This is the accessible text file for GAO report number GAO-02-779R entitled 'Executive Office of the President: Analysis of Mandated Report on Key Information Technology Areas' which was released on June 28, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products’ accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. June 28, 2002: The Honorable Byron L. Dorgan: Chairman: The Honorable Ben Nighthorse Campbell: Ranking Minority Member: Subcommittee on Treasury and General Government: Committee on Appropriations: United States Senate: The Honorable Ernest J. Istook, Jr. Chairman: The Honorable Steny H. Hoyer: Ranking Minority Member: Subcommittee on Treasury, Postal Service, and General Government: Committee on Appropriations: House of Representatives: Subject: Executive Office of the President: Analysis of Mandated Report on Key Information Technology Areas: In the fiscal year 2002 appropriations act covering the Executive Office of the President (EOP), [Footnote 1] the Congress limited the office’s use of systems modernization funds until EOP submitted a report to the House and Senate Committees on Appropriations that included an enterprise architecture (blueprint for modernization), a description of an information technology (IT) capital planning and investment control process, a capital investment plan (portfolio of planned investments for fiscal year 2003), and an IT human capital plan (an approach to meeting strategic human capital needs). As specified in the act, the report was to be approved by the Office of Management and Budget (OMB) and reviewed by us. EOP submitted its enterprise architecture, investment control process description, and capital investment plan on March 13, 2002; the IT human capital plan followed on March 18, 2002. These submissions constitute EOP’s report, which OMB subsequently approved on April 19, 2002. As we agreed with your offices, our review objective was to determine EOP’s progress and plans relative to the four areas covered by the report. To accomplish our objective, we reviewed the EOP report to ensure that it satisfied the conditions specified by the Congress, including that it addressed each of the key IT management areas cited in the legislation. In addition, we met with EOP officials, including the Chief Information Officer (CIO) and Deputy CIO, to determine how each of the four areas in the report was derived and what plans existed to further develop each. In doing so, we obtained and reviewed additional management documentation, such as the enterprise architecture development plan, descriptions of organizational roles and responsibilities, and memoranda relating to actions already under way. We also compared the content of the report and the plans for each topic area to relevant IT management best practices and federal guidance. [Footnote 2] We conducted our work from March 2002 through May 2002 in accordance with generally accepted government auditing standards. In summary, EOP has made progress, and it has made plans and future commitments relative to each of the four areas addressed in its report. First, the office is in the process of developing an officewide blueprint for modernizing its operations and supporting technology, commonly referred to as an enterprise architecture. Thus far, it has developed parts of the architecture, most notably the rules and definitions governing the technical characteristics of IT investments and explaining EOP-wide technical service categories (e.g., network services, security services, etc.). Moreover, the steps it has taken to complete the architecture are consistent with recognized best practices. For example, these steps include designating a chief architect, using an architecture framework and an automated repository tool, and having a detailed project management plan. Second, EOP has taken steps toward defining an officewide IT capital planning and investment control process that is to be used to implement the enterprise architecture, and these initial steps are also consistent with best practices. For example, it has established a council that is to have executive representation from across EOP and that is intended to function as a corporate investment decision-making board. Third, recognizing that both of these key elements of IT management are not yet mature, the office has defined a portfolio of projects in its fiscal year 2003 capital investment plan that appropriately focuses on correcting existing system problems and introducing infrastructure upgrades that are consistent with its defined technical rules and definitions. Fourth, to facilitate its ongoing and planned efforts to complete the enterprise architecture, expand the capital planning and investment control process, and manage the implementation of its fiscal year 2002 and 2003 capital investment plans, EOP has also begun employing effective IT human capital management practices. For example, it has analyzed its existing human capital capabilities, identified its future needs, and is taking steps to address shortfalls, such as hiring new staff, training existing staff, and contracting for missing expertise and support. EOP’s efforts at this juncture should be viewed as work in progress, as opposed to completed tasks. This means that the office’s modernization success largely depends on its ability and resolve in fulfilling its plans and commitments in each of these areas. To assist the appropriations committees in overseeing EOP’s IT management activities, we have highlighted the office’s key commitments in this report. Background: EOP is a confederation of 12 agencies and offices as well as several supporting organizations that provide policy and administrative advice and support to the President in his role as Chief Executive and Commander in Chief. [Footnote 3] Their missions span such diverse matters as the economy, national defense, homeland security, environmental quality, domestic policy, drug control policy, federal budget formulation and execution, and financial management; the size of their organizations ranges from 6 to 600 staff. Despite these differences, these offices and agencies share common functions, such as the receipt and transfer of information, as well as common administrative processes, such as human capital and