Key Issues > High Risk > Improving the Management of IT Acquisitions and Operations
High Risk Medallion

Improving the Management of IT Acquisitions and Operations

To better manage billions of dollars in information technology (IT) investments, the Office of Management and Budget (OMB) and other federal agencies should further implement the requirements of federal IT acquisition reforms.

View the 2019 Report

  1. Share with Facebook 
  2. Share with Twitter 
  3. Share with LinkedIn 
  4. Share with mail 

The executive branch has undertaken numerous initiatives to better manage the more than $90 billion that is annually invested in IT. However, federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. These investments often suffered from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In 2015, we added the government’s management of IT acquisitions and operations to the High-Risk list.

Recognizing the severity of issues related to the government-wide management of IT, in December 2014, Congress and the President enacted federal IT acquisition reform legislation; in November 2017, the sunset dates of several of these statutory provisions were extended or removed. Among other things, these laws require covered agencies to: (1) enhance agency CIO authority, (2) enhance transparency and improve risk management, (3) consolidate federal data centers, (4) review IT investment portfolios, (5) purchase government-wide software licenses, (6) maximize the benefit of federal strategic sourcing and (7) expand training and use of IT acquisition cadres.

Improving the Management of IT Acquisitions and Operations

Since our 2017 High-Risk Report, ratings for all five criteria remain unchanged.

Leadership commitment: met. OMB continues to demonstrate its leadership commitment by (1) issuing guidance for covered departments and agencies (agencies) to implement statutory provisions commonly referred to as the Federal Information Technology Acquisition Reform Act (FITARA), (2) optimizing federal data centers, and (3) acquiring and managing software licenses. It will be important for OMB to maintain its current level of top leadership support and commitment to ensure that agencies successfully execute OMB’s guidance on implementing FITARA and related IT initiatives. Sustained Congressional focus on implementing FITARA has led to improvement, as highlighted in agencies’ FITARA implementation scores issued biannually by the House Committee on Oversight and Reform. However, further Executive branch and Congressional attention is required.

Capacity: partially met. OMB has established guidance for FITARA and related IT management practices that addresses how agencies are to implement roles and responsibilities. The guidance covers, among other things, enhancing the authority of federal chief information officers (CIO) and ensuring that program staff has the necessary knowledge and skills to effectively acquire IT. As we reported in August 2018, none of the 24 major federal agencies had IT management policies that fully addressed the role of their CIOs consistent with federal laws and guidance. The majority of the agencies minimally addressed or did not address their CIO’s role in assessing agency IT workforce needs, and developing strategies and plans for meeting those needs. Correspondingly, the majority of the 24 CIOs acknowledged they were not fully effective at implementing IT workforce responsibilities.

In November 2016, we reported that while the five agencies we reviewed had demonstrated important progress in implementing key IT workforce planning activities, each had shortfalls. For example, four agencies had not demonstrated an established IT workforce planning process. All five agencies either agreed or partially agreed with our recommendations and identified planned actions to address our recommendations to improve their IT workforce planning. However, as of December 2018, none of our recommendations had been fully implemented.

Action plan: partially met. In addition to requiring covered agencies to conduct self-assessments, OMB’s FITARA implementation guidance requires agencies to develop and implement plans describing changes they will make to ensure that IT management responsibilities for CIOs and other senior agency officials are effectively implemented. These plans are to address the areas of IT management that we have identified as high risk, such as reviewing poorly performing investments, managing agencies’ IT portfolios, and implementing incremental development. While all 24 major federal agencies have developed FITARA implementation plans, the agencies need to demonstrate additional progress in effectively implementing these plans. As of December 2018, our continuing work to monitor progress in this area showed that 22 of the 24 major federal agencies had publicly reported at least partial completion of their FITARA milestones; however, all 22 of those agencies also reported incomplete milestones.

Significant work remains for federal agencies to establish action plans to modernize or replace obsolete IT investments. In May 2016, we reported that agencies were using systems which had components that were, in some cases, at least 50 years old. To address this issue, we recommended that 12 agencies identify and plan to modernize or replace legacy systems, including establishing time frames, activities to be performed, and system functions to be replaced or enhanced. Of the 12 agencies, 10 either concurred or partially concurred with our recommendations, while 2 stated they had no comment. However, as of December 2018, only 3 of the 12 agencies had implemented our recommendation and made progress in planning to modernize their legacy systems.

Monitoring: partially met. The President’s Management Agenda identified improving IT spending transparency as one of the Administration’s 14 cross-agency priority goals and tasked OMB with leading the drive towards better agency reporting on IT spending.

