Highlights

What GAO Found

Agencies reported that 62 percent of major information technology (IT) software development investments were certified by the agency Chief Information Officer (CIO) for implementing adequate incremental development in fiscal year 2017, as required by the Federal IT Acquisition Reform Act (FITARA) as of August 2016. However, a number of responses for the remaining investments were incorrectly reported due to agency error. Officials from 21 of the 24 agencies in GAO's review reported that challenges hindered their ability to implement incremental development, which included: (1) inefficient governance processes; (2) procurement delays; and (3) organizational changes associated with transitioning from a traditional software methodology that takes years to deliver a product, to incremental development, which delivers products in shorter time frames. Nevertheless, agencies reported that the certification process was beneficial because they used the information from the process to assist with identifying investments that could more effectively use an incremental approach, and using lessons learned to improve the agencies' incremental processes.

As of August 2017, only 4 of the 24 agencies had clearly defined CIO incremental development certification policies and processes that contained descriptions of the role of the CIO in the process and of how the CIO's certification will be documented, and that included definitions of incremental development and time frames for delivering functionality consistent with Office of Management and Budget (OMB) guidance (see figure).

Figure: Analysis of Agencies' Policies for Chief Information Officer Certification of the Adequate Use of Incremental Development in Information Technology Investments

In addition, OMB's fiscal year 2018 capital planning guidance did not establish how agency CIOs are to make explicit statements to demonstrate compliance with FITARA's incremental provisions, while the 2017 guidance did. However, OMB's fiscal year 2019 guidance provides clear direction on reporting incremental certification and is a positive step in addressing this issue.

Why GAO Did This Study

Investments in federal IT too often result in failed projects that incur cost overruns and schedule slippages. Recognizing the severity of issues related to government-wide IT management, Congress enacted federal IT acquisition reform legislation in December 2014. Among other things, the law states that OMB require in its annual IT capital planning guidance that CIOs certify that IT investments are adequately implementing incremental development.

GAO was asked to review agencies' use of incremental development. This report addresses the number of investments certified by agency CIOs as implementing adequate incremental development and any reported challenges, and whether agencies' CIO certification policies and processes were in accordance with FITARA. GAO analyzed data for major IT investments in development, as reported by 24 agencies, and identified their reported challenges and use of certification information. GAO also reviewed the 24 agencies' policies and processes for the CIO certification of incremental development and interviewed OMB staff.

