Recommendation: The Secretary of Defense should direct the DOD CIO to complete a department-wide inventory of existing IP-compliant devices and technologies to help with planning efforts and requirements development for the transition to IPv6. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the DOD CIO to develop a cost estimate as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the DOD CIO to develop a risk analysis as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders' have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Director of CAPE, in coordination with the Deputy Assistant Secretary of Defense for Nuclear Matters, the Deputy Assistant Secretary of Defense for Nuclear and Missile Defense Policy, and the Joint Staff Deputy Director for Strategic Stability, as co-chairs of the Nuclear Deterrent Senior Oversight Group, update the applicable guidance for methods of tracking and evaluating progress on implementation of the recommendations from the 2014 nuclear enterprise reviews, requiring DOD components to keep information—including any revised time frames—current. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: DOD concurred with our recommendation and stated that the Nuclear Deterrent Senior Oversight Group co-chairs or, as necessary, the Deputy Secretary of Defense as the chair of Nuclear Deterrent Enterprise Review Group (NDERG), will update the applicable guidance to ensure that time frames and other information associated with planned actions are kept up to date. In April 2020, the acting Deputy Assistant Secretary of Defense for Nuclear Matters issued a memo requesting updates to information that is included in the 2014 tracker by June 1, 2020; however, no additional guidance requiring continuing updates beyond June 1 has been issued as of September 2020.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition and Sustainment updates the applicable guidance for methods of tracking and evaluating progress on implementation of the recommendations of the 2015 NC3 report, requiring DOD components to keep information—including metrics for measuring progress and outcomes as well as any revised time frames that may extend out more than 1 year—complete and current. 49 (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: DOD concurred with our recommendation and stated that the DOD Chief Information Officer and, as appropriate, the Under Secretary of Defense for Acquisition and Sustainment as the NC3 capability portfolio manager, will update the applicable guidance to ensure that metrics, time frames, and other information associated with planned actions are kept up to date and complete.

Recommendation: The Director of OMB should develop and implement a plan with GSA that outlines the actions needed to fully recover the TMF Program Management Office's operating expenses with administrative fee collection in a timely manner. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.

Recommendation: The Director of OMB should work with GSA to clarify the requirement in the TMF guidance that agencies follow the cost estimating process outlined in Circular A-11 (that references GAO's cost estimating guidance discussed in this report), when developing the proposal cost estimate. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open

Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should develop and implement a plan with OMB that outlines the actions needed to fully recover the TMF Program Management Office's operating expenses with administrative fee collection in a timely manner. (Recommendation 3)

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) has not yet taken any actions to implement our recommendation. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should work with OMB to clarify the requirement in the TMF guidance that agencies follow the cost estimating process outlined in Circular A-11 (that references GAO's cost estimating guidance discussed in this report), when developing the proposal cost estimate. (Recommendation 4)

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) has not yet taken any actions to implement our recommendation. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should develop detailed guidance for completing the Technology Modernization Fund project cost estimate template, including information on the data elements and the fields required to be completed, in order to help ensure the accuracy and completeness of the provided information. (Recommendation 5)

Agency: General Services Administration
Status: Open

Comments: In comments on our report, the General Services Administration (GSA) concurred with our recommendation but has not yet taken any actions to implement our recommendation. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Director of OMB should establish a process for monitoring and holding agencies accountable for authorizing cloud services through FedRAMP. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Priority recommendation

Comments: OMB neither agreed nor disagreed with this recommendation and as of September 2020, the office has not provided information on its actions to implement our recommendation. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. According to an OMB Associate General Counsel, the agency does not have a mechanism for enforcing agencies' compliance with its guidance on FedRAMP. However, we believe that OMB can and should hold agencies accountable for complying with its policies. By implementing this recommendation, OMB could substantially improve participation in the FedRAMP program, which is intended to standardize security requirements for federal agencies' authorizations of cloud services. We will update the status of this recommendation when OMB provides information on its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. (Recommendation 2)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to improve the program's continuous monitoring process by allowing more automated capabilities, including for agencies to review documentation. (Recommendation 3)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update security plans for selected systems to include the description of security controls and reviews and approvals plan. (Recommendation 4)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 5)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the list of corrective actions for selected systems to identify the responsible office and estimated funding required and anticipated source of funding. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 7)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security plan for the selected system to identify the authorization boundary, the system operational environment and connections, a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 8)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 9)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the list of corrective actions for the selected system to identify the specific weaknesses, funding source, changes to milestones and completion dates, identified source of weaknesses, and status of corrective actions. (Recommendation 10)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status once CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the system security plans for selected systems to identify a description of security controls. (Recommendation 11)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the security assessment report for selected system to identify the summarized results of control effectiveness tests. (Recommendation 12)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update and document the CMS remedial action plan for the selected system to identify the anticipated source of funding. (Recommendation 13)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to prepare letters authorizing the use of cloud services for the selected systems and submit the letters to the FedRAMP program management office. (Recommendation 14)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update security plans for selected systems to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. (Recommendation 15)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the security assessment report for selected systems to identify summarized results of control effectiveness tests. (Recommendation 16)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the NIH list of corrective actions for selected systems to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. (Recommendation 17)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to submit the division's letters authorizing the use of cloud services for the selected systems to the FedRAMP program management office. (Recommendation 18)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Administrator of EPA should update security plan for the selected operational system to identify a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. (Recommendation 20)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the list of corrective actions for the selected operational system to identify the specific weakness, estimated funding and anticipated source of funding, key remediation milestones with completion dates, changes to milestones and completion dates, and source of the weaknesses. (Recommendation 21)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking action to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should prepare the letter authorizing the use of cloud service for the selected operational system and submit the letter to the FedRAMP program management office. (Recommendation 22)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should develop guidance requiring that cloud service authorization letter be provided to the FedRAMP program management office. (Recommendation 23)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any additional evidence. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Secretary of Agriculture should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 2)

Agency: Department of Education
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Energy should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 3)

Agency: Department of Energy
Status: Open

Comments: In July 2020, the department reported actions it had taken to fully implement the activities associated with assessing competencies and needs regularly; assessing gaps in competencies and staffing; monitoring the agency's progress in addressing competency and staffing gaps; and reporting to agency leadership on progress in addressing competency and staffing gaps. The department also reported actions it had taken to address the remaining four activities and provided estimated time frames for fully implementing them. As of August 2020, we were following up with the department to obtain supporting documentation for the activities it claimed it had fully implemented and status updates for the remaining activities.

Recommendation: The Secretary of Homeland Security should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 5)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 6)

Agency: Department of the Interior
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Attorney General should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 7)

Agency: Department of Justice
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 8)

Agency: Department of Labor
Status: Open

Comments: In December 2019, Labor officials provided additional documentation on actions taken to address the recommendation. We plan to review the documentation, and when we confirm what actions the agency has taken, we will provide updated information.

