 
Core Element: EA products are under configuration management. 

Stage 3: Developing EA products; 
Core Element: EA products describe or will describe the enterprise’s 
business, performance, information/data, application/service, and the 
technology that supports them. 

Stage 3: Developing EA products; 
Core Element: EA products describe or will describe the “as is” 
environment, the “to be” environment, and a sequencing plan. 

Stage 3: Developing EA products; 
Core Element: Business, performance, information/data, 
application/service, and technology descriptions address or will 
address security. 

Stage 3: Developing EA products; 
Core Element: Progress against EA plans is measured and reported. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: Written and approved organization policy exists for EA 
maintenance. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: EA products and management processes undergo independent 
verification and validation. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: EA products describe the “As Is” environment, the “To Be” 
environment, and a sequencing plan. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: EA products describe the enterprise’s business, 
performance, information/data, application/service, and the technology 
that supports them. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: Business, performance, information/data, 
application/service, and technology descriptions address security. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: Organization chief information officer has approved 
current version of EA. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: Committee or group representing the enterprise or the 
investment review board has approved current version of EA. 

Stage 4: Completing EA products (includes all elements from stage 3); 
Core Element: Quality of EA products is measured and reported. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: Written and approved policy exists for IT investment 
compliance with EA. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: Process exists to formally manage EA change. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: EA is integral component of IT investment management 
process. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: EA products are periodically updated. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: IT investments comply with EA. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: Organization head has approved current version of EA. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: Return on EA investment is measured and reported. 

Stage 5: Leveraging the EA for managing change (includes all elements 
from stage 4); 
Core Element: Compliance with EA is measured and reported. 

[End of table] 

We evaluated the bureau's policies and management of its IT enterprise 
architecture using GAO's EA assessment guide. [NOTE 9] We assessed the 
Bureau's enterprise architecture at maturity stages 1, 2, and 3. 

We did not evaluate maturity stages 4 or 5 because bureau officials 
reported that they had not yet implemented all of the core elements for 
these stages. However, they noted that they had begun to implement some 
of the core elements in these advanced maturity stages. 

Enterprise Architecture Management--Evaluation: 

Activity (Critical process): Agency is aware of EA; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau is aware of enterprise architecture concepts. 

Activity (Critical process): Adequate resources exist; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau provides funding for personnel, consultants, and 
tools to support its enterprise architecture, but this funding varies 
from year to year and, according to the Chief Architect, can fall below 
the level needed to accomplish project goals. 

Activity (Critical process): Committee or group representing the 
enterprise is responsible for directing, overseeing, or approving EA; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau has established a committee (chaired by the CIO) 
to direct, oversee, and approve its enterprise architecture effort. 

Activity (Critical process): Program office responsible for EA 
development and maintenance exists; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau has established a program office with 
responsibility for developing and maintaining the enterprise:

Activity (Critical process): Chief architect exists; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau has a chief architect for its enterprise 
architecture. 

Activity (Critical process): EA is being developed using a framework, 
methodology, and automated tool; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau is developing its EA using a framework, a 
methodology, and an automated tool. 

Activity (Critical process): EA plans call for describing the “as is” 
environment, the “to be” environment, and a sequencing plan; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau EA plans call for describing the "as is" environment, 
the "to be" environment, and a sequencing plan. 

Activity (Critical process): EA plans call for describing the 
enterprise in terms of business, performance, information/data, 
application/service, and technology; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau EA plans call for describing the enterprise in terms 
of business, performance, information, applications, and technology 
infrastructure. 

Activity (Critical process): EA plans call for business, performance, 
information/data, application/service, and technology descriptions to 
address security; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau EA plans call for business, performance, information, 
application, and technology descriptions to address security. 

Activity (Critical process): EA plans call for developing metrics for 
measuring EA progress, quality, compliance, and return on investment; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau plans call for developing metrics for measuring EA 
progress, quality, compliance, and return on investment. 

Activity (Critical process): Written and approved organization policy 
exists for EA development; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau has a detailed business plan guiding its EA 
development, which is approved by the Chief Information Officer. 
However, it does not yet have a policy for EA development that is 
signed by the Bureau director. 

Activity (Critical process): EA products are under configuration 
management; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau EA products are under configuration management. 

Activity (Critical process): EA products describe or will describe the 
enterprise’s business, performance, information/data, 
application/service, and the technology that supports them; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau EA products describe the enterprise's business, 
information, applications, and technology infrastructure. The Bureau 
plans for future EA products to describe the enterprise's performance. 