Recommendations

GAO is making 19 recommendations to 17 agencies, including 3 to improve reporting accuracy and 16 to update or establish certification policies. Eleven agencies agreed with GAO's recommendations, 1 partially agreed, and 5 did not state whether they agreed or disagreed. OMB disagreed with several of GAO's conclusions, which GAO continues to believe are valid, as discussed in the report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Energy 1. The Secretary of Energy should ensure that the CIO of Energy reports major IT investment information related to incremental development accurately in accordance with OMB guidance. (Recommendation 1)
Closed - Implemented
The Department of Energy (Energy) concurred with, and has taken steps to address, our recommendation. In July 2018, a review of the IT Dashboard found that the department had updated its major IT investment information related to incremental development in accordance with OMB guidance. Current IT projects on the IT Dashboard now include whether the project is a software development project and provide information on the status of the project's delivery of incremental functionality. By implementing our recommendation, Energy has helped to ensure that OMB and other key stakeholders have the most accurate and current information about the department's investments in order to make decisions and also helped to ensure the department's efforts to improve the use of incremental development are successful.
Department of Agriculture 2. The Secretary of Agriculture should ensure that the CIO of U.S. Department of Agriculture (USDA) reports major IT investment information related to incremental development accurately in accordance with OMB guidance. (Recommendation 2)
Closed - Implemented
The U.S. Department of Agriculture (USDA) concurred with, and has taken steps to address, our recommendation. In November 2019, a review of the IT Dashboard found that the department had updated its major IT investment information related to incremental development in accordance with OMB guidance. Current IT projects on the IT Dashboard now include whether the project is a software development project and provide information on the status of the project's delivery of incremental functionality. By implementing our recommendation, USDA has helped to ensure that OMB and other key stakeholders have the most accurate and current information about the department's investments in order to make decisions and also helped to ensure the department's efforts to improve the use of incremental development are successful.
Social Security Administration 3. The Commissioner of the Social Security Administration (SSA) should ensure that the CIO of SSA reports major IT investment information related to incremental development accurately in accordance with OMB guidance. (Recommendation 3)
Closed - Implemented
The Social Security Administration (SSA) concurred with, and has taken steps to address, our recommendation. Specifically, in May 2018, SSA updated its guidance, Systematic, Disciplined IT Capital Planning Process at Social Security Administration, to include a description of the agency's process for reviewing project information on a quarterly basis in order to confirm the use of incremental development prior to reporting this information to OMB. In addition, a review of SSA's incremental project data on the IT Dashboard in July 2018 found that the agency had updated this information to include whether the project is a software development project and provide information on the status of the project's delivery of incremental functionality. By implementing our recommendation, SSA has helped to ensure that OMB and other key stakeholders have the most accurate and current information about the agency's investments in order to make decisions and also helped to ensure the agency's efforts to improve the use of incremental development are successful.
Department of Housing and Urban Development 4. The Secretary of Housing and Urban Development (HUD) should ensure that the CIO of HUD establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 4)
Closed - Implemented
The Department of Housing and Urban Development (HUD) concurred with, and has taken steps to address, our recommendation. Specifically, in December 2018, HUD established its guidance, Agile Methodology Policy, which includes a description of the CIO's role in the certification process, a description of how CIO certification will be documented, and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. In particular, the CIO has delegated authority for certification to the Technical Review Sub-Committee, which reviews each project's use of adequate incremental development during the project life cycle phases and documents the certification of incremental development in decision memos. HUD's guidance also defines incremental development and timeframes for delivering functionality in a manner consistent with OMB guidance. By establishing guidance for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, HUD will be able to help ensure that the department is adequately implementing and benefiting from incremental development practices.
Department of the Interior 5. The Secretary of the Interior should ensure that the CIO of Interior updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development, consistent with OMB guidance. (Recommendation 5)
Closed - Implemented
The Department of the Interior (Interior) concurred with, and has taken steps to address, our recommendation. Specifically, in January 2018, Interior updated its guidance, Fiscal Year 2018 Information Technology Capital Planning & Investment Control Annual Requirements, which includes a description of the CIO's role in the certification process and how CIO certification will be documented, and a definition of incremental development, consistent with OMB guidance. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, Interior will be able to help ensure that the department is adequately implementing and benefiting from incremental development practices.
Department of Justice 6. The Attorney General of the United States should ensure that the CIO of Justice establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 6)
Closed - Implemented
The Department of Justice (Justice) concurred with, and has taken steps to address, our recommendation. Specifically, in March 2019, Justice established its guidance, Component CIO Incremental Certification Procedure, which includes a description of the CIO's role in the certification process and how CIO certification will be documented, and a definition of incremental development, consistent with OMB guidance. In particular, the CIO delegates this role to the Investment Business Manager, who validates the component CIOs' certification during the fall and spring budget submissions. The component CIOs are required to sign the Component CIO Certification Resource Statement, which signifies adherence to incremental development. Justice's procedures also define incremental development and timeframes for delivering functionality in a manner consistent with OMB guidance. By establishing guidance for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, Justice will be able to help ensure that the department is adequately implementing and benefiting from incremental development practices.
Department of Labor 7. The Secretary of Labor should ensure that the CIO of Labor updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 7)
Closed - Implemented
The Department of Labor (Labor) has taken steps to address our recommendation. Specifically, in October 2019, Labor updated its guidance, IT Capital Planning and Investment Control (CPIC) Guide: Managing IT Investments, which includes a description of the CIO's role in the certification process and how CIO certification will be documented. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, Labor will be able to help ensure that the department is adequately implementing and benefiting from incremental development practices.
Department of State 8. The Secretary of State should ensure that the CIO of State updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 8)
Closed - Implemented
The Department of State (State) has taken steps to address our recommendation. Specifically, in November 2017, State updated its guidance, 5 Foreign Affairs Manual 690 Incremental Development Policy, to include a description of the CIO's role in the certification process and a definition of incremental development and timeframes for delivering functionality, consistent with OMB guidance. In addition, State updated its guidance, 5 Foreign Affairs Manual 914 Responsibilities to include a description of how CIO certification will be documented. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, State will be able to help ensure that the department is adequately implementing and benefiting from incremental development practices.
