Library of Congress:

Strong Leadership Needed to Address Serious Information Technology Management Weaknesses

GAO-15-315: Published: Mar 31, 2015. Publicly Released: Mar 31, 2015.

Contact:

Joel C. Willemssen
(202) 512-6253
willemssenj@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness:

Strategic planning: The Library does not have an IT strategic plan that is aligned with the overall agency strategic plan and establishes goals, measures, and strategies. This leaves the Library without a clear direction for its use of IT.

Investment management: Although the Library obligated at least $119 million on IT for fiscal year 2014, it is not effectively managing its investments. To its credit, the Library has established structures for managing IT investments—including a review board and a process for selecting investments. However, the board does not review all key investments, and its roles and responsibilities are not always clearly defined. Additionally, the Library does not have a complete process for tracking its IT spending or an accurate inventory of its assets. For example, while the inventory identifies over 18,000 computers currently in use, officials stated that the Library has fewer than 6,500. Until the Library addresses these weaknesses, its ability to make informed decisions will be impaired.

Information security and privacy: The Library assigned roles and responsibilities and developed policies and procedures for securing its information and systems. However, its implementation of key security and privacy management controls was uneven. For example, the Library's system inventory did not include all key systems. Additionally, the Library did not always fully define and test security controls for its systems, remediate weaknesses in a timely manner, and assess the risks to the privacy of personal information in its systems. Such deficiencies also contributed to weaknesses in technical security controls, putting the Library's systems and information at risk of compromise.

Service management: The Library's Information Technology Services (ITS) division is primarily responsible for providing IT services to the agency's operating units. While ITS has catalogued these services, it has not fully developed agreements with the other units specifying expected levels of performance. Further, the other units were often not satisfied with these services, which has contributed to them independently pursuing their own IT activities. This in turn has resulted in units purchasing unnecessary hardware and software, maintaining separate e-mail environments, and managing overlapping or duplicative IT activities.

Leadership: The Library does not have the leadership needed to address these IT management weaknesses. For example, the agency's chief information officer (CIO) position does not have adequate authority over or oversight of the Library's IT. Additionally, the Library has not had a permanent CIO since 2012 and has had five temporary CIOs in the interim.

In January 2015, at the conclusion of GAO's review, officials stated that the Library plans to draft an IT strategic plan within 90 days and hire a permanent CIO. If it follows through on these plans, the Library will be in a stronger position to address its IT management weaknesses and more effectively support its mission.

Why GAO Did This Study

The Library of Congress is the world's largest library, whose mission is to make its resources available and useful to Congress and the American public. In carrying out its mission, the Library increasingly relies on IT systems, particularly in light of the ways that digital technology has changed the way information is created, shared, and preserved.

The House Appropriations Committee report accompanying the 2015 legislative branch appropriations bill required GAO to conduct a review of IT management at the Library. GAO's objectives focused on the extent to which the Library has established and implemented key IT practices and requirements in, among other areas: (1) strategic planning, (2) governance and investment management, (3) information security and privacy, (4) service management, and (5) leadership. To carry out its work, GAO reviewed Library regulations, policies, procedures, plans, and other relevant documentation for each area and interviewed key Library officials.

What GAO Recommends

GAO is recommending that the Library expeditiously hire a permanent CIO. GAO is also making 30 other recommendations to the Library aimed at establishing and implementing key IT management practices. The Library generally agreed with GAO's recommendations and described planned and ongoing actions to address them.

For more information, contact Joel C. Willemssen at (202) 512-6253 or willemssenj@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in September 2015 the Library hired a permanent Chief Information Officer (CIO). Additionally, in November 2016 the Librarian directed all top-level IT staff in the Library's various service units to be detailed to the Library's Office of the CIO, including service unit IT leadership. Further, in May 2017 the Librarian approved Library of Congress Regulations regarding the Office of the Chief Information Officer and IT Steering Committee (ITSC). These regulations make the CIO responsible for commodity IT and define the CIO's responsibilities for oversight of mission-specific systems through the ITSC. By hiring a permanent CIO with responsibility for IT, sufficient authority, and clearly defined responsibilities, the Library is better positioned to effectively acquire, operate, and maintain its IT in support of its mission.

    Recommendation: To provide stable, consistent, and effective leadership for addressing the weaknesses identified in this report, as well as for improving the organization's management of IT, the Librarian should expeditiously hire a permanent chief information officer responsible for managing the Library's IT and ensure that this official has clearly defined responsibilities and adequate authority, consistent with the role of a chief information officer as defined by best practices. This should include, among other things, (1) responsibility for commodity IT; (2) oversight of mission-specific systems, through the ITSC or another oversight mechanism; and (3) clarification of responsibilities and authorities between the Library CIO and service unit IT leadership.