financial management. One of EOP’s offices is the Office of Administration, which is directed by a Special Assistant to the President. The mission of this office is to provide EOP-wide administrative services, including financial, human capital, IT management, and systems support. In fiscal year 2002, EOP established a CIO organization within the Office of Administration. The CIO office consists of three groups: the Information Assurance group, whose mission is to protect information throughout the EOP from external and internal threats; the Information Systems and Technology group, whose mission is to deliver IT capabilities to EOP staff to assist them in efficiently performing their daily activities; and the Concepts, Requirements, and Systems Engineering group, whose mission is to champion and promote the use of an EOP architecture, well-defined system requirements, and structured development methods. As is represented by the solid and dotted lines in figure 1, the CIO has structured the operations of these three groups so that they are individually accountable to the CIO but are to work collaboratively in achieving their respective missions. Figure 1: CIO Organizational Chart: Source: Executive Office of the President, Office of Administration, Information Technology Architecture, 2001 Annual Update , Version 1.0 (March 1, 2002). [End of Figure] Since being established, the CIO organization has been developing and implementing various IT management plans and processes. Many of these plans and processes are described in the March 2002 report that the Director of the Office of Administration submitted in response to the legislative direction in the fiscal year 2002 appropriations act. [Footnote 4]: On April 19, 2002, OMB approved EOP’s report to the appropriations committees. In its approval letter, OMB stated that the architecture and capital planning submissions were an initial step, and that EOP had much more work to do in creating a fully defined enterprise architecture and associated investment processes. It also stated that EOP’s human capital plan conformed to existing concepts and objectives driving human capital management in the federal government, but that a more robust and integrated human capital planning process should follow in parallel with EOP’s future enterprise architecture and capital investment planning efforts. EOP’s Report Addresses Four Key Areas of IT Management: Each of the four areas discussed in EOP’s report to the appropriations committees is a key element of IT management. For each of these four areas, a brief description is provided below. (These four areas should not be construed as exhaustive, however: other key areas, such as system life cycle management processes and computer security, for example, are not addressed in EOP’s report or our report.) Enterprise architecture: An enterprise architecture is a blueprint for operational and systems modernization. In simple terms, an enterprise is any purposeful activity, and an architecture is the structure (or structural description) of any activity. More specifically, enterprise architectures are systematically derived and captured blueprints or descriptions--in useful models, diagrams, and narrative--of the mode of operation for a given enterprise, which can be (1) a single organization or (2) a functional or mission area that transcends more than one organizational boundary (e.g., financial management, acquisition management, logistics management). The architecture describes the enterprise’s operations in both (1) logical terms, such as interrelated business processes and business rules, information needs and flows, work locations and users, and applications, and (2) technical terms, as defined in a technical standards profile and technical reference model, [Footnote 5] such as the attributes and performance standards of hardware, software, data, communications, and security. The architecture provides these perspectives both for the enterprise’s current or “as is” environment and for its target or “to be” environment, as well as a sequencing plan for moving from the “as is” to the “to be” environment. IT Capital Planning and Investment Control Process: The IT capital planning and investment control process is the means by which the enterprise architecture is implemented. Under this process, new and ongoing projects originate from business and mission needs of the components as well as from the sequencing plan for transitioning from the current to the target architecture; these projects are proposed as part of a portfolio of investment options for approval by one or more investment boards. The board(s) make decisions on projects on the basis of costs, benefits, and risks, using defined selection criteria, such as positive return on investment and appropriate alignment with the enterprise architecture and with mission goals and objectives. The process also provides for controlling these projects throughout their life cycles to ensure that cost and benefit expectations are being met and risk is at an acceptable level. As projects are selected and controlled under this process, deviations from the architecture may be warranted, and these are used as the basis for updating the architecture. IT Capital Investment Plan: The IT capital investment plan (CIP) is a primary output of the capital planning and investment control process. The CIP identifies the portfolio of approved IT projects, including descriptive information about each project, such as statements of mission needs, descriptions of project capabilities, estimates of cost and schedule, and projections of return on investment and risk. If the CIP is developed within the context of an effective investment management process and a well-defined enterprise architecture, each project will be linked to mission, goals, and a positive return on investment. IT Human Capital Plan: An IT human capital plan is the means by which effective CIO organizations ensure that they have the right people on board at the right time to successfully deliver IT projects and associated services. To be effective, these plans provide for inventorying and assessing the organization’s existing knowledge and skills set; identifying the knowledge and skill sets needed to implement the target