Information Technology: Departments Need to Improve Chief Information Officers' Review and Approval of IT Budgets

GAO-19-49 Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
Highlights

What GAO Found

The departments GAO reviewed—the Departments of Energy (DOE), Health and Human Services (HHS), Justice (DOJ), and the Treasury (Treasury)—took steps to establish policies and procedures that align with eight selected Office of Management and Budget (OMB) requirements intended to implement information technology (IT) acquisition reform legislation (commonly referred to as the Federal Information Technology Acquisition Reform Act, or FITARA) and to provide the chief information officer (CIO) visibility into and oversight over the IT budget. For example, of the eight OMB requirements, all four departments had established policies and procedures related to the level of detail with which IT resources are to be described in order to inform the CIO during the planning and budgeting processes. Agencies varied, however, as to how fully they had established policies and procedures related to some other OMB requirements, and none of the four departments had yet established procedures for ensuring that the CIO had reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (See table.)

Evaluation of Selected Departments' Policies and Procedures for Key Information Technology (IT) Budgeting Requirements

Selected Office of Management and Budget (OMB) requirement | DOE | HHS | DOJ | Treasury

1. Establish the level of detail with which IT resources are to be described in order to inform the Chief Information Officer (CIO) during the planning and budgeting processes.

2. Establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO.

3. Include the CIO in the planning and budgeting stages for programs that are supported with IT resources.

4. Include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level governance boards.

5. Document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources.

6. Ensure the CIO has reviewed and approved the major IT investments portion of the budget request.

7. Ensure the CIO has reviewed IT resources that are to support major program objectives and significant increases and decreases in IT resources.

8. Ensure the CIO has reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request.

●= The department provided documentation that satisfied all of the OMB requirement. ◑= The department provided documentation that satisfied most, but not all of the OMB requirement. ○= The department could not provide documentation that satisfied any of the OMB requirement.

Departments: DOE = Department of Energy, HHS = Department of Health and Human Services, DOJ = Department of Justice, Treasury = Department of the Treasury

Source: GAO analysis of department data. | GAO-19-49

Where the departments had not fully established policies and procedures, it was due, in part, to having not addressed in their FITARA implementation and delegation plans how they intended to implement the OMB requirements. Until departments develop comprehensive policies and procedures that address IT budgeting requirements established by OMB, they risk inconsistently applying requirements that are intended to facilitate the CIO's oversight and approval of the IT budget.

Departments varied in the extent to which they could demonstrate implementation of key IT budgeting requirements when developing fiscal year 2017 funding requests for sampled investments. Specifically, while DOJ demonstrated that it had fully implemented the selected requirements for the majority of the investments GAO sampled, HHS and Treasury partially demonstrated implementation for a majority of the sampled investments, and DOE could not demonstrate implementation for the majority of the sampled investments. For example, DOE, HHS, and Treasury were not able to fully show that their CIOs had reviewed whether estimates of IT resources included in the budget request were appropriate for two of their respective departments' largest fiscal year 2017 IT investments. Departments often could not demonstrate that they had implemented selected IT budgeting requirements at the investment level because they had not established comprehensive policies and procedures that required them to do so. As a result, departments could not show that CIOs were sufficiently involved in planning fiscal year 2017 IT expenditures at the individual investment level.

All four selected departments lacked quality assurance processes for ensuring their IT budgets were informed by reliable cost information. Specifically, the selected departments did not have IT capital planning processes for (1) ensuring government labor costs have been accurately reported, (2) aligning contract costs with IT investments, and (3) utilizing budget object class data to capture all IT programs. This resulted in billions of dollars in requested IT expenditures without departments having comprehensive information to support those requests, and nearly $4.6 billion in IT contract spending that was not explicitly aligned with investments in selected departments' IT portfolios. This was due to a lack of processes for periodically reviewing data quality and estimation methods for government labor estimates, as well as a lack of mechanisms to cross-walk IT spending data in their procurement and accounting systems with investment data in their IT portfolio management systems. In August 2017, OMB developed a new approach of using a standard set of categories to group IT spending that, if properly implemented, has the potential to provide departments and CIOs enhanced visibility into IT costs across the portfolio. Nevertheless, until departments establish processes for assessing or otherwise ensuring the quality of relevant IT cost data used to inform their IT budgets, department CIOs will have less assurance that their budget includes appropriate and comprehensive estimates of IT resources.

