What We Found
To better manage tens of billions of dollars in information technology (IT) investments, the Office of Management and Budget (OMB) and other federal agencies should continue to fully implement critical requirements of federal IT acquisition reform legislation.
Since our 2019 High-Risk Report, ratings for all five criteria remain unchanged.
Leadership commitment: met. OMB continues to demonstrate its leadership commitment by (1) issuing guidance for covered departments and agencies (agencies) to implement statutory provisions commonly referred to as the Federal Information Technology Acquisition Reform Act (FITARA), (2) optimizing federal data centers, and (3) issuing a new federal government-wide strategy for cloud computing.
It will be important for OMB to maintain its current level of leadership support and commitment to ensure that agencies successfully execute OMB’s guidance on implementing FITARA and related IT reform initiatives. Sustained congressional focus on the implementation of FITARA has led to improvement, as highlighted in agencies’ FITARA implementation scores issued biannually by the House Committee on Oversight and Reform. However, continued executive branch and congressional attention is necessary.
Capacity: partially met. In December 2017, the Technology Modernization Fund (TMF) was established by the Modernizing Government Technology Act to assist agencies with funding to replace aging IT systems. Agencies receive incremental award funding and are required to repay the funds transferred and pay an administrative fee within 5 years. OMB, the General Services Administration (GSA), and the Technology Modernization Board oversee the TMF.
From March 2018, when GSA established the TMF Program Management Office to administer fund operations, to August 2019, the office had obligated about $1.2 million to cover its expenses from managing the fund. However, it had collected limited administrative fees to offset its expenses. As a result, the Technology Modernization Board had fewer funds available than anticipated to award to new projects.
Going forward, OMB and the TMF Program Management Office are likely to face ongoing challenges in collecting administrative fees due to factors that affect fee collection, such as project changes and the office’s lengthy time frame for recovering all costs. We made five recommendations to GSA and OMB in a December 2019 report, including that they (1) develop a plan to fully recover operating costs and (2) clarify that agencies should follow required cost guidance. As of December 2020, none of the recommendations had been implemented.
Twenty-one of the 24 major federal agencies still have not implemented our 2018 recommendations that the agencies modify their practices to fully address the role of their chief information officers (CIO) consistent with federal laws and OMB’s FITARA guidance. The guidance covers, among other things, enhancing the authority of federal CIOs and ensuring that program staff have the necessary knowledge and skills to effectively acquire IT. Progress in establishing key IT workforce planning processes is also lacking. None of the recommendations we made to five agencies in a November 2016 report have been implemented.
Action plan: partially met. Agencies continue to make progress with requirements under FITARA. Specifically, four of 24 agencies have reported completing all milestones within their plans to address the areas of IT management that we have identified as high risk, such as reviewing poorly performing investments and managing agencies’ IT portfolios. Eighteen agencies reported milestones that are still in progress or deferred. Two agencies have not reported on the status of their milestones and some agencies have not updated the status of their milestones in several years.
Agencies also continue to make progress with plans to modernize or replace obsolete IT investments. Specifically, 10 of 12 agencies implemented the recommendations we made in 2016 to identify and plan to modernize or replace legacy IT systems.
In 2019, we also reported on the need for agencies to develop plans to modernize critical legacy systems. Among the 10 most critical legacy systems that we identified as needing modernization, several used outdated languages, had unsupported hardware and software, and were operating with known security vulnerabilities.
Of the 10 agencies responsible for these legacy systems, seven agencies had documented plans for modernizing the systems. However, most lacked the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). The remaining three agencies did not have documented modernization plans.
We made eight recommendations to eight agencies to address these weaknesses and, as of December 2020, none had been implemented.
However, given the cost to maintain legacy systems, in 2010 OMB began requiring agencies to shift their IT services to a cloud computing option when feasible. In 2019, we reported that the 16 agencies we reviewed had made progress in implementing cloud computing services—namely, they established assessment guidance, performed assessments, and implemented these services—but the extent of their progress varied.
We made one recommendation to OMB on cloud savings reporting and 34 recommendations to the 16 agencies on cloud assessments and savings. OMB neither agreed nor disagreed and has yet to implement our recommendation. However, two of the 16 agencies have begun to make progress on implementing these recommendations.