enterprise architecture, supporting sequencing plan, and annual CIPs; determining the gap between existing capabilities and needed capabilities; and defining a strategy for filling the gap, such as new hiring, proactive retention, training, and use of contractor support. Enterprise Architecture Progress Is Being Made, and Plans for Completion Are in Place: The importance of developing, implementing, and maintaining an enterprise architecture is a basic tenet of effective IT management. Used in concert with other IT management controls, such as an IT capital planning and investment control process, a well defined and applied architecture can appreciably increase the chances that an enterprise’s operations and systems will be structured in a way that optimizes mission performance. We have found that attempting to modernize operations and systems without an architecture leads to operational and systems duplication, lack of integration, and unnecessary expense. Our best practices research on successful public and private sector organizations has similarly identified enterprise architectures as essential to effective business and technology transformation. [Footnote 6]: Using our experience and research in enterprise architecture, we teamed with the federal CIO Council to produce guidance on effective architecture management, including practices that are critical to successfully developing one. [Footnote 7] Among other things, this guidance emphasizes that the following practices are critical to effectively developing an architecture: (1) establishing a steering committee to guide and direct the architecture effort and ensuring that this committee is composed of executives who represent the entire enterprise, (2) designating a chief architect under the CIO to manage the architecture effort, (3) using a framework to govern the structure and content of the architecture that includes views of the enterprise from its business, data, applications, and technology perspectives, (4) using an automated tool to capture the content of the architecture, and (5) managing the architecture effort as a formal program, including having a detailed plan and work breakdown structure. EOP is satisfying each of these practices. In particular: * The Special Assistant to the President and Director of the Office of Administration has established an Information Resources Management Executive Council, which is intended, among other things, to serve as the enterprise architecture steering committee and to ensure that EOP business processes are identified and used as the driver in selecting and aligning supporting IT projects and initiatives. The council membership is to consist of senior executives from 18 different EOP customer groups. The council is to be supported by the Enterprise Technology Task Force, which is to focus on technical architectural issues across the office. * The Director of Concepts, Requirements, and Systems Engineering, who reports to the EOP CIO, is the designated chief architect. * The chief architect is using the Federal Enterprise Architecture Framework, which includes business, data, application, and technology components. * The chief architect is using a commercially available automated repository tool to capture EOP’s architectural artifacts. * The chief architect is managing the architecture effort as a formal program. For example, an Enterprise Architecture Development and Sustainment Process and Concept of Operations has been developed that describes the activities, key players (including their roles and responsibilities), and major outputs of the program. Also, a development plan has been prepared that includes a detailed breakdown of tasks and milestones. Two key milestones against which future progress can be measured are the development of a target architecture and the development of a plan for sequencing from the baseline to the target architecture, both of which are to be completed by September 16, 2002. In addition to EOP’s plans for completing its enterprise architecture, it has already developed certain architectural components. For example, EOP has described the current or “as is” business processes and information requirements unique to its offices and agencies, as well as those shared among several (or all) offices and agencies. It has also described the existing networks and infrastructure across the office. Further, EOP has defined the principles and goals that are to govern the content of its target architecture, and it has defined a technical reference model and a technical standards profile to guide and constrain near-term investments in its IT infrastructure. For example, it has developed standards profiles to govern the characteristics of new software and hardware across a number of domains, including operating platforms, data management, data interchange, and network services. EOP owes its progress and commitments in enterprise architecture largely to the CIO office’s understanding of the importance and value of this IT management tool. Assuming that progress continues and the architecture development plan is effectively implemented, EOP’s ability to effectively invest in IT should benefit from its architecture efforts. EOP-wide Capital Planning and Investment Control Process Is Planned: The need for a well-defined and implemented capital planning and investment control process, sometimes referred to as an investment management process, is also a fundamental tenet of effective IT management. Our research on successful public and private sector organizations shows that these organizations have institutional and disciplined approaches to identifying, selecting, controlling, and evaluating IT investments. As this research also shows, the approach of these organizations is to establish corporate investment boards with responsibility for investment decisionmaking and to link decisions about competing investment options to defined criteria, such as mission needs and outcomes, return on investment, and investment risk. Using this research, we published a framework to assist organizations in establishing effective IT investment management processes. [Footnote 8] In addition, OMB has issued guidance requiring agencies to have such a process. [Footnote 9]: In developing and executing its