Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed
GAO-05-661
Published: Jun 16, 2005. Publicly Released: Jul 18, 2005.
Skip to Highlights
Highlights
The Census Bureau's mission is to serve as the leading source of high quality data about the American people and the economy. This information is used to determine congressional and state legislative districts and to distribute hundreds of billions of dollars in federal funds each year. Information technology (IT) plays a critical role in the bureau's ability to carry out its missions by supporting data collection, analysis, and dissemination activities. In the past, the bureau has experienced problems with the development, acquisition, and implementation of IT systems. GAO was asked to (1) provide an IT profile of the Census Bureau, including an overview of information technology management and plans for the 2010 decennial census and (2) evaluate the adequacy of the bureau's IT policies, procedures, and practices in the areas of investment management, system development/management, enterprise architecture management, information security, and human capital.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status Sort descending |
|---|---|---|
| Department of Commerce | To improve information security, the Secretary of Commerce should direct the bureau to establish milestones for identifying system penetration tools to aid network access security and for testing network controls using these tools. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that the Census Bureau was at an increased risk of not adequately managing major IT investments and was more likely to experience performance shortfalls in major IT acquisitions. In particular, we reviewed the bureau's policies and procedures in five key IT areas including information security. We recommended that to improve information security, the Bureau established milestones for identifying system penetration tools to aid network access security and for testing network controls using these tools. The Bureau agreed with this recommendation and in fiscal year 2007 stated that it had contracted with an IT security firm to conduct formal penetration testing of its networks. As a result, the Bureau has improved the security of its IT systems.
|
| Department of Commerce | To improve information security, the Secretary of Commerce should direct the bureau to monitor progress against these milestones and the milestones that have already been established to address weaknesses in risk assessments, information system security controls, and oversight management tools, in order to ensure that these activities are completed in a timely manner. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that the Census Bureau was at an increased risk of not adequately managing major IT investments and was more likely to experience performance shortfalls in major IT acquisitions. In particular, we reviewed the bureau's policies and procedures in five key IT areas including information security. We recommended that to improve information security, the Bureau monitor progress toward milestones it had established to address weaknesses in risk assessments, information system security controls, and oversight management tools to ensure that these activities were completed in a timely manner. The Bureau agreed with this recommendation and in fiscal year 2007 stated that it had completed milestones to address these weaknesses. For example, the Bureau has secured a product to provide more consistent risk assessments that can be tracked by its IT security organization, its staff completed training to improve documentation of information system security controls, and it has enhanced its analysis and documentation of such controls. As a result, the Bureau has improved the security of its IT systems.
|
| Department of Commerce | To improve the bureau's ability to manage its IT workforce, the Secretary of Commerce should direct the bureau to annually assess IT knowledge and skills to determine whether they meet current requirements. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that the Census Bureau had not conducted a skills gap assessment of its IT workforce, increasing the risk that it lacked a trained staff to accomplish its mission objectives. Consequently, we recommended that to improve the bureau's ability to manage its IT workforce, the Secretary of Commerce direct the bureau to annually assess IT knowledge and skills to determine whether they meet current requirements, use the planned gap analysis to identify workforce strategies to fill skills gaps and evaluate these strategies to determine their effectiveness in improving human capital management. In March 2007, the Bureau completed a gap analysis and has been tracking progress toward closing identified gaps each quarter. As a result, the Bureau is closing critical IT skills gaps in its workforce, enabling it to better manage its IT investments.
|
| Department of Commerce | To improve the bureau's ability to manage its IT workforce, the Secretary of Commerce should direct the bureau to use the planned gap analysis to identify workforce strategies to fill skills gaps and then evaluate these strategies to determine their effectiveness in improving human capital management. |
In June 2005, we reported that because the Census Bureau had not yet identified IT skills gaps or developed strategies to fill these gaps, it was not yet able to evaluate the effectiveness of its strategies. We recommended that the Bureau use the planned gap analysis to identify workforce strategies to fill skills gaps and then evaluate these strategies to determine their effectiveness in improving human capital management. In response to our recommendation, the Bureau has used the gap analysis to identify workforce strategies and is evaluating the effectiveness of these strategies. For example, the Bureau's college recruitment program focuses on those campuses that produce high numbers of graduates qualified for IT specialists. The Bureau is evaluating its recruitment program effectiveness and results show in 2007-2009 for IT competencies a continued increase in the number of applicants and qualified hires. As a result, the Bureau is improving its ability to manage its IT workforce.
