Information Technology: OPM Needs to Adopt Key Practices in Modernizing Legacy Financial System

GAO-22-104206 Published: Feb 23, 2022. Publicly Released: Feb 23, 2022.
Fast Facts

The Office of Personnel Management's outdated and struggling Federal Financial System helps manage over $1 trillion in assets to support over 8 million federal employees and retirees. In FY 2017, OPM began a program to replace the system.

OPM has completed several phases of the replacement effort. However, estimated costs have increased by $13.4 million to $71.9 million, and several phases are delayed.

While OPM adopted some leading practices—particularly those for ensuring that systems are built to specifications—it hasn't adopted others for estimating costs and schedule or ensuring cybersecurity. Our recommendations address this.

Highlights

What GAO Found

The U.S. Office of Personnel Management (OPM) has completed several phases of its effort to modernize its Trust Funds Federal Financial System (FFS). Among other activities, OPM defined the project's charter, selected a service provider, and gathered requirements. However, as shown below, OPM had to extend the planned completion date of two upcoming milestones by 1 year to October 2022 and October 2023. These milestones focus on the transition to the shared service provider and the new system. In addition, OPM increased the estimated cost of project development and implementation by $13.4 million to $71.9 million.

Status of the Office of Personnel Management's (OPM) Financial System Modernization

Phase | Completed or planned completion date
Assessment, Readiness, and Selection | Completed September 2018
Engagement Phase 1 | Completed February 2020
Engagement Phase 2 | Completed September 2020
Migration Release 1 | Planned completion by October 2022 (originally estimated to be completed in October 2021)
Migration Release 2 | Planned completion by October 2023 (originally estimated to be completed in October 2022)

Source: GAO analysis of OPM's documentation and interviews. | GAO-22-104206

OPM attributed the delay to a variety of reasons, including poor documentation and insufficient staff expertise regarding the legacy system.

OPM partially implemented key practices for using a shared service provider. Specifically, while OPM performed recommended risk assessments of the modernization, the assessments were not comprehensive or did not accurately reflect the risks the program was facing, and they did not address all known risks. For example, the risk assessment during Engagement Phase 2 did not reflect that OPM had not defined service level agreements for operations and maintenance; applicable guidance considers this omission a high risk at this stage. Further, while OPM conducted recommended reviews at the conclusion of each phase, in two cases the agency moved forward on the modernization without meeting defined exit criteria.

In addition, while OPM fully adopted leading information technology (IT) management practices for requirements management, it did not do so for cost and schedule estimation, and cybersecurity. Specifically:

  • OPM did not fully adopt best practices for developing program cost and schedule estimates. As a result, its estimates were not reliable.
  • OPM adopted one key cybersecurity practice for systems engineering and partially adopted four other practices. For example, although OPM had identified security expectations for the migration phase, the agency had not defined the level of service to be supplied by the shared service provider. Following these practices helps ensure that security requirements and needs are addressed throughout the life cycle of the system.

Until the agency fully implements appropriate practices, OPM increases the risk that the program will incur schedule delays, cost overruns, unmet performance targets, and cybersecurity shortfalls.

Why GAO Did This Study

OPM's legacy financial system, FFS, helps manage over $1 trillion in combined assets and supports over 8 million federal employees and retirees. However, according to OPM, FFS is outdated and consists of unsupported software. In fiscal year 2017, OPM created the Trust Funds Modernization (TFM) Program to replace FFS. In 2019, the agency selected a shared service provider to provide the replacement system.

The House report accompanying the Consolidated Appropriations Act, 2020 included a provision for GAO to examine OPM's effort to modernize and replace FFS. This report (1) describes the status of OPM's effort to modernize and replace FFS; (2) evaluates the progress OPM has made in implementing key modernization practices for using a shared service provider; and (3) determines to what extent the TFM program has adopted leading practices for requirements management, cost and schedule estimation, and cybersecurity. To do so, GAO analyzed relevant TFM program documentation; assessed documentation against key modernization practices; and compared the program's requirements management, cost and schedule estimation, and cybersecurity to leading practices. GAO also interviewed OPM officials.

Recommendations

GAO is making five recommendations to OPM to improve its effort. OPM concurred with two recommendations, partially concurred with two, and did not concur with one. GAO maintains that the recommendations, as discussed in this report, are warranted.

Recommendations for Executive Action

Agency Affected: Office of Personnel Management
Recommendation: The Director of OPM should direct the CFO to ensure that the FFS-R project conducts a comprehensive M3 risk assessment and defines and meets exit criteria for the Migration phase Release 1 and Release 2 tollgates before proceeding to the next phase of the modernization. (Recommendation 1)
Status: Open. OPM partially concurred with this recommendation. In September 2022, OPM noted it conducts activities identified in the M3 risk assessment as part of the ongoing and comprehensive project management activities. In addition, OPM stated it will define and meet exit criteria before continuing to the next phase of the FFS Modernization. We will continue to monitor OPM's implementation of this recommendation.

Agency Affected: Office of Personnel Management
Recommendation: The Director of OPM should direct the CFO to ensure that the TFM program develops cost estimates using best practices described in GAO's Cost Estimating and Assessment Guide. (Recommendation 2)
Status: Open. OPM partially concurred with this recommendation. In September 2022, OPM stated that it will use the leading practices in the GAO cost guide for the FFS-R project and its releases, while noting that the agency would only use the guide as appropriate for the TFM program. We will continue to monitor OPM's implementation of this recommendation.

Agency Affected: Office of Personnel Management
Recommendation: The Director of OPM should direct the CFO to ensure that the TFM program updates the TFM schedule using best practices described in GAO's Schedule Assessment Guide, in particular, by addressing those schedule characteristics that were not substantially or fully met. (Recommendation 3)
Status: Open. OPM concurred with this recommendation. In September 2022, OPM officials stated that the Technology Modernization Fund program schedule has been updated to address our recommendation. However, no supporting documentation was provided. In addition, OPM noted it intends to continue improving its schedule estimates by implementing policies that align with leading practices. We will continue to monitor OPM's implementation of this recommendation.

Agency Affected: Office of Personnel Management
Recommendation: The Director of OPM should direct the CFO to ensure that interagency agreements, including service level agreements, identify how security requirements will be conducted and the level of services, including cybersecurity, that will be provided. (Recommendation 4)
Status: Open. OPM concurred with this recommendation. In September 2022, OPM noted that the interagency agreements for its operational support will identify the necessary service levels including cybersecurity requirements. In addition, OPM noted subsequent agreements, such as service level and operations and management, will include cybersecurity requirements and follow industry practices. We will continue to monitor OPM's implementation of this recommendation.

Agency Affected: Office of Personnel Management
Recommendation: The Director of OPM should direct the CFO to ensure that the OCIO and TFM Program Management Office have identified and acquired sufficient systems and cybersecurity experts to adequately staff the TFM program, including the FFS-R project. (Recommendation 5)
Status: Open. OPM did not concur with this recommendation. In September 2022, OPM stated that its CFO, TFM program manager, and the OCIO were involved in ensuring cybersecurity expertise and system support were identified and provided. In addition, OPM noted that the cybersecurity experts identified by the OCIO are responsible for verifying connectivity and ensuring system access standards comply with current cybersecurity standards, among other things, and regular meetings were held with the CIO, Deputy CIO, and OCIO point of contact to discuss program status and security-related activities. However, as discussed in the report, we maintain that OPM should direct the CFO to identify and acquire the system and cybersecurity expertise for its modernization of the TFM program, including the FFS-Project. We will continue to monitor OPM's implementation of this recommendation.
