Defense IRM: Alternatives Should Be Considered in Developing the New Civilian Personnel System

AIMD-99-20 Published: Jan 27, 1999. Publicly Released: Jan 27, 1999.
Jump To:
Skip to Highlights

Pursuant to a congressional request, GAO reviewed the Department of Defense's (DOD) efforts to reduce the costs associated with civilian personnel management, focusing on: (1) how DOD determines the number and locations for civilian personnel regional service centers and why is there a wide disparity in the number of regional centers among the services; (2) whether DOD is applying the investment principles of the Clinger-Cohen Act in overseeing, managing, and developing the Defense Civilian Personnel Data System (DCPDS); (3) whether DCPDS duplicates the Office of Personnel Management's (OPM) Employee Express System: (4) whether DOD leadership is aware of the extent and cost of the needed modifications to the commercial-off-the-shelf (COTS) software applications; and (5) whether DOD identified and mitigated the risks associated with the major COTS modifications.

Skip to Recommendations


Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense Before Defense starts to deploy the new system beyond test sites, the Secretary of Defense should rigorously evaluate all business and system alternatives to providing personnel services as envisioned by the Clinger-Cohen Act, and, using this data and the system test results, select the most cost beneficial business and system alternative and develop and implement a transition plan for that alternative. Specifically, business alternatives considered should include: (1) use of regions or local offices to serve specific agencies or services; (2) use of regions or local offices to serve multiple agencies and services; (3) centralizing all or parts of personnel management operations that currently operate at component headquarters and major commands; (4) integrating DOD's civilian personnel and payroll management systems; (5) outsourcing civilian personnel computer operations; (6) outsourcing all civilian personnel management services; and (7) acquiring other commercially available products.
Closed – Implemented
Defense' Civilian Personnel Management Service officials informed GAO that DOD has considered business and system alternatives and will continue to consider alternative approaches to improve DCPDS. Based on the alternatives that GAO recommended, the Departments of the Army and Navy have closed three regional centers and they provided documentation indicating these actions will improve operational efficiency and customer service and reduce operating costs by about $2.15 million a year. The officials also stated that the Army also consolidated ten regional databases into one, reducing operating costs by about $619,000 a year and created an electronic personnel folder that will result in about $20 million a year in savings.
Department of Defense In analyzing commercially available products, the Secretary of Defense should consider the costs, benefits, and returns-on-investment of all commercially available products that support personnel management. The analysis of commercially available products should consider technical risks, including whether each one can be modified in the future at a reasonable cost. In evaluating the range of business alternatives, consideration should be given to the substantial investment that has already been made in the current approach.
Closed – Implemented
DOD established a civilian HR systems innovation sub-committee consisting of user representatives and chaired by the Civilian Personnel Management Service (CPMS) to evaluate and recommend new COTS applications and other initiatives for consideration by the DCPDS Change Control Board. DOD assigned its technical contractor (Lockheed Martin) responsibility for continuous evaluation of software products for consideration by CPMS. DOD has conducted a functional analysis of several COTS products to enhance the capabilities of DCPDS, but has not selected any of the products for implementation.
Department of Defense Regardless of the business and system alternative selected, Defense should optimize it by collecting, analyzing, and using reliable cost and performance data and making improvements.
Closed – Implemented
Civilian Personnel Management Service (CPMS) drafted a set of performance measures based on those used by Fortune 500 companies. CPMS plans to obtain comments on these measures from the Defense components and agencies, incorporate their recommendations, and begin reporting information on the measures in fiscal year 2004.
Department of Defense Regardless of the chosen approach, the Secretary of Defense should take the following actions to mitigate technical, security, and year 2000 risks. To ensure that the system is adequately maintained and that modifications are carefully controlled, Defense should: (1) develop agreements with system partners and interface partners to define responsibility for system operations, maintenance, and security; (2) establish a configuration control board comprised of system users to assist in deciding on which changes need to be made to the system, prioritizing change requests, and ensuring that changes are correctly made; and (3) assign clear responsibility for providing technical assistance to Defense components.
Closed – Implemented
Civilian Personnel Management Service (CPMS) drafted a charter with its system partners and signed an agreement with its interface partner, Defense Finance and Accounting Service; established a Change Control Board and a charter defining the authority and responsibilities of the board; developed a concept of operations document describing responsibilities for the maintenance, sustainment, and operation of DCPDS; awarded a contract to Lockheed Martin for system operations, sustainment, and maintenance.
Department of Defense Regardless of the chosen approach, the Secretary of Defense should take the following actions to mitigate technical, security, and year 2000 risks. To ensure that sensitive personnel data are adequately protected, Defense should: (1) assess its risks and determine security needs; (2) define and implement appropriate policies and related controls, including standards for encrypting data and firewalls; (3) promote security awareness at all sites maintaining the system; and (4) continually monitor and evaluate policy and effectiveness.
Closed – Implemented
DOD conducted a security test and evaluation to evaluate security features of DCPDS; the Air Force Information Warfare Center performed a computer security engineering assessment of the system; performed security certification visits to contractor (Lockheed Martin) sites, including the disaster recovery site; developed security policies and related documents and disseminated them to user organizations; purchased and tested a data encryption package; instituted a 24 by 7 intrusion detection reporting process for contractor and regional operations; developed a security features users guide, a security annex to the training support plan, and a set of trusted facility manuals to support security awareness and training; developed a technical and functional certification checklist for use during site visits that DOD plans to conduct periodically; and is conducting a review of all contingency plans to ensure component regional centers are prepared to respond to emergencies.
Department of Defense Regardless of the chosen approach, the Secretary of Defense should take the following actions to mitigate technical, security, and year 2000 risks. To mitigate year 2000 risks, Defense should: (1) establish interface agreements that clearly specify date format changes, timeframes for these changes, and processes for resolving conflicts; (2) refine business continuity and contingency plans to ensure that they consider risks posed by external systems and infrastructure; assess the costs and benefits of alternative contingency strategies; and describe resources, staff roles, procedures and timetables needed for implementation of the plan; and (3) test contingency plans to ensure that they are capable of providing the desired level of support to the agency's core business processes and can be implemented within a specified period of time.
Closed – Implemented
The remediation for the legacy DCPDS system was completed and contingency plans were completed and fully tested as of August 1999.

Full Report