Recommendation: The Secretary of State should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 9)

Agency: Department of State
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency fully implements each of the five key IT workforce planning activities it did not fully implement. (Recommendation 10)

Agency: Department of Veterans Affairs
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 11)

Agency: Environmental Protection Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the General Services Administration should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 12)

Agency: General Services Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 13)

Agency: National Science Foundation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 14)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 15)

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: In December 2019, OPM stated that it had partnered with the General Services Administration's IT Modernization Center of Excellence to assess the current state of its IT workforce planning activities, but had not yet implemented any of the eight key planning activities we recommended. We will continue to monitor OPM's efforts to implement the recommendation.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 16)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of the Social Security Administration should ensure that the agency fully implements each of the five key IT workforce planning activities it did not fully implement. (Recommendation 17)

Agency: Social Security Administration
Status: Open

Comments: In November 2019, Social Security Administration officials provided the agency's recently issued IT workforce strategy for fiscal year 2019 to fiscal year 2022. We plan to review the strategy, and when we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the U.S. Agency for International Development should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 18)

Agency: United States Agency for International Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Agriculture should take action to meet the data center optimization metric targets established by OMB under DCOI. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: In comments on our report, the Department of Agriculture (Agriculture) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its targets for the advanced energy metering and server utilization metrics. However, the department also reported that it had not yet met its target for the virtualization metric. We will continue to monitor Agriculture's progress in implementing this recommendation.

Recommendation: The Secretary of Commerce should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 2)

Agency: Department of Commerce
Status: Open

Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its targets for server utilization. However, the department also reported that it had not yet met its target for the virtualization and advanced energy metering metrics. We will continue to monitor Commerce's progress in implementing this recommendation.

Recommendation: The Secretary of Defense should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: In comments on our report, the Department of Defense agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closures target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor the department's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Defense should identify additional savings opportunities to achieve the targets for data center-related cost savings established under DCOI by OMB. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense is taking action to implement our recommendation. In comments on our report, the department stated that it had already identified significant cost savings through activities such as the identification of system migration candidates and the use of cloud services. The department also said that while it would continue to optimize its data centers, the need for IT would continue to grow, and this growth might ultimately lead to an increase in total data center costs, despite overall per unit cost reductions. In addition, after the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department reported achieving a total savings of $102.30 million and reported plans to save an additional $109.50 million in savings for fiscal year 2020. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor the department's efforts through fiscal year 2020 to address the recommendation.

Recommendation: The Secretary of Defense should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its target for server utilization. However, the department also reported that it had not yet met its target for the virtualization metric and advanced energy metering. We will continue to monitor the department's efforts to address the recommendation.

Recommendation: The Secretary of Energy should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 6)

Agency: Department of Energy
Status: Open

Comments: In comments on our report, the Department of Energy (Energy) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Energy's progress in implementing this recommendation through fiscal year 2020.

Recommendation: The Secretary of Energy should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 7)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Energy's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of the Department of Health and Human Services (HHS) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 8)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor HHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of HHS should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor HHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of the Department of Homeland Security (DHS) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, the Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of DHS should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 11)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, The Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Interior should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The Department of the Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Interior's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Interior should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 13)

Agency: Department of the Interior
Status: Open

Comments: The Department of Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center related cost savings targets. Subsequently, the department reported achieving $0.2 million in data center-related cost savings and planned to save an additional $0.5 million in fiscal year 2020. We will continue to monitor the department's efforts through fiscal year 2020 to address the recommendation.

Recommendation: The Secretary of Interior should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 14)

Agency: Department of the Interior
Status: Open

Comments: The Department of Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Interior's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Attorney General should take action to meet the data center optimization metric targets established for Justice under DCOI by OMB. (Recommendation 15)

Agency: Department of Justice
Status: Open

Comments: In comments on our report, the Department of Justice (Justice) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization and advanced energy metering metrics. However, the department did not have an established target for the server utilization metric. Justice stated that, due to OMB issuance of the revised DCOI guidance and metrics, the department had not developed a baseline and target for server utilization. Once it can track server utilization for a few reporting periods, the department stated that it will finalize its definition for underutilized severs and establish an appropriate target for the metric. We will continue to monitor the department's progress in implementing this recommendation.

Recommendation: The Secretary of the Department of Labor (Labor) should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 16)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its target for the server utilization metric. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Labor's progress in implementing this recommendation.

Recommendation: The Secretary of State should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 17)

Agency: Department of State
Status: Open

Comments: In comments on our report, the Department of State (State) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center optimization closure target. The department subsequently reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor State's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of State should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 18)

Agency: Department of State
Status: Open

Comments: In comments on our report, the Department of State (State) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor State's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Transportation should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 19)

Agency: Department of Transportation
Status: Open

Comments: In comments on our report, the Department of Transportation (Transportation) neither agreed nor disagreed with the recommendation and has begun taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Transportation's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Transportation should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 20)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its target for server utilization. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Treasury should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 21)

Agency: Department of the Treasury
Status: Open

Comments: The Department of Treasury (Treasury) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its target for server utilization. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of the Department of Veterans Affairs (VA) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 22)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had closed 16 data centers to meet its fiscal year 2019 closure target. To fully implement this recommendation, VA will need to demonstrate sustained implementation progress over time, including meeting its fiscal year 2020 data center closure target.

Recommendation: The Secretary of VA should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 23)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had met its fiscal year 2019 cost savings target. To fully implement this recommendation, VA will need to demonstrate sustained implementation progress over time, including meeting its fiscal year 2020 data center cost savings target.

Recommendation: The Secretary of VA should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 24)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had met its fiscal year 2019 targets for three of the four data center optimization metrics tracked by the Office of Management and Budget (OMB). To fully implement this recommendation, VA will need to meet all four of OMB's metrics, and also demonstrate sustained implementation progress over time by continuing to meet the four metrics across fiscal years.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 25)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center closure target. EPA subsequently reported that it based its three planned closures for fiscal year 2019 on the data center definition applicable while developing its fiscal year 2019 DCOI strategic plan. However, when OMB updated its data center guidance it changed the definition of a data center, and as a result, the three facilities EPA planned to close no longer qualified as data centers. Further, EPA did not have plans to close any additional data centers. While EPA reported to us that it completed the planned closures, the three facilities did not represent what OMB now considers a data center, and so, EPA did not report the closures in its data center inventory update. However, we acknowledge that EPA closed the facilities identified in its April 2019 plan and did not plan to close any data centers that met OMB's new definition, meaning that the agency met its revised fiscal year 2019 goal of zero closures. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor EPA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Administrator of EPA should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 26)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) is taking action to implement our recommendation. The agency established new data center optimization targets after the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019. Subsequently, the agency reported meeting its targets for the advanced energy metering and server utilization metrics. However, the agency had not yet met its target for the virtualization metric. We will continue to monitor EPA's progress in implementing this recommendation.