Why GAO Did This Study

In December 2014, Congress enacted FITARA, which was intended to improve covered agencies' acquisitions of IT. FITARA also provided an opportunity to strengthen the authority of CIOs to provide needed direction and oversight of agencies' IT budgets.

GAO was asked to review whether CIOs' IT budgeting practices are consistent with FITARA and OMB's implementing guidance. This report addresses the extent to which selected federal agencies (1) established policies and procedures that address IT budgeting requirements, (2) could demonstrate that they had developed fiscal year 2017 IT budgets for sampled investments consistent with FITARA and OMB guidance, and (3) implemented processes to ensure that annual IT budgets are informed by reliable cost information.

GAO selected four departments to review. These departments had the two highest and the two lowest average initial self-assessment scores of compliance with OMB's FITARA guidance, as well as a fiscal year 2017 IT budget of at least $1 billion. Within each of the departments, GAO also selected the component agencies with the largest fiscal year 2017 IT budget. For each selected department and component agency, GAO reviewed relevant IT budget policies and procedures, analyzed a sample of major and non-major investment proposals against key OMB requirements, and determined whether selected departments captured government labor costs, among other things.

Recommendations

GAO is making 43 recommendations to the eight selected departments and component agencies to address gaps in their IT budgeting policies and procedures, demonstrate implementation of OMB requirements, and establish procedures to ensure IT budgets are informed by reliable cost information. HHS, the Centers for Medicare and Medicaid Services, DOJ, the Federal Bureau of Investigation, and the Internal Revenue Service agreed with our recommendations. DOE partially agreed with one recommendation and agreed with the other recommendations made to it, as well as with the recommendations made to its component agency—the National Nuclear Security Administration. Treasury neither agreed nor disagreed with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 1)
Closed – Implemented
DOE agreed with our recommendation and has taken actions to implement it. Specifically, DOE Order 200.1A establishes requirements for reporting planned IT expenditures to the CIO. In addition, the DOE CIO's IT capital planning and investment control (CPIC) guidance for fiscal year 2022 further instructs DOE components to report 100 percent of IT costs through the Technology Business Management (TBM) framework, consistent with requirements from OMB Circular A-11, Section 55. In doing so, DOE CIO is to further categorize and provide more detail on the cost of various IT resources associated with each investment. For instance, cost pools are to include internal labor expenses such as employee wages and benefits, consulting services, physical technology assets, and software. Cost towers are to include a higher-level representation of functional expenses associated with centralized data storage, network operations costs, and enterprise applications, among other things. DOE's IT CPIC guidance further notes that the sum of all towers and cost pools should equal the total cost for each IT investment. Finally, DOE provides additional guidance on what to report in various towers and cost pools, including how to account for expenditures associated with National Labs for field sites. By updating its IT capital planning procedures to clarify how all expenditures for IT resources are to be reported to the CIO using TBM as a framework, the department has positioned the CIO to have greater assurance that the IT budget requests contain complete and accurate resource estimates.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 2)
Open
DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet documented procedures for ensuring the CIO is included in budget decisions for all programs with IT resources, including those within NNSA and the national laboratories. We will continue to monitor the agency's progress in implementing our recommendation.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 3)
Open – Partially Addressed
DOE agreed with our recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, DOE has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 4)
Open
DOE agreed with our recommendation. The department has provided IT governance board and budget procedures. However, DOE has not documented procedures by which the CIO is to work with program leadership in planning IT resources for all programs, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 5)
Open
The department has provided IT budget procedures. However, DOE has not documented procedures by which the CIO is to review and approve all major IT investments, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 6)
Open
DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not documented procedures for the CIO's review of IT resources that are to support major program objectives and significant increases and decreases in IT resources for department and component agency budget requests. We will continue to monitor the department's progress in implementing our recommendation.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 7)
Open
DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not developed procedures for documenting steps the CIO is to take to ensure that the IT portfolio includes appropriate estimates of all IT resources. We will continue to monitor the department's progress in implementing our recommendation.