Monitoring: partially met. Since our High-Risk Report in 2019, agencies have made progress in identifying their IT contracts and ensuring that acquisition offices are involved. Specifically, in January 2018, we made recommendations to 20 agencies to identify IT contracts and ensure the involvement of an acquisition officer; 16 agencies have implemented our recommendations.
However, we also reported in November 2018 that four selected agencies needed to consistently provide CIOs with visibility into resources, input to resource plans, and meaningful review and approval of IT budgets. As of December 2020, only four of our 43 recommendations to those agencies had been implemented.
Additionally, in September 2020, we reported on the need for federal agencies to take further action to reduce duplicative IT contracts. We found that efforts varied to implement five OMB category management activities aimed at preventing, identifying, and reducing such contracts. We made 20 recommendations to six of the seven agencies in our review to fully implement category management and spend analyses activities.
Lastly, since issuing our 2017 report on implementing adequate incremental development approaches for major IT investments, 13 of 17 agencies have fully addressed recommendations to improve reporting accuracy and update or establish certification policies. Implementing the remaining recommendations will help agencies to ensure that accurate data are made available for the oversight and management of their investments.
Demonstrated progress: partially met. In our 2019 High-Risk Report, we noted that agencies had reported achieving slightly more than 80 percent of their planned data center consolidation savings, a critical step toward addressing this high-risk area. To agencies’ credit, they have continued to make further progress against their goals. Since the beginning of 2019, agencies have reported an additional $440 million in savings.
As of July 2020, OMB and agencies had implemented 133 of the 204 recommendations made to them to improve the reporting of related cost savings and to achieve optimization targets. Implementation of these remaining recommendations by OMB and the agencies could yield additional cost savings.
We also reported in our 2019 High-Risk Report that OMB and federal agencies had fully implemented about 59 percent of the total recommendations we had made since fiscal year 2010 to address shortcomings in IT acquisitions and operations. As of December 2020, that number has increased, with federal agencies fully implementing 65 percent of the 1,396 IT management-related recommendations. However, significant actions are required by agencies to build on this progress.
Agencies continue to report progress in savings across a key OMB initiative—PortfolioStat—intended to improve the management of IT investments by consolidating and eliminating duplicative systems, among other things. Since our last update, agencies added nearly $200 million in savings (in fiscal year 2018), contributing to a total of approximately $2.7 billion in savings from fiscal years 2012 through 2018. This accounts for approximately 45.4 percent of planned PortfolioStat savings. Still, agencies need to make additional progress in savings.
Finally, in April 2019, we reported that agencies identified 12 practices that helped them effectively implement one or more FITARA provisions, which in turn enabled those agencies to realize IT management improvements, such as decommissioning old systems and cost savings. Agencies’ efforts to leverage the practices we identified will be an important element in agencies’ overall FITARA implementation efforts.
The executive branch has undertaken numerous initiatives to better manage the more than $90 billion that is annually invested in IT. However, federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.
These investments often suffer from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In 2015, we added the government’s management of IT acquisitions and operations to the High-Risk List.
Recognizing the severity of issues related to the government-wide management of IT, in December 2014, Congress and the President enacted federal IT acquisition reform legislation. In November 2017, and then again in December 2019, the sunset dates of several of these statutory provisions were extended or removed.
Among other things, these laws require covered agencies to: (1) enhance agency CIO authority, (2) enhance transparency and improve risk management of IT investments, and (3) consolidate federal data centers. Further, legislation enacted in December 2017 established a means for agencies to “borrow” funds in order to modernize their aging IT systems.
OMB and covered federal agencies should continue to fully implement the requirements of FITARA. Additionally, OMB will need to provide sustained oversight to ensure that agency actions are completed and the desired results are achieved. Beyond implementing FITARA and OMB’s guidance to improve the capacity to address our high-risk area, agencies should implement our remaining 400 open recommendations related to this high-risk area including
- our 2018 recommendations related to improving CIO authorities, as well as 2016 recommendations on improving IT workforce planning practices;
- our 2019 recommendations related to improving cloud computing investment spending and savings data; and
- 11 priority recommendations for agencies to, among other things, report all data center consolidation cost savings to OMB.
OMB and agencies need to take actions to (1) implement at least 80 percent of our open recommendations related to the management of IT acquisitions and operations and (2) achieve at least 80 percent of the over $6 billion in planned PortfolioStat savings. Lastly, agencies should consider applying effective practices that may better position them to implement FITARA provisions and realize IT management improvements and cost savings.