fiscal year 2003 CIP and budget request, the EOP CIO office has followed a systematic approach to identifying, selecting, and controlling its IT project investments. For example, EOP identified and selected IT projects based on defined criteria, and it mapped each project to one or more IT strategic plan goals. As part of the decision criteria, each proposal was to include the following elements: * project description, including scope, actions to be taken, relationship to other systems, and alignment with technical standards profile and reference model; * cost (including capital investment and maintenance) and funding sources; * users’ needs to be resolved; * benefits and returns, including cost and time savings and productivity gains; and: * mission impact if the project is not selected and funded. Further, the CIO office is using a structured process to control project execution. According to the Deputy CIO, project managers are required to follow a standard briefing template in reporting monthly to the CIO and Deputy CIO on the status of their respective projects. In these sessions, project progress is evaluated against cost, schedule, and performance commitments; business cases justifying investment in the project are examined; and project risks are addressed. Recognizing the value of having an EOP-wide investment management process, the CIO office plans to extend and expand the existing process, so that it includes all EOP IT user groups and makes use, for example, of the enterprise architecture now under development. As a first step, EOP is in the process of establishing the Information Resources Management Executive Council, which is to guide and direct definition of this process and also to function as the EOP corporate investment board. According to EOP officials, specific plans and milestones for defining and implementing an EOP-wide investment management process have not yet been established because the office was waiting for the council, as an EOP corporate body, to lead this effort. According to a CIO official, the council is to convene in June 2002 to begin formulating plans. Assuming EOP follows through on its stated commitments, it would be in a position to establish a critical capability for effectively managing its IT investments. Current CIP Focuses on Near-Term Needs, Future Infrastructure, and IT Management Tools: In cases where federal agencies have yet to complete an enterprise architecture and a corporate investment management process, we have recommended that IT investments focus on certain near-term priorities. These priorities include projects that introduce enabling IT infrastructure and conform to agreed upon technical characteristics and service categories; projects that are intended to establish IT management capabilities (e.g., the architecture and an investment management process); projects that allow the organization to “stay in business,” meaning that they correct known performance problems with existing systems; and projects that represent low risk and high payoff. [Footnote 10] EOP’s fiscal year 2003 CIP focuses on investments that are consistent with our prior recommendations to other agencies. Funding in the CIP is devoted to projects that improve the office’s existing IT infrastructure. For example, one of the largest planned investments ($5 million) is for the redesign and relocation of the EOP data center to address issues of security and continuity of operations that were raised after the terrorist attacks of September 11, 2001. Other planned infrastructure investments include $1.5 million for customer service and desktop systems, and about $1 million for upgrading existing network communications. The narrow focus of the range of projects in the CIP reflects the CIO office’s awareness of the kinds of investments that are appropriate at this early stage in the office’s IT modernization agenda. According to CIO officials, projects aimed at business process reform will not be proposed until, for example, the architecture and investment decisionmaking process governing such reform are in place. This narrowly focused CIP should allow EOP to make the best near-term use of its available IT resources and capabilities and allow it to position itself for its longer term modernization. IT Human Capital Plan Is Being Implemented: As we have previously reported, [Footnote 11] strategic human capital centers on viewing people as assets whose value to an organization can be enhanced through investment. As the value of its people increases, so does the performance capacity of the organization. To maintain and enhance the capabilities of IT staff specifically, an organization should (1) assess the IT knowledge and skills needed to effectively support agency mission goals, (2) inventory the knowledge and skills of current IT staff, (3) identify gaps between needs and current capabilities, and (4) develop and implement plans to fill the gaps. EOP officials stated that they recognize the importance of understanding the office’s unmet IT human capital requirements and of planning how best to acquire, develop, and retain resources to meet these requirements. To this end, the office has developed an IT human capital plan for meeting these requirements, based on (1) a definition of needed IT knowledge and skills, (2) an inventory of its current IT workforce knowledge and skills, and (3) a gap analysis of shortfalls. More specifically, EOP’s CIO office used its planned IT initiatives and projects, combined with the perspectives of senior CIO staff, to identify 14 core knowledge and skill areas needed to support current and future operations. For example, its analysis showed that the CIO organization is becoming increasingly reliant on contractor support, and that improvements in project management and contractor oversight capabilities were needed. Accordingly, both are now included in the 14 core knowledge and skill competencies. The CIO office then surveyed and summarized the knowledge and skill sets of onboard staff (government and contractor), including their technical training and certification and years of experience. Next, a gap analysis was performed that compared the needed IT knowledge and skills with the inventory of current IT workforce knowledge and skills. Using this