Department of Energy The Secretary of Energy should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 8)
Open
DOE agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 9)
Open
DOE agreed with our recommendation and is planning to take steps towards implementing it. Specifically, DOE plans to implement the Technology Business Management Framework in its fiscal year 2022 reporting on the IT portfolio. Additionally, the department is coordinating internally to update its financial and procurement systems to better identify IT spending. DOE anticipates that its updates will allow the agency to compare actual IT spending against estimates in the portfolio. We will continue to monitor the department's progress in implementing our recommendation.
National Nuclear Security Administration The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO. (Recommendation 10)
Closed – Implemented
NNSA agreed with this recommendation and has taken actions through DOE to implement it. DOE Order 200.1A establishes requirements for reporting planned IT expenditures to the CIO. In addition, the DOE CIO's IT capital planning and investment control (CPIC) guidance for fiscal year 2022 further instructs DOE components, including NNSA, to report 100 percent of IT costs through the Technology Business Management (TBM) framework, consistent with requirements from OMB Circular A-11, Section 55. In doing so, DOE CIO aims to further categorize and provide more detail on the cost of various IT resources associated with each investment. For instance, cost pools are to include internal labor expenses such as employee wages and benefits, consulting services, physical technology assets, and software. Cost towers are to include a higher-level representation of functional expenses associated with centralized data storage, network operations costs, and enterprise applications, among other things. DOE's IT CPIC guidance further notes that the sum of all towers and cost pools should equal the total cost for each IT investment. Finally, DOE provides additional guidance on what to report in various towers and cost pools, including how to account for expenditures associated with National Labs for field sites. By updating its IT capital planning procedures to clarify how all expenditures for IT resources are to be reported to the CIO using TBM as a framework, the department has positioned the NNSA CIO and DOE CIO to have greater assurance that the IT budget requests contain complete and accurate resource estimates.
National Nuclear Security Administration The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 11)
Closed – Implemented
NNSA agreed with our recommendation and has taken steps to implement it. NNSA updated Supplemental Directive 415.1A, which establishes requirements and procedures for IT project oversight, in April 2021. Among other things, the supplemental directive details procedures for how the NNSA CIO is to be involved in the planning and budgeting of IT resources through its investment review board and capital planning and investment control process. In addition, the supplemental directive describes how NNSA's program offices, field office managers, and the Office of Enterprise Project Management are to coordinate with and integrate the NNSA office of the CIO when planning IT resources as part of their acquisition strategies and IT portfolios. Further, NNSA established an IT investment review board charter in March 2020 that provides more detailed instructions and a process for obtaining the NNSA CIO's review of funding requests to acquire and maintain IT resources. This review process requires the NNSA CIO to approve projects with IT components and includes a step for the NNSA CIO to obtain input from advisory board members, including the DOE CIO. By including the NNSA CIO, with input from department-level CIO, in the planning and budgeting stages for programs that are fully or partially supported with IT resources, NNSA has greater assurance that the CIO is able to provide input into key IT resource planning decisions.
National Nuclear Security Administration The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources. (Recommendation 12)
Closed – Implemented
NNSA agreed with this recommendation and has taken steps to implement it. Specifically, NNSA demonstrated that its CIO is a member of several key investment governance boards, which provide oversight for all investments reported through the investment management reporting system and those listed in the NNSA IT portfolio. For example, NNSA established an IT investment review board charter in March 2020 that provides detailed instructions and a process for obtaining the NNSA CIO's review of funding requests to acquire and maintain IT resources. This review process requires the NNSA CIO to approve requests for new funding involving IT resources with input from advisory board members, including the DOE CIO. By requiring that the NNSA CIO, with input from the department-level CIO, be included in key governance board decisions regarding IT investments, NNSA has increased its assurance that the CIO is providing input into key IT resource planning decisions.
National Nuclear Security Administration The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 13)
Open
NNSA agreed with this recommendation. The agency noted that it would update related procedures for its planning, programming, budgeting, and execution process to address the recommendation. However, those procedures, as of May 2021, did not include any discussion of IT or the NNSA CIO. We will continue to monitor the agency's progress towards implementing our recommendation.