|
| Department of Commerce | To strengthen the bureau's ability to manage IT investments, the Secretary of Commerce should direct the bureau to develop and implement defined criteria and documented policies and procedures for monitoring the progress of all IT projects and systems. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that the Census Bureau lacked written policies and procedures for monitoring the progress of all IT projects and systems. Consequently, to strengthen the bureau's ability to manage IT investments, we recommended that the Secretary of Commerce direct the bureau to develop and implement defined criteria and documented policies and procedures for monitoring the progress of all IT projects and systems. In April 2007, the Bureau developed and is using criteria and documented procedures to monitor IT projects. For example, ongoing projects are evaluated using a checklist completed by experts in security, acquisitions, enterprise architecture, and other areas. As a result, the Bureau has improved its ability to consistently manage its IT investments.
|
| Department of Commerce | To strengthen the bureau's ability to manage IT investments, the Secretary of Commerce should direct the bureau to develop written procedures to guide its IT investment boards' operations and use these procedures to ensure consistent investment management and decision-making practices. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that the Census Bureau lacked written procedures to guide its IT investment boards' operations and ensure consistent investment management practices. Consequently, to strengthen the bureau's ability to manage IT investments, we recommended that the Secretary of Commerce direct the bureau to develop written procedures to guide its IT investment boards' operations and use these procedures to ensure consistent investment management and decision-making practices. In April 2007, the Bureau developed and is using written procedures to guide its IT investment management process, including the operation of its IT investment boards. As a result, the Bureau has improved its ability to consistently manage its IT investments.
|
| Department of Commerce | To strengthen the bureau's ability to manage IT investments, the Secretary of Commerce should direct the bureau to create a comprehensive repository that collects investment information that is up to date and accessible to decision makers. |
As of August 2006, ISSRO reported that it planned to implement a repository that collects investment information for decisionmakers in early 2007. As of April 2007, the ISSRO reported that it was unable to deliver the guidance to the CIO in March, but planned to deliver in April 2008. In 2008, we are continuing to review the Census Bureau's investment management capabilities as part of ongoing audit work. As of July 2009, the agency does have a repository of IT investment information that provides decision makers with data for evaluating the impacts and opportunities created by proposed (or continuing) IT investments.
|
| Department of Commerce | To strengthen the bureau's ability to manage IT investments, the Secretary of Commerce should direct the bureau to develop well-defined and disciplined written procedures that outline the process for selecting new IT proposals and reselecting ongoing investments and use these procedures in investment decision making. |
In April 2007, Census issued guidance on procedures to select new IT proposals and reselect ongoing IT investments. These procedures require that individual investments be ranked in terns of technical alignment and projected performance as measured by cost, schedule, benefit, and risk to the CPIC process. The Operating Committee (OC) prioritizes and selects IT investments, ensures success of IT projects, and assesses projects based on business requirements and risk-adjusted return. The OC also reviews the IT portfolio and specific IT projects as needed; provides final approval of the investment portfolio; and takes corrective action for investments that show significant deviation from planned performance.
|
| Department of Commerce | To support the bureau in its efforts to develop and implement an effective enterprise architecture (EA), the Secretary of Commerce should direct the bureau to determine an adequate level of resources to accomplish planned EA activities in order to ensure continued improvements to the bureau's EA model. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that while the Census Bureau provided funding for personnel, consultants, and tools to support its enterprise architecture, this funding varied from year to year and could fall below the level needed to accomplish project goals. This limited the ability of the bureau to expand and improve its enterprise architecture. To support the bureau in its efforts to develop and implement an effective enterprise architecture, we recommended that the Secretary of Commerce direct the bureau to determine an adequate level of resources to accomplish planned EA activities in order to ensure continued improvements to the bureau's EA model. The bureau has since increased the staff assigned to its enterprise architecture team and acquired software to use in implementing its enterprise architecture. As a result, the Bureau is taking steps to improve its enterprise architecture.
|
| Department of Commerce | To support the bureau in its efforts to develop and implement an effective enterprise architecture (EA), the Secretary of Commerce should direct the bureau to establish a written policy endorsing and enforcing the bureau's enterprise architecture. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that while the Census Bureau had a plan guiding its enterprise architecture development, it did not yet have a policy for enterprise architecture development that was signed by the Bureau director. To support the bureau in its efforts to develop and implement an effective enterprise architecture, we recommended that the Secretary of Commerce direct the bureau to establish a written policy endorsing and enforcing the bureau's enterprise architecture. The bureau has since established several policies and procedures that endorse and enforce the bureau's enterprise architecture. As a result, the Bureau's ability to ensure compliance with its enterprise architecture has been improved.
