Information Technology: OPM Needs to Adopt Key Practices in Modernizing Legacy Financial System
Fast Facts
The Office of Personnel Management's outdated and struggling Federal Financial System helps manage over $1 trillion in assets to support over 8 million federal employees and retirees. In FY 2017, OPM began a program to replace the system.
OPM has completed several phases of the replacement effort. However, estimated costs have increased by $13.4 million to $71.9 million, and several phases are delayed.
While OPM adopted some leading practices—particularly those for ensuring that systems are built to specifications—it hasn't adopted others for estimating costs and schedule or ensuring cybersecurity. Our recommendations address this.
Highlights
What GAO Found
The U.S. Office of Personnel Management (OPM) has completed several phases of its effort to modernize its Trust Funds Federal Financial System (FFS). Among other activities, OPM defined the project's charter, selected a service provider, and gathered requirements. However, as shown below, OPM had to extend the planned completion date of two upcoming milestones by 1 year to October 2022 and October 2023. These milestones focus on the transition to the shared service provider and the new system. In addition, OPM increased the estimated cost of project development and implementation by $13.4 million to $71.9 million.
Status of the Office of Personnel Management's (OPM) Financial System Modernization
|
Phase |
Completed or planned completion date |
|
Assessment, Readiness, and Selection |
Completed September 2018 |
|
Engagement Phase 1 |
Completed February 2020 |
|
Engagement Phase 2 |
Completed September 2020 |
|
Migration Release 1 |
Planned completion by October 2022 (originally estimated to be completed in October 2021) |
|
Migration Release 2 |
Planned completion by October 2023 (originally estimated to be completed in October 2022) |
Legend:
_____ = milestones that have been completed
Source: GAO analysis of OPM's documentation and interviews. | GAO-22-104206
OPM attributed the delay to a variety of reasons, including poor documentation and insufficient staff expertise regarding the legacy system.
OPM partially implemented key practices for using a shared service provider. Specifically, while OPM performed risk assessments of the modernization, the assessments were not comprehensive or did not accurately reflect the risks the program was facing. Specifically, while OPM performed recommended assessments of the modernization, it did not address all known risks. For example, the risk assessment during Engagement Phase 2 did not reflect that OPM had not defined service level agreements for operations and maintenance; applicable guidance considers this omission a high risk at this stage. Further, while OPM conducted recommended reviews at the conclusion of each phase, in two cases the agency moved forward on the modernization without meeting defined exit criteria.
In addition, while OPM fully adopted leading information technology (IT) management practices for requirements management, it did not do so for cost and schedule estimation, and cybersecurity. Specifically:
- OPM did not fully adopt best practices for developing program cost and schedule estimates. As a result, its estimates were not reliable.
- OPM adopted one key cybersecurity practice for systems engineering and partially adopted four other practices. For example, although OPM had identified security expectations for the migration phase, the agency had not defined the level of service to be supplied by the shared service provider. Following these practices help ensure that security requirements and needs are addressed throughout the life cycle of the system.
Until the agency fully implements appropriate practices, OPM increases the risk that the program will incur schedule delays, cost overruns, unmet performance targets, and cybersecurity shortfalls.
Why GAO Did This Study
OPM's legacy financial system, FFS, helps manage over $1 trillion in combined assets and supports over 8 million federal employees and retirees. However, according to OPM, FFS is outdated and consists of unsupported software. In fiscal year 2017, OPM created the Trust Funds Modernization (TFM) Program to replace FFS. In 2019, the agency selected a shared service provider to provide the replacement system.
The House report accompanying the Consolidated Appropriations Act, 2020 included a provision for GAO to examine OPM's effort to modernize and replace FFS. This report (1) describes the status of OPM's effort to modernize and replace FFS; (2) evaluates the progress OPM has made in implementing key modernization practices for using a shared service provider; and (3) determines to what extent the TFM program has adopted leading practices for requirements management, cost and schedule estimation, and cybersecurity. To do so, GAO analyzed relevant TFM program documentation; assessed documentation against key modernization practices; and compared the program's requirements management, cost and schedule estimation, and cybersecurity to leading practices. GAO also interviewed OPM officials.
Recommendations
GAO is making five recommendations to OPM to improve its effort. OPM concurred with two recommendations, partially concurred with two, and did not concur with one. GAO maintains the recommendations as discussed in this report are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the FFS-R project conducts a comprehensive M3 risk assessment and defines and meets exit criteria for the Migration phase Release 1 and Release 2 tollgates before proceeding to the next phase of the modernization. (Recommendation 1) |
OPM partially agreed with this recommendation because it did not believe that a comprehensive M3 risk assessment was a wise use of their resources. OPM stated that it would pay attention to the exit criteria for Release 1 and assess implementation plans for Release 2 against the M3 playbook. However, OPM did not conduct a comprehensive M3 risk assessment for the modernization. In addition, while OPM provided evidence that exit criteria had been defined and met for Release 1, it did not do so for Release 2. OPM provided documentation related to FFS-R Release 2 such as cost, schedule, and the implementation briefing. However, the evidence provided did not demonstrate that it had defined and met exit criteria for Release 2. Given that the agency did not fully implement the recommendation, and in November 2024, completed the modernization of the system, we are closing this recommendation as no longer valid.
|
| Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the TFM program develops cost estimates using best practices described in GAO's Cost Estimating and Assessment Guide. (Recommendation 2) |
OPM partially agreed with this recommendation because it based its cost estimate on another entity's cost estimate. We reviewed OPM's cost estimation documentation most recently in March 2025. While we saw improvement in the 12 best practices and all four characteristics of the provided cost documentation, three characteristics were not fully met resulting in an unreliable cost estimate. Given that the agency did not fully implement the recommendation, and in November 2024, completed the modernization of the system, we are closing this recommendation as no longer valid.
|
| Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the TFM program updates the TFM schedule using best practices described in GAO's Schedule Assessment Guide, in particular, by addressing those schedule characteristics that were not substantially or fully met. (Recommendation 3) |
OPM agreed with this recommendation. We reviewed OPM's schedule estimation documentation most recently in January 2024. OPM provided a schedule file for only one completed portion of the modernization and not the integrated master schedule needed for our analysis despite multiple attempts from GAO to collect it. As a result, we could not assess the extent to which relevant best practices in GAO's schedule guide were used. Given that the agency did not fully implement the recommendation, and in November 2024, completed the modernization of the system, we are closing this recommendation as no longer valid.
|
| Office of Personnel Management | The Director of OPM should direct the CFO to ensure that interagency agreements, including service level agreements, identify how security requirements will be conducted and the level of services, including cybersecurity, that will be provided. (Recommendation 4) |
The agency agreed with the recommendation. In July 2025, OPM provided us with its service level agreement with the shared service provider. This agreement details how security requirements will be conducted and the level of services, including cybersecurity, that will be provided. As a result, OPM will be better positioned to ensure that the modernized system will meet the security needs of the agency.
|
| Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the OCIO and TFM Program Management Office have identified and acquired sufficient systems and cybersecurity experts to adequately staff the TFM program, including the FFS-R project. (Recommendation 5) |
OPM did not agree with this recommendation and, and at the time of our report, stated that it had identified and acquired sufficient cybersecurity experts to adequately staff the program. While OPM provided documentation which included a role mapping tracker identifying systems and roles, none were cybersecurity or security related. In addition, we reviewed OPM's most recent risk register (February 2023) and the lack of OCIO resources remained open with a note and they did not provide documentation that they mitigated the risk. Given that the agency did not fully implement the recommendation, and in November 2024, completed the modernization of the system, we are closing this recommendation as no longer valid.
|