Department of Agriculture 9. The Secretary of Agriculture should ensure that the CIO of USDA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 9)
Open
In October 2020, a Department of Agriculture official stated that the department was working to establish a policy to include the information noted in our recommendation and planned to finalize a policy by the end of January 2021. We will continue to monitor the department's progress on these efforts.
Department of Veterans Affairs 10. The Secretary of Veterans Affairs (VA) should ensure that the CIO of VA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 10)
Open
The Department of Veterans Affairs (VA) concurred with our recommendation and stated that it would draft a policy to address it. In September 2020, a VA official stated that the department was working to address our recommendation but did not identify timeframes for when all activities would be completed. We will continue to evaluate the department's progress in implementing this recommendation.
Environmental Protection Agency 11. The Administrator of the Environmental Protection Agency (EPA) should ensure that the CIO of EPA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 11)
Open
The Environmental Protection Agency (EPA) concurred with our recommendation and stated that it planned to develop a policy to implement this recommendation and other FITARA issues. Specifically, EPA officials reported in June 2020 that the agency was continuing to work to address the recommendation but did not provide a time frame for when a policy would be finalized. We will continue to monitor EPA's progress on these efforts.
General Services Administration 12. The Administrator of the General Services Administration (GSA) should ensure that the CIO of GSA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 12)
Closed - Implemented
The General Services Administration (GSA) concurred with, and has taken steps to address, our recommendation. Specifically, in June 2018, GSA updated its guidance, GSA IT Guide to Capital Planning and Investment Control, to include a description of the CIO's role in the certification process and how CIO certification will be documented. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, GSA will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
National Aeronautics and Space Administration 13. The Administrator of the National Aeronautics and Space Administration (NASA) should ensure that the CIO of NASA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 13)
Closed - Implemented
The National Aeronautics and Space Administration (NASA) concurred with, and has taken steps to address, our recommendation. Specifically, in September 2020, NASA updated its guidance, NPR 7120.7A NASA Information Technology Program and Project Management Requirements, to include a description of the CIO's role and how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, NASA will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
National Science Foundation 14. The Director of the National Science Foundation (NSF) should ensure that the CIO of NSF updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 14)
Closed - Implemented
The National Science Foundation (NSF) has taken action to address our recommendation. Specifically, in August 2018, NSF issued its guidance, CIO Incremental Development Policy, that includes a description of the CIO's role in the certification process, a description of how CIO certification will be documented, and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. By updating its guidance for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, NSF will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
Nuclear Regulatory Commission 15. The Chairman of the Nuclear Regulatory Commission (NRC) should ensure that the CIO of NRC establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 15)
Closed - Implemented
The U.S. Nuclear Regulatory Commission (NRC) has taken steps to address our recommendation. Specifically, in December 2017, NRC updated its guidance, Capital Planning and Investment Control Policy and Overview, to include a description of the CIO's role in the certification process and how CIO certification will be documented. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, NRC will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
Office of Personnel Management 16. The Director of the Office of Personnel Management (OPM) should ensure that the CIO of OPM updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 16)
Open
In November 2020, an official from the Office of Personnel Management (OPM) reported that, due to continued resource limitations, the Office of the CIO did not have the capacity to fully address our recommendation at this time. Starting in December 2020, the official reported that OPM will aim to begin monthly project reviews for all projects managed within the Office of the CIO, including monitoring and documenting projects for adequate use of incremental development. In addition, OPM will also aim to establish a quarterly major investment review meeting for the CIO to review each of the eleven major IT investments for compliance with OPM policy and other federal mandates. The OPM official reported that, with appropriate resources, OPM plans to update its guidance to include the CIO certification of modern iterative development methodologies, but did not provide a time frame for when a policy would be finalized. We will continue to monitor OPM's progress on these efforts.
Small Business Administration 17. The Administrator of the Small Business Administration (SBA) should ensure that the CIO of SBA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 17)
Closed - Implemented
The Small Business Administration (SBA) concurred with, and has taken steps to address, our recommendation. Specifically, in January 2020, SBA updated its guidance, SBA Information Technology and Capital Planning and Investment Control Standard Operating Procedures, to include a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality. By establishing a policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, SBA will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
Social Security Administration 18. The Commissioner of the Social Security Administration should ensure that the CIO of SSA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 18)
Closed - Implemented
The Social Security Administration (SSA) concurred with, and has taken steps to address, our recommendation. Specifically, in May 2018, SSA updated its guidance, Systematic, Disciplined IT Capital Planning Process at Social Security Administration, to include a description of the CIO's role in the certification process and how CIO certification will be documented. By updating its policy for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, SSA will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
United States Agency for International Development 19. The Administrator of the U.S. Agency for International Development (USAID) should ensure that the CIO of USAID establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 19)
Closed - Implemented
The U.S. Agency for International Development (USAID) has taken steps to address our recommendation. Specifically, in May 2019, USAID established its guidance, Automated Directives System Chapter 509: Management and Oversight of Agency Information Technology Resources, which includes a description of the CIO's role in the certification process, a description of how CIO certification will be documented, and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. In particular, the CIO receives monthly reports on the status of delivered incremental functionality for each of the agency's major IT investments and uses this information to certify the adequate use of incremental development in the agency's annual IT resource statements. In addition, USAID's guidance also defines incremental development and timeframes for delivering functionality in a manner consistent with OMB guidance. By establishing guidance for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, USAID will be able to help ensure that the agency is adequately implementing and benefiting from incremental development practices.
