Information Technology: Departments Need to Improve Chief Information Officers' Review and Approval of IT Budgets

Highlights

What GAO Found

The departments GAO reviewed—the Departments of Energy (DOE), Health and Human Services (HHS), Justice (DOJ), and the Treasury (Treasury)—took steps to establish policies and procedures that align with eight selected Office of Management and Budget (OMB) requirements intended to implement information technology (IT) acquisition reform legislation (commonly referred to as the Federal Information Technology Acquisition Reform Act, or FITARA) and to provide the chief information officer (CIO) visibility into and oversight over the IT budget. For example, of the eight OMB requirements, all four departments had established policies and procedures related to the level of detail with which IT resources are to be described in order to inform the CIO during the planning and budgeting processes. Agencies varied, however, as to how fully they had established policies and procedures related to some other OMB requirements, and none of the four departments had yet established procedures for ensuring that the CIO had reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (See table.)

Evaluation of Selected Departments' Policies and Procedures for Key Information Technology (IT) Budgeting Requirements

Selected Office of Management and Budget (OMB) requirement	DOE	HHS	DOJ	Treasury
1. Establish the level of detail with which IT resources are to be described in order to inform the Chief Information Officer (CIO) during the planning and budgeting processes.	●	●	●	●
2. Establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO.	◑	◑	◑	◑
3. Include the CIO in the planning and budgeting stages for programs that are supported with IT resources.	◑	◑	●	◑
4. Include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level governance boards.	◑	◑	◑	◑
5. Document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources.	◑	◑	●	●
6. Ensure the CIO has reviewed and approved the major IT investments portion of the budget request.	◑	◑	●	◑
7. Ensure the CIO has reviewed IT resources that are to support major program objectives and significant increases and decreases in IT resources.	○	○	●	●
8. Ensure the CIO has reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request.	○	○	○	○

●= The department provided documentation that satisfied all of the OMB requirement. ◑= The department provided documentation that satisfied most, but not all of the OMB requirement. ○= The department could not provide documentation that satisfied any of the OMB requirement.

Departments: DOE = Department of Energy, HHS = Department of Health and Human Services, DOJ = Department of Justice, Treasury = Department of the Treasury

Source: GAO analysis of department data. | GAO-19-49

Where the departments had not fully established policies and procedures, it was due, in part, to having not addressed in their FITARA implementation and delegation plans how they intended to implement the OMB requirements. Until departments develop comprehensive policies and procedures that address IT budgeting requirements established by OMB, they risk inconsistently applying requirements that are intended to facilitate the CIO's oversight and approval of the IT budget.

Departments varied in the extent to which they could demonstrate implementation of key IT budgeting requirements when developing fiscal year 2017 funding requests for sampled investments. Specifically, while DOJ demonstrated that it had fully implemented the selected requirements for the majority of the investments GAO sampled, HHS and Treasury partially demonstrated implementation for a majority of the sampled investments, and DOE could not demonstrate implementation for the majority of the sampled investments. For example, DOE, HHS, and Treasury were not able to fully show that their CIOs had reviewed whether estimates of IT resources included in the budget request were appropriate for two of their respective departments' largest fiscal year 2017 IT investments. Departments often could not demonstrate that they had implemented selected IT budgeting requirements at the investment level because they had not established comprehensive policies and procedures that required them to do so. As a result, departments could not show that CIOs were sufficiently involved in planning fiscal year 2017 IT expenditures at the individual investment level.

All four selected departments lacked quality assurance processes for ensuring their IT budgets were informed by reliable cost information. Specifically, the selected departments did not have IT capital planning processes for (1) ensuring government labor costs have been accurately reported, (2) aligning contract costs with IT investments, and (3) utilizing budget object class data to capture all IT programs. This resulted in billions of dollars in requested IT expenditures without departments having comprehensive information to support those requests, and nearly $4.6 billion in IT contract spending that was not explicitly aligned with investments in selected departments' IT portfolios. This was due to a lack of processes for periodically reviewing data quality and estimation methods for government labor estimates, as well as a lack of mechanisms to cross-walk IT spending data in their procurement and accounting systems with investment data in their IT portfolio management systems. In August 2017, OMB developed a new approach of using a standard set of categories to group IT spending that, if properly implemented, has the potential to provide departments and CIOs enhanced visibility into IT costs across the portfolio. Nevertheless, until departments establish processes for assessing or otherwise ensuring the quality of relevant IT cost data used to inform their IT budgets, department CIOs will have less assurance that their budget includes appropriate and comprehensive estimates of IT resources.