Recommendation: The Administrator of the National Aeronautics and Space Administration should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 28)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: In comments on our report, the National Aeronautics and Space Administration (NASA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NASA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Director of the National Science Foundation should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 29)

Agency: National Science Foundation
Status: Open

Comments: The National Science Foundation (NSF) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NSF's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Chairman of the Nuclear Regulatory Commission should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 30)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: The Nuclear Regulatory Commission (NRC) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NRC's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Director of the Office of Personnel Management (OPM) should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 31)

Agency: Office of Personnel Management
Status: Open

Comments: In comments on our report, The Office of Personnel Management (OPM) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center-related cost savings target. Subsequently, the agency reported meeting its fiscal year 2019 target of $7.65 million and planned to save an additional $7.65 million in fiscal year 2020. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor OPM's progress in implementing this recommendation through fiscal year 2020.

Recommendation: The Director of OPM should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 32)

Agency: Office of Personnel Management
Status: Open

Comments: In comments on our report, the Office of Personnel Management (OPM) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization and server utilization metrics. However, it had not met its target for advanced energy metering. We will continue to monitor OPM's progress in implementing this recommendation.

Recommendation: The Administrator of the Small Business Administration should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 33)

Agency: Small Business Administration
Status: Open

Comments: In comments on our report, the Small Business Administration (SBA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its target for server utilization. However, the agency had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor SBA's progress in implementing this recommendation.

Recommendation: The Commissioner of the Social Security Administration (SSA) should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 34)

Agency: Social Security Administration
Status: Open

Comments: In comments on our report, the Social Security Administration (SSA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center-related cost savings target. The agency subsequently reported meeting its fiscal year 2019 cost savings target of $0. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor SSA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Commissioner of SSA should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 35)

Agency: Social Security Administration
Status: Open

Comments: In comments on our report, the Social Security Administration (SSA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor SSA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Director of the Office of Management and Budget should require agencies to explicitly report, at least on a quarterly basis, the savings and cost avoidance associated with cloud computing investments. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of May 2020, the Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the CIO of Agriculture establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (Agriculture) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, Agriculture officials reported in April 2020 that the department had established an office to assist with cloud migration efforts and instituted a process that requires cloud migration efforts to submit cost data and report cloud savings in accordance with OMB guidance. Officials noted that the department would implement a mechanism within one year once OMB issues guidance related to tracking savings (OMB has not yet implemented guidance in this area). We will continue to monitor Agriculture's progress on these efforts.

Recommendation: The Secretary of Commerce should ensure that the CIO of Commerce establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. In October 2019, Commerce officials noted that the department would update its current procedures related to tracking savings and cost avoidances within one year once OMB issues guidance related to tracking cloud savings (OMB has not yet implemented guidance in this area). As of May 2020, the procedures have not yet been updated. We will continue to monitor Commerce's progress with these efforts.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense (Defense) concurred with our recommendation and stated that the department planned to publish guidance in this area. Specifically, in April 2020, Defense officials reported that the department planned to publish guidance by July 2020 that required all department components to rationalize business and IT applications in alignment with the department's enterprise-wide process for conducting software application rationalization and the department's Cloud Strategy. We will continue to monitor Defense's progress on this effort.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: As of May 2020, the Department of Defense (Defense) has not yet taken any actions to implement our recommendation. We will continue to monitor Defense's progress in implementing this recommendation.

Recommendation: The Secretary of Education should ensure that the CIO of Education completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 8)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would complete an assessment of all IT investments for cloud services. In February 2020, Education officials reported that the department had taken action to update its guidance to include a requirement for assessing new and existing investments for cloud services. However, as of May 2020, based on our review of IT Dashboard data, Education has not yet completed an assessment of 23 investments for these services. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Education should ensure that the CIO of Education establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 9)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would take action to address it. In May 2020, Education officials reported that the department had taken steps to identify a number of cloud investments with cost savings and avoidance data as a part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess new acquisitions for these services. (Recommendation 10)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language that addressed our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 11)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language on assessing investments for cloud services. In addition, as of May 2020, based on our review of data on the IT Dashboard, Energy has not yet completed an assessment of 107 investments for these services. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 12)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the CIO would establish a mechanism to address our recommendation. In February 2020, Energy officials reported that they had identified a number of cloud investments with cost savings as part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of the Department of Health and Human Services (HHS) should ensure that the CIO of HHS establishes guidance on assessing new and existing IT investments for suitability for cloud computing services, in accordance with OMB guidance. (Recommendation 13)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the Office of the CIO would revise its guidance by September 30, 2019 to address it. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 14)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would complete an assessment of all IT investments as part of its portfolio review for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 15)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would take action to track savings as part of its portfolio review process for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of the Department of Homeland Security (DHS) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of accessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of DHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 17)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 18)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation, and stated that it would require components to assess all investments for cloud. However as of April 2020, based on our review of IT Dashboard data, Justice had not yet completed cloud assessments for 80 investments. We will continue to monitor Justice's progress with this effort.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 19)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would take action to address it. In December 2019, Justice officials reported that the department had taken steps to identify cloud investments and related savings data as part of an integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Justice's progress in implementing this recommendation.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 20)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department was taking steps to integrate a process for assessing investments for cloud computing suitability into its budgeting process. Specifically, in February 2020, Labor officials reported that the department was updating its policy to reflect a Cloud First policy that will ensure that all department investment migrations to cloud services are Cloud smart but did not identify a time frame when the policy would be finalized. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 21)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department planned to undertake a full review of data center-based applications for cloud suitability. Specifically, in February 2020, Labor officials reported that the department had created an Engineering Review Board in October 2019 to review proposed IT investments to ensure compliance with the department's cloud architecture, but did not provide a time frame for when all assessments of investments would be completed. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 22)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, in February 2020, Labor officials reported that the department was implementing a tool called Cloudchekr for tracking costs associated with cloud services that would also track related savings and cost avoidances, but no timeframe was provided for when the tool would consistently capture all savings from these efforts. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of State should ensure that the CIO of State establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 23)

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with our recommendation and stated that the department would develop a prototype tracking system ready for testing by the beginning of fiscal year 2020. As of May 2020, we have not received a more recent update from State regarding its implementation of our recommendation. We will continue to monitor State's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 24)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 25)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes guidance on assessing new and existing IT investments for suitability for cloud computing services. (Recommendation 26)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 28)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of the Department of Veterans Affairs (VA) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 29)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun an assessment process and expected to complete this effort by June 30, 2024. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of VA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 30)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun populating a financial management application with data to track overall IT spending and cost savings, but did not provide a timeframe for when a mechanism to track this data would be finalized. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should ensure that the CIO of the General Services Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 31)

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) concurred with our recommendation and stated that the agency planned to develop a process for collecting cost savings data. Specifically, in January 2020, GSA officials reported that the agency intended to develop and document a process for collecting cost and savings data for current and new investments using cloud services. Officials noted that the documentation would provide guidance as to what savings data would be required to be collected, how frequent the data would be reported, and the process for approval, but did not provide a timeframe for when the guidance would be finalized. In addition, officials reported that, once the new process was finalized, the agency would pilot the new process in order to test the approach and the collection of data. As of May 2020, the process has not been finalized. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Administrator of the Small Business Administration should ensure that the CIO of the Small Business Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 32)