National Nuclear Security Administration The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 14)
Closed – Implemented
NNSA agreed with this recommendation and has taken steps to implement it. NNSA established an IT investment review board charter in March 2020 that provides detailed instructions and a process for obtaining the NNSA CIO's review of funding requests to acquire and maintain IT resources. The review board is chaired by the NNSA CIO and is to obtain input from the DOE CIO and other advisory members through its review process. Among other things, the review board is to assess whether projects and procurement requests for IT resources are aligned with the organizational mission, goals, and objectives of the enterprise and verify that IT investments are achieving established goals. In addition, the charter notes that the Office of the CIO's capital planning and investment control team is to monitor financial resource additions and subtractions to both new and existing investments, conduct periodic review of project documentation, and participate in select project meetings. The capital planning and investment control team is to provide input to the NNSA IT investment review board with any concerns that arise during its continuous oversight. By developing procedures for the CIO's review of alignment with major program objectives and whether IT investment resources have increased or decreased significantly, NNSA has greater assurance that the IT budget request consistently supports the departments' goals and objectives and that the CIO has approved significant changes in the budget.
National Nuclear Security Administration The Administrator of NNSA should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 15)
Closed – Implemented
NNSA updated its FITARA implementation framework to incorporate the activities NNSA will complete to ensure that implementation of FITARA on individual investments is adequately documented. For example, the agency's updated FITARA implementation framework addresses how the agency is to document the CIO's efforts to work with program leadership to plan investments' IT resources and review the appropriateness of investments' estimates of IT resources, as well as other requirements from OMB's guidance on implementing FITARA. By taking these steps, NNSA has improved its ability to consistently document that its CIO is involved in planning and budgeting annual IT expenditures for individual investments.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 16)
Open
HHS agreed with this recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to include requirements for reporting expenditures that apply to all transactions with an IT component. We will continue to monitor the department's progress towards implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 17)
Open
HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to amplify the CIO's role in the planning and budgeting stages for all programs with IT resources. Also, HHS intends to document procedures for ensuring that all delegated authorities are carried out. We will continue to monitor the department's progress towards implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 18)
Open
HHS agreed with the recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, HHS has not provided charters that include the CIO as a member of component-level IT governance boards or demonstrated that the CIO delegated the requirement to the component CIOs. We will continue to monitor the department's progress in implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 19)
Open
HHS agreed with the recommendation. The department demonstrated that the CIO holds monthly CIO Council meetings with the component CIOs to discuss topics of concern that may affect HHS's IT portfolio such as cybersecurity issues and budget. The council is responsible for reviewing and making recommendations for IT investment plans over $20 million annually. However, the department has not developed policies and procedures that incorporate the processes by which the program leadership plans the portfolio of IT resources with the CIO for investments delegated to components. HHS plans to update its IT investment planning policy to address these shortfalls. We will continue to monitor the department's progress in implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 20)
Closed – Implemented
HHS agreed with the recommendation and has taken steps to implement it. Specifically, HHS documented procedures for the CIO's annual IT investment review process that includes the review and approval of the major IT investments portion of the budget request. As a result, HHS is better positioned to ensure that its CIO has reviewed and approved the department's budget request for its major IT investments prior to submission.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 21)
Open
HHS agreed with this recommendation and has taken steps towards implementing it. Specifically, HHS documented procedures that require the CIO to hold annual IT investment review meetings with components to review changes in IT resources. However, HHS has not documented procedures for the CIO's role in reviewing major program objectives. HHS plans to update its IT investment planning policy to address this shortfall. We will continue to monitor the department's progress toward implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 22)
Open
HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to assess and update its existing policies and procedures to document the steps the CIO is to take to review the IT portfolio for appropriate estimates of all IT resources. We will continue to monitor the department's progress toward implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 23)
Open
HHS agreed with the recommendation and has taken steps towards implementing it. Specifically, the department provided an updated memorandum, which specified the requirements delegated to component CIOs. Additionally, the memorandum stated that the HHS CIO retains authority over the entire HHS IT portfolio including component-level IT portfolios. While the delegation memorandum also included stipulations for retaining the delegated authorities that required the CIO's involvement, it did not detail how the CIO ensures through quality assurance processes that the delegated official executes such responsibilities with the appropriate level of rigor. We will continue to monitor the department's progress towards implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 24)
Open
HHS agreed with the recommendation. HHS updated its IT acquisition program policy and related processes to automate quality assurance measures and ensure IT investment governance for acquisitions containing IT resources. However, HHS has not demonstrated that it has taken steps to ensure the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented, such as documenting the CIO's visibility into IT resources, input into IT resource plans, and review and approval of IT budgets. We will continue to monitor the agency's progress in implementing our recommendation.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 25)
Open
HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, HHS established a working group and developed a roadmap for implementing the Technology Business Management Framework by fiscal year 2022. The agency anticipates that its strategy and approach will enable HHS to, among other things, link IT portfolio data, procurement system data, and financial system data. Further, HHS plans to update its IT investment planning policy to include the department's implementation of the Technology Business Management Framework. We will continue to monitor the department's progress towards implementing our recommendation.
Centers for Medicare & Medicaid Services The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 26)
Open
CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Centers for Medicare & Medicaid Services The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 27)
Open
CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Centers for Medicare & Medicaid Services The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 28)
Open
CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Centers for Medicare & Medicaid Services The Administrator of CMS should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 29)
Open
CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 30)
Closed – Implemented
The department developed IT budget procedures in April 2019 for reporting planned expenditures to the CIO for all transactions that include IT resources. Specifically, as part of the department's annual budgeting process, the DOJ CIO and Chief Financial Officer are to collaborate on the level of detail that program offices are required to report in their cost estimates for enhancement requests across IT spending categories. By taking these steps, DOJ is better positioned to ensure that budget requests contain complete and accurate resource estimates with the appropriate level of detail to inform the department's annual IT budget.
Department of Justice The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 31)
Closed – Implemented
DOJ agreed with this recommendation and has taken steps to implement it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. DOJ demonstrated that it established and implemented processes to include the DOJ CIO in governance boards and related review mechanisms that inform decisions regarding IT resources. As a result, the DOJ CIO is better positioned to provide input into key IT resource planning decisions.
Department of Justice The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 32)
Closed – Implemented
The department developed IT budget procedures in April 2019 that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. Specifically, DOJ's procedures include quality assurance steps that the CIO's budget manager is to carry out on component IT budget requests prior to the CIO's review. This includes quality assurance steps such as reviewing prior year expenditures for significant variances; identifying missing expenditures in acquisition forecasts; comparing financial system data to the budget; and validating data across various IT spending and cost categories, including government labor expenditures. By taking these steps, DOJ has improved its ability to ensure that its CIO is effectively positioned to consistently and adequately review and approve the IT budget request.
Department of Justice The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 33)
Closed – Implemented
The department developed IT budget standards in April 2019 that establish quality assurance processes for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. Specifically, DOJ's procedures include quality assurance steps that the CIO's budget manager is to carry out on component IT budget requests prior to the CIO's review. This includes quality assurance steps such as reviewing prior year expenditures for significant variances; identifying missing expenditures in acquisition forecasts; comparing financial system data to the budget; and validating data across various IT spending and cost categories, including government labor expenditures. By taking these steps, the DOJ CIO is better positioned to have increased transparency into IT spending, capture relevant costs in the IT budget, and make informed budget decisions.