Why GAO Did This Study

In December 2014, Congress enacted FITARA, which was intended to improve covered agencies' acquisitions of IT. FITARA also provided an opportunity to strengthen the authority of CIOs to provide needed direction and oversight of agencies' IT budgets.

GAO was asked to review whether CIOs' IT budgeting practices are consistent with FITARA and OMB's implementing guidance. This report addresses the extent to which selected federal agencies (1) established policies and procedures that address IT budgeting requirements, (2) could demonstrate that they had developed fiscal year 2017 IT budgets for sampled investments consistent with FITARA and OMB guidance, and (3) implemented processes to ensure that annual IT budgets are informed by reliable cost information.

GAO selected four departments to review. These departments had the two highest and the two lowest average initial selfassessments scores of compliance with OMB's FITARA guidance, as well as a fiscal year 2017 IT budget of at least $1 billion. Within each of the departments, GAO also selected the component agencies with the largest fiscal year 2017 IT budget. For each selected department and component agency, GAO reviewed relevant IT budget policies and procedures, analyzed a sample of major and non-major investment proposals against key OMB requirements, and determined whether selected departments captured government labor costs, among other things.

Recommendations

GAO is making 43 recommendations to the eight selected departments and component agencies to address gaps in their IT budgeting policies and procedures, demonstrate implementation of OMB requirements, and establish procedures to ensure IT budgets are informed by reliable cost information. HHS, the Centers for Medicare and Medicaid Services, DOJ, the Federal Bureau of Investigation, and the Internal Revenue Service agreed with our recommendations. DOE partially agreed with one recommendation and agreed with the other recommendations made to it, as well as with the recommendations made to its component agency—the National Nuclear Security Administration. Treasury neither agreed nor disagreed with the recommendations.