Agency: Small Business Administration
Status: Open

Comments: The Small Business Administration (SBA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SBA officials reported that the agency had established a tool for monitoring the costs associated with the migration and deployment of cloud services. However, the documentation SBA provided did not indicate how cloud savings and cost avoidances would be isolated and reported. We will continue to monitor SBA's progress toward implementing this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of the Social Security Administration (SSA) updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 33)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials provided a copy of the agency's updated guidance but the guidance did not include language that addressed our recommendation. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 34)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency had completed an assessment of all investments for cloud services. However, our review of the agency's IT Dashboard data in November found that 24 investments remained to be reviewed. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 35)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency was working toward implementing a tool that would track cloud savings and avoidances but did not provide a timeframe for when the tool would be finalized. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense makes a determination as to how the CMO is to direct the business-related activities of the military departments. (Recommendation 1)

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with this recommendation. The National Defense Authorization Act for Fiscal Year 2020 mandated that DOD assess the CMO's position, and the accompanying conference report indicated that the conferees intend to disestablish the position, pending the outcome of DOD's assessments. We continue to believe that DOD needs a CMO, codified in statute as a separate position, at the right level, and with the adequate amount of resources and appropriate authority to be responsible and accountable for its business transformation efforts. In light of pending requirements to assess the CMO position, GAO will continue to monitor the department's response to these recommendations as those assessments and any related actions are completed.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense makes a determination regarding the CMO's relationship with the DAFAs, including whether additional DAFAs should be identified as providing shared business services and which DAFAs will be required to submit their proposed budgets for enterprise business operations to the CMO for review. (Recommendation 2)

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with this recommendation. The National Defense Authorization Act for Fiscal Year 2020 mandated that DOD assess the CMO's position, and the accompanying conference report indicated that the conferees intend to disestablish the position, pending the outcome of DOD's assessments. We continue to believe that DOD needs a CMO, codified in statute as a separate position, at the right level, and with the adequate amount of resources and appropriate authority to be responsible and accountable for its business transformation efforts. In light of pending requirements to assess the CMO position, GAO will continue to monitor the department's response to these recommendations as those assessments and any related actions are completed.

Recommendation: The Secretary of Defense should ensure that the CMO and Chief Information Officer (CIO) conduct an analysis to determine which responsibilities should transfer from the CIO to the CMO, including identifying any associated resource impacts, and share the results of that analysis with the Congress. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. The National Defense Authorization Act for Fiscal Year 2020 mandated that DOD assess the CMO's position, and the accompanying conference report indicated that the conferees intend to disestablish the position, pending the outcome of DOD's assessments. We continue to believe that DOD needs a CMO, codified in statute as a separate position, at the right level, and with the adequate amount of resources and appropriate authority to be responsible and accountable for its business transformation efforts. In light of pending requirements to assess the CMO position, GAO will continue to monitor the department's response to these recommendations as those assessments and any related actions are completed.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense, on the basis of the determinations regarding the CMO's statutory and discretionary authorities, codify those authorities and how they are to be operationalized in formal department-wide guidance. (Recommendation 4)

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with this recommendation. The National Defense Authorization Act for Fiscal Year 2020 mandated that DOD assess the CMO's position, and the accompanying conference report indicated that the conferees intend to disestablish the position, pending the outcome of DOD's assessments. We continue to believe that DOD needs a CMO, codified in statute as a separate position, at the right level, and with the adequate amount of resources and appropriate authority to be responsible and accountable for its business transformation efforts. In light of pending requirements to assess the CMO position, GAO will continue to monitor the department's response to these recommendations as those assessments and any related actions are completed.

Recommendation: The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.

Recommendation: The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.

Recommendation: The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that Secret Service acquisition directives require the component to conduct a Post Implementation Review of IT programs after such a program achieves Initial Operating Capability. However, it is unclear whether and how this requirement applies to agile projects, and if the Secret Service has included post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring such projects. DHS's draft agile guidance strongly recommends that user satisfaction be assessed at the end of each production deployment, not just one time after Initial Operating Capability. Moreover, the Secret Service has not yet demonstrated that the CIO has included product quality in the modular outcomes and target measures that the CIO sets for monitoring agile projects. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In 2018 and 2019, the Secret Service participated in the Department of Homeland Security's Strategic Workforce Planning initiative, during which the department identified critical competencies and target proficiency levels for various IT workforce roles across the department (e.g., systems analysis, network management). However, it is unclear whether the Secret Service's participation in this initiative included the identification of the required knowledge and skills for all of the roles within the component's IT workforce, or just certain roles. In addition, while the Secret Service also established a standard operating procedure document in December 2019 that, among other things, identified recommended training and certifications for each OCIO division (e.g., network management, cyber security), this procedure document did not identify the required knowledge and skills for the workforce roles within each of those OCIO divisions. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component analyzed its IT workforce to identify its competency needs, as well as determined the projected staffing and competency gaps that it would have in fiscal year 2019. However, it has not yet provided supporting documentation of the analyses that the CIO conducted to determine these competency needs and projected competency gaps. We will continue to follow-up with the Secret Service for documentation of its efforts to implement this recommendation.

Recommendation: The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component determined that it had a projected staffing gap for fiscal year 2019 of 35 staff within the 2210 occupational job series (i.e., IT management staff). The officials also said that they had identified projected competency gaps related to positions such as Cyber Intelligence Analyst and Intelligence Research Specialist. While the Secret Service has not yet provided documentation of the analyses it conducted to determine these gaps, the component provided documentation to demonstrate that it targeted its fiscal year 2019 recruiting events to focus on addressing IT staffing and competency gaps. For example, among other things, in fiscal year 2019 the component conducted outreach and recruiting events focused on defense, cyber, IT, and intelligence hiring, as well as conducted a targeted cyber security hiring campaign with a large online job search service. We will continue to follow-up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps, in order to verify whether the 2019 recruiting events conducted were focused on addressing such gaps.

Recommendation: The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The Secret Service has not yet demonstrated that it has established and tracked metrics for assessing the effectiveness of its recruitment and hiring plans and activities for the IT workforce. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. However, the Secret Service has not yet provided documentation of these training requirements, nor evidence to support that the planned professional development activities are based on the required training for each IT workforce group. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group, as we previously recommended. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts (for example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts). However, the Secret Service has not yet provided supporting documentation of these assessments. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component has implemented a performance management system that enables OCIO supervisors to update the individual performance plans of each IT workforce staff member to include the relevant technical competencies against which each staff member's performance is to be assessed. However, the Secret Service has not yet provided supporting documentation demonstrating that OCIO has updated the performance plans for each IT workforce staff member to include the relevant technical competencies. We will continue to monitor the component's efforts to address this recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet developed procedures that explicitly require that all transactions with an IT component be included in the expenditure reporting to the CIO. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 2)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet documented procedures for ensuring the CIO is included in budget decisions for all programs with IT resources, including those within NNSA and the national laboratories. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 3)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, DOE has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 4)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided IT governance board and budget procedures. However, DOE has not documented procedures by which the CIO is to work with program leadership in planning IT resources for all programs, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 5)