Federal Bureau of Investigation The FBI Director should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 34)
Closed – Implemented
FBI agreed with our recommendation and has taken several steps to implement it. In particular, FBI established an Enterprise IT Governance model and a related FBI Policy Directive that are intended to enhance the CIO's oversight of IT resources. Among other things, the governance model includes a focus on reviewing investments' compliance with FITARA; responsibilities for the CIO to maintain documentation of governance body decision outcomes, actions, and conditions regarding investments; and audits of the governance model's oversight of IT investments. In addition, the governance model has required steps for coordination between the Office of the CIO, Division project managers, legal counsel, and financial experts on acquisition strategies and investment proposals. FBI's Office of the CIO also established an IT Cost Transparency program that aims to model and track the total cost to deliver and maintain FBI IT services. The program includes steps for analyzing budgets by tracing costs and resource consumption from an investment's sources to its uses. The program also includes steps for analyzing IT spending using financial system data to provide executives insight into budget allocation versus actual spending, as well as how that spending aligned with mission goals. Additionally, FBI has established steps for conducting periodic audits and assessments of major, standard, and a sample of non-major IT investments. Among other things, these reviews assess the accuracy of IT budget estimates and whether status reporting is consistent with approved program budgets. By taking these steps, FBI has enhanced its assurance that individual investments' actions to comply with OMB's guidance on implementing FITARA--including collaboration between the CIO and program leadership and the CIO's review of resource estimates--are adequately documented.
Department of the Treasury The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 35)
Open – Partially Addressed
According to Treasury, the Enterprise Technology Governance (ETG) office within the Office of the CIO is responsible for developing and implementing policies and procedures that establish the level of detail to be reported to the CIO for planned IT expenditures. Treasury officials stated that the department plans to further increase IT cost transparency across all bureaus through an enterprise-wide Technology Business Management (TBM) program led by its ETG office. Among other things, Treasury's TBM program intends to establish a TBM Data Governance Framework and business rules in collaboration with the bureaus to establish required details for IT expenditure reporting and processes for data management. We will continue to monitor the department's efforts to implement our recommendation.
Department of the Treasury The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 36)
Open – Partially Addressed
Treasury established an Annual IT Review process that outlines the procedures for the CIO's review of each bureau's planned IT resources for a given budget year proposal. Among other things, it includes a review of significant changes in the bureau's IT budget, an IT portfolio review that is to be broken out by program/activities at the bureau's discretion as long as it sums up to 100% of the IT spending, and a more detailed review of several IT acquisitions to be selected by the CIO based on a list of all bureau acquisitions. Treasury has drafted an update to its Treasury Directive 81-01 Publication to formalize the implementation of its Annual IT Review process by requiring that the Treasury CIO be invited to participate in Bureau IT governance discussions at their discretion and be notified of annual planning decisions in time to provide feedback as part of the annual planning process. In addition, the draft publication notes that the CIO is responsible for participating in an annual review of each Bureau IT portfolio to provide feedback and/or concurrence. However, these requirements are not yet in place since the publication is still in draft. We will continue to monitor the department's efforts to implement our recommendation.
Department of the Treasury The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 37)
Closed – Implemented
Treasury established an Annual IT Review template, which asks bureaus to list all of the governance bodies overseeing IT resources and to discuss each body's governance processes for the CIO's review. It also asks to identify new or updated governance bodies since the prior annual planning review for the CIO's awareness. By taking these steps, Treasury has enhanced the CIO's awareness of governance boards that oversee IT investments and understanding of how bureaus are carrying out delegated governance board responsibilities.
Department of the Treasury The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 38)
Closed – Implemented
Treasury established an Annual IT Review template, which includes an in-depth review and discussion of each component's top five major investments. The CIO also has discretion to conduct a more detailed review of IT acquisitions to be selected based on a list of all bureau acquisitions to be provided as part of the annual IT review process. By taking these steps, Treasury has demonstrated how the CIO is to review and approve the major IT investments portion of the budget request to include investments managed by its bureaus.