Recommendations for Executive Action

Agency Affected	Recommendation	Status Sort descending
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 25)	Open HHS agreed with the recommendation. In March 2021, HHS established a new policy for IT portfolio management. Among other things, the policy described requirements and plans to implement the Technology Business Management Framework, which can help government organizations to create a more transparent breakdown of IT expenditures. As of December 2023, HHS had not yet implemented quality assurance processes to ensure IT budgets have reliable cost information. We will continue to monitor the department's progress in implementing our recommendation.
Department of the Treasury	The Secretary of the Treasury should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 40)	Open In its FITARA delegation plan, Treasury delegated four responsibilities to bureau CIOs: (1) Include the CIO in the planning and budgeting stages for programs that are fully or partially supported with IT resources, (2) Include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level governance boards, (3) Ensure the CIO has reviewed and approved the major IT investments portion of the budget request, and (4) Ensure the CIO has reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. As of December 2023, Treasury's CIO has not yet established a plan that specifies how the CIO intends to retain accountability for these delegated responsibilities and quality assurance processes that ensure the delegated official will execute such responsibilities with the appropriate level of rigor. We will continue to monitor the department's progress in implementing our recommendation.
National Nuclear Security Administration	The Administrator of NNSA should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 15)	Closed – Implemented NNSA updated its FITARA implementation framework to incorporate the activities NNSA will complete to ensure that implementation of FITARA on individual investments is adequately documented. For example, the agency's updated FITARA implementation framework addresses how the agency is to document the CIO's efforts to work with program leadership to plan investments' IT resources and review the appropriateness of investments' estimates of IT resources, as well as other requirements from OMB's guidance on implementing FITARA. By taking these steps, NNSA has improved its ability to consistently document that its CIO is involved in planning and budgeting annual IT expenditures for individual investments.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 4)	Closed – Implemented DOE agreed with our recommendation and took steps to implement it. In July 2023, the department demonstrated that it updated its IT budget guidance. Among other things, the department's budget guidance included identifying various IT priorities and a budget briefing template to ensure that the CIO reviews departmental elements' plans for addressing certain IT priorities. In addition, in September 2023, DOE provided procedures for the CIO's review of the IT budget. Those procedures included instructions for all field, site, and lab offices to submit plans for IT investments to program and staff offices at DOE headquarters, who then subsequently obtain the Office of the CIO's review and approval. Moreover, the procedures include various steps and time frames for the Office of the CIO's review of DOE program and staff offices' IT proposals, including opportunities for feedback and modifications based on the review. DOE also established an IT acquisition forecast template that is to be reviewed as part of the CIO's budget review. Among other things, program and staff offices are to describe each planned acquisition and its associated IT investment, indicate whether the CIO has already approved the acquisition, and provide other details such as the contract type, vendor, and forecasted spending over several years. By taking these steps, DOE has increased the CIO's ability to work with program leadership in the formulation and planning of IT budgets.
Centers for Medicare & Medicaid Services	The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 26)	Closed – Implemented CMS agreed with and has taken actions to implement our recommendation. In June 2022, CMS established a Target Life Cycle process to guide IT system development and investment management. Through this process, the CMS CIO is to be included in the planning and budgeting stages for all programs that are fully or partially supported with IT resources, including non-major investments. For example, all new business needs and material changes to existing systems must go through an Initiate phase, which culminates with a review of a Governance Review Board that includes the CIO as well as other senior managers. By taking these steps, CMS has greater assurance that its CIO is providing input into key IT resource planning decisions.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 5)	Closed – Implemented DOE agreed with our recommendation and has taken steps to implement it. In September 2023, DOE provided procedures for the CIO's review and approval of major IT investments in the budget request. Those procedures included instructions for all field, site, and lab offices to submit plans for IT investments (including major investments) to program and staff offices at DOE headquarters, who then subsequently obtain the Office of the CIO's review and approval. Moreover, the procedures include various steps and time frames for the Office of the CIO's review of DOE program and staff offices' major IT investment business cases and proposals, including opportunities for feedback and modifications based on the review. Further, DOE also established an IT acquisition forecast template that is to be reviewed as part of the CIO's budget review. Among other things, program and staff offices are to describe each planned acquisition and its associated IT investment (including acquisitions for major investments), indicate whether the CIO has already approved the acquisition, and provide other details such as the contract type, vendor, and forecasted spending over several years. By taking these steps, DOE has increased its assurance that the CIO has adequately reviewed and approved major IT investments.
Department of the Treasury	The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 37)	Closed – Implemented Treasury established an Annual IT Review template, which asks bureaus to list all of the governance bodies overseeing IT resources and to discuss each body's governance processes for the CIO's review. It also asks to identify new or updated governance bodies since the prior annual planning review for the CIO's awareness. By taking these steps, Treasury has enhanced the CIO's awareness of governance boards that oversee IT investments and understanding of how bureaus are carrying out delegated governance board responsibilities.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 16)	Closed – Implemented HHS agreed with our recommendation and has taken actions to implement it. Specifically, the department issued a new Policy for IT Portfolio Management in September 2021 that, among other things, established requirements for reporting planned IT expenditures to the CIO. The new policy requires all operating divisions, staff divisions, and offices within HHS to utilize the Technology Business Management framework and specific categories required by the Office of Management and Budget when reporting IT costs. By doing so, HHS has positioned the CIO to have greater assurance that its IT budget requests contain complete and accurate resource estimates.
