Skip to Highlights
Highlights

What GAO Found

The U.S. Secret Service (Secret Service) Chief Information Officer (CIO) fully implemented 11 of 14 selected information technology (IT) oversight responsibilities, and partially implemented the remaining 3. The CIO partially implemented the responsibilities to establish a process that ensures the Secret Service reviews IT contracts; ensure that the component's IT policies align with the Department of Homeland Security's (DHS) policies; and set incremental targets to monitor program progress. Additional efforts to fully implement these 3 responsibilities will further position the CIO to effectively manage the IT portfolio.

Of the 15 selected practices within the 5 workforce planning and management areas, the Secret Service fully implemented 3 practices, partly implemented 8, and did not implement 4 (see table). Within the strategic planning area, the component partly implemented the practice to, among other things, develop IT competency needs. While the Secret Service had defined general core competencies for its workforce, the Office of the CIO (OCIO) did not identify all of the technical competencies needed to support its functions. As a result, the office was limited in its ability to address any IT competency gaps that may exist. Also, while work remains to improve morale across the component, the Secret Service substantially implemented the employee morale practices for its IT staff.

The U.S. Secret Service's Implementation of 15 Selected Leading Practices Associated with 5 Workforce Planning and Management Areas for Its Information Technology Workforce

Workforce area

Overall area rating

Number of practices fully implemented

Number of practices partly implemented

Number of practices not implemented

1. Strategic planning

Minimally implemented

0

2

1

2. Recruitment and hiring

Minimally implemented

0

1

2

3. Training and development

Minimally implemented

0

2

1

4. Employee morale

Substantially implemented

2

1

0

5. Performance management

Substantially implemented

1

2

0

Total

 

3

8

4

Source: GAO analysis of data provided by U.S. Secret Service officials. | GAO-19-60.

Secret Service officials said the gaps in implementing the workforce practices were due to, among other things, their focus on reorganizing the IT workforce within OCIO. Until the Secret Service fully implements these practices for its IT workforce, it may be limited in its ability to ensure the timely and effective acquisition and maintenance of the component's IT infrastructure and services.

Of the two selected IT project monitoring practices, DHS and the Secret Service fully implemented the first practice to monitor the performance of the Information Integration and Technology Transformation (IITT) investment. In addition, for the second practice—to monitor projects on incremental development metrics—the Secret Service fully implemented the practice on one of IITT's projects and partially implemented it on another. In particular, OCIO did not fully measure post-deployment user satisfaction with the system on one project. OCIO plans to conduct a user satisfaction survey of the system by September 2018, which should inform the office on whether the system is meeting users' needs.

Why GAO Did This Study

Commonly known for protecting the President, the Secret Service also plays a leading role in investigating and preventing financial and electronic crimes. To accomplish its mission, the Secret Service relies heavily on the use of IT infrastructure and systems. In 2009, the component initiated the IITT investment—a portfolio of programs and projects that are intended to, among other things, improve systems availability and security in support of the component's business operations.

GAO was asked to review the Secret Service's oversight of its IT portfolio and workforce. This report discusses the extent to which the (1) CIO implemented selected IT oversight responsibilities, (2) Secret Service implemented leading IT workforce planning and management practices, and (3) Secret Service and DHS implemented selected performance monitoring practices for IITT. GAO assessed agency documentation against 14 selected component CIO responsibilities established in DHS policy; 15 selected leading workforce planning and management practices within 5 topic areas; and two selected leading industry project monitoring practices that, among other things, were, in GAO's professional judgment, of most significance to managing IITT.

Skip to Recommendations

Recommendations

GAO is making 13 recommendations, including that the Secret Service establish a process that ensures the CIO reviews all IT contracts, as appropriate; and identify the skills needed for its IT workforce. DHS concurred with all recommendations and provided estimated dates for implementing each of them.