In January 2018, we reported that the majority of 22 agencies that we reviewed did not identify all of their IT contracts, leaving about $4.5 billion in IT-related contract obligations beyond those reported by agencies. Further, in November 2018, we reported that four selected agencies lacked quality assurance processes for ensuring that billions of dollars requested in their IT budgets were informed by reliable cost information. We made recommendations for those agencies to improve how IT acquisitions are identified and to establish procedures for ensuring IT budgets are informed by reliable cost information. Until agencies properly identify IT acquisitions and establish processes for ensuring the quality of cost data used to inform their IT budgets, agency CIOs are at risk of not having appropriate oversight of IT acquisitions worth billions of dollars and not having adequate transparency into IT spending to make informed budget decisions.

OMB has taken action to improve monitoring through its IT Dashboard—a public website that provides detailed information on major IT investments at 26 federal agencies, including ratings from CIOs that should reflect the level of risk facing each investment. However, in June 2016, we reported that our assessments of IT Dashboard risk ratings showed more risk on the majority of agency IT investments we sampled than did the associated CIO ratings. Consequently, we made 25 recommendations to 15 agencies to improve their CIO’s risk ratings; 12 agencies generally agreed with or did not comment on our recommendations, and 3 disagreed. As of December 2018, only 14 of the recommendations had been fully implemented. Agencies should continue to fully and accurately report on these risks to ensure their IT investments receive appropriate oversight.

An additional area of concern regarding the monitoring of IT acquisitions is agencies’ reported use of incremental development; OMB policy requires that IT investments deliver functionality in 6-month increments. However, our May 2014 report found that delivery rate to be challenging for agencies and, thus, we recommended that OMB instead require increments of 12 months. While OMB disagreed with our recommendation, our continuing work in this area has found that most agencies have reported progress in improving the rate at which their IT acquisitions deliver functionality at the 12-month rate. Nonetheless, in November 2017, we reported that most agencies lacked the required policies intended to ensure adequate consideration of incremental development approaches for major IT investments and we made 19 recommendations to 17 agencies to address this issue. Eleven agencies agreed with our recommendations, 1 partially agreed, and 5 did not state whether they agreed or disagreed. As of December 2018, 11 of our 19 recommendations remained open.

Demonstrated progress: partially met. In our 2017 high-risk update, we identified agency plans to save $5.3 billion from data center consolidation, a number which included $3.3 billion planned through fiscal year 2015. Agencies subsequently reported achieving $2.8 billion of that amount. In 2016, OMB issued new guidance on consolidating data centers and subsequently, a number of agencies revised their planned savings, resulting in $2.4 billion planned from fiscal years 2016 through 2018. As of August 2018, our continuing work to monitor progress in this area has shown that over $1.9 billion of that savings had been achieved. The total achieved savings of $4.7 billion represents slightly more than 80 percent of the agencies’ planned $5.7 billion in savings since 2011. In our 2017 high-risk update, we cited this 80 percent target as one of several actions that should be taken and recognize the positive government-wide progress this demonstrates. However, improvement is still needed in other areas.

Since fiscal year 2010, we have made 1,242 recommendations to address shortcomings in IT acquisitions and operations; 514 since this area was added to the High-Risk List in February 2015. As of December 2018, OMB and federal agencies had fully implemented only 735 (or about 59 percent) of the total recommendations and only 169 (about 33 percent) of the recommendations made since February 2015. In addition, agencies have made progress in achieving about $2.5 billion in savings across a key OMB initiative—PortfolioStat—intended to improve the management of IT investments by consolidating and eliminating duplicative systems, among other things. Through fiscal year 2016, agencies had saved almost $1.8 billion, with more than $754 million in fiscal year 2017. Nevertheless, agencies have approximately $3.5 billion in their reported planned savings still to be achieved.

As we have recommended, OMB and covered federal agencies should further implement the requirements of FITARA. OMB will need to provide sustained oversight to ensure that agency actions are completed and the desired results are achieved.

  • Beyond implementing FITARA and OMB’s guidance to improve the capacity to address our high-risk area, agencies need to implement our recent recommendations related to improving CIO authorities, as well as past recommendations on improving IT workforce planning practices.
  • Agencies must establish action plans to modernize or replace obsolete IT investments.
  • Agencies need to implement our recommendations to address weaknesses in their IT Dashboard reporting of investment risk and incremental development implementation.
  • OMB and agencies should work toward implementing our remaining 456 open recommendations related to this high-risk area. These remaining recommendations include 12 priority recommendations for agencies to, among other things, report all data center consolidation cost savings to OMB, plan to modernize or replace obsolete systems as needed, and improve their implementation of PortfolioStat. OMB and agencies need to take additional actions to (1) implement at least 80 percent of our open recommendations related to the management of IT acquisitions and operations, (2) ensure that a minimum of 80 percent of the government’s major IT acquisitions deliver functionality every 12 months, and (3) achieve at least 80 percent of the over $6 billion in planned PortfolioStat savings.
Looking for our recommendations? Click on any report to find each associated recommendation and its current implementation status.
  • portrait of Carol Harris
    • Carol Harris
    • Director, Information Technology and Cybersecurity
    • (202) 512-4456