Centers for Medicare & Medicaid Services	The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 27)	Closed – Implemented CMS agreed with and has taken actions to implement our recommendation. In June 2022, CMS established a Target Life Cycle process to guide IT system development and investment management. In doing so, CMS documented processes by which program leadership is to work with the CIO to plan an overall portfolio of IT resources. For example, all new business needs and material changes to existing systems must go through an Initiate phase, which culminates with a review of a Governance Review Board that includes the CIO as well as other senior managers. In addition, the Governance Review Board is to review documentation that business owners submit for projects through the capital planning and investment control process, such as a business case and analysis of alternatives. By taking these steps, CMS has greater assurance that its CIO is working with program leadership and has a significant role in the formulation of the IT budget.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 6)	Closed – Implemented DOE agreed with our recommendation and took steps to implement it. In July 2023, the department demonstrated that it updated its IT budget guidance. Among other things, the department's budget guidance included identifying various IT priorities and a budget briefing template to ensure that the CIO reviews departmental elements' plans for addressing major IT program objectives and priorities. In addition, in September 2023 DOE provided procedures for the CIO's review of the IT budget. Those procedures included various steps and time frames for the Office of the CIO's review of DOE program and staff offices' IT proposals, including opportunities for feedback and modifications based on the review. The procedures also identified where the Office of the CIO could identify significant changes for each investment, including changes in total spending, spending on development, spending on operations, and labor costs. Further, the Office of the CIO established an IT acquisition forecast template that enables the CIO to review changes in the forecasted spending over several years for planned acquisitions within each investment. By taking these steps, DOE has increased its assurance that the IT budget request consistently supports the departments' goals and objectives and that the CIO has approved significant changes in the budget.
Department of the Treasury	The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 38)	Closed – Implemented Treasury established an Annual IT Review template, which includes an in-depth review and discussion of each component's top five major investments. The CIO also has discretion to conduct a more detailed review of IT acquisitions to be selected based on a list of all bureau acquisitions to be provided as part of the annual IT review process. By taking these steps, Treasury has demonstrated how the CIO is to review and approve the major IT investments portion of the budget request to include investments managed by its bureaus.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 17)	Closed – Implemented HHS agreed with our recommendation and has taken actions to implement it. Specifically, the Office of the CIO demonstrated that it conducts an annual review of HHS Operating Divisions' fiscal year IT budget request per a new IT Portfolio Management policy created in September 2021. Among other things, the CIO reviews the Operating Divisions' efforts to address strategic IT priorities and plans for programs with IT resources. By doing so, HHS has ensured that the CIO is providing input into programs partially or fully supported by IT resources.
Centers for Medicare & Medicaid Services	The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 28)	Closed – Implemented CMS agreed with and has taken actions to implement our recommendation. In June 2022, CMS established a Target Life Cycle to guide IT system development and investment management. Through this process, CMS documented the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. For example, during the Initiate phase the Governance Review Board, which includes the CIO, is to discuss alternatives of new IT proposals and system changes and determine whether proposed options are in alignment with CMS strategic goals and the desired technical architecture. In addition, through the capital planning and investment control process, the Governance Review Board may require an existing investment with major changes to update its acquisition strategy. By taking these steps, CMS has greater assurance that the IT budget request consistently supports the agency's goals and objectives and that its CIO has approved significant changes in the budget.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 7)	Closed – Implemented DOE agreed with and has taken actions to implement our recommendation. As of January 2024, DOE identified several steps that the Office of the CIO takes to help ensure departmental elements have included appropriate estimates of resources in their IT budget request. For example, as part of the annual IT budget process the Offices of the CFO and CIO jointly review departmental elements' IT budget data and follow-up with questions or request additional information. In addition, the CIO requests and receives annual budget briefings from departmental elements that include, among other things, a discussion of resource requirements to accomplish IT investment priorities. By taking these steps, DOE will have greater assurance that the CIO has adequately reviewed the IT budget request.
Department of the Treasury	The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 39)	Closed – Implemented Treasury has taken steps to implement our recommendation. In November 2022, Treasury established a Technology Business Management Data Governance Framework, which included several steps for Office of the CIO and bureaus to conduct data quality checks and validation of resources included in the IT portfolio. By taking these steps, Treasury has greater assurance that its IT portfolio includes appropriate estimates of all IT resources.
Centers for Medicare & Medicaid Services	The Administrator of CMS should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 29)	Closed – Implemented CMS agreed with and has taken actions to implement our recommendation. In June 2022, CMS established a Target Life Cycle process to guide IT system development and investment management. Through this process, CMS has taken steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. For example, CMS requires business owners to develop and maintain several capital planning and investment control and system development-related documents, such as a business case, alternatives analysis, user requirements, and technical design of the system. By taking these steps, CMS has greater assurance that individual investments comply with OMB's FITARA guidance.