analysis, the CIO office identified shortfalls in nine areas, including project management, enterprise architecture, and staff support for the data center. With respect to project management, for example, the analysis identified project management as the primary role of the CIO office’s government staff, and recognized the need for skills in such project management areas as managing people, planning, documenting, project performance, cost analysis, and risk management. To begin addressing human capital shortfalls, EOP has developed a plan consisting of various initiatives, most of which are under way. For example, it has begun training staff in project management, contractor oversight, and enterprise architecture management. It plans to hire additional government staff and intends to fill the remaining gaps in IT knowledge and skill sets using contractor staff, once it has re- competed its systems engineering and technical assistance contract, which expires in September 2002. Moreover, the CIO office has made several future commitments that recognize the need to continually evaluate its needs and develop and retain its IT human capital in order to support EOP’s mission. These include: * assessing the effect on IT human capital capabilities of each architecture update or organizational realignment; * maintaining the existing staff knowledge and skills inventory; * working with each staff member to ensure that CIO organizational goals and objectives are understood, identifying individual training needs, and developing training plans; and: * providing training in core skills and knowledge areas using in- house expertise and outside resources. EOP owes its progress and commitments in IT human capital largely to the CIO office’s understanding of the importance and value of this strategic asset. Assuming that progress continues and plans are effectively implemented, EOP’s ability to effectively invest in IT should benefit from its IT human capital program. Concluding Observations: EOP and OMB have satisfied their legislative requirements to report to the appropriation committees on certain IT management areas and to approve the report, respectively. In doing so, they have recognized that EOP has work remaining to mature in each of these areas. This is consistent with the results of our analysis. To this end, EOP has made plans and future commitments, which can be used to measure its progress in each area. Agency Comments and Our Evaluation: In oral comments on a draft of this report, the Associate Counsel to the President stated that EOP’s CIO was satisfied with the substance of the report and that the White House had no substantive comments. The Associate Counsel provided additional information on EOP agencies and offices. We have incorporated this information into the report as appropriate. We are sending copies of this report to the Chairmen and Ranking Minority Members of other Senate and House committees and subcommittees that have appropriations, authorization, and oversight responsibilities for EOP. We are also sending copies to the Director of the EOP Office of Administration, the EOP CIO, and the OMB Director. Copies will also be made available to others upon request.: Should you or your staff have any questions on matters discussed in this report, please contact me at (202) 512-3439. I can also be reached by E-mail at hiter@gao.gov . Major contributors of this report include William G. Barrick, Barbara Collier, Larry E. Crosland, Lester P. Diamond, Richard B. Hung, and David L. McClure. Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: Signed by Randolph C. Hite. (310436): FOOTNOTES [1] Treasury and General Government Appropriations Act for Fiscal Year 2002 (Public Law 107-67). [2] Chief Information Officers Council, Architecture Alignment and Assessment Guide, (October 2000); Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001); Office of Management and Budget, Management of Federal Information Resources, Circular No. A-130 (November 30, 2000); U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, Exposure Draft, GAO/AIMD-10.1.23 (Washington D.C.: May 2001). U.S. General Accounting Office, Human Capital: Attracting and Retaining a High-Quality Information Technology Workforce, GAO-02-113T (Washington, D.C.: October 4, 2001). [3] The agencies/offices are the White House Office (includes, for example, the Office of Homeland Security), Office of the Vice President, Council on Environmental Quality, Office of Management and Budget, Office of Policy Development, President’s Foreign Intelligence Advisory Board, Office of Administration, Office of Science and Technology Policy, Office of National Drug Control Policy, National Security Council, Council of Economic Advisors, and the U.S. Trade Representative; the supporting organizations include the White House Communications Agency, a support office of the General Services Administration, the U. S. Secret Service, and the White House Branch of the U.S. Postal Service. [4] Treasury and General Government Appropriations Act for Fiscal Year 2002 (Public Law 107-67). [5] As defined in a guide on enterprise architectures published by the CIO Council, a technical standards profile is the set of rules that govern system implementation and operation; a technical reference model is a taxonomy of enterprise service areas, interface categories, and relationships to address interoperability and open-systems issues. [6] U.S. General Accounting Office, Executive Guide: Improving Mission Performance through Strategic Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1994). [7] Chief Information Officers Council, Architecture Alignment and Assessment Guide (October 2000); Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [8] GAO/AIMD-10.1.23. [9] Office of Management and Budget, Management of Federal Information Resources, Circular No. A-130 (November 30, 2000). [10] See, for example, U.S. General Accounting Office, Information Technology: INS Needs to Strengthen Its Investment Management Capability, GAO-01-146 (Washington, D.C.: December 29, 2000), and U.S. General Accounting Office, Tax Administration: IRS’ Fiscal Year 1999 Budget Request and Fiscal Year 1998 Filing Season, GAO/T-GGD/AIMD-98- 114 (Washington, D.C.: March 31, 1998). [11] GAO-02-113T.