    Agency Affected: Library of Congress

  2. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in March 2016, the Library finalized its IT strategic plan and updated its plan in April 2017. The plan includes four goals that are generally results-oriented and describes how each goal aligns with the agency's overall strategic plan. Additionally, the Library developed fiscal year 2017 performance measures and associated targets for each of the four goals. Further, the plan includes strategies for achieving its goals. Lastly, the plan describes interdependencies among projects. By developing an IT strategic plan that sets forth a long-term vision and the intermediate steps that are needed to guide the agency, the Library is better positioned to effectively prioritize investments and use the best mix of limited resources to move toward its longer-term, agency-wide goals.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should complete an IT strategic plan within the time frame the Library has established for doing so. The plan, at a minimum, should (1) align with the agency's overall strategic plan, (2) provide results-oriented goals and performance measures, (3) identify the strategies for achieving the desired results, and (4) describe interdependencies among projects.

    Agency Affected: Library of Congress

  3. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to address, this recommendation. Specifically, according to Library officials, they have developed a complete and reliable enterprise architecture. The Library plans to provide us with the enterprise architecture by the end of September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for developing a complete and reliable enterprise architecture that accurately captures the Library's current IT environment, describes its target environment, and outlines a strategy for transitioning from one to the other, and develop the architecture within the established time frame.

    Agency Affected: Library of Congress

  4. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in July 2016 the Library engaged the Office of Personnel Management (OPM) to develop and conduct a skills assessment of the Library's IT workforce. According to Library officials, OPM led a focus group with IT specialists to review and revise competency and skill lists for IT positions. In June 2017, OPM administered a gap analysis survey to all IT specialists, supervisors, managers, and leaders within the Library. According to Library officials, the Library is developing a strategy for closing gaps identified in the survey results. The Library plans to complete the steps necessary to implement this recommendation by June 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide strategic direction for the Library's use of its IT resources, the Librarian of Congress should establish a time frame for implementing a Library-wide assessment of IT human capital needs and complete the assessment within the established time frame. This assessment should, at a minimum, analyze any gaps between current skills and future needs, and include a strategy for closing any identified gaps.

    Agency Affected: Library of Congress

  5. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals are to be reviewed annually by the Architecture Review Board and the IT Steering Committee. After these reviews have been completed, the IT Steering Committee is to then identify which IT investment proposals are to be included in the annual IT Investment Portfolio. Once the IT Investment Portfolio has been developed, the directive calls for the Library's Executive Committee to review the portfolio and for the Librarian to provide final approval. By clarifying which governance bodies are responsible for making investment decisions, the Library is better positioned to ensure that investments are properly aligned with the business needs of the entire organization.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should clarify investment management policy to identify which governance bodies are responsible for making investment decisions, and under what conditions.

    Agency Affected: Library of Congress

  6. Status: Closed - Implemented

    Comments: The Library of Congress agreed with and has taken steps to implement this recommendation. As part of its investment management process, the Library developed a template for IT investment proposals that calls for investment managers to provide information on how the investments align with the Library's IT strategic plan and enterprise architecture (EA). In addition, for 15 fiscal year 2018 investments, the Library described how these investments align with its IT strategic plan and architecture. Specifically, all the investment proposals described alignment with the Library's IT strategic goals. With respect to EA, all 15 investments described alignment with the business functions of the organization, and all but three described alignment with the Library's technical environment. By establishing and implementing a process for linking IT investment management with IT strategic planning and EA, the Library is better positioned to make investment decisions that meet the needs of the agency.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement a process for linking IT strategic planning, enterprise architecture, and IT investment management.

    Agency Affected: Library of Congress

  7. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017, the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals, including those that are operational, are to be reviewed annually by the IT Steering Committee and the Executive Committee. In addition, the Library's IT Steering Committee and Executive Committee reviewed key operational investments for fiscal years 2017 and 2018. By establishing and implementing a process for reselecting investments that are already operational, the Library is better positioned to make investment decisions that meet the needs of the agency.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for reselecting investments that are already operational.

    Agency Affected: Library of Congress

  8. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. In June 2017, the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, funding requests for new IT programs are to be reviewed annually by the IT Steering Committee and the Executive Committee prior to being included in the agency's budget request. In addition, the Library's IT Steering Committee and Executive Committee reviewed all of the funding requests for new IT programs for fiscal years 2017 and 2018. By establishing and implementing a process for ensuring that investment selection decisions have an impact on decisions to fund investments, the Library is better positioned to make investment decisions that meet the needs of the agency.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should establish and implement policies and procedures for ensuring that investment selection decisions have an impact on decisions to fund investments.