Department of Energy	The Secretary of Energy should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 8)	Closed – Implemented DOE agreed with and has taken actions to implement our recommendation. As of January 2024, DOE identified annual IT budget briefings that the CIO requests and receives. Through this process, program offices are better positioned to maintain documentation that demonstrates how elements of the common baseline for implementing FITARA are being addressed. For example, the briefings demonstrate the CIO's involvement the planning and budgeting of investments with IT resources, the CIO's review of how the investment supports major program objectives, and the CIO's review of any major increases or decreases in resources. By taking these steps, DOE can better demonstrate that the CIO is sufficiently involved in planning and budgeting of annual IT expenditures.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 19)	Closed – Implemented HHS agreed with our recommendation and has taken actions to implement it. Specifically, the Office of the CIO demonstrated that it conducts an annual review of HHS Operating Divisions' fiscal year IT budget request per a new IT Portfolio Management policy created in September 2021. Among other things, the CIO reviews the Operating Divisions' efforts to address strategic IT priorities and plans for programs with IT resources. By doing so, HHS has established a process by which program leadership works with the CIO to plan an overall portfolio of IT resources.
Department of Justice	The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 30)	Closed – Implemented The department developed IT budget procedures in April 2019 for reporting planned expenditures to the CIO for all transactions that include IT resources. Specifically, as part of the department's annual budgeting process, the DOJ CIO and Chief Financial Officer are to collaborate on the level of detail that program offices are required to report in their cost estimates for enhancement requests across IT spending categories. By taking these steps, DOJ is better positioned to ensure that budget requests contain complete and accurate resource estimates with the appropriate level of detail to inform the department's annual IT budget.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 9)	Closed – Implemented DOE agreed with and has taken actions to implement our recommendation. Specifically, DOE has incorporated the Technology Business Management (TBM) taxonomy into its IT portfolio submission and review process and requires all IT investment costs to align with TBM categories. In September 2023, DOE established a Technology Business Management Data Process that addresses how DOE conducts data quality checks and validation of labor, contract, and other relevant IT expenditures. By taking these steps, DOE will likely have enhanced visibility into IT costs across the portfolio and additional assurance that the budget is being informed by all relevant IT costs.
Department of the Treasury	The Secretary of the Treasury should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 41)	Closed – Implemented Treasury has taken steps to implement our recommendation. Treasury identified steps that the department is taking to help ensure individual IT investments have documented requirements from OMB's common baseline. For example, in June 2022 Treasury provided a copy of its IT Annual Review template, which facilitates documentation of the CIO's inclusion in the planning and budget stage for investments with IT resources and efforts by program leadership to work with the CIO in planning IT resources within each bureau. By taking these steps, Treasury can more consistently demonstrate how the CIO was sufficiently involved in planning and budgeting annual IT expenditures.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 20)	Closed – Implemented HHS agreed with the recommendation and has taken steps to implement it. Specifically, HHS documented procedures for the CIO's annual IT investment review process that includes the review and approval of the major IT investments portion of the budget request. As a result, HHS is better positioned to ensure that its CIO has reviewed and approved the department's budget request for its major IT investments prior to submission.
Department of Justice	The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 31)	Closed – Implemented DOJ agreed with this recommendation and has taken steps to implement it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. DOJ demonstrated that it established and implemented processes to include the DOJ CIO in governance boards and related review mechanisms that inform decisions regarding IT resources. As a result, the DOJ CIO is better positioned to provide input into key IT resource planning decisions.
National Nuclear Security Administration	The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO. (Recommendation 10)	Closed – Implemented NNSA agreed with this recommendation and has taken actions through DOE to implement it. DOE Order 200.1A establishes requirements for reporting planned IT expenditures to the CIO. In addition, the DOE CIO's IT capital planning and investment control (CPIC) guidance for fiscal year 2022 further instructs DOE components, including NNSA, to report 100 percent of IT costs through the Technology Business Management (TBM) framework, consistent with requirements from OMB Circular A-11, Section 55. In doing so, DOE CIO aims to further categorize and provide more detail on the cost of various IT resources associated with each investment. For instance, cost pools are to include internal labor expenses such as employee wages and benefits, consulting services, physical technology assets, and software. Cost towers are to include a higher-level representation of functional expenses associated with centralized data storage, network operations costs, and enterprise applications, among other things. DOE's IT CPIC guidance further notes that the sum of all towers and cost pools should equal the total cost for each IT investment. Finally, DOE provides additional guidance on what to report in various towers and cost pools, including how to account for expenditures associated with National Labs for field sites. By updating its IT capital planning procedures to clarify how all expenditures for IT resources are to be reported to the CIO using TBM as a framework, the department has positioned the NNSA CIO and DOE CIO to have greater assurance that the IT budget requests contain complete and accurate resource estimates.