Agency: Department of Energy
Status: Open

Comments: The department has provided IT budget procedures. However, DOE has not documented procedures by which the CIO is to review and approve all major IT investments, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 6)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not documented procedures for the CIO's review of IT resources that are to support major program objectives and significant increases and decreases in IT resources for department and component agency budget requests. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 7)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not developed procedures for documenting steps the CIO is to take to ensure that the IT portfolio includes appropriate estimates of all IT resources. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 9)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation and is planning to take steps towards implementing it. Specifically, DOE plans to implement the Technology Business Management Framework by December 2021. Additionally, the department is coordinating internally to update its financial and procurement systems to better identify IT spending. DOE anticipates that its updates will allow the agency to compare actual IT spending against estimates in the portfolio. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO. (Recommendation 10)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 11)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources. (Recommendation 12)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 13)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 14)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 15)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 16)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with this recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to include requirements for reporting expenditures that apply to all transactions with an IT component. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 17)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to amplify the CIO's role in the planning and budgeting stages for all programs with IT resources. Also, HHS intends to document procedures for ensuring that all delegated authorities are carried out. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 18)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, HHS has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 19)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. For example, HHS plans to develop an asset management policy and introduce a pilot program to manage inventories across the agency. However, the department has not developed policies and procedures that incorporate the processes by which the program leadership are planning the IT portfolio with the CIO for existing investments greater than or equal to $20 million annually and for investments delegated to components. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 20)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to update its IT investment planning policy to amplify the CIO's role in reviewing major investments. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 21)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with this recommendation and has taken steps towards implementing it. Specifically, HHS documented procedures that require the CIO to hold annual IT investment review meetings with components to review changes in IT resources. However, HHS has not documented procedures for the CIO's role in reviewing major program objectives. We will continue to monitor the department's progress toward implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 22)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to assess and update its existing policies and procedures to document the steps the CIO is to take to review the IT portfolio for appropriate estimates of all IT resources. We will continue to monitor the department's progress toward implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 23)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to develop an IT governance policy to define the accountability of the CIO over all IT projects and establish processes detailing quality reviews and the level of rigor that should be applied by its IT governance board. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 24)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT acquisition program policy and related processes. HHS also plans to document standard operating procedures for agency wide dissemination to ensure the effectiveness and efficiency of IT investment governance through transparent and repeatable procedures. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 25)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and are planning to take steps towards implementing it. Specifically, HHS established a working group and developed a roadmap for implementing the Technology Business Management Framework by fiscal year 2022. The agency anticipates that its strategy and approach will enable HHS to, among other things, link IT portfolio data, procurement system data, and financial system data. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 26)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 27)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 28)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 29)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 31)

Agency: Department of Justice
Status: Open

Comments: The department agreed with the recommendation and has taken steps towards implementing it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The FBI Director should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 34)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: FBI agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 35)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 36)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 37)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 38)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 39)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 40)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 41)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 42)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense--in coordination with the military departments; U.S. Strategic Command; the Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs; CAPE; and other relevant components of DOD--identify in the planned charter and DOD directive clear roles and responsibilities for the members of the NDERG. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with the recommendation. In June 2019, in response to our recommendation, the Deputy Secretary of Defense issued a charter for the NDERG that included information about the roles and responsibilities for the members of the NDERG. The charter also indicated that this information should be included in the appropriate DOD directive and/or issuance. This effort is still in progress.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense--in coordination with the military departments; U.S. Strategic Command; the Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs; CAPE; and other relevant components of DOD--establish in the planned charter and DOD directive methods for the NDERG to communicate and collaborate with other organizations that have oversight responsibilities for portions of the nuclear enterprise. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with the recommendation. In June 2019, in response to our recommendation, the Deputy Secretary of Defense issued a charter for the NDERG that included information about the roles and responsibilities for the members of the NDERG. The charter also indicated that this information should be included in the appropriate DOD directive and/or issuance. This effort is still in progress.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense and Chairman of the Joint Chiefs of Staff--in coordination with the Vice Chairman of the Joint Chiefs of Staff, the Under Secretary of Defense for Acquisition and Sustainment (as the Council on Oversight of the National Leadership Command, Control, and Communications System (NLC3S Council) co-chairs), and U.S. Strategic Command--update the applicable DOD guidance (such as the NLC3S Council's and Executive Management Board's charters) and identify whether there is a need to request changes to statutory or presidential guidance in order to clarify changes to roles and responsibilities for NC3 oversight. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with the recommendation. As of July 2020, according to DOD officials, DOD is working to update applicable guidance.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense and Chairman of the Joint Chiefs of Staff--in coordination with the Vice Chairman of the Joint Chiefs of Staff, the Under Secretary of Defense for Acquisition and Sustainment (as NLC3S Council co-chairs),and U.S. Strategic Command--update the applicable guidance to establish methods for communication and collaboration among organizations that have oversight responsibilities for portions of the nuclear enterprise as changes are considered for charters, guidance, and laws to reflect the changes to NC3 oversight. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with the recommendation. As of July 2020, according to DOD officials, DOD is working to update applicable guidance.

Recommendation: The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The agency agreed with the recommendation and, in October 2018, described a a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)

Agency: Department of Education
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.

Recommendation: The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.

Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.

Recommendation: The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)

Agency: Department of Justice
Status: Open

Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)

Agency: Department of Labor
Status: Open

Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.

Recommendation: The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)

Agency: Department of State
Status: Open

Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.

Recommendation: The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)

Agency: Department of Transportation
Status: Open

Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage their technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)

Agency: National Science Foundation
Status: Open

Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agencies' policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)

Agency: Office of Personnel Management
Status: Open

Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)

Agency: Small Business Administration
Status: Open

Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan's revised in 2019 addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Agriculture should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The agency concurred with our recommendation, and in June 2018, USDA CIO delegated the review and approval of acquisition plans and strategies to the Capital Planning and Information Technology Governance Division (CPITGD) through the Associate CIO of the Information Resource Management Center. However, as of June 2020, the agency had not provided evidence to demonstrate that these reviews and approvals are taking place as required by OMB's guidance. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of Commerce should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that the CIO and the Senior Procurement Executive will issue a memo to their acquisition and CIO member offices clarifying the offices joint responsibilities to ensure that all IT acquisitions are submitted to the CIO for review and approval. The memo is also to provide guidance on the process by which the CIO will review proposed contract actions. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of Commerce should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that it intended to clarify its policies and procedures to comply with OMB rules, including the IT acquisition checklist, which must be completed for every proposed contract action. In addition, the CIO and Senior Procurement Executive will work together to review existing acquisition plan review and approval processes. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of HHS should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 10)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with our recommendation and in an April 2018 update stated that HHS has a policy for the HHS IT acquisition review process for acquisition strategies. However, as of February 21, 2020, the agency had not provided evidence that the CIO (or designee) was reviewing and approving IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of State should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 22)

Agency: Department of State
Status: Open

Comments: The agency agreed with our recommendation, and in a December 2019 update provided information on the agency's CPIC process and a template for IT acquisition strategies. However, it is not clear whether the CIO is reviewing and approving IT acquisitions plans through the CPIC process and the template does not provide a place for the CIO review and approval. In addition, we have requested evidence of CIO approval of selected IT acquisitions. We will continue to monitor the implementation of this recommendation