Activity (Critical process): EA products describe or will describe the 
“as is” environment, the “to be” environment, and a sequencing plan; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Bureau EA products describe the "as is" and the "to be" 
environments and will describe the sequencing plan. 

Activity (Critical process): Business, performance, information/data, 
application/service, and technology descriptions address or will 
address security; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau's EA business, information, application, and 
technology descriptions address security, and efforts are under way to 
continue to integrate security with the enterprise architecture. The 
bureau plans for future EA products that describe the enterprise's 
performance to address security. 

Activity (Critical process): Progress against EA plans is measured and 
reported; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau measures and reports on its progress against its 
EA plans. 

[End of table]

Enterprise Architecture Management--Impact of Weaknesses: 

Taking steps to improve the two EA shortfalls described above is 
important for the following reasons: 

* Without adequate resources, the bureau's EA office will not be able 
to accomplish its goals of expanding and improving the architecture. 

* Without a written policy endorsing the EA, the bureau may not be able 
to get the support it needs to fully implement the EA and to realize 
its benefits. A written policy could lead to enhanced support for the 
EA and increased use and benefits throughout the agency. Based on our 
experience in reviewing other agencies, not having an effective 
architecture program can be attributable to limited senior management 
understanding and commitment and to cultural resistance to using an 
architecture. The result can be an inability to implement modernized 
systems in a way that minimizes overlap and duplication and maximizes 
integration and mission support. 

Enterprise Architecture Management--Conclusions and Recommendations: 

The bureau has made important progress in managing its enterprise 
architecture program and has identified critical next steps to further 
expand, use, and achieve benefits from its architecture. However, the 
EA initiative lacks the senior management commitment--both in terms of 
resources and policy endorsement--that it needs to be truly effective. 
Unless the bureau demonstrates this senior level commitment, the EA 
initiative will likely be limited in how much progress it can continue 
to make. 

To support the agency in its efforts to develop and implement an 
effective enterprise architecture, we recommend that the Secretary of 
Commerce direct the bureau to: 

* determine an adequate level of resources to accomplish planned EA 
activities in order to ensure continued improvements to the bureau's EA 
model; and 

* establish a written policy endorsing and enforcing the bureau's 
enterprise architecture. 

Information Security--Overview: 

Information security protects an organization's computer-supported 
resources and assets. Such protection ensures the integrity, 
appropriate confidentiality, and availability of an organization's data 
and systems. Integrity means that data have not been altered or 
destroyed in an unauthorized manner. Confidentiality means that 
information is not made available or disclosed to unauthorized 
individuals, entities, or processes. Availability means that data will 
be accessible or usable upon demand by an authorized entity. 

Key activities for managing information security risks include: 

* Risk assessment--identifying security threats and vulnerabilities to 
information assets and operational capabilities, ranking risk 
exposures, and identifying cost-effective controls; 

* Awareness and training--promoting awareness of security risks and 
educating users about security policies and procedures, as well as 
providing security training to staff; 

* Controls--implementing the controls necessary to deal with identified 
risks to information systems, physical facilities, and networks, in 
order to protect them; 

* Evaluation--monitoring the effectiveness of controls and awareness 
activities through periodic evaluation; 

* Central management--coordinating security activities through a 
centralized group. 

Information security is of special importance to the Census Bureau 
because under law, with certain limited exceptions, the bureau must 
protect from disclosure the data it collects about individuals and 
establishments. [NOTE 10] Specifically, the bureau may not disclose or 
publish any private information that identifies an individual or 
establishment. 

We evaluated the bureau's policies and procedures on information 
security by comparing them to the requirements in the Federal 
Information Security Management Act of 2002 [NOTE 11] and to guidelines 
issued by OMB and the National Institute of Standards and Technology. 
We assessed selected bureau systems' security plans, risk assessments, 
and certification and accreditation packages. We interviewed bureau and 
Commerce security officials on security policies and practices. We also 
analyzed reports on the bureau's information security program by the 
Department of Commerce's Office of the Inspector General. 

Activity (Critical process): Risk assessment; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau’s security policy calls for system owners to 
conduct risk assessments on all major applications in an effort to 
identify and manage threats, vulnerabilities, and risks. The bureau 
reported that these risk assessments were completed by December 2003. 
However, in early 2004, the bureau revised its risk assessment policy 
to address documentation weaknesses that had been identified by the 
Inspector General, and it instructed system owners to reassess their 
systems. The bureau’s Information Security Chief plans to work with 
system owners to improve their risk assessments, as part of an effort 
to improve certification and accreditation (C&A) packages by September 
2005. 