    Agency Affected: Library of Congress

  9. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. In June 2017, the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, all IT investment proposals are to be reviewed annually by the IT Steering Committee and the Executive Committee. In addition, the Library's IT Steering Committee and Executive Committee reviewed the key investments for fiscal years 2017 and 2018. By ensuring that appropriate governance bodies review all investments that meet defined criteria, the Library is better positioned to make investment decisions that meet the needs of the agency.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should ensure that appropriate governance bodies review all investments that meet defined criteria.

    Agency Affected: Library of Congress

  10. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in June 2017 the Library finalized its regulation on Information Technology (IT) Investment Management. According to the regulation, Library units are required to complete and submit quarterly IT investment reports for review by the Library's IT Steering Committee. Additionally, the Library developed a standard investment reporting template that includes requests for cost, schedule, and risk management data. Further, in November 2017, the Library provided us with reports for 19 key IT investments in development. The reports almost always included complete data on investment cost, schedule, and risk management. By requiring investments to provide complete data on cost, schedule, and risk, the Library will be better positioned to see early warning signs that indicate the need for corrective action, thereby reducing the risk of failed investments or investments that do not adequately support business processes, meet user needs, or provide a successful return on investment.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should require investments in development to submit complete investment data (i.e., cost and schedule variances and risk management data) in quarterly reports submitted to the ITSC.

    Agency Affected: Library of Congress

  11. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in September 2015 the Library's Chief Information Officer and Chief Financial Officer issued a memorandum requiring service units to track IT spending and provided guidance on how this is to be done. In April 2017, the Library finalized a report of fiscal year 2016 non-personnel IT expenditures. The report describes about $82 million in expenditures and shows how the money was spent by IT cost categories (e.g., data center, desktop and laptop systems, IT management) and by service unit. By developing and implementing a process for maintaining a full accounting of IT-related expenditures, the Library is in a more knowledgeable position to make decisions.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies, to include guidance for service units on classifying expenditures as IT, for maintaining a full accounting of the Library's IT-related expenditures.

    Agency Affected: Library of Congress

  12. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. The Library is developing an IT asset management directive to improve its processes for developing and maintaining its inventory of IT assets. Additionally, the Office of the CIO engaged a contractor to perform a full inventory of its IT assets in September 2017. Further, in March 2018, the Library provided an updated inventory of its IT assets. However, the inventory did not identify the organization, location, and inventory date for all assets. According to Library officials, moving forward, the Library has developed and implemented a new process to ensure that IT assets received at the warehouse are updated with the correct location information upon receipt. Library officials added that all assets will be updated when the 2018 annual inventory is complete in September 2018. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies for developing a comprehensive inventory of IT assets.

    Agency Affected: Library of Congress

  13. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Between October 2015 and June 2016, the Library conducted post-implementation reviews for three investments. For each review the Library compared expectations for cost, schedule, performance, and mission improvement outcomes, consistent with established policies and procedures. As a result, the Library is better positioned to learn from all past investments and evaluate the effectiveness of its investment management process.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should implement policies and procedures for conducting post-implementation reviews of investments.

    Agency Affected: Library of Congress

  14. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library has established and implemented policies and procedures consistent with the following three key portfolio management practices: (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio. By establishing and implementing policies and procedures for portfolio management, the Library is better positioned to make investment decisions that meet the needs of the agency.

    Recommendation: To provide a framework for effective IT investment management and ensure that the Library has accurate information to support its decisions, the Librarian should fully establish and implement policies and procedures consistent with the key practices on portfolio management, including (1) defining the portfolio criteria, (2) creating the portfolio, and (3) evaluating the portfolio.

    Agency Affected: Library of Congress

  15. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for risk management. Further, the Project Management Office developed risk management guidance that includes key risk management practices. In addition, the Library provided documentation for three key IT projects that demonstrated the implementation of this guidance. Establishing and implementing these policies will provide additional assurance that risks facing IT investments are being adequately addressed.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should complete and implement an organization-wide policy for risk management that includes key practices as discussed in this report, and within the time frame the Library established for doing so.

    Agency Affected: Library of Congress

  16. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for requirements development. Further, the Project Management Office has finalized detailed guidance for the Library on requirements development. This guidance addressed key requirements management practices identified in our report. In addition, the Library provided documentation for three key IT projects that demonstrate evidence of the implementation of this guidance. By establishing and implementing a requirements management policy and procedures, the Library will have additional assurance that its IT investments will meet stakeholder and customer needs.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for requirements development that includes key practices as discussed in this report.