Recommendation: The Secretary of the Treasury should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 23)

Agency: Department of the Treasury
Status: Open

Comments: The agency did not state whether it agreed or disagreed with the recommendation. In March 2019, Treasury issued a memo that requires the CIO to review and approve IT acquisition plans for acquisitions with a total value of $68 million or more, or for actions with a period of performance longer than 5 years. The review and approval of all other IT acquisition plans are delegated to the component CIOs or Chief Technology Officers. However, the agency had not yet provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of Transportation should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 26)

Agency: Department of Transportation
Status: Open

Comments: The agency concurred with the recommendation. In October 2019, Transportation issued guidance requiring that the CIO or designee to review and approve all IT acquisition plans. We have requested that the agency provide us evidence of CIO-approved IT acquisition plans. The agency stated that it planned to respond by May 15, 2020. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of VA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 28)

Agency: Department of Veterans Affairs
Status: Open

Comments: The agency concurred with the recommendation. In November 2019, VA issued guidance that requires the CIO, in conjunction with the Chief Acquisition Officer, to review and approve all IT acquisition strategies and plans. Specifically, the CIO is to review and approve IT acquisitions valued at $15 million or more. The CIO has delegated the review and approval of IT acquisitions less than $15 million to other designees, based on the value of the contract. However, the agency had not provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.

Recommendation: The Administrator of NASA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 32)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The agency concurred with the recommendation, and in September 2017, NASA's CIO delegated the review and approval authority of IT acquisitions to the Center CIOs. We have requested evidence of CIO-approved IT acquisitions. We will continue to monitor the implementation of this recommendation.

Recommendation: The Director of the Office of Personnel Management should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 34)

Agency: Office of Personnel Management
Status: Open

Comments: The agency concurred with the recommendation and in an April 2020 updated stated that OPM has contracted with a third-party vendor to evaluate the OPM IT human capital, architecture, and governance processes from planning to acquisition to implementation. The agency further stated that it is working to fully implement an IT governance process where the OPM CIO fully reviews and approves IT acquisition plans and processes. We will continue to monitor the implementation of this recommendation.

Recommendation: The Director of OMB should continue to identify and report to Congress on the status of the top 10 high priority information technology programs and the extent to which USDS is involved in the programs, as was done in June 2015 and June 2016. In doing so, the Director should ensure that these reports are issued quarterly. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.

Recommendation: The Director of OMB should ensure that the Federal CIO is directly involved in the oversight of high priority programs. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation

Comments: OMB has not taken actions to address this recommendation, stating that the Federal CIO is not typically involved with overseeing individual IT programs. However, we continue to believe it is important for OMB to take this action, as the results of past CIO-led reviews of troubled programs show that CIO oversight can have significant positive results, including producing significant savings. In December 2019, OMB stated that it had no ongoing or planned action to address the recommendation, noting that the recommendation represents a "fundamental disagreement" between OMB and GAO on the role of the Federal CIO in overseeing programs.

Recommendation: The Director of OMB should continue to report on the status of USDS projects. In doing so, the Director should ensure that the reports are issued quarterly. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.

Recommendation: The Secretary of Agriculture should ensure that the CIO of USDA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 9)

Agency: Department of Agriculture
Status: Open

Comments: In September 2019, a Department of Agriculture official stated that the department was working to establish a policy to include the information noted in our recommendation and planned to finalize a policy by the end of December 2019. We will continue to monitor the department's progress on these efforts.

Recommendation: The Secretary of Veterans Affairs (VA) should ensure that the CIO of VA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 10)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) has taken action, and stated that it would draft a policy to address our recommendation. In November 2019, a VA official stated that the department is working to address our recommendation but did not identify timeframes for when all activities would be completed. We will continue to evaluate the department's progress in implementing this recommendation.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should ensure that the CIO of EPA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 11)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) concurred with our recommendation and stated that it planned to develop a policy to implement this recommendation and other FITARA issues. Specifically, EPA officials reported in July 2019 that the agency was continuing to work to address the recommendation but did not provided a time frame for when a policy would be finalized. We will continue to monitor EPA's progress on these efforts.

Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should ensure that the CIO of NASA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 13)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and reported that the agency was in the process of addressing it. Specifically, NASA officials reported in June 2020 that its guidance is currently being updated to include the information noted in our recommendation and will be finalized by September 2020. We will continue to monitor NASA's progress on these efforts.

Recommendation: The Director of the Office of Personnel Management (OPM) should ensure that the CIO of OPM updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 16)

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) concurred with our recommendation and stated that it would update its policies and processes to include the elements we recommended. Specifically, OPM officials reported in November 2019 that guidance on CIO certification was being developed but the agency had not yet determined a time frame for finalizing the policy. We will continue to monitor OPM's progress on these efforts.

Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task an integrated project team, made up of an IT project manager and business owner, with including specific actions in the Public Health and Medical Situational Awareness Strategy Implementation Plan for conducting all activities required to establish and operate the network.

Agency: Department of Health and Human Services
Status: Open

Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real-time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS's operating divisions. However, as of January 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Further, HHS has not provided us with a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make the progress needed to establish an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019.

Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task the integrated project team with developing a project management plan that includes measurable steps--including a timeline of tasks, resource requirements, estimates of costs, and performance metrics--that can be used to guide and monitor HHS's actions to establish the network defined in the plans.

Agency: Department of Health and Human Services
Status: Open

Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real-time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS's operating divisions. However, as of February 2020 agency officials have not indicated whether or not they concur with the recommendation, nor have they taken any action or provided a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make progress toward establishing an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and in the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019 .

Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance, under the leadership of the HHS CIO.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In HHS' Public Health and Social Services Emergency Fund's fiscal year 2021 budget justification-which includes the Office of the Assistant Secretary for Preparedness and Response-the agency stated it "concurred" with this recommendation. However, as of February 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Until then, HHS may continue to lack the necessary progress needed in order to establish an electronic public health situational awareness network capability mandated by PAHPRA. To address this recommendation, HHS needs to direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance.