Activity (Critical process): Awareness and training; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau’s policy calls for general security training for 
all employees and contractors and for more specialized security 
training tailored to certain job descriptions. The bureau has 
implemented multiple security awareness and training programs. However, 
the bureau does not yet have a program in place for identifying 
employees who need specialized security training or for providing this 
training. 

Activity (Critical process): Controls--information system and security; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau’s policy requires system owners to assess systems 
risks, address any identified weaknesses, and obtain system 
certification and accreditation (C&A). The bureau completed C&A 
packages for many of its systems, but the Inspector General recently 
reported that selected systems’ C&A packages were incomplete and 
inaccurate. The Information Security Chief plans to recertify and 
accredit Bureau systems by the end of September 2005. 

Activity (Critical process): Controls--physical security; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The Department of Commerce manages the physical security of 
the bureau’s facilities. Commerce’s security policy calls for facility 
managers to conduct periodic risk assessments of their facilities to 
identify vulnerabilities and corresponding countermeasures. The 
Commerce office of security tracks completion of these risk assessments 
and closure of all countermeasures. Currently, all 47 bureau facilities 
are up to date on required risk assessments. 

Activity (Critical process): Controls--network access; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau’s security policy calls for system owners to 
identify network and logical access controls, and the security office 
and system owners use network scanning tools to identify potential 
system vulnerabilities. However, in September 2004, the Inspector 
General reported that some systems’ testing and verification of network 
security controls was inadequate. A security official advised us that 
they are planning to address network access issues by procuring 
additional system penetration tools in order to better test systems. 
However, the security office does not have an estimated timeframe for 
completing this activity. 

Activity (Critical process): Evaluation; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau’s IT security office is responsible for overseeing 
systems security; it uses a database to track the status of systems’ 
certification and accreditation and to track any deficiencies 
(including network and system control weaknesses) until they are 
closed. However, this database does not effectively track all of the 
key information needed to effectively oversee security controls and 
does not allow for effective version control. To assist in managing 
system documentation, the security office plans to migrate to a new 
security oversight management tool by September 2005. 

Activity (Critical process): Central management; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: The bureau’s Information Technology Security Office, within 
the Office of the Chief Information Officer (CIO), is the central 
management office with responsibility for information security policies 
and procedures. This office is responsible for ensuring that IT 
security procedures, standards, and guidance are implemented, while the 
CIO approves policy. The Chief of Information Security also coordinates 
with other Bureau directorates to ensure that security policies are 
enforced. This office coordinates efforts with Commerce’s Office of 
Security at the Census Bureau, which is responsible for physical and 
personnel security. 

[End of table] 

Information Security--Conclusions and Recommendations: 

The bureau has policies and processes in place to manage information 
security, but important steps for ensuring that systems are secure 
remain to be carried out. Until the bureau completes these system 
security initiatives, it cannot ensure that information, systems, and 
networks are adequately protected from disclosure or attack. 

In order to improve information security, we recommend that the 
Secretary of Commerce direct the bureau to: 

* establish milestones for: 

* identifying staff with special security training needs and developing 
an effective training program for them,

* identifying system penetration tools to aid network access security 
and testing network controls using these tools; and 

* monitor progress against these milestones and the milestones that 
have already been established to address weaknesses in risk 
assessments, information system security controls, and oversight 
management tools, to ensure that these activities are completed in a 
timely manner. 

IT Human Capital--Overview: 

Human capital centers on viewing people as assets whose value to an 
organization can be enhanced by investing in them. As the value of 
people increases, so does the performance capacity of the 
organization--and therefore its value to clients and other stakeholders. 

According to the Clinger-Cohen Act of 1996, to maintain and enhance the 
capabilities of IT staff, an organization should conduct four basic 
activities: 

* Requirements--annually assess the knowledge and skills that an agency 
needs to effectively perform its IT operations to support its mission 
and goals; 

* Inventory--determine the knowledge and skills of current IT staff to 
identify gaps in needed capabilities; 

* Workforce strategies and plans--develop strategies and implement plans 
for hiring, training, and professional development to fill any gap 
between requirements and current staffing; 

* Progress evaluation--evaluate the progress made in improving IT human 
capital capability, and use the results of these evaluations to 
continuously improve the organization's human capital strategies. 

