U.S. Secret Service: Action Needed to Address Gaps in IT Workforce Planning and Management Practices
Highlights
What GAO Found
The U.S. Secret Service (Secret Service) Chief Information Officer (CIO) fully implemented 11 of 14 selected information technology (IT) oversight responsibilities, and partially implemented the remaining 3. The CIO partially implemented the responsibilities to establish a process that ensures the Secret Service reviews IT contracts; ensure that the component's IT policies align with the Department of Homeland Security's (DHS) policies; and set incremental targets to monitor program progress. Additional efforts to fully implement these 3 responsibilities will further position the CIO to effectively manage the IT portfolio.
Of the 15 selected practices within the 5 workforce planning and management areas, the Secret Service fully implemented 3 practices, partly implemented 8, and did not implement 4 (see table). Within the strategic planning area, the component partly implemented the practice to, among other things, develop IT competency needs. While the Secret Service had defined general core competencies for its workforce, the Office of the CIO (OCIO) did not identify all of the technical competencies needed to support its functions. As a result, the office was limited in its ability to address any IT competency gaps that may exist. Also, while work remains to improve morale across the component, the Secret Service substantially implemented the employee morale practices for its IT staff.
The U.S. Secret Service's Implementation of 15 Selected Leading Practices Associated with 5 Workforce Planning and Management Areas for Its Information Technology Workforce
|
Workforce area |
Overall area rating |
Number of practices fully implemented |
Number of practices partly implemented |
Number of practices not implemented |
|
1. Strategic planning |
Minimally implemented |
0 |
2 |
1 |
|
2. Recruitment and hiring |
Minimally implemented |
0 |
1 |
2 |
|
3. Training and development |
Minimally implemented |
0 |
2 |
1 |
|
4. Employee morale |
Substantially implemented |
2 |
1 |
0 |
|
5. Performance management |
Substantially implemented |
1 |
2 |
0 |
|
Total |
|
3 |
8 |
4 |
Source: GAO analysis of data provided by U.S. Secret Service officials. | GAO-19-60.
Secret Service officials said the gaps in implementing the workforce practices were due to, among other things, their focus on reorganizing the IT workforce within OCIO. Until the Secret Service fully implements these practices for its IT workforce, it may be limited in its ability to ensure the timely and effective acquisition and maintenance of the component's IT infrastructure and services.
Of the two selected IT project monitoring practices, DHS and the Secret Service fully implemented the first practice to monitor the performance of the Information Integration and Technology Transformation (IITT) investment. In addition, for the second practice—to monitor projects on incremental development metrics—the Secret Service fully implemented the practice on one of IITT's projects and partially implemented it on another. In particular, OCIO did not fully measure post-deployment user satisfaction with the system on one project. OCIO plans to conduct a user satisfaction survey of the system by September 2018, which should inform the office on whether the system is meeting users' needs.
Why GAO Did This Study
Commonly known for protecting the President, the Secret Service also plays a leading role in investigating and preventing financial and electronic crimes. To accomplish its mission, the Secret Service relies heavily on the use of IT infrastructure and systems. In 2009, the component initiated the IITT investment—a portfolio of programs and projects that are intended to, among other things, improve systems availability and security in support of the component's business operations.
GAO was asked to review the Secret Service's oversight of its IT portfolio and workforce. This report discusses the extent to which the (1) CIO implemented selected IT oversight responsibilities, (2) Secret Service implemented leading IT workforce planning and management practices, and (3) Secret Service and DHS implemented selected performance monitoring practices for IITT. GAO assessed agency documentation against 14 selected component CIO responsibilities established in DHS policy; 15 selected leading workforce planning and management practices within 5 topic areas; and two selected leading industry project monitoring practices that, among other things, were, in GAO's professional judgment, of most significance to managing IITT.
Recommendations
GAO is making 13 recommendations, including that the Secret Service establish a process that ensures the CIO reviews all IT contracts, as appropriate; and identify the skills needed for its IT workforce. DHS concurred with all recommendations and provided estimated dates for implementing each of them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Secret Service | The Director should ensure that the CIO establishes and documents an IT acquisition review process that ensures the CIO or the CIO's delegate reviews all contracts containing IT, as appropriate. (Recommendation 1) |
Closed – Implemented
In response to our recommendation, in April 2019 the Secret Service established a policy that specifies that the CIO must approve all Secret Service IT purchases, including hardware, software, and services. The policy also identifies how Secret Service staff are to submit IT purchase requests for review and outlines the approval sequence for such purchases. As part of this, the policy states that the final approver--called the Secret Service Approver--will not approve any requisitions that do not have the required CIO approval. By establishing this policy and process, the Secret Service CIO should be better informed of all IT purchases made by the component. The CIO should also be better positioned to ensure that such purchases are a cost-effective use of resources and are aligned with the component's missions and goals.
|
| United States Secret Service | The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2) |
Closed – Implemented
In response to our recommendation, the Secret Service has taken important steps to address this recommendation. In particular, in April 2021, the Secret Service updated its Enterprise Governance Council charter to outline the roles and responsibilities of all board members, including senior designees from the OCIO. Next, in January 2022, the Secret Service established a charter for its Enterprise Resource Board (which was previously named the Executive Resources Board) and it outlined the roles and responsibilities of all board members, including senior designees from the OCIO. Then, in February 2022, Secret Service provided its Planning, Programming, Budget, Executive and Evaluation policy directive, which reflects the CIO's responsibilities for developing and reviewing IT budget formulation and execution. Lastly, in August 2023, the Secret Service updated its overarching Secret Service Enterprise Governance policy directive to align with the new and updated OCIO roles and responsibilities that are documented in the charters and policy directive. As a result, the OCIO has improved its ability to develop and review the component's IT budget. Further, the Secret Service is better positioned to ensure that all members understand their roles and responsibilities on the board and council and will perform them as expected.