    Agency Affected: Library of Congress

  17. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, we are reviewing the Project Management Office's guidance for developing cost estimates to evaluate whether it includes the key practices discussed in our report. In addition, we are reviewing documentation for three key IT projects to evaluate the implementation of this guidance. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

    Agency Affected: Library of Congress

  18. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, we are reviewing the Project Management Office's guidance for developing schedules to evaluate whether it includes the key practices discussed in our report. In addition, we are reviewing documentation for three key IT projects to evaluate the implementation of this guidance. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

    Agency Affected: Library of Congress

  19. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library's Information Technology Security Group conducted a review of Library systems and developed a consolidated inventory that includes all Library systems. Additionally, at the request of the Library's Chief Information Security Officer, each Library unit validated that the inventory is complete and accurate. As a result, the Library (1) has greatly increased assurance that it is aware of all of its systems and data, and (2) is in a more knowledgeable position to help ensure that these resources have appropriate security controls.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop a complete and accurate inventory of the agency's information systems.

    Agency Affected: Library of Congress

  20. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in March 2016, the Library developed guidance that calls for system security plans to describe common security controls. In addition, the Library ensured that system security plans for key systems described common controls. By establishing and implementing a policy for describing common security controls, the Library is better positioned to make fully informed judgments regarding the risks involved in operating its systems.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should revise information security policy to require system security plans to describe common controls, and implement the policy.

    Agency Affected: Library of Congress

  21. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library ensured that the system security plans for key systems are complete by including descriptions of how security controls were implemented and justifications for why controls were not applied. By ensuring that system security plans are complete, the Library is better positioned to make fully informed judgments regarding the risks involved in operating its systems.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that all system security plans are complete, including descriptions of how security controls are implemented and justifications for why controls are not applied.

    Agency Affected: Library of Congress

  22. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, according to the Library, in August 2015 the Library began monthly security testing and vulnerability scans for servers, networks, and workstations. Additionally, in November 2015 the Library finalized guidance for its continuous monitoring program, which includes the establishment of ongoing security controls assessments for each system. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should conduct comprehensive and effective security testing for all systems within the time frames called for by Library policy, to include assessing security controls that are inherited from the Library's information security program.

    Agency Affected: Library of Congress

  23. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in August 2017, the Library provided us with remedial action plans for key Library systems. The Library has generally documented and tracked remedial action plans for these key systems and has completed many. However, we also identified instances of remedial actions that, as of August 2017, had yet to be completed and were past their expected completion date. According to the Library, in August 2017 it hired additional information system security officers in order to improve the Library's management of information security, including management of remedial action plans. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should ensure that remedial action plans for identified security weaknesses are consistently documented, tracked, and completed in a timely manner.

    Agency Affected: Library of Congress

  24. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in October 2015 the Library finalized its guidance on security assessment and authorization, which requires authorizing officials to review the security status of information systems on an ongoing basis to determine whether the risk of operating the system remains acceptable. The Library began to implement this guidance in fiscal year 2016 and plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should finalize and implement guidance on continuous monitoring to ensure that officials are informed when making authorization decisions about the risks associated with the operations of the Library's systems.

    Agency Affected: Library of Congress

  25. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in December 2016 the Library finalized an IT system contingency planning template that generally addresses key elements of National Institute of Standards and Technology guidance. Additionally, in January 2018, the Library developed IT contingency plans for all systems that require such a plan. The Library also provided the IT contingency plans for nine key systems, and we determined these were consistent with federal guidance. By developing contingency plans for its systems, the Library has increased assurance that it will be able to fully recover systems in the event of a large disaster and protect the information they contain from compromise.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should develop contingency plans for all systems that address key elements.

    Agency Affected: Library of Congress

  26. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in December 2017, the Library finalized a standard operating procedure that establishes a process for identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training. In addition, in May 2018 the Library provided reports showing the users that completed the Library's security awareness training for fiscal years 2016 and 2017. We are reviewing these reports to evaluate whether the Library implemented its process for tracking whether all personnel have taken this training. The Library plans to complete the steps necessary to implement this recommendation by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish and implement a process for comprehensively identifying and tracking whether all personnel with access to Library systems have taken required security and privacy training.

