Skip to main content

Information Technology: SSA Has Improved Acquisitions and Operations, but Needs to Fully Address the Role of Its Chief Information Officer

GAO-18-703T Published: Sep 27, 2018. Publicly Released: Sep 27, 2018.
Jump To:
Skip to Highlights


What GAO Found

The Social Security Administration (SSA) has improved its management of information technology (IT) acquisitions and operations by addressing 14 of the 15 recommendations that GAO has made to the agency. For example,

Incremental development. The Office of Management and Budget (OMB) has emphasized the need for agencies to deliver IT investments in smaller increments to reduce risk and deliver capabilities more quickly. In November 2017, GAO reported that agencies, including SSA, needed to improve their certification of incremental development. As a result, GAO recommended that SSA's CIO (1) report incremental development information accurately, and (2) update its incremental development policy and processes. SSA implemented both recommendations.

Software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that most agencies, including SSA, lacked comprehensive software license policies. As a result, GAO made six recommendations to SSA, to include developing a comprehensive software licenses policy and inventory. SSA implemented all six recommendations.

However, SSA's IT management policies have not fully addressed the role of its CIO. Various laws and related guidance assign IT management responsibilities to CIOs in six key areas. In August 2018, GAO reported that SSA had fully addressed the role of the CIO in one of the six areas (see table). Specifically, SSA's policies fully addressed the CIO's role in the IT leadership and accountability area by requiring the CIO to report directly to the agency head, among other things.

In contrast, SSA's policies did not address or minimally addressed the IT workforce and IT strategic planning areas. For example, SSA's policies did not include requirements for the CIO to annually assess the extent to which personnel meet IT management skill requirements or to measure how well IT supports agency programs. GAO recommended that SSA address the weaknesses in the remaining five key areas. SSA agreed with GAO's recommendation and stated that the agency plans to implement the recommendation by the end of this month.

Extent to Which Social Security Administration Policies Addressed the Role of the Agency's Chief Information Officer, as of August 2018

Responsibility to be addressed in agency policies

GAO assessment

Information technology (IT) leadership and accountability


IT strategic planning


IT workforce

Not at all

IT budgeting


IT investment management


Information security


Source: GAO analysis of Social Security Administration policies. | GAO-18-703T

Why GAO Did This Study

SSA delivers services that touch the lives of almost every American, and relies heavily on IT resources to do so. Its systems support a range of activities, such as processing Disability Insurance payments, to calculating and withholding Medicare premiums, and issuing Social Security numbers and cards. For fiscal year 2018, the agency planned to spend approximately $1.6 billion on IT.

GAO has previously reported that federal IT projects have often failed, in part, due to a lack of oversight and governance. Given the challenges that federal agencies, including SSA, have encountered in managing IT acquisitions, Congress and the administration have taken steps to improve federal IT, including enacting federal IT acquisition reform legislation and issuing related guidance.

This statement summarizes GAO's previously reported findings regarding SSA's management of IT acquisitions and operations. In developing this testimony, GAO summarized findings from its reports issued in 2011 through 2018, and information on SSA's actions in response to GAO's recommendations.


GAO has made 15 recommendations to SSA to improve its management of IT acquisitions and operations from 2011 through 2018, and 1 recommendation to improve its CIO policies. While SSA has implemented nearly all of them, it would be better positioned to overcome longstanding IT management challenges when it addresses the CIO's role in its policies.

Full Report

Office of Public Affairs


BudgetingChief information officersCompliance oversightCost savingsCybersecurityIT acquisitionsIT investmentsIT managementIT resourcesInformation technologySoftware licensesStrategic planning