Department of the Treasury	The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 42)	Closed – Implemented Treasury has taken steps to implement our recommendation. In November 2022, established a Technology Business Management Data Governance Framework, which included several steps for Office of the CIO and bureaus to conduct data quality checks and validation of IT costs. Those steps include validating labor, contract, and other relevant IT costs that are pulled from different systems. By taking these steps, Treasury will likely have enhanced visibility into IT costs across the portfolio and additional assurance that the budget is being informed by all relevant IT costs.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 21)	Closed – Implemented HHS agreed with our recommendation and has taken actions to implement it. Specifically, the Office of the CIO demonstrated that it conducts an annual review of HHS Operating Divisions' fiscal year IT budget request per a new IT Portfolio Management policy created in September 2021. Among other things, the CIO reviews the Operating Divisions' efforts to support major program objectives, including plans for technology modernization, implementation of zero trust strategies, enterprise risk management, and implementation of Technology Business Management plans. In addition, the CIO reviews changes in costs for individual IT investments over multiple years. By taking these steps, HHS has increased its assurance that the IT budget request supports department goals and objectives and that significant changes in the budget are appropriate.
Department of Justice	The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 32)	Closed – Implemented The department developed IT budget procedures in April 2019 that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. Specifically, DOJ's procedures include quality assurance steps that the CIO's budget manager is to carry out on component IT budget requests prior to the CIO's review. This includes quality assurance steps such as reviewing prior year expenditures for significant variances; identifying missing expenditures in acquisition forecasts; comparing financial system data to the budget; and validating data across various IT spending and cost categories, including government labor expenditures. By taking these steps, DOJ has improved its ability to ensure that its CIO is effectively positioned to consistently and adequately review and approve the IT budget request.
National Nuclear Security Administration	The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 11)	Closed – Implemented NNSA agreed with our recommendation and has taken steps to implement it. NNSA updated Supplemental Directive 415.1A, which establishes requirements and procedures for IT project oversight, in April 2021. Among other things, the supplemental directive details procedures for how the NNSA CIO is to be involved in the planning and budgeting of IT resources through its investment review board and capital planning and investment control process. In addition, the supplemental directive describes how NNSA's program offices, field office managers, and the Office of Enterprise Project Management are to coordinate with and integrate the NNSA office of the CIO when planning IT resources as part of their acquisition strategies and IT portfolios. Further, NNSA established an IT investment review board charter in March 2020 that provides more detailed instructions and a process for obtaining the NNSA CIO's review of funding requests to acquire and maintain IT resources. This review process requires the NNSA CIO to approve projects with IT components and includes a step for the NNSA CIO to obtain input from advisory board members, including the DOE CIO. By including the NNSA CIO, with input from department-level CIO, in the planning and budgeting stages for programs that are fully or partially supported with IT resources, NNSA has greater assurance that the CIO is able to provide input into key IT resource planning decisions.
Internal Revenue Service	The IRS Commissioner should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 43)	Closed – Implemented IRS agreed with our recommendation and has taken steps towards implementing it. For example, the agency CIO and associate CIOs are taking steps through the IRS's annual IT investment planning process to work with program leadership to develop budgets for individual investments. In addition, IRS demonstrated how the CIO and associate CIOs review and approve major program objectives and changes in IT resources for major and non-major investments. Further, IRS demonstrated that it documented steps that the CIO has taken to ensure that individual investments' estimates of IT resources in the portfolio and budget request were appropriate. By taking these steps, IRS has improved its ability to consistently document that its CIO is involved in planning and budgeting annual IT expenditures for individual investments.
Department of Justice	The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 33)	Closed – Implemented The department developed IT budget standards in April 2019 that establish quality assurance processes for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. Specifically, DOJ's procedures include quality assurance steps that the CIO's budget manager is to carry out on component IT budget requests prior to the CIO's review. This includes quality assurance steps such as reviewing prior year expenditures for significant variances; identifying missing expenditures in acquisition forecasts; comparing financial system data to the budget; and validating data across various IT spending and cost categories, including government labor expenditures. By taking these steps, the DOJ CIO is better positioned to have increased transparency into IT spending, capture relevant costs in the IT budget, and make informed budget decisions.
National Nuclear Security Administration	The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources. (Recommendation 12)	Closed – Implemented NNSA agreed with this recommendation and has taken steps to implement it. Specifically, NNSA demonstrated that its CIO is a member of several key investment governance boards, which provide oversight for all investments reported through the investment management reporting system and those listed in the NNSA IT portfolio. For example, NNSA established an IT investment review board charter in March 2020 that provides detailed instructions and a process for obtaining the NNSA CIO's review of funding requests to acquire and maintain IT resources. This review process requires the NNSA CIO to approve requests for new funding involving IT resources with input from advisory board members, including the DOE CIO. By requiring that the NNSA CIO, with input from the department-level CIO, be included in key governance board decisions regarding IT investments, NNSA has increased its assurance that the CIO is providing input into key IT resource planning decisions.