    Agency Affected: Library of Congress

  27. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, in May 2016, the Library finalized its standard contract sections for information security and privacy requirements. These standard contract sections address federal information security guidelines and are required in all IT contracts. Additionally, in February 2017, the Library provided us with all contracts that were awarded between December 2016 and February 2017. Each of these contracts included the required information security and privacy sections. Further, the Library established and implemented a process for incorporating these sections into existing IT contracts. As a result, the Library has increased assurance that contractor personnel will operate and secure Library systems consistent with the agency's information security and privacy requirements.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should establish a time frame for finalizing and implementing the Library's standard contract sections for information security and privacy requirements, and finalize and implement the requirements within that time frame.

    Agency Affected: Library of Congress

  28. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. In particular, the Library has established a policy on privacy impact assessments. According to Library policy, privacy threshold analyses are to be conducted for all systems. Additionally, Library policy requires that privacy impact assessments be developed for systems with threshold analyses concluding that personally identifiable information (PII) is collected on members of the public or that sensitive PII is collected on any individual. Furthermore, Library policy calls for the Chief Privacy Officer (the Office of General Counsel) to review all privacy impact assessments. In addition, the Library has implemented its policy on privacy impact assessments. Specifically, as of August 2017, the Library had established privacy threshold analyses for all 171 operational Library systems. Those analyses concluded that 81 of the 171 systems required privacy impact assessments, and the Library developed assessments for each of the 81 systems. Further, the Office of General Counsel reviewed the privacy impact assessments for all 81 systems. By ensuring that privacy impact assessments have been conducted for all IT systems, the Library has greater assurance that appropriate security controls are in place to protect PII.

    Recommendation: To better protect IT systems and reduce the risk that the information they contain will be compromised, the Librarian should require the chief privacy officer to establish and implement a process for reviewing the Library's privacy program, to include ensuring that privacy impact assessments are conducted for all information systems.

    Agency Affected: Library of Congress

  29. Status: Closed - Implemented

    Comments: The Library of Congress generally agreed with, and has taken steps to implement, this recommendation. Specifically, the Library issued a directive for how its Office of the Chief Information Officer (OCIO) manages the IT services that it provides to the Library service units. The directive calls for OCIO to maintain a service catalog that describes the IT services provided by OCIO and that includes the service-level targets at which the resources and services are to be provided. In addition, the directive states that IT services not described in the service catalog may require a separately negotiated memorandum of agreement between OCIO and the service unit, and includes procedures for how these agreements are to be established. Consistent with this directive, in September 2016 the Library's OCIO finalized a new IT service catalog, which identifies 21 categories of IT services that are available to OCIO customers (e.g., data network management, IT service desk, and website support) and describes applicable service-level targets relating to availability, fulfillment, and response. Additionally, between May 2016 and May 2017, OCIO executed memorandums of understanding with the six main Library units. Each memorandum establishes roles and responsibilities for the specialized applications and services that OCIO provides to those units. By establishing and implementing this service-level agreement structure, the Library's IT office is better positioned to provide services that meet the needs of its customers.

    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should finalize and implement a Library-wide policy for developing service-level agreements that (1) includes service-level targets for agreements with individual service units and (2) covers services in a way that best meets the need of both ITS and its customers, including individual service units.

    Agency Affected: Library of Congress

  30. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in February 2018 the Office of the Chief Information Officer engaged with a vendor to develop a quality improvement process model for the Library's information technology services. The Library expects to complete this model by September 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: To help ensure that services provided by ITS meet the needs of the Library's service units, the Librarian should document and execute a plan for improving customer satisfaction with ITS services that includes prioritized improvement projects and associated resource requirements, schedules, and measurable goals and outcomes.

    Agency Affected: Library of Congress

  31. Status: Open

    Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, the Library is drafting several policies and directives relating to IT investment management, to include reviewing the Library's IT portfolio to identify duplicative or overlapping activities and investments. In addition, according to Library officials, the Library has taken a number of steps to reduce duplicative IT activities. For example, in March 2015 we reported that the Office of Security and Emergency Preparedness (OSEP) managed its own network independent of the Library's central IT provider. However, in June 2017 the Library reported that the Office of the CIO is now managing the OSEP network. Further, the Library plans to assess the costs and benefits of consolidating potentially duplicative email and network services identified in our March 2015 report. The Library plans to complete the steps necessary to implement this recommendation by March 2018. We will continue to evaluate the Library's progress in implementing this recommendation.

    Recommendation: In addition, to help ensure an efficient and effective allocation of the agency's IT resources, the Librarian should conduct a review of the Library's IT portfolio to identify duplicative or overlapping activities and investments, including those identified in our report, and assess the costs and benefits of consolidating identified IT activities and investments.

    Agency Affected: Library of Congress