Recommendation: To better ensure that agencies complete important DCOI planning documentation and that the initiative improves governmental efficiency and achieves intended cost savings, the Director of OMB should direct the Federal chief information officer to formally document a requirement for agencies to include plans, as part of existing OMB reporting mechanisms, to implement automated monitoring tools at their agency-owned data centers.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In June 2019, the Office of Management and Budget (OMB) issued an updated Data Center Optimization Initiative (DCOI) policy that encouraged federal agencies to implement automated monitoring tools at agency-owned data centers using more than 100 kilowatt hours of electricity. However, the updated policy did not require agencies to document a plan for implementing the tools as we recommended. As of January 2020, we have not received further update from OMB and the recommended action has not yet been taken. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce (Commerce) agreed with our recommendation and described planned actions to address it. Specifically, the department noted that, as part of its effort to consolidate, define, and establish a plan to deploy an enterprise-wide automated monitoring tool, it had identified two component agencies that would offer a data center infrastructure management tool as a service. The department added that this approach would allow it to monitor and report cost savings and avoidances more efficiently. In November 2019, Commerce reported that it had 73 agency-owned data centers that the department planned to keep open. However, of those 73, only seven had implemented the required advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 66 of its agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and described planned actions to implement it. Specifically, the department stated that it established plans to implement automated monitoring tools at its 78 department-owned tiered data centers and planned to evaluate whether its 68 department-owned non-tiered data centers should be consolidated or closed. In November 2017 correspondence to GAO, the department further stated that, for the non-tiered centers projected to remain open, it expected to complete plans for automated server utilization by September 30, 2019. In November 2019, Energy reported that it had 92 agency-owned data centers that the department planned to keep open, of which the Office of Management and Budget exempted three from optimization requirements by. However, of the remaining 89 data centers, only 37 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 52 agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and described planned actions to implement it. Specifically, the department stated that HHS would direct its operating and staff divisions to acquire and install automated monitoring tools in all agency-owned data centers by the close of fiscal year 2018. In November 2019, HHS reported that it had 35 agency-owned data centers that the department planned to keep open. Of those 35, 22 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 12 of its agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of the Interior
Status: Open

Comments: The Department of the Interior (Interior) partially concurred with our recommendation. Specifically, the department stated that it was committed to completing its plan on schedule, but that its ability to meet the Office of Management and Budget's (OMB) requirement to implement automated monitoring tools at all department-owned data centers by the end of fiscal year 2018 depended on many factors and variables, including the availability of funding and other resources. Nevertheless, in October 2017 correspondence to GAO, the department stated that it expected to complete planning for the deployment of automated monitoring in agency-owned data centers by September 30, 2018 and to complete implementation by December 31,2023. The letter noted that Interior would prioritize implementation at major tiered data centers, with implementation at other data centers as budgets permitted. In November 2019, Interior reported that it had 55 agency-owned data centers that the department planned to keep open, one of which OMB exempted from optimization requirements. However, of the remaining 54 data centers, only 17 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 37 agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) agreed with our recommendation and, in November 2017 correspondence to GAO, described planned actions to implement it. Specifically, the department stated that its Office of the Chief Information Officer would create a plan of action to address the multi-layer requirements applicable to the department. Transportation expected to develop a plan of action that addressed the Office of Management and Budget's August 2016 Data Center Optimization Initiative (DCOI) guidance memorandum. The department expected to implement its plan by September 30, 2018. In November 2019, Transportation reported that it had 17 agency-owned data centers that the department planned to keep open. However, of those 17 data centers, only one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 17 agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of the Treasury
Status: Open

Comments: In November 2019, the Department of the Treasury reported that it had 16 agency-owned data centers that the department planned to keep open. However, of those 16 data centers, only four had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 12 agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with our recommendation, and in November 2017 correspondence to GAO, described completed and planned actions to address it. Specifically, the department stated that it's Office of Information and Technology (OI&T) was developing a plan to fully comply with the Office of Management and Budget (OMB) requirements to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018. According to the department, OI&T had taken a series of actions such as determining a strategy to meet OMB reporting requirements and reviewing the existing automated tools in use at VA. As part of its planning effort, OI&T was analyzing its data centers, collecting data through a web-based portal and automated tools, and implementing change management processes to manage IT assets in VA data centers. According to the department, OI&T expected to complete a written comprehensive plan by November?30, 2017. In May 2018, VA indicated that it had engaged OMB in discussions regarding how to classify its data centers and that the comprehensive plan would be completed by October 2018. In November 2019, VA reported that it had 279 agency-owned data centers that the department planned to keep open, of which OMB exempted 67 from optimization requirements and another 204 were pending OMB review to determine whether they would also be exempt. However, of the remaining eight data centers, none had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining eight agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Department of State
Status: Open

Comments: The Department of State agreed with our recommendation and described completed and planned actions to address it. Specifically, the department stated that it performed an analysis of tools, including shared services and commercial-off-the-shelf products. The department also stated that it was developing an acquisition strategy based on its research and planned to pursue a commercially available product. However, the department noted that budgetary constraints may delay the acquisition until fiscal year 2019 or later. In October 2019, staff from State's Office of the Chief Information Officer reported that 3,897 of the department's 4,137 servers (94.2 percent) had monitoring tools installed. In January 2020, the staff indicated that the department planned to continue installing tools as funds were available, with the goal of completing installation by the end of fiscal year 2020. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) described planned actions to address our recommendation. Specifically, the agency detailed plans to address OMB's requirements, such as leveraging EPA's current investment in a network monitoring tool and the intent to procure and deploy a data center infrastructure management tool by the end of fiscal year 2018. However, in December 2018, EPA determined it will leverage its current network monitoring tool for server utilization monitoring. The agency expects to have most data center servers monitored by the end of CY 2019. Once servers are monitored, the agency said that it will follow the most current OMB guidance to report required metrics. In November 2019, EPA reported that it had four agency-owned data centers that the agency planned to keep open. However, of those four data centers, one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the agency about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining three agency-owned data centers. We will continue to monitor the status of this recommendation.

Recommendation: The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of NRC should take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) stated that it partially concurred with our recommendation and described plans to address it. Specifically, the agency stated that it plans to consolidate its remaining data centers into two main locations by the end of fiscal year 2018. OPM further stated that this consolidation will obviate the need to implement automated monitoring tools at the data centers that are closing. Finally, the agency noted that it is implementing automated monitoring tools at the designated core data centers. In November 2019, OPM reported that it had two agency-owned data centers that the agency planned to keep open. However, of those two data centers, only one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the agency about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining agency-owned data center. We will continue to monitor the status of this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

Agency: Department of Homeland Security
Status: Open

Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Commerce should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing IT competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, minimally or partially implemented four activities, and not implemented the remaining three activities. In July 2020, the department provided a summary of actions it claimed it had taken to close the recommendation. The department also provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Defense should require the Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) develop competencies for all staff; (2) assess competency needs regularly for all positions; (3) assess gaps in competencies for all components of the workforce; (4) develop strategies and plans to address gaps in competencies; (5) implement activities that address gaps, including developing a program management career path, if justified and cost-effective; (6) monitor the department's progress in addressing competency gaps identified for IT staff; and (7) report to department leadership on progress in addressing competency gaps.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the Department of Defense's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activities to develop competency and staffing requirements and assess competency and staffing needs regularly, substantially implemented four other activities, and partially implemented the remaining two activities. We will continue to monitor the department's efforts to address our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Health and Human Services should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process inclusive of all staff; (2) develop staffing requirements for all positions; (3) assess staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Health and Human Services
Status: Open

Comments: The department agreed with our recommendation and identified plans for (1) collecting and analyzing additional workforce data and (2) conducting targeted recruitment, staff planning, career development, and training. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, partially implemented three other activities, and either minimally or not implemented the remaining four activities. We will continue to monitor the department's efforts to address our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Transportation should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish a time frame for when the department is to finalize its draft workforce planning process and maintain that process; (2) develop staffing requirements for all positions; (3) assess competency and staffing needs regularly for all positions; (4) assess gaps in staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and use of special hiring authorities, if justified and cost-effective;e (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Information Officer and Office of Human Resource Management had established a workgroup to lead and conduct workforce planning activities, and had defined the strategic goals and objectives for the department's IT workforce. The department also stated that the workgroup was planning on subsequently completing additional activities, including completing a workforce analysis with a competency gap assessment, by the end of calendar year 2020, and developing strategies to address any identified gaps by the end of 2021. We will continue to monitor the department's efforts to implement our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of the Treasury should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements for all positions; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing for all components of the workforce; (6) implement activities that address gaps, including a career path for program managers and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps for all components of the workforce.

