This is the accessible text file for GAO report number GAO-12-723T 
entitled 'Social Security Administration: Technology Modernization 
Needs Improved Planning and Performance Measures' which was released 
on May 9, 2012. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony: 

Before the Subcommittee on Social Security, Committee on Ways and 
Means, House of Representatives: 

For Release on Delivery: 
Expected at 2:00 p.m. EDT:
Wednesday, May 9, 2012: 

Social Security Administration: 

Technology Modernization Needs Improved Planning and Performance 
Measures: 

Statement of Valerie C. Melvin, Director: 
Information Management and Technology Resources Issues: 

GAO-12-723T: 

Chairman Johnson, Ranking Member Becerra, and Members of the 
Subcommittee: 

Thank you for inviting me to participate in today's hearing on the 
Social Security Administration's (SSA) efforts to modernize its 
information technology (IT) systems and environment. As you know, SSA 
is responsible for delivering services that touch the lives of 
virtually every American, and the agency relies heavily on IT to do 
so. Its computerized information systems support a range of 
activities, from the processing of Disability Insurance and 
Supplemental Security Income payments to the calculation and 
withholding of Medicare premiums, and the issuance of Social Security 
numbers and cards. Last fiscal year, the agency spent nearly $1.6 
billion on IT. 

As SSA's systems have aged and its workload has increased, the agency 
has committed to investing in the capacity and modern technologies 
needed to update its strained IT infrastructure. In addition, the 
agency has recently undertaken a realignment of its IT governance 
structure, including the responsibilities of its Chief Information 
Officer (CIO). 

At your request, over the past year, we have been examining SSA's 
modernization efforts. The specific objectives of our study were to 
(1) determine SSA's progress in modernizing its IT systems and 
capabilities; (2) evaluate the effectiveness of SSA's plans and 
strategy for modernizing its systems and capabilities; and (3) assess 
whether the realignment of the agency's CIO responsibilities allows 
for effective oversight and management of the systems modernization 
efforts. 

Our report documenting the results of the study is being released 
today.[Footnote 1] As agreed with your office, my testimony statement 
summarizes the key findings in our report. In preparing this 
statement, we relied on the work supporting our report. The report 
contains a more detailed overview of the scope of our review and the 
methodology used. The work upon which this statement is based was 
conducted in accordance with generally accepted government auditing 
standards from May 2011 to April 2012. Those standards require that we 
plan and perform audits to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions. We 
believe that the evidence obtained provided a reasonable basis for our 
findings and conclusions based on our audit objectives. 

Background: 

SSA's mission is to deliver Social Security services that meet the 
changing needs of the public. The Social Security Act and amendments 
established the programs that SSA administers, which include: 

* the Old Age, Survivors, and Disability Insurance program: Commonly 
referred to simply as "Social Security," this program is one of the 
nation's largest entitlement programs and provides monthly benefits to 
retired and disabled workers, their spouses and children, and the 
survivors of insured workers who have died; and: 

* the Supplemental Security Income program: This is a needs-based 
program financed from general tax revenues that provides benefits to 
aged adults, blind or disabled adults, and children with limited 
income and resources. 

According to SSA, in fiscal year 2011, about 54 million people 
received benefits from the Old Age, Survivors, and Disability program, 
and over 8 million people received benefits from the Supplemental 
Security Income program. Collectively, about 155 million people work 
and pay Social Security taxes. The agency's fiscal year 2011 expenses 
totaled about $12.4 billion to support its programs. 

SSA Relies on IT to Deliver Services: 

SSA relies extensively on IT to administer its programs and support 
related activities. Specifically, its systems are used to, among other 
things, 

* handle millions of transactions on SSA's toll-free telephone number, 

* maintain records for the millions of beneficiaries and recipients of 
SSA's programs, 

* evaluate evidence and make determinations of eligibility for 
benefits, 

* issue new and replacement Social Security cards, and: 

* process earnings items for crediting to workers' earnings records. 

However, as the agency's systems have aged, SSA has faced challenges 
in carrying out its increasing workload. Specifically, many of SSA's 
existing systems software were developed in the 1960s and 1970s and 
are written in older computer programming languages or are past their 
designed life cycle. While the agency has made technical and 
functional upgrades throughout the years, it continues to face 
challenges because of the need to store, process, and share increasing 
amounts of data and to transition to Web-based, online access for SSA 
data and services, among other factors. 