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Secret Service The Director should ensure that the CIO establishes and documents an IT acquisition review process that ensures the CIO or the CIO's delegate reviews all contracts containing IT, as appropriate. (Recommendation 1)
Closed - Implemented
In response to our recommendation, in April 2019 the Secret Service established a policy that specifies that the CIO must approve all Secret Service IT purchases, including hardware, software, and services. The policy also identifies how Secret Service staff are to submit IT purchase requests for review and outlines the approval sequence for such purchases. As part of this, the policy states that the final approver--called the Secret Service Approver--will not approve any requisitions that do not have the required CIO approval. By establishing this policy and process, the Secret Service CIO should be better informed of all IT purchases made by the component. The CIO should also be better positioned to ensure that such purchases are a cost-effective use of resources and are aligned with the component's missions and goals.
United States Secret Service The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2)
Open
DHS concurred with this recommendation. In July 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.
United States Secret Service The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3)
Open
DHS concurred with this recommendation. In July 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.
United States Secret Service The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4)
Open
Secret Service officials provided documentation of the key performance parameters associated with one of their programs that was developed using agile. However, this documentation did not identify any product quality-related metrics (e.g. metrics such as "defects discovered after deployment" and "outages after deployment"). Secret Service officials also stated that, for agile programs, user satisfaction is part of the development process. Further, after each Sprint, the user input includes qualitative satisfaction assessments that are folded into that Sprint's deployed capability. However, we did not receive documentation that demonstrates that post-deployment user satisfaction metric results are being collected following each production release. We will continue to monitor the department's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5)
Open
The Secret Service has made progress in identifying the required knowledge and skills for its IT workforce. In particular, the Secret Service has identified the required knowledge and skills for seven of the 12 occupational series within its IT workforce. However, we have not received any evidence to validate that the Secret Service has defined the required knowledge and skills for the remaining five occupational series that make up the IT workforce. As such, we will continue to monitor the component's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6)
Open
In July 2020, Secret Service officials stated that they were working with a contractor to perform staffing modeling efforts and identify gaps associated with its IT workforce. The officials added that this effort would continue to at least December 2020. As of April 2021, we have not yet received any documentation related to these efforts. As such, we will continue to follow-up with the Secret Service for documentation of its efforts to implement this recommendation.
United States Secret Service The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7)
Open
Although the Secret Service provided documentation to demonstrate that it focused its fiscal year 2019 recruiting events on addressing IT staffing and competency gaps, it has not yet fully identified all of its competency and gaps as stated in recommendation six. As such, we will continue to follow-up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps along with its subsequent recruiting and hiring efforts.
United States Secret Service The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8)
Open
Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. Secret Service also provided supporting documentation that identified its fiscal year 2018-2020 recruitment activities. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9)
Open
The Secret Service has not yet demonstrated that it has established and tracked metrics for monitoring the effectiveness of its recruitment and hiring plans and activities for the IT workforce as stated in recommendation six. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10)
Open
In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. In July 2020, Secret Service officials provided examples of the individual development plans developed for a few OCIO employees However, the Secret Service has not yet provided documentation that defines the required training for each occupational series within the IT workforce group, nor evidence to support that the OCIO has determined and documented the activities that the OCIO will include in its IT workforce training and development program based on its available training budget. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11)
Open
While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group as stated in recommendation ten. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12)
Open
Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts. For example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts. Further, in July 2020, Secret Service officials provided documentation for IT course completion. While the documentation provided identifies training completion results for two IT-related courses that all USSS employees are required to complete, the Secret Service has not yet provided documentation that shows that the CIO is collecting and assessing performance data to determine how the activities specific to the IT workforce's training and development program are contributing to improved performance and results. In addition, given that the Secret Service has suspended its IT training program. We will continue to monitor the component's efforts to implement this recommendation.
United States Secret Service The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13)
Closed - Implemented
In July 2020, the Secret Service OCIO provided the updated performance plans for the occupational series within the Secret Service's IT workforce that included the relevant technical competencies against which IT staff performance should be assessed. As a result, the OCIO has improved its ability to provide IT staff with a complete assessment of their performance. In addition, Secret Service management now have more insight into the extent to which IT staff are meeting their relevant technical competencies.

Full Report

GAO Contacts