We compared the bureau's policies and procedures for IT human capital 
to the Clinger-Cohen Act [NOTE 12] and to our guide, Human Capital: A 
Self-Assessment Checklist for Agency Leaders. [NOTE 13] We reviewed IT 
human capital practices in the areas of skills and knowledge 
requirements, skills and knowledge inventories, workforce strategies, 
and progress evaluations. 

IT Human Capital--Evaluation: 

Activity (Critical process): Requirements; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: In 2000, the bureau’s Human Capital Office and program area 
directorates identified requirements, including knowledge and skills, 
that its IT staff need to perform their responsibilities. However, the 
bureau has not reassessed its requirements to ensure that it identifies 
any new knowledge and skills it needs, such as skills supporting 
e-government initiatives. 

Activity (Critical process): Inventory; 
Assessment: Comprehensive, current policies and procedures; practices 
adhere to policies, procedures, and generally accepted standards; 
Comments: Commerce’s CIO maintains an inventory of IT staff skills. In 
2004, about 85 percent of the bureau’s IT staff participated in an IT 
workforce assessment survey and reported on whether they had skills in 
97 different IT areas. By April 2005, Commerce plans to make available 
a target-setting tool that the bureau can use to develop “what-if” 
scenarios. This tool will allow the bureau to identify both projected 
and desired future states of its IT workforce and to formulate a “gap 
analysis.” 

Activity (Critical process): Workforce strategies and plans; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau has procedures that address gaps in its IT 
workforce. In practice, the bureau addresses gaps through recruiting, 
retention, and professional development programs. For example, the 
bureau offers special pay incentives to IT specialists, and staff can 
complete IT courses to improve their skills. However, the bureau has 
not completed a skills gap analysis and therefore has not developed 
strategies to fill any identified gaps. 

Activity (Critical process): Progress evaluation; 
Assessment: Policies or procedures for key functions; only selected 
practices in place; 
Comments: The bureau annually evaluates its progress in human capital 
management planning, workforce development, and succession planning. 
However, because the bureau has not yet identified IT skills gaps or 
developed strategies to fill these gaps (as noted above), it is not yet 
able to evaluate the effectiveness of its strategies. 

[End of table] 

IT Human Capital-Impact of Weaknesses: 

Taking steps to improve the shortfalls listed above is important for 
the following reasons: 

* Until the bureau regularly assesses its IT requirements, it risks not 
identifying needed skills and knowledge in its IT workforce. 

* Until the bureau completes a gap analysis, it lacks assurance that it 
is optimizing the use of its current IT workforce and therefore is 
unable to implement workforce strategies to fill any identified gaps. 
As a result, the bureau is at increased risk that it lacks the trained 
staff it needs to fulfill its mission objectives. 

IT Human Capital-Conclusions and Recommendations: 

The Census Bureau has implemented steps to manage its IT human capital, 
but more remains to be done to update requirements for IT skills and 
knowledge and to develop and implement strategies for filling any skill 
gaps. Until the bureau completes these activities, it is at increased 
risk that it will not have the skills it needs to effectively develop 
and manage its million- and billion-dollar investments in information 
systems and technology. 

In order to improve the bureau's ability to manage its IT workforce, we 
recommend that the Secretary of Commerce direct the bureau to: 

* annually assess IT knowledge and skills to determine whether they 
meet current requirements, and: 

* use the planned gap analysis to identify workforce strategies to fill 
skills gaps and then evaluate these strategies to determine their 
effectiveness in improving human capital management. 

Agency Comments: 

In commenting on a draft of this briefing, Census Bureau officials, 
including the Chief Information Officer, Comptroller, and Chief, 
Information System Support and Review Office, stated that the bureau 
concurs with our findings and our recommendations. 

[1] See attachment for a list of relevant reports by us and by the 
Inspector General. 

[2] Bureau officials stated that they are evaluating whether to extend 
the Data Access and Dissemination System through the 2010 census or to 
acquire a new capability, called the Integrated Dissemination System. 
The cost, schedule, and scope of the Integrated Dissemination System 
have not yet been determined. 

[3] GAO, 2010 CENSUS: Basic Design Has Potential, but Remaining 
Challenges Need Prompt Resolution, GAO-05-9 (Washington, D.C.: January 
12, 2005). 