Accordingly, in its most recent Agency Strategic Plan, SSA has 
identified IT as a key foundational element to achieving success in 
meeting its goals. Recognizing the challenges facing its IT 
environment, the agency has stated that it plans to, among other 
things, develop and implement a common system for processing 
disability cases, increase its use of online services for access to 
benefits and information, and automate its processes for reporting 
information. 

Office of Systems Oversees SSA's IT Systems and Investments: 

SSA's Office of Systems is responsible for developing, overseeing, and 
maintaining the agency's IT systems. Comprised of eight component 
offices and approximately 3,300 staff, the Office of Systems has 
responsibility for the agency's IT. 

SSA uses its capital planning and investment control process to manage 
its software development projects. This process is intended to meet 
the objectives of the Clinger-Cohen Act of 1996[Footnote 2] by 
providing a framework for selecting, controlling, and evaluating 
investments in IT to help ensure that they meet the strategic and 
business objectives of the agency. This process requires a series of 
reviews by executive oversight bodies, including the agency's 
Strategic Information Technology Assessment and Review board, to 
ensure that IT projects are selected that best meet the agency's 
goals; that, once selected, they are performing within expected 
schedule and cost parameters; and finally, that once implemented, 
these projects are delivering results. 

In June 2011, in an effort to increase efficiency, the Commissioner of 
Social Security announced the realignment of CIO functions and 
associated personnel. As part of this realignment, the Office of the 
CIO was eliminated, and most of its responsibilities for managing IT, 
along with the IT budget, were reassigned to the Office of Systems. 
Previously, key duties of the CIO were to select and prioritize IT 
investments and oversee the review and approval of the annual IT 
budget, while the Office of Systems was responsible for managing the 
acquisition, development, and maintenance of IT projects. Under the 
realignment, the Deputy Commissioner for Systems--who heads the Office 
of Systems--assumed the major responsibilities of the CIO. 

SSA Has Undertaken Numerous Modernization Efforts but Lacks Effective 
Tools for Measuring Progress: 

Since 2001, SSA has reported spending more than $5 billion on the 
development, modernization, and enhancement of its IT systems and 
capabilities. SSA officials identified 120 initiatives undertaken from 
2001 to 2011 that the agency considered to be key investments in 
modernization. These comprise a subset of the hundreds of projects and 
modernization activities SSA undertakes yearly, which vary greatly in 
level of effort, scope, and cost. These initiatives affected all of 
the agency's main program areas: 

* According to managers within SSA's Office of Disability Systems, in 
an effort to reduce backlogs of disability hearings, the agency 
implemented a process for creating electronic "folders" for each 
applicant, to replace the existing paper-based process. This 
initiative included capabilities for electronically viewing an 
applicant's folder, electronic screening for faster disability 
determinations, and Internet access to information on disability 
hearings and determinations. 

* The Office of Retirement and Survivors Insurance Systems took steps 
to improve outdated legacy systems and respond to legislation or other 
mandates requiring new system functionality. These efforts included 
integrating stand-alone "post-entitlement" processes, facilitating 
online application for benefits, and conversion of a key database to a 
more modern, industry-standard one. 

* Managers from the Office of Applications and Supplemental Security 
Income described initiatives to modernize large legacy databases and 
facilitate data sharing to streamline the claims process. These 
included enhancements to the electronic death registration process and 
the development of a Web application enabling access to data from 
multiple systems. 

* SSA officials described initiatives in the area of electronically 
exchanging data with external partners, including states and private-
sector partners such as banks and credit bureaus. 

* SSA also noted efforts to streamline the process for administering 
Social Security cards, such as introducing safeguards against 
counterfeiting and replacing its legacy printers. 

In addition to these initiatives, SSA undertook a project to establish 
a disaster recovery capability at a secondary computing site. This 
project provided for continuity of operations, continuous processing 
of SSA's workload, and backup of the agency's IT assets, among other 
capabilities. 