|
| United States Secret Service | The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3) |
Closed – Implemented
In response to our recommendation, in January 2022, Secret Service officials finalized a charter for its Board (which was renamed to the Enterprise Resource Board charter). The charter identifies the general roles and responsibilities of all board members, including a senior representative from the Office of the CIO. By formally identifying member's roles and responsibilities in the charter, the Secret Service will be better positioned to ensure that all members understand their roles and responsibilities and will perform them as expected.
|
| United States Secret Service | The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4) |
Closed – Implemented
In response to our recommendation, the Secret Service updated its acquisition policy to inform program staff that they should refer to DHS post-implementation review guidance when conducting a post-implementation review six to 18 months after a system's deployment. The DHS document provides guidance on the post-implementation review process, including identifying certain elements and data sources that should be assessed during this type of review. Further, the guidance strongly recommends that, for agile programs, staff should assess the systems against product quality and post-deployment user satisfaction metrics. As a result, the Secret Service has better assurance that its future agile programs will measure product quality and post-deployment user satisfaction.
|
| United States Secret Service | The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5) |
Closed – Implemented
In response to our recommendation, the Secret Service provided documentation that demonstrates that it had identified the required knowledge and skills for its IT workforce. In particular, in 2021 and 2022, the Secret Service OCIO provided position description documents for the 12 occupational series within the Secret Service's IT workforce that identified the required knowledge and skills for each occupational series. As a result, the OCIO has improved its ability to identify and address competency gaps within its workforce.
|
| United States Secret Service | The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6) |
Closed – Implemented
From 2018 to December 2020, in response to our recommendation, the Secret Service worked with a contractor to develop updated staffing models for its IT workforce. The contractor also determined competency gaps and additional IT workforce staffing needs by conducting an assessment of current and desired workload. The assessment indicated a need for additional staff for the Secret Service IT workforce. In addition, in May 2022, Secret Service officials provided a directive that states that Secret Service should reassess the component's workforce requirements every 3-5 years. Further, the directive states that they should assess workforce analyses results and determinations following any changes in technology, organizational structure, or the mission. As a result, the OCIO has improved its ability to determine whether its IT workforce has the necessary knowledge and skills to meet its mission and goals. In addition, regular assessments of the IT workforce's staffing needs should increase the likelihood that the Secret Service is able to appropriately identify the number of IT staff it needs to meet its mission and programmatic goals.
|
| United States Secret Service | The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7) |
Closed – Implemented
As referenced in recommendation six, the Secret Service conducted an analysis of the IT workforce to identify competency and staffing gaps. Secret Service officials stated that, following this analysis, the Secret Service adjusted its recruiting and hiring strategies to address staffing gaps in its IT workforce. Specifically, the officials provided excerpts from the Secret Service's National Recruitment Strategy that demonstrated these adjustments, such as placing more emphasis on using digital and social media platforms for recruitment. As a result, the OCIO has better assurance that its recruiting and hiring strategies are addressing the IT workforce's competency and staffing gaps.
|
| United States Secret Service | The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8) |
Open
In August 2023, Secret Service officials stated that the Secret Service is working on a new end-to-end hiring strategy that will include the use of new hiring solutions. As part of this strategy, the officials plan to incorporate more automation into their recruiting and outreach processes. In addition, the service plans to develop metrics to track the results of recruitment activities for the IT workforce. Further, the officials said the new end-to-end hiring solution should be in place in 2025. As such, we will continue to monitor the Secret Service's efforts to implement this recommendation.
|
| United States Secret Service | The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9) |
Open
Secret Service officials stated that the service is working on a new end-to-end hiring strategy, which is expected to produce metrics that track the results of its recruitment activities for the IT workforce. The officials added that the new end-to-end hiring solution should be in place in 2025. As such, as of August 2023, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's effort.
|
| United States Secret Service | The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10) |
Open
DHS concurred with this recommendation, and in response, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In addition, in August 2023, the Secret Service reported that the OCIO does not plan to implement a training and development program that is specific to its IT workforce. Instead, Secret Service OCIO officials reported that they believe that the responsibility to train and develop all members of the IT workforce would be better suited at the Secret Service enterprise level. As such, the component is not implementing training and development activities that are specific to the IT workforce group. We will continue to monitor the Secret Service's efforts to implement this recommendation.
|
| United States Secret Service | The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11) |
Open
DHS concurred with this recommendation. While the Secret Service OCIO has identified the recommended training and certifications for each OCIO division, the OCIO has not yet identified the required training for each of these divisions as stated in recommendation ten. Further, in August 2023, the Secret Service OCIO reported that it is not planning to track the completion of recommended training, since this training is not required. As such, the Secret Service is not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.
|
| United States Secret Service | The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12) |
Open
DHS concurred with this recommendation. However, in August 2023, the Secret Service reported that the OCIO does not currently plan to implement a training and development program that is specific to its IT workforce. As such, we will continue to monitor the component's efforts to implement this recommendation.
|
| United States Secret Service | The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13) |
Closed – Implemented
In July 2020, the Secret Service OCIO provided the updated performance plans for the occupational series within the Secret Service's IT workforce that included the relevant technical competencies against which IT staff performance should be assessed. As a result, the OCIO has improved its ability to provide IT staff with a complete assessment of their performance. In addition, Secret Service management now have more insight into the extent to which IT staff are meeting their relevant technical competencies.
|