[4] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity (Version 1.1), GAO-04-394G 
(Washington, D.C.: March 2004). 

[5] U.S. GAO, Information Technology: A Framework for Assessing and 
Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G 
(Washington, D.C.: April 2003). 

[6] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity (Version 1.1), GAO-04-394G 
(Washington, D.C.: March 2004). 

[7] CMM is registered in the U.S. Patent and Trademark Office by 
Carnegie Mellon University. CMMI is a service mark of the Carnegie 
Mellon University. 

[8] We did not perform a full appraisal of measurement and analysis on 
the Decennial Master Address File project because project officials 
reported that they had not yet implemented this process area. 

[9] GAO-03-548G. 

[10] U.S. Code, Title 13, Section 9. 

[11] Federal Information Security Management Act of 2002, Title III, 
E-Government Act of 2002, P.L. 107-347, Dec. 17, 2002. 

[12] Clinger-Cohen Act of 1996, 40 U.S.C. 11101-11704. 

[13] U.S. GAO, Human Capital: A Self-Assessment Checklist for Agency 
Leaders, GAO/OCG-00-14G (Washington, D.C.: September 2000). 

[End of slide presentation] 

[End of section]

Appendix II: Comments from the Department of Commerce: 

THE DEPUTY SECRETARY OF COMMERCE: 
Washington, D.C. 20230: 

May 27, 2005: 

Ms. Colleen M. Phillips:
Assistant Director: 
Information Technology Issues:
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Ms. Phillips: 

The U.S. Department of Commerce appreciates the opportunity to comment 
on the U.S. Government Accountability Office draft report entitled 
Information Technology Management: Census Bureau Has Implemented Many 
Key Practices, But Additional Actions Are Needed (GAO-05-661). I 
enclose the Department's comments on this report. 

Sincerely, 

Signed by: 

David A. Sampson: 
(Acting): 

Enclosure: 

U.S. Department of Commerce: 

Comments on the U.S. Government Accountability Office Draft Report 
Entitled "Information Technology Management: Census Bureau Has 
Implemented Many Key Practices, But Additional Actions Are Needed" 
GAO-05-661: 

Comments on Conclusions: 

We agree with the draft report that the U.S. Census Bureau has 
developed policies and initiated key practices in many areas that are 
important to successfully manage information technology. These 
practices include investment management, system development/management, 
enterprise architecture management, information security, and human 
capital management. 

The report's findings, while accurate, do not acknowledge a number of 
steps being taken at the Census Bureau to more broadly address the 
report's findings and other unrelated Information Technology (IT) 
issues. The "Highlights" section of the Government Accountability 
Office (GAO) report begins by stating "The bureau has a decentralized 
approach to IT management." This is correct and has been the 
management approach at the Census Bureau for a long time. However, what 
is not mentioned in the report and is of critical importance to 
improvement is the very proactive and aggressive movement in the Census 
Bureau toward change. We are in the process of introducing a corporate 
IT environment, one that will affect the Census Bureau operationally as 
well as organizationally. We anticipate the improvements we will 
experience over time from this undertaking will strengthen an already 
solid IT operation and further improve upon our audit performance. 

Also, the report did not clarify the system development/management 
perspective. For instance, of 40 information technology management 
areas assessed by GAO for system development/management, only one area, 
measurements and analysis, was found to be incomplete or obsolete. What 
was not acknowledged was that the Census Bureau was being assessed 
while in transition from the older SW-CMM standard (measurements and 
analysis is embedded in the processes) to the new CMMI standard 
(measurements and analysis is a stand-alone process) used by GAO. 

Overall, we realize that improvements can be made and that additional 
actions are needed to accomplish improvements to our management of 
information technology. These additional actions are shown in the 
recommendations that follow. 

Comments on Recommendations for Executive Action: 

"To strengthen the bureau's ability to manage IT investments, we recommend 
that the Secretary of Commerce direct the bureau to: 

* develop written procedures to guide its IT investment boards' 
operations and use these procedures to ensure consistent investment 
management and decision-making practices;

* develop well-defined and disciplined written procedures that outline 
the process for selecting new IT proposals and reselecting ongoing 
investments and use these procedures in investment decision making;

* develop and implement defined criteria and documented policies and 
procedures for monitoring the progress of all IT projects and systems; 
and: 

* create a comprehensive repository that collects investment 
information that is up to date and accessible to decision makers."

The Census Bureau concurs with the recommendation. 