While these improvements have yielded benefits, SSA still has a number 
of other major efforts under way to continue the modernization of its 
IT environment. These efforts involve: 

* completing the conversion of the agency's legacy Master Data Access 
Method database system (used to support the storage and retrieval of 
SSA's major program master files) to a modern, industry-standard 
database system; 

* transitioning from its legacy system for processing retirement and 
survivors' claims to a single, unified system that integrates initial 
and post-entitlement actions; 

* streamlining operations and reducing duplication in disability 
databases and transitioning from multiple and fragmented applications 
to a single, unified case processing system; 

* enhancing and refreshing telecommunications equipment and ongoing 
improvement of connectivity and bandwidth for data, voice, and video 
communications; and: 

* supporting enhancements to SSA's Medicare initiatives, including 
changes required by the Patient Protection and Affordable Care Act, 
which are intended to improve the process for verifying the name, 
Social Security number, and other data on Medicare earnings reports. 

SSA officials noted that the agency faces several challenges in 
successfully carrying out these modernization efforts. These include 
planning for system changes within a single fiscal year budget cycle, 
a practice that limits the agency's ability to make long-term 
modernization plans; devoting significant resources to the maintenance 
of existing legacy systems because of large quantities of legacy code; 
and diverting resources from long-term projects to shorter-term 
immediate requirements, such as those arising from legislative changes. 

Compounding these challenges, we found that SSA has not fully 
established performance measures or a post-implementation review 
process that would allow it to determine the progress it is making in 
its modernization efforts. Federal law requires agencies to identify 
performance measures for their IT investments,[Footnote 3] and we have 
previously reported that comprehensive measures are essential for 
gauging the progress and benefits of IT investments.[Footnote 4] 
However, while SSA developed performance measures for most of its 17 
major modernization investments for fiscal year 2010, it did not 
identify any measures in one of four management areas identified by 
the Office of Management and Budget (OMB) for 3 of these investments. 
[Footnote 5] Moreover, the measures SSA developed did not always allow 
for assessments of each project's effectiveness in meeting agency 
goals. For example, these measures did not always (1) identify how 
each project is to contribute to expected benefits; (2) include 
measures of investments' effectiveness in meeting goals, requirements, 
or mission results; or (3) provide the means for measuring progress 
toward specific modernization goals. 

In addition, SSA has not conducted post-implementation reviews of its 
IT projects or systems, as called for by OMB guidance. Such a review 
should confirm the extent to which planned benefits were achieved, 
determine the cost-effectiveness of the project, and identify lessons 
learned and opportunities for improvement. While SSA conducts 
assessments of completed initiatives, these assessments lack key 
elements called for by OMB that would provide assurance that 
modernization and other IT projects are delivering expected benefits 
at acceptable costs and that SSA is making progress in meeting its 
goals. 

Modernization Approach Is Not Guided by Key Practices: 

Comprehensive strategic planning is essential for successfully 
carrying out large-scale efforts such as SSA's IT modernizations. Key 
elements of such planning include developing an IT strategic plan and 
an enterprise architecture that, together, outline modernization 
goals, measures, and timelines. 

An IT strategic plan serves as an agency's vision and helps align its 
information resources with its business strategies and investment 
decisions. As such, it provides a high-level perspective of the 
agency's goals and objectives, enabling the agency to prioritize how 
it allocates resources; proactively respond to changes; and 
communicate its vision and goals to management, oversight bodies, and 
external parties. The enterprise architecture helps to implement the 
strategic vision by providing a focused "blueprint" of the 
organization's business processes and technology that supports them. 
It includes descriptions of how the organization operates today, how 
it intends to operate in the future, and a plan for transitioning to 
the target state. It further helps coordinate the concurrent 
development of IT systems to limit unnecessary duplication and 
increase the likelihood that these systems will inter-operate. 

SSA developed an IT strategic plan in 2007 to guide its modernization 
efforts; however, the plan is outdated and may not be aligned with the 
agency's overall strategic plan. Specifically, because it has not been 
updated since 2007, the plan contains elements that are no longer 
relevant to SSA's ongoing modernization efforts. For example, the plan 
discusses projects that have largely been completed, does not 
reference current information security requirements, and does not 
reflect current staffing needs. Further, it does not reflect the way 
in which modernization decisions are driven by the agency's Strategic 
Information Technology Assessment and Review board. 