Department of the Treasury The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 39)
Open – Partially Addressed
According to Treasury, the department plans to implement an enterprise-wide Technology Business Management (TBM) program led by its Enterprise Technology Governance office. Among other things, Treasury's TBM program intends to establish procedures that could enable the CIO and Office of the CIO staff to verify resource estimates. In particular, Treasury's Data Governance Plan appears to include several steps for data validation and data quality reviews of IT resource estimates. However, Treasury has not yet provided documentation to corroborate its TBM program implementation and associated verification mechanisms for IT resource estimates in the budget request. We will continue to monitor the department's progress in implementing our recommendation.
Department of the Treasury The Secretary of the Treasury should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 40)
Open
In its FITARA delegation plan, Treasury delegated four responsibilities to bureau CIOs: (1) Include the CIO in the planning and budgeting stages for programs that are fully or partially supported with IT resources, (2) Include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level governance boards, (3) Ensure the CIO has reviewed and approved the major IT investments portion of the budget request, and (4) Ensure the CIO has reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. Treasury's CIO has not yet established a plan that specifies how the CIO intends to retain accountability for these delegated responsibilities and quality assurance processes that ensure the delegated official will execute such responsibilities with the appropriate level of rigor. We will continue to monitor the department's progress in implementing our recommendation.
Department of the Treasury The Secretary of the Treasury should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 41)
Open – Partially Addressed
Treasury's IT Annual Review template identifies steps Treasury has taken that would help to ensure individual IT investments have documented certain requirements from OMB's common baseline, such as how the CIO is included in the planning and budget stage for investments with IT resources and how program leadership is working with the CIO to plan investment IT resources within each bureau. However, the annual review (or inputs/outputs from this review) does not appear to include the CIO's review of planned resource estimates (future spending estimates) for non-major investments or major investments not selected for more detailed review. According to Treasury, the department plans to implement an enterprise-wide Technology Business Management (TBM) program led by its Enterprise Technology Governance office. The TBM program, when implemented, is expected to provide additional assurance that the Office of the CIO has visibility into IT spending and that the data on this spending for individual investments is accurate. In particular, Treasury's Data Governance Plan appears to include several steps for data validation and data quality reviews of IT resource estimates. However, Treasury has not yet provided documentation to corroborate its TBM program implementation and associated verification mechanisms for IT resource estimates of individual investments. We will continue to monitor the department's progress in implementing our recommendation.
Department of the Treasury The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 42)
Open – Partially Addressed
According to Treasury, the department plans to implement an enterprise-wide Technology Business Management (TBM) program led by its Enterprise Technology Governance office. The TBM program, when implemented, is expected to provide quality assurance processes that could help to ensure the annual IT budget is informed by complete and reliable information. In particular, Treasury's Data Governance Plan appears to include several steps for data validation and data quality reviews of IT resource estimates. In addition, Treasury plans to link the IT portfolio with other data sources--including financial, human resources, and acquisition systems--to obtain a more accurate understanding of investment cost allocations. However, Treasury has not yet provided documentation to corroborate its TBM program implementation and associated quality assurance mechanisms. We will continue to monitor the department's progress in implementing our recommendation.
Internal Revenue Service The IRS Commissioner should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 43)
Closed – Implemented
IRS agreed with our recommendation and has taken steps towards implementing it. For example, the agency CIO and associate CIOs are taking steps through the IRS's annual IT investment planning process to work with program leadership to develop budgets for individual investments. In addition, IRS demonstrated how the CIO and associate CIOs review and approve major program objectives and changes in IT resources for major and non-major investments. Further, IRS demonstrated that it documented steps that the CIO has taken to ensure that individual investments' estimates of IT resources in the portfolio and budget request were appropriate. By taking these steps, IRS has improved its ability to consistently document that its CIO is involved in planning and budgeting annual IT expenditures for individual investments.

GAO Contacts