IT Investment Management: Social Security Administration Needs to Oversee Investments in Operations and Better Evaluate Performance

What GAO Found

The Social Security Administration (SSA) has defined processes to manage IT investments under development that are consistent with relevant federal legislation, federal guidance, and key practices. However, the agency does not have a process to oversee investments in operations—including those in operations and maintenance (O&M), infrastructure, and cybersecurity. These investments accounted for $2 billion or about 90 percent of SSA's IT budget in fiscal year 2024. SSA officials told GAO that, among other things, maintaining investments in O&M is necessary and the agency cannot have debates on whether to continue to fund them. Without a process for the IT investment review board (IRB) to oversee these investments, SSA lacks the enterprise-wide perspective to make the most appropriate strategic IT investment decisions. In addition, the agency is hampered in its ability to effectively manage the entire IT portfolio and identify opportunities for cost savings and efficiencies.

SSA has not fully evaluated investments under development and those in operations:

• While SSA has policies and procedures to oversee investments under development, it has not fully implemented them. SSA's IT IRB meeting minutes for fiscal years 2022 to 2024 showed that the board primarily focused on funding allocations for the upcoming fiscal year and did not regularly discuss investment performance. SSA officials said that this was primarily due to the uncertain budget environment. However, without regular oversight, the IT IRB will not know whether the investments are meeting performance targets. The IRB also risks identifying corrective actions late, when they are more difficult and costly to address.
• SSA did not have complete performance documentation for three selected investments under development. Without complete and current performance data, SSA is unable to determine investment progress and value.

Analysis of Selected IT Investment Management Documentation, Fiscal Years 2022 to 2024

✔ Yes = documentation existed and was complete/current; △ Partial = documentation existed but was not complete/current; ✘ No = documentation did not exist.

Source: GAO analysis of Social Security Administration documentation. | GAO-25-107200

• SSA also does not have a process to regularly review the performance of investments in O&M, as called for in federal guidance. Officials stated that they maintain performance information for investments in O&M which is available to project staff and executives. In addition, project staff are responsible for monitoring investment performance and raising issues as needed to leadership. However, SSA's IT IRB meeting minutes did not show evidence of this. Until SSA defines and implements processes to review investments in O&M, it risks not knowing whether its multibillion-dollar IT investments continue to support agency needs.

Why GAO Did This Study

SSA relies extensively on IT to deliver retirement, disability, survivor, and family benefits programs to millions of Americans. In fiscal year 2024, SSA spent about $2.2 billion on IT.

GAO was asked to review SSA's IT investment management process. This report assesses (1) the extent to which SSA's IT investment management process complies with federal legislation, guidance, and relevant key practices; and (2) SSA's efforts to evaluate its IT investments.

In performing its work, GAO analyzed SSA's IT investment management processes and compared them to relevant provisions of federal IT acquisition legislation, federal guidance, and key practices. GAO also selected three mission-critical IT investments under development, and reviewed investment management documentation, including performance information, to determine if they were consistent with SSA's procedures. GAO also reviewed the contents of IT IRB meeting minutes and compared them to the responsibilities stated in the board's charter.