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 1)	Closed – Implemented DOE agreed with our recommendation and has taken actions to implement it. Specifically, DOE Order 200.1A establishes requirements for reporting planned IT expenditures to the CIO. In addition, the DOE CIO's IT capital planning and investment control (CPIC) guidance for fiscal year 2022 further instructs DOE components to report 100 percent of IT costs through the Technology Business Management (TBM) framework, consistent with requirements from OMB Circular A-11, Section 55. In doing so, DOE CIO is to further categorize and provide more detail on the cost of various IT resources associated with each investment. For instance, cost pools are to include internal labor expenses such as employee wages and benefits, consulting services, physical technology assets, and software. Cost towers are to include a higher-level representation of functional expenses associated with centralized data storage, network operations costs, and enterprise applications, among other things. DOE's IT CPIC guidance further notes that the sum of all towers and cost pools should equal the total cost for each IT investment. Finally, DOE provides additional guidance on what to report in various towers and cost pools, including how to account for expenditures associated with National Labs for field sites. By updating its IT capital planning procedures to clarify how all expenditures for IT resources are to be reported to the CIO using TBM as a framework, the department has positioned the CIO to have greater assurance that the IT budget requests contain complete and accurate resource estimates.
Department of Health and Human Services	The Secretary of Health and Human Services should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 23)	Closed – Implemented HHS agreed with our recommendation and has taken actions to implement it. Specifically, in March 2023 the HHS CIO issued an updated memorandum outlining its plan for delegating authorities to Operating Division CIOs. The memorandum identified specific authorities that were delegated as well as conditions that must be met for Operating Division CIOs to maintain those delegations. Among other things, the memorandum stated that the CIO would monitor the Operating Division CIOs' fulfillment of their responsibilities through periodic reviews of divisions' policies and procedures, compliance with HHS governance and approval obligations, performance on the annual CIO Action Plan, and attendance at CIO Council meetings. By implementing these oversight mechanisms into its plan for delegating authorities, the HHS CIO has greater assurance that delegated officials execute their responsibilities with the appropriate level of rigor.
Federal Bureau of Investigation	The FBI Director should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 34)	Closed – Implemented FBI agreed with our recommendation and has taken several steps to implement it. In particular, FBI established an Enterprise IT Governance model and a related FBI Policy Directive that are intended to enhance the CIO's oversight of IT resources. Among other things, the governance model includes a focus on reviewing investments' compliance with FITARA; responsibilities for the CIO to maintain documentation of governance body decision outcomes, actions, and conditions regarding investments; and audits of the governance model's oversight of IT investments. In addition, the governance model has required steps for coordination between the Office of the CIO, Division project managers, legal counsel, and financial experts on acquisition strategies and investment proposals. FBI's Office of the CIO also established an IT Cost Transparency program that aims to model and track the total cost to deliver and maintain FBI IT services. The program includes steps for analyzing budgets by tracing costs and resource consumption from an investment's sources to its uses. The program also includes steps for analyzing IT spending using financial system data to provide executives insight into budget allocation versus actual spending, as well as how that spending aligned with mission goals. Additionally, FBI has established steps for conducting periodic audits and assessments of major, standard, and a sample of non-major IT investments. Among other things, these reviews assess the accuracy of IT budget estimates and whether status reporting is consistent with approved program budgets. By taking these steps, FBI has enhanced its assurance that individual investments' actions to comply with OMB's guidance on implementing FITARA-including collaboration between the CIO and program leadership and the CIO's review of resource estimates-are adequately documented.
National Nuclear Security Administration	The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 13)	Closed – Implemented NNSA agreed with and has taken steps to implement this recommendation. In December 2023, NNSA revised Supplemental Directive 200.1, Information Resources Management. Among other things, the directive identifies policies and procedures for obtaining the NNSA CIO's review of major IT investments through its IT Investment Review Board. In addition, NNSA's FITARA Implementation Framework identifies procedures for the CIO's review and approval of major IT investments. This includes approving IT components of any program decision memorandums processed through NNSA's critical decision gate review process and ensuring that major IT investments are properly updated to include new projects, activities, risks, metrics, and documentation as appropriate and as required by the Office of Management and Budget. By taking these steps, NNSA has greater assurance that major investments with IT components are being reviewed and approved by its CIO.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 2)	Closed – Implemented DOE agreed with our recommendation and took steps to implement it. In July 2023, the department demonstrated that it updated its IT budget guidance. Among other things, the department's budget guidance included identifying various IT priorities and a budget briefing template to ensure that the CIO reviews departmental elements' plans for addressing certain IT priorities. In addition, in September 2023, DOE provided procedures for the CIO's review of the IT budget. Those procedures included instructions for all field, site, and lab offices to submit plans for IT investments to program and staff offices at DOE headquarters, who then subsequently obtain the Office of the CIO's review and approval. Moreover, the procedures include various steps and time frames for the Office of the CIO's review of DOE program and staff offices' IT proposals, including opportunities for feedback and modifications based on the review. DOE also established an IT acquisition forecast template that is to be reviewed as part of the CIO's budget review. Among other things, program and staff offices are to describe each planned acquisition and its associated IT investment, indicate whether the CIO has already approved the acquisition, and provide other details such as the contract type, vendor, and forecasted spending over several years. By taking these steps, DOE has increased the CIO's ability to provide input into key IT resource planning.
