Improving the Management of IT Acquisitions and Operations
The executive branch has undertaken numerous initiatives to better manage the more than $90 billion that is annually invested in IT. However, federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. These investments often suffered from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In 2015, we added the government’s management of IT acquisitions and operations to the High-Risk list.
Recognizing the severity of issues related to the government-wide management of IT, in December 2014, Congress and the President enacted federal IT acquisition reform legislation; in November 2017, the sunset dates of several of these statutory provisions were extended or removed. Among other things, these laws require covered agencies to: (1) enhance agency CIO authority, (2) enhance transparency and improve risk management, (3) consolidate federal data centers, (4) review IT investment portfolios, (5) purchase government-wide software licenses, (6) maximize the benefit of federal strategic sourcing and (7) expand training and use of IT acquisition cadres.
Since our 2017 High-Risk Report, ratings for all five criteria remain unchanged.
Leadership commitment: met. OMB continues to demonstrate its leadership commitment by (1) issuing guidance for covered departments and agencies (agencies) to implement statutory provisions commonly referred to as the Federal Information Technology Acquisition Reform Act (FITARA), (2) optimizing federal data centers, and (3) acquiring and managing software licenses. It will be important for OMB to maintain its current level of top leadership support and commitment to ensure that agencies successfully execute OMB’s guidance on implementing FITARA and related IT initiatives. Sustained Congressional focus on implementing FITARA has led to improvement, as highlighted in agencies’ FITARA implementation scores issued biannually by the House Committee on Oversight and Reform. However, further Executive branch and Congressional attention is required.
Capacity: partially met. OMB has established guidance for FITARA and related IT management practices that addresses how agencies are to implement roles and responsibilities. The guidance covers, among other things, enhancing the authority of federal chief information officers (CIO) and ensuring that program staff has the necessary knowledge and skills to effectively acquire IT. As we reported in August 2018, none of the 24 major federal agencies had IT management policies that fully addressed the role of their CIOs consistent with federal laws and guidance. The majority of the agencies minimally addressed or did not address their CIO’s role in assessing agency IT workforce needs, and developing strategies and plans for meeting those needs. Correspondingly, the majority of the 24 CIOs acknowledged they were not fully effective at implementing IT workforce responsibilities.
In November 2016, we reported that while the five agencies we reviewed had demonstrated important progress in implementing key IT workforce planning activities, each had shortfalls. For example, four agencies had not demonstrated an established IT workforce planning process. All five agencies either agreed or partially agreed with our recommendations and identified planned actions to address our recommendations to improve their IT workforce planning. However, as of December 2018, none of our recommendations had been fully implemented.
Action plan: partially met. In addition to requiring covered agencies to conduct self-assessments, OMB’s FITARA implementation guidance requires agencies to develop and implement plans describing changes they will make to ensure that IT management responsibilities for CIOs and other senior agency officials are effectively implemented. These plans are to address the areas of IT management that we have identified as high risk, such as reviewing poorly performing investments, managing agencies’ IT portfolios, and implementing incremental development. While all 24 major federal agencies have developed FITARA implementation plans, the agencies need to demonstrate additional progress in effectively implementing these plans. As of December 2018, our continuing work to monitor progress in this area showed that 22 of the 24 major federal agencies had publicly reported at least partial completion of their FITARA milestones; however, all 22 of those agencies also reported incomplete milestones.
Significant work remains for federal agencies to establish action plans to modernize or replace obsolete IT investments. In May 2016, we reported that agencies were using systems which had components that were, in some cases, at least 50 years old. To address this issue, we recommended that 12 agencies identify and plan to modernize or replace legacy systems, including establishing time frames, activities to be performed, and system functions to be replaced or enhanced. Of the 12 agencies, 10 either concurred or partially concurred with our recommendations, while 2 stated they had no comment. However, as of December 2018, only 3 of the 12 agencies had implemented our recommendation and made progress in planning to modernize their legacy systems.
Monitoring: partially met. The President’s Management Agenda identified improving IT spending transparency as one of the Administration’s 14 cross-agency priority goals and tasked OMB with leading the drive towards better agency reporting on IT spending.