"To strengthen agencywide system development and management 
capabilities, we recommend that the Secretary of Commerce direct the 
bureau to institutionalize a process improvement initiative, such as 
the Capability Maturity Model Integration framework, and establish 
goals for projects to reach successive capability levels in selected 
process areas, including project planning, project monitoring and 
control, requirements management, process and product quality 
assurance, configuration management, measurements and analysis, 
verification, and risk management."

The Census Bureau concurs with the recommendation. The Census Bureau 
will continue its transition from the SW-CMM standard to the new CMMI 
standard bureauwide to strengthen its system development and management 
capabilities. 

"To support the bureau in its efforts to develop and implement an 
effective enterprise architecture (EA), we recommend that the Secretary 
of Commerce direct the bureau to: 

* determine an adequate level of resources to accomplish planned EA 
activities in order to ensure continued improvements to the bureau's EA 
model; and: 

* establish a written policy endorsing and enforcing the bureau's 
enterprise architecture."

The Census Bureau concurs with the recommendation. 

"To improve information security, we recommend that the Secretary of 
Commerce direct the bureau to: 

* establish milestones for identifying staff with special security 
training needs and developing an effective training program for them;

* establish milestones for identifying system penetration tools to aid 
network access security and for testing network controls using these 
tools; and: 

* monitor progress against these milestones and the milestones that 
have already been established to address weaknesses in risk 
assessments, information system security controls, and oversight 
management tools, in order to ensure that these activities are 
completed in a timely manner."

The Census Bureau concurs with the recommendation. 

"In order to improve the bureau's ability to manage its IT workforce, 
we recommend that the Secretary of Commerce direct the bureau to: 

* annually assess IT knowledge and skills to determine whether they 
meet current requirements; and: 

* use the planned gap analysis to identify workforce strategies to fill 
skills gaps and then evaluate these strategies to determine their 
effectiveness in improving human capital management." 

The Census Bureau concurs with the recommendation. 

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, (202) 512-9286 or [Hyperlink, pownerd@gao.gov].

Acknowledgments: 

In addition to the person named above, John Dale, Lester Diamond, 
Joanne Fiorino, Mark Fostek, Tonia Johnson, Deborah Lott, Teresa Neven, 
Tammi Nguyen, Madhav Panwar, Colleen Phillips, Cynthia Scott, Karl 
Seifert, Niti Tandon, Teresa Tucker, and Michael Virga made key 
contributions to this report. 

[End of section]

Related Products by GAO and the Department of Commerce's Inspector 
General: 

GAO Products: 

2010 Census: Basic Design Has Potential, but Remaining Challenges Need 
Prompt Resolution. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-09]. 
Washington, D.C.: January 12, 2005. 

Data Quality: Census Bureau Needs to Accelerate Efforts to Develop and 
Implement Data Quality Review Standards. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-86] 
Washington, D.C.: November 17, 2004. 

Census 2000: Design Choices Contributed to Inaccuracies in Coverage 
Evaluation Estimates. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-71] 
Washington, D.C.: November 12, 2004. 

American Community Survey: Key Unresolved Issues. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-82] 
Washington, D.C.: October 8, 2004. 

2010 Census: Counting Americans Overseas as Part of the Decennial 
Census Would Not Be Cost-Effective. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-898] 
Washington, D.C.: August 19, 2004. 

2010 Census: Overseas Enumeration Test Raises Need for Clear Policy 
Direction. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-470] 
Washington, D.C.: May 21, 2004. 

2010 Census: Cost and Design Issues Need to Be Addressed Soon. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-37] 
Washington, D.C.: January 15, 2004. 

Decennial Census: Lessons Learned for Locating and Counting Migrant and 
Seasonal Farm Workers. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-605] 
Washington, D.C.: July 3, 2003. 

Decennial Census: Methods for Collecting and Reporting Hispanic 
Subgroup Data Need Refinement. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-228] 
Washington, D.C.: January 17, 2003. 

Decennial Census: Methods for Collecting and Reporting Data on the 
Homeless and Others Without Conventional Housing Need Refinement. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-227] 
Washington, D.C.: January 17, 2003. 

2000 Census: Lessons Learned for Planning a More Cost-Effective 2010 
Census. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-40] 
Washington, D.C.: October 31, 2002. 

The American Community Survey: Accuracy and Timeliness Issues. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-956R] 
Washington, D.C.: September 30, 2002. 