The currency of the IT strategic plan is further called into question 
by the fact that the agency updated its overall Agency Strategic Plan 
in 2008 and again in 2012. Thus, the IT strategic plan may no longer 
be aligned with the agency's broader goals. In the absence of an 
updated IT strategic plan, SSA has relied on a number of program 
activities to guide its modernization efforts, such as identifying and 
prioritizing IT modernization investments during its annual investment 
review process and developing high-level descriptions of projects in 
each of the agency's portfolios. However, these activities are based 
on short-term budget cycles and do not provide a long-term strategic 
vision with detailed steps and milestones. SSA officials stated that 
they are updating the IT strategic plan; however, it has yet to be 
finalized or approved. 

In addition, SSA has developed an enterprise architecture, but it is 
missing key components. Specifically, the architecture captures 
certain foundational information about the current and target states 
of the organization, such as current business processes and business 
outcomes, to assist in evolving existing information systems and 
developing new ones. Nevertheless, the architecture lacks important 
content called for by federal CIO Council and OMB guidance that would 
allow the agency to more effectively plan its investments and achieve 
its vision of modernized systems and operations. Specifically, the 
architecture lacks key elements that would establish the specific 
steps and direction to reach its vision of modernized systems by 2016. 
In particular, the agency has not developed a service-oriented 
architecture road map that would, among other things, articulate the 
changes and growth in IT capabilities over time and provide a 
conceptual plan that establishes a basis for developing more detailed 
project plans. Further, SSA has not conducted an enterprise gap 
analysis to identify the differences between its current and target 
states to enable the development of a plan for transitioning from the 
current to the target state. SSA also has not developed quantitative 
performance expectations for the target state or analyzed the flows of 
information among the agency's business processes. Without a long-term 
strategic vision and an enterprise architecture that provides details 
on how this vision is to be executed, SSA lacks assurance that its 
modernization initiatives will effectively and efficiently support its 
goals and mission. 

CIO Realignment Allows for Effective Oversight and Management but Was 
Implemented without Adequate Planning or Updated Guidance: 

As mentioned earlier, in 2011, SSA realigned the functions of its 
Office of the CIO, consolidating major responsibilities for the 
management and oversight of IT in its Office of Systems. Federal law, 
specifically the Clinger-Cohen Act of 1996, requires the heads of 
executive branch agencies to designate a CIO with key responsibilities 
for managing an agency's IT resources. As we have previously reported, 
to carry out these responsibilities effectively, CIOs require 
sufficient control over IT investments, including control over the IT 
budget and workforce.[Footnote 6] 

Under the realignment, key responsibilities of the CIO and Deputy 
Commissioner for Systems were merged into the Office of Systems. 
Specifically, this arrangement gave the Office for Systems 
responsibility for, among other things, 

* oversight and management of IT budget formulation; 

* systems acquisition, development, and integration; 

* the IT capital planning and investment control process; 

* workforce planning and allocation of resources to IT projects; 

* IT strategic planning; 

* enterprise architecture; 

* IT security; and: 

* IT operations. 

If implemented appropriately, this organizational structure should 
allow for effective oversight and management of the agency's systems 
and modernization initiatives. However, we found in our review that 
the realignment was undertaken without the benefit of an analysis of 
the impact of this significant organizational change. Specifically, 
SSA did not develop a management plan that would describe the 
challenges associated with the realignment or strategies for 
addressing them, along with time frames, resources, performance 
measures, and accountability structures. Further, SSA did not analyze 
the roles and responsibilities needed to support the allocation of 
functions under the realignment. Without such an analysis, it cannot 
be determined whether the reassignment of staff that occurred as a 
result of the realignment represents an optimal allocation of 
resources. 

In addition, SSA has not updated its capital planning and investment 
control guidance to reflect the realignment. This guidance sets forth 
the process and responsibilities for managing the selection, control, 
and evaluation of SSA's IT investments. However, under the 
realignment, certain elements of the existing guidance are obsolete, 
such as the requirement for independent CIO reviews of IT investment 
proposals. SSA officials stated that the guidance was being updated 
and would be reviewed internally; however, they could not provide a 
time frame for the approval and implementation of the revised 
guidance. Having updated guidance is critical to ensuring that 
responsibilities for management and oversight of the agency's IT 
investments are being carried out effectively under the realigned 
organizational structure. 