In January 2018, we reported that the majority of 22 agencies that we reviewed did not identify all of their IT contracts, leaving about $4.5 billion in IT-related contract obligations beyond those reported by agencies. Further, in November 2018, we reported that four selected agencies lacked quality assurance processes for ensuring that billions of dollars requested in their IT budgets were informed by reliable cost information. We made recommendations for those agencies to improve how IT acquisitions are identified and to establish procedures for ensuring IT budgets are informed by reliable cost information. Until agencies properly identify IT acquisitions and establish processes for ensuring the quality of cost data used to inform their IT budgets, agency CIOs are at risk of not having appropriate oversight of IT acquisitions worth billions of dollars and not having adequate transparency into IT spending to make informed budget decisions.
OMB has taken action to improve monitoring through its IT Dashboard—a public website that provides detailed information on major IT investments at 26 federal agencies, including ratings from CIOs that should reflect the level of risk facing each investment. However, in June 2016, we reported that our assessments of IT Dashboard risk ratings showed more risk on the majority of agency IT investments we sampled than did the associated CIO ratings. Consequently, we made 25 recommendations to 15 agencies to improve their CIO’s risk ratings; 12 agencies generally agreed with or did not comment on our recommendations, and 3 disagreed. As of December 2018, only 14 of the recommendations had been fully implemented. Agencies should continue to fully and accurately report on these risks to ensure their IT investments receive appropriate oversight.
An additional area of concern regarding the monitoring of IT acquisitions is agencies’ reported use of incremental development; OMB policy requires that IT investments deliver functionality in 6-month increments. However, our May 2014 report found that delivery rate to be challenging for agencies and, thus, we recommended that OMB instead require increments of 12 months. While OMB disagreed with our recommendation, our continuing work in this area has found that most agencies have reported progress in improving the rate at which their IT acquisitions deliver functionality at the 12-month rate. Nonetheless, in November 2017, we reported that most agencies lacked the required policies intended to ensure adequate consideration of incremental development approaches for major IT investments and we made 19 recommendations to 17 agencies to address this issue. Eleven agencies agreed with our recommendations, 1 partially agreed, and 5 did not state whether they agreed or disagreed. As of December 2018, 11 of our 19 recommendations remained open.
Demonstrated progress: partially met. In our 2017 high-risk update, we identified agency plans to save $5.3 billion from data center consolidation, a number which included $3.3 billion planned through fiscal year 2015. Agencies subsequently reported achieving $2.8 billion of that amount. In 2016, OMB issued new guidance on consolidating data centers and subsequently, a number of agencies revised their planned savings, resulting in $2.4 billion planned from fiscal years 2016 through 2018. As of August 2018, our continuing work to monitor progress in this area has shown that over $1.9 billion of that savings had been achieved. The total achieved savings of $4.7 billion represents slightly more than 80 percent of the agencies’ planned $5.7 billion in savings since 2011. In our 2017 high-risk update, we cited this 80 percent target as one of several actions that should be taken and recognize the positive government-wide progress this demonstrates. However, improvement is still needed in other areas.
Since fiscal year 2010, we have made 1,242 recommendations to address shortcomings in IT acquisitions and operations; 514 since this area was added to the High-Risk List in February 2015. As of December 2018, OMB and federal agencies had fully implemented only 735 (or about 59 percent) of the total recommendations and only 169 (about 33 percent) of the recommendations made since February 2015. In addition, agencies have made progress in achieving about $2.5 billion in savings across a key OMB initiative—PortfolioStat—intended to improve the management of IT investments by consolidating and eliminating duplicative systems, among other things. Through fiscal year 2016, agencies had saved almost $1.8 billion, with more than $754 million in fiscal year 2017. Nevertheless, agencies have approximately $3.5 billion in their reported planned savings still to be achieved.
As we have recommended, OMB and covered federal agencies should further implement the requirements of FITARA. OMB will need to provide sustained oversight to ensure that agency actions are completed and the desired results are achieved.
- Beyond implementing FITARA and OMB’s guidance to improve the capacity to address our high-risk area, agencies need to implement our recent recommendations related to improving CIO authorities, as well as past recommendations on improving IT workforce planning practices.
- Agencies must establish action plans to modernize or replace obsolete IT investments.
- Agencies need to implement our recommendations to address weaknesses in their IT Dashboard reporting of investment risk and incremental development implementation.
