Pursuant to a congressional request, GAO reviewed the Department of Defense's (DOD) efforts to reduce the costs associated with civilian personnel management, focusing on: (1) how DOD determines the number and locations for civilian personnel regional service centers and why there is a wide disparity in the number of regional centers among the services; (2) whether DOD is applying the investment principles of the Clinger-Cohen Act in overseeing, managing, and developing the Defense Civilian Personnel Data System (DCPDS); (3) whether DCPDS duplicates the Office of Personnel Management's (OPM) Employee Express System; (4) whether DOD leadership is aware of the extent and cost of the needed modifications to the commercial-off-the-shelf (COTS) software applications; and (5) whether DOD identified and mitigated the risks associated with the major COTS modifications.
Recommendations for Executive Action
|Department of Defense||Before Defense starts to deploy the new system beyond test sites, the Secretary of Defense should rigorously evaluate all business and system alternatives to providing personnel services as envisioned by the Clinger-Cohen Act, and, using this data and the system test results, select the most cost beneficial business and system alternative and develop and implement a transition plan for that alternative. Specifically, business alternatives considered should include: (1) use of regions or local offices to serve specific agencies or services; (2) use of regions or local offices to serve multiple agencies and services; (3) centralizing all or parts of personnel management operations that currently operate at component headquarters and major commands; (4) integrating DOD's civilian personnel and payroll management systems; (5) outsourcing civilian personnel computer operations; (6) outsourcing all civilian personnel management services; and (7) acquiring other commercially available products.|
|Department of Defense||In analyzing commercially available products, the Secretary of Defense should consider the costs, benefits, and returns-on-investment of all commercially available products that support personnel management. The analysis of commercially available products should consider technical risks, including whether each one can be modified in the future at a reasonable cost. In evaluating the range of business alternatives, consideration should be given to the substantial investment that has already been made in the current approach.|
|Department of Defense||Regardless of the business and system alternative selected, Defense should optimize it by collecting, analyzing, and using reliable cost and performance data and making improvements.|
|Department of Defense||Regardless of the chosen approach, the Secretary of Defense should take the following actions to mitigate technical, security, and year 2000 risks. To ensure that the system is adequately maintained and that modifications are carefully controlled, Defense should: (1) develop agreements with system partners and interface partners to define responsibility for system operations, maintenance, and security; (2) establish a configuration control board comprised of system users to assist in deciding on which changes need to be made to the system, prioritizing change requests, and ensuring that changes are correctly made; and (3) assign clear responsibility for providing technical assistance to Defense components.|
|Department of Defense||Regardless of the chosen approach, the Secretary of Defense should take the following actions to mitigate technical, security, and year 2000 risks. To ensure that sensitive personnel data are adequately protected, Defense should: (1) assess its risks and determine security needs; (2) define and implement appropriate policies and related controls, including standards for encrypting data and firewalls; (3) promote security awareness at all sites maintaining the system; and (4) continually monitor and evaluate policy and effectiveness.|
|Department of Defense||Regardless of the chosen approach, the Secretary of Defense should take the following actions to mitigate technical, security, and year 2000 risks. To mitigate year 2000 risks, Defense should: (1) establish interface agreements that clearly specify date format changes, timeframes for these changes, and processes for resolving conflicts; (2) refine business continuity and contingency plans to ensure that they consider risks posed by external systems and infrastructure; assess the costs and benefits of alternative contingency strategies; and describe resources, staff roles, procedures and timetables needed for implementation of the plan; and (3) test contingency plans to ensure that they are capable of providing the desired level of support to the agency's core business processes and can be implemented within a specified period of time.|