SSA Needs to Take Actions to Help Ensure the Success of Its 
Modernization: 

In our report, we made a number of recommendations to SSA to address 
the challenges it faces in carrying out its IT modernization efforts. 
Specifically, we recommended that SSA: 

* Ensure that performance measures are established for IT investments 
in each of OMB's four management areas and that they allow for 
measurement of progress in meeting modernization goals. 

* In updating the agency's IT strategic plan, ensure that it includes 
key elements, such as results-oriented goals, strategies, milestones, 
performance measures, and an analysis of interdependencies among 
projects and activities, and is used to guide and coordinate 
modernization efforts. 

* Establish an enterprise architecture that includes key elements, 
such as a service-oriented architecture road map, a gap analysis, 
performance targets, and descriptions of information flows and 
relationships. 

* Define roles and responsibilities of realigned IT staff and develop 
and clearly document updated investment review guidance. 

In commenting on a draft of our report, SSA neither agreed nor 
disagreed with our recommendations. However, the agency provided 
responses to each of the recommendations, as well as more general 
comments on our report's findings. SSA described steps it is taking 
that would address elements of the recommendations related to 
planning, enterprise architecture, and IT oversight, while it took 
issue with other elements of the recommendations, including the level 
of detail that an IT strategic plan should contain and the need for 
more comprehensive measures. We continue to believe these 
recommendations are warranted. (Please see the "Agency Comments and 
Our Evaluation" section of our report for more details on SSA's 
comments and our response.) 

In summary, while SSA has undertaken important initiatives that have 
resulted in improvements to its processes, significant efforts remain 
for it to fully meet its goals for modernizing its IT environment. 
Ensuring that it is successful in meeting these goals will be 
difficult without the agency establishing effective tools for 
measuring progress and performance and without comprehensive strategic 
planning. SSA's realignment of the CIO responsibilities provides an 
opportunity for effective management and oversight of the agency's 
systems modernization efforts; however, this effectiveness may well be 
hindered without appropriate implementation of the realignment, 
including defined roles and responsibilities and updated oversight 
guidance. 

Chairman Johnson, Ranking Member Becerra, and Members of the 
Subcommittee, this concludes my statement. I would be pleased to 
answer any questions that you may have at this time. 

Contact and Acknowledgments: 

If you have any questions regarding this statement, please contact 
Valerie C. Melvin, Director, Information Management and Technology 
Resources Issues, at (202) 512-6304 or melvinv@gao.gov. Other 
individuals who made key contributions include Christie Motley, 
Assistant Director; Michael Alexander; David Hong; Alina Johnson; Lee 
McCracken; and Scott Pettis. 

[End of section] 

Footnotes: 

[1] GAO, Social Security Administration: Improved Planning and 
Performance Measures Are Needed to Help Ensure Successful Technology 
Modernization, [hyperlink, http://www.gao.gov/products/GAO-12-495] 
(Washington, D.C.: Apr. 26, 2012). 

[2] The Clinger-Cohen Act (see 40 U.S.C. �� 11301-11331) provides a 
framework for effective IT management that encompasses systems 
integration planning and investment. 

[3] The Paperwork Reduction Act requires federal agencies to establish 
performance measures that depict how effectively the management of 
information resources, which includes IT, is supporting their business 
needs. In addition, the Clinger-Cohen Act requires agencies to 
establish performance measures, such as those related to how IT 
contributes to program productivity, efficiency, and effectiveness, 
and to monitor the actual-versus-expected performance of those 
measures. 

[4] GAO, Information Technology Management: Governmentwide Strategic 
Planning, Performance Measurement, and Investment Management Can Be 
Further Improved, [hyperlink, http://www.gao.gov/products/GAO-04-49] 
(Washington, D.C.: Jan. 12, 2004). 

[5] These four areas are mission and business results, processes and 
activities, customer results, and technology. See OMB, Federal 
Enterprise Architecture: Consolidated Reference Model Document, 
version 2. 3 (Washington, D.C.: October 2007). 

[6] GAO, Federal Chief Information Officers: Opportunities Exist to 
Improve Role in Information Technology Management, [hyperlink, 
http://www.gao.gov/products/GAO-11-634] (Washington, D.C.: Sept. 15, 
2011). 

[End of section] 

GAO�s Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO�s commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO�s website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e-mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select �E-
mail Updates.� 

Order by Phone: 

The price of each GAO publication reflects GAO�s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO�s 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov]. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548. 

Public Affairs: 
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, DC 20548.