- OMB and agencies should work toward implementing our remaining 456 open recommendations related to this high-risk area. These remaining recommendations include 12 priority recommendations for agencies to, among other things, report all data center consolidation cost savings to OMB, plan to modernize or replace obsolete systems as needed, and improve their implementation of PortfolioStat. OMB and agencies need to take additional actions to (1) implement at least 80 percent of our open recommendations related to the management of IT acquisitions and operations, (2) ensure that a minimum of 80 percent of the government’s major IT acquisitions deliver functionality every 12 months, and (3) achieve at least 80 percent of the over $6 billion in planned PortfolioStat savings.
GAO-19-49: Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
The departments GAO reviewed—the Departments of Energy (DOE), Health and Human Services (HHS), Justice (DOJ), and the Treasury (Treasury)—took steps to establish policies and procedures that align with eight selected Office of Management and Budget (OMB) requirements intended to implement information technology (IT) acquisition reform legislation (commonly referred to as the Federal Informatio...
GAO-18-93: Published: Aug 2, 2018. Publicly Released: Aug 2, 2018.
None of the 24 agencies have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified (see figure 1).Figure 1: Extent to Which 24 Agencies' Policies Addressed the Role of Their Chief Information Of...
GAO-18-264: Published: May 23, 2018. Publicly Released: May 23, 2018.
The 24 agencies participating in the Office of Management and Budget's (OMB) Data Center Optimization Initiative (DCOI) reported mixed progress toward achieving OMB's goals for closing data centers by September 2018. Over half of the agencies reported that they had either already met, or planned to meet, all of their OMB-assigned goals by the deadline. This would result in the closure of 7,221 of...
GAO-18-42: Published: Jan 10, 2018. Publicly Released: Jan 10, 2018.
Most of the 22 selected agencies did not identify all of their information technology (IT) contracts. The selected agencies identified 78,249 IT-related contracts, to which they obligated $14.7 billion in fiscal year 2016. However, GAO identified 31,493 additional contracts with $4.5 billion obligated, raising the total amount obligated to IT contracts in fiscal year 2016 to at least $19.2 billion...
GAO-18-51: Published: Nov 21, 2017. Publicly Released: Nov 21, 2017.
The Office of Management and Budget's (OMB) Office of E-Government and Information Technology (E-Gov) reported that it undertook a structured approach to identify the top 10 high priority IT programs in reports to Congress in June 2015 and June 2016. Specifically, OMB staff stated that they chose the top 10 programs from a longer list of agency programs requiring additional oversight (referred to...
GAO-18-148: Published: Nov 7, 2017. Publicly Released: Nov 7, 2017.
Agencies reported that 62 percent of major information technology (IT) software development investments were certified by the agency Chief Information Officer (CIO) for implementing adequate incremental development in fiscal year 2017, as required by the Federal IT Acquisition Reform Act (FITARA) as of August 2016. However, a number of responses for the remaining investments were incorrectly repor...
GAO-17-448: Published: Aug 15, 2017. Publicly Released: Sep 6, 2017.
Of the 24 agencies required to participate in the Office of Management and Budget's (OMB) Data Center Optimization Initiative (DCOI), 22 collectively reported limited progress against OMB's fiscal year 2018 performance targets. Two agencies did not have a basis to report on progress as they do not have agency-owned data centers. For OMB's five optimization targets, five agencies or less reported t...
GAO-17-388: Published: May 18, 2017. Publicly Released: May 18, 2017.
The 24 agencies participating in the Office of Management and Budget's (OMB) Data Center Optimization Initiative (DCOI) have made progress on their data center closure efforts. As of August 2016, the agencies collectively had identified a total of 9,995 data centers, of which they reported having closed 4,388 and having plans to close a total of 5,597 through fiscal year 2019. The Departments of A...
GAO-17-251SP: Published: Apr 11, 2017. Publicly Released: Apr 11, 2017.
What the Participants SaidForum participants discussed the challenges and opportunities for Chief Information Officers (CIO) to improve information technology (IT) acquisitions and operations--with the goal of better informing policymakers and government leadership. They identified key actions related to the following topics: strengthening the Federal Information Technology Acquisition Reform Act...