|
| Department of Commerce | To improve information security, the Secretary of Commerce should direct the bureau to establish milestones for identifying staff with special security training needs and developing an effective training program for them. |
In our June 2005 report entitled Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed (GAO-05-661), we found that the Census Bureau was at an increased risk of not adequately managing major IT investments and was more likely, as a result, to experience cost and schedule overruns and performance shortfalls in major IT acquisitions. In particular, we reviewed the bureau's policies and procedures in five key IT areas - investment management, system development, enterprise architecture management, information security, and human capital. Consequently, we recommended that to improve information security, the Bureau establish milestones for identifying staff with special security training needs and develop an effective training program for them. The Bureau agreed with this recommendation and in August of 2006 identified the types of security personnel that should complete training and reported that 67 personnel in significant security roles had already completed at least one security training course, with another 128 personnel identified as either requiring training or being enrolled in future courses. In addition, the Bureau implemented three role-based training courses for information security professionals to provide training in information security domains and best practices, and for assessing risk and establishing security requirements. By completing these activities, the Bureau has improved its management of IT acquisitions by addressing shortcomings in information security training program policies and procedures.
|
| Department of Commerce | To strengthen agencywide system development and management capabilities, the Secretary of Commerce should direct the bureau to institutionalize a process improvement initiative, such as the Capability Maturity Model Integration framework. |
As of August 2006, the bureau is taking action to implement bureauwide process to strengthen system development and management capabilities. The IT Directorate has been working with organizations across the bureau to implement a Process Improvement Toolkit. This Toolkit consists of a Senior Management Commitment document, applicable CMMI process areas towards their goals. Currently, the toolkit does not include goals for reaching successive capability levels in areas such as project planning and requirements management across projects. As of April 2007, the Bureau was continuing to provide templates and training on the CMMU v.1.2 process. Although the Bureau has taken actions to initiate, it has not institutionalized a process improvement initiative such as the CMMI framework for projects. We are continuing to review the Census Bureau's capabilities as part of ongoing audit work. As of July 2009, the agency said it completed the design of a new automated internal Process Asset Library (PAL). The PAL will provide the framework for a software development lifecycle. The PAL will be a self-service repository of CMMI process improvement assets for software development for Census use. It also will contain lessons learned documents, templates, examples, best practices and references to educational resources. The PAL will provide a structured mechanism for defining the appropriate software development lifecycle profile for each project. Although, the bureau has initiated a process, it has not institutionalized the process across the agency, and continues to take a self-service approach.
|
| Department of Commerce | To strengthen agencywide system development and management capabilities, the Secretary of Commerce should direct the bureau to establish goals for projects to reach successive capability levels in selected process areas, including project planning, project monitoring and control, requirements management, process and product quality assurance, configuration management, measurements and analysis, verification, and risk management. |
As of August 2006, the bureau has not established a requirement that projects reach successive capability levels in areas such as project planning and requirements management across projects. As of April 2007, the bureau had not establised a requirment for projects to reach successive CMMI capability levels. During 2008, we are continuing to review the Census Bureau's capabilities as part of ongoing audit work. As of July 31, 2009, according to the agency, this fiscal year, the Deputy Director established the Office of the Senior Advisor for Project Management. The purpose of this office is to develop a corporate methodology for project management and establish a formal investment review process for major investments of the Census Bureau. Policy for the establishment of the Census Program Review Board (CPRB) was drafted but has not yet been issued as official policy of the Census Bureau. The CPRB consists of the senior executive program managers and is chaired by the Deputy Director. A pilot was conducted for the FY 2011 initiatives in March of this year. Each major investment was presented to the CPRB and a summary of the ratings for each investment was documented and signed by the members of the CPRB. Critical vacancies within the office were recently hired which will allow further progression in fulfilling the investment review and monitoring goals of the office. As the office goals are implemented, it is envisioned that the Office of the Senior Advisor for Project Management will be the focal point for establishing periodic reviews of major investments and be a central point for major investment information for senior management. Although, the bureau is taking actions to improve its software improvement processes, it has not established goals for projects to reach successive capability levels in selected areas, such as project planning.
|
Full Report
Office of Public Affairs
Topics
CensusEnterprise architectureHuman capital managementInformation resources managementInformation security managementInformation technologyIT human capitalIT policiesManagement information systemsPolicy evaluationProgram evaluationRisk managementStrategic information systems planningStrategic planningSystems evaluationIT investment managementPolicies and procedures