2000 Census: Refinements to Full Count Review Program Could Improve 
Future Data Quality. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-562] 
Washington, D.C.: July 3, 2002. 

2000 Census: Coverage Evaluation Matching Implemented as Planned, but 
Census Bureau Should Evaluate Lessons Learned. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-297] 
Washington, D.C.: March 14, 2002. 

2000 Census: Best Practices and Lessons Learned for More Cost-Effective 
Nonresponse Follow-up. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-196] 
Washington, D.C.: February 11, 2002. 

2000 Census: Coverage Evaluation Interviewing Overcame Challenges, but 
Further Research Needed. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-26] 
Washington, D.C.: December 31, 2001. 

2000 Census: Analysis of Fiscal Year 2000 Budget and Internal Control 
Weaknesses at the U.S. Census Bureau. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-30] 
Washington, D.C.: December 28, 2001. 

2000 Census: Significant Increase in Cost Per Housing Unit Compared to 
1990 Census. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-31] 
Washington, D.C.: December 11, 2001. 

2000 Census: Better Productivity Data Needed for Future Planning and 
Budgeting. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-4] 
Washington, D.C.: October 4, 2001. 

2000 Census: Review of Partnership Program Highlights Best Practices 
for Future Operations. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-579] 
Washington, D.C.: August 20, 2001. 

Decennial Censuses: Historical Data on Enumerator Productivity Are 
Limited. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-208R] 
Washington, D.C.: January 5, 2001. 

2000 Census: Headquarters Processing System Status and Risks. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-1] 
Washington, D.C.: October 17, 2000. 

2000 Census: Update on Data Capture Operations and Systems. 
AIMD-00-324R. Washington, D.C.: September 29, 2000. 

2000 Census: Status of Nonresponse Follow-up and Key Operations. 
T-GGD/AIMD-00-164. Washington, D.C.: May 11, 2000. 

2000 Census: New Data Capture System Progress and Risks. AIMD-00-61. 
Washington, D.C.: February 4, 2000. 

2000 Census: Contingency Planning Needed to Address Risks That Pose a 
Threat to a Successful Census. GGD-00-6. Washington, D.C.: December 14, 
1999. 

Inspector General Reports: 

Improving Our Measure of America: What the 2004 Census Test Can Teach 
Us in Planning for the 2010 Decennial Census, OIG-16949-1, (Washington, 
D.C.: September 2004). 

Weaknesses in Census Bureau's Certification and Accreditation Process 
Leave Security of Critical Information Systems in Question, OSE-16519, 
(Washington, D.C.: August 2004). 

MAF/TIGER Redesign Project Needs Management Improvements to Meet Its 
Decennial Goals and Cost Objective, OSE-15725, (Washington, D.C.: 
September 2003). 

Selected Aspects of Census 2000 Accuracy and Coverage Evaluation Need 
Improvements Before 2010, IG-14226, (Washington, D.C.: March 2002). 

Improving Our Measure of America: What Census 2000 Can Teach Us in 
Planning for 2010, OIG-14431, (Washington, D.C.: Spring 2002). 

Actions to Address the Impact on the Accuracy and Coverage Evaluation 
of Suspected Duplicate Persons in the 2000 Decennial Census, OSE-13812, 
(Washington, D.C.: March 2001). 

A Better Strategy Is Needed for Managing the Nation's Master Address 
File, OSE-12065, (Washington, D.C.: September 2000). 

Telephone Questionnaire Assistance Contract Needs Administration and 
Surveillance Plan, OSE-12376, (Washington, D.C.: August 2000). 

PAMS/ADAMS Should Provide Adequate Support for the Decennial Census, 
but Software Practices Need Improvement, ESD-11684, (Washington, D.C.: 
March 2000). 

Improvements Needed in Multiple Response Resolution to Ensure Accurate, 
Timely Processing for the 2000 Decennial Census, OSE-10711, 
(Washington, D.C.: September 1999). 

Dress Rehearsal Quality Check Survey Experience Indicates Improvements 
Needed for 2000 Decennial, ESD-11449, (Washington, D.C.: September 
1999). 

Method for Archiving 2000 Decennial Data and Procedures for Disposing 
of Questionnaires Should Be Finalized, OSE-10758, (Washington, D.C.: 
September 1999). 

Headquarters Information Processing Systems for 2000 Decennial Census 
Require Technical and Management Plans and Procedures, OSE-10034, 
(Washington, D.C.: November 1997). 

(310484): 