Department of Health and Human Services	The Secretary of Health and Human Services should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 24)	Closed – Implemented HHS agreed with our recommendation and has taken actions to implement it. As of July 2023, the Office of the CIO demonstrated that it conducts an annual review of HHS Operating Divisions' fiscal year IT budget request per a new IT Portfolio Management policy created in September 2021. During these IT budget reviews, the CIO collects documentation about individual investments, such as presentation slides that provide an overview of investments that support key initiatives, investment accomplishments and successes, and investments that help to address major IT program objectives; a list of IT investments and their associated costs; and action items for corrective actions to take following the meetings. These efforts will help to ensure that elements of OMB's guidance for implementing FITARA are being documented for individual investments. Moreover, having procedures for collecting and reviewing this documentation will help the department demonstrate that the HHS CIO is sufficiently involved in planning and budgeting of annual IT expenditures.
Department of the Treasury	The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 35)	Closed – Implemented Treasury has taken steps to implement our recommendation. In November 2022, Treasury created its Technology Business Management (TBM) Program Data Governance document, which established department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. Specifically, Treasury adopted the TBM framework as a standard taxonomy for categorizing IT costs throughout the department. By taking these steps, Treasury has greater assurance that budget requests contain complete, consistent, and accurate IT resource estimates.
National Nuclear Security Administration	The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 14)	Closed – Implemented NNSA agreed with this recommendation and has taken steps to implement it. NNSA established an IT investment review board charter in March 2020 that provides detailed instructions and a process for obtaining the NNSA CIO's review of funding requests to acquire and maintain IT resources. The review board is chaired by the NNSA CIO and is to obtain input from the DOE CIO and other advisory members through its review process. Among other things, the review board is to assess whether projects and procurement requests for IT resources are aligned with the organizational mission, goals, and objectives of the enterprise and verify that IT investments are achieving established goals. In addition, the charter notes that the Office of the CIO's capital planning and investment control team is to monitor financial resource additions and subtractions to both new and existing investments, conduct periodic review of project documentation, and participate in select project meetings. The capital planning and investment control team is to provide input to the NNSA IT investment review board with any concerns that arise during its continuous oversight. By developing procedures for the CIO's review of alignment with major program objectives and wither IT investment resources have increased or decreased significantly, NNSA has greater assurance that the IT budget request consistently supports the departments' goals and objectives and that the CIO has approved significant changes in the budget.
Department of Energy	The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 3)	Closed – Implemented DOE agreed with and has taken actions to implement our recommendation. In January 2024, DOE provided support to demonstrate the CIO's role as a member of the NNSA IT Investment Review Board and the Energy Systems Acquisition Review Board. Through these governance boards, the CIO has an opportunity to inform decisions regarding programs that include, or could include, IT resources. In addition, the CIO chairs the department-wide Information Management Governance Board, which provides oversight and makes decisions on department-wide IT issues and investments. By taking these steps, the DOE has reduced the risk that the CIO is not providing input into key IT resource planning decisions.
Department of the Treasury	The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 36)	Open – Partially Addressed Treasury established an Annual IT Review process that outlines the procedures for the CIO's review of each bureau's planned IT resources for a given budget year proposal. Among other things, it includes a review of significant changes in the bureau's IT budget, an IT portfolio review that is to be broken out by program/activities at the bureau's discretion as long as it sums up to 100% of the IT spending, and a more detailed review of several IT acquisitions to be selected by the CIO based on a list of all bureau acquisitions. Treasury drafted an update to its Treasury Directive 81-01 Publication to formalize the implementation of its Annual IT Review process by requiring that the Treasury CIO be invited to participate in Bureau IT governance discussions at their discretion and be notified of annual planning decisions in time to provide feedback as part of the annual planning process. In addition, the draft publication notes that the CIO is responsible for participating in an annual review of each Bureau IT portfolio to provide feedback and/or concurrence. However, as of December 2023 these requirements were not yet in place since the publication is still in draft. We will continue to monitor the department's efforts to implement our recommendation.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 18)	Open – Partially Addressed HHS agreed with our recommendation. The department provided charters that included the CIO as a member of department-level governance boards. However, as of December 2023 HHS has not yet demonstrated that the HHS CIO is a decision-making member of the Service and Supply Fund board-which reviews and approves operations and common service spending across the department-and other component-level IT investment review boards at CMS. We will continue to monitor the department's efforts to implement our recommendation.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 22)	Open – Partially Addressed HHS agreed with our recommendation. As of July 2023, the Office of the CIO demonstrated that it conducts an annual review of HHS Operating Divisions' fiscal year IT budget request per a new IT Portfolio Management policy created in September 2021. Among other things, the annual review includes a list of the Operating Divisions' proposed investments and their associated costs. As of December 2023, HHS has not documented the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. We will continue to monitor the department's efforts to implement our recommendation.

See All 43 Recommendations

Full Report

Highlights Page (2 pages)

Full Report (97 pages)

GAO Contacts

Carol C. Harris

Director

harriscc@gao.gov

(202) 512-4456

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Information Technology

Budget dataBudget requestsCompliance oversightBudgetingBudgetsChief information officersFederal spendingIT investmentsIT resourcesInformation technologyPolicies and proceduresQuality assuranceChief financial officers