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The department agreed with our recommendation and identified planned and ongoing efforts to address it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that it had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Human Capital Officer and Office of the Chief Information Officer would be presenting a decision paper to the Human Capital Advisory Council that month to request approval and resources to complete an IT Competency Framework, conduct a competency assessment, and conduct a department-wide workforce planning study for the 2210 (IT management) occupation. We will continue to monitor the department's efforts to implement our recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Commerce
Status: Open

Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019 we followed-up with Commerce on the status of their efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Energy
Status: Open

Comments: We reported that the Department of Energy partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Housing and Urban Development
Status: Open

Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Social Security Administration
Status: Open

Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Labor
Status: Open

Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of the Treasury
Status: Open

Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of State
Status: Open

Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Environmental Protection Agency
Status: Open

Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as although EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Office of Personnel Management
Status: Open

Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process, that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

Agency: Department of Labor
Status: Open

Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, are rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow-up with the department to obtain documentation of its efforts to address the recommendation.

Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.

Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of Defense
Status: Open

Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.

Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and has taken steps to establish a department policy and process for the certification of major IT investments' use of incremental development. Specifically, in September 2020, HHS officials reported that they have established a draft policy and anticipate publishing the finalized guidance by March 2021. We will continue to evaluate HHS's progress in implementing this recommendation.

Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

Agency: Department of the Treasury
Status: Open

Comments: In September 2020, an official from the Department of the Treasury (Treasury) reported that the department had developed draft guidance to address our recommendation, but did not provide time frames for when the guidance would be finalized. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.

Recommendation: To effectively measure 18F's performance, the Administrator of GSA should direct the Commissioner for the Technology Transformation Service to assess actual results for each performance measure.

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, in a March 2020 written response, GSA stated that Technology Transformation Service (TTS) leadership will be briefed on the program's performance measures on a quarterly basis. We are following up with GSA to confirm that its TTS leadership has been briefed on the results on these performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.

Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to ensure that all goals and associated performance measures are outcome-oriented and that performance measures have targets.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common, platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. In May 2018, an USDS staff member stated that USDS established goals for and measured performance on each of the projects the program supports in its fall 2017 report to Congress. Although measuring performance on projects can provide USDS with valuable information, this effort does not address goals and performance measurement on the overall USDS program. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.

Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to assess actual results for each performance measure.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common, platforms, services, and tools. In May 2018, an USDS staff member stated that USDS established goals for and measured performance on each of the projects the program supports in its fall 2017 report to Congress. As of July 2019, USDS has not publicly released any subsequent reports to Congress or additional information on its goals and performance measures. Although measuring performance on projects can provide USDS with valuable information, this effort does not address performance measurement on the overall USDS program. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.

Recommendation: To effectively measure performance, prioritize USDS's resources, and ensure that CIOs play an integral role in agency digital service teams, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to update USDS policy to clearly define the responsibilities and authorities governing the relationships between CIOs and the digital service teams and require existing agency digital service teams to address this policy. In doing so, the Federal Chief Information Officer should ensure that this policy is aligned with relevant federal law and OMB guidance on CIO responsibilities and authorities.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. In May 2018, an USDS staff member stated that the program updated digital service team charters to address the role of agency CIOs. As of May 2020, USDS has yet to provide us with the updated digital service team charters. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. HHS submitted a draft version of this methodology in June 2018. Upon reviewing this documentation, however, we did not see evidence that the department was factoring active risks into its CIO ratings. In May 2019, HHS officials stated that they planned to update their CIO rating methodology to focus on active risk; however, department documentation from August 2020 stated that the new CIO rating methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that the department was amending its CIO rating review process to ensure that active risks are factored into its IT Dashboard CIO ratings. In August 2020, VA submitted documentation for this new process; however, this documentation did not state how the department incorporates active risks into its investments' CIO ratings. We will continue to monitor the implementation of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of State
Status: Open

Comments: The Department of State (State) agreed with the recommendation, and, in an October 2017 response, stated that it currently evaluates risk as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. HHS submitted a draft version of this methodology in June 2018. While this documentation showed that HHS factored investment qualities related to overall project riskiness, it did not specify that active investment risks were also being factored as part of the evaluation. Without an additional focus on active risk, this methodology is unlikely to ensure that HHS's CIO ratings reflect the level of risk facing an investment. In May 2019, HHS officials stated that they planned to update their CIO rating methodology; however, per HHS documentation dated August 2020, this new methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that it will ensure that CIO ratings reflect the level of risk facing its investments. In August 2020, VA submitted documentation for an updated CIO ratings process; however, this process documentation did not state how the department incorporates active risks into its investments' CIO ratings. Without a consideration of active risks, VA's CIO rating process may not produce ratings that reflect the level of risk facing VA's investments. We will continue to monitor the status of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of State
Status: Open

Comments: The Department of State (State) agreed with the recommendation and has provided information on how investment risk is evaluated as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.

Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: According to agency officials, FDA's CIO met with the FDA Commissioner in 2016 where the updated IT strategic plan was reviewed and approved. The Commissioner identified key IT initiatives to be implemented within FY2017 and incorporated them into the CIO's performance management appraisal program. According to officials, the Commissioner requires the CIO to implement a plan to ensure that expected outcomes of the agency's key IT initiatives are achieved. Although FDA provided us with an excel spreadsheet that identifies IT initiatives at the agency's weekly FDA project meeting, we requested additional documentation regarding the plan the CIO is required to implement to ensure that expected outcomes of the agency's key IT initiatives are fulfilled. We contacted FDA in September and December 2019 and January 2020 to obtain additional information on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.

Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. In the Fiscal Year 2019 Joint Report issued in November 2018, DOD had taken some steps to address this recommendation. For example, DOD provided more information on the methodologies used to develop budget estimates. However, DOD did not provide complete documentation of the methodologies used to determine budget estimates in the Joint Report. Specifically, DOD provided additional methodological information not included in the Joint Report to GAO in order to fully account for the estimates presented in the FY 2019 Joint Report. Both the Navy and the Air Force stated they would provide the additional methodological information in the FY 2020 Joint Report. In addition, we again identified some instances in which the Air Force's underlying budget information did not match its estimates in the Joint Report. Air Force officials explained that these discrepancies were due to an accounting error in the internal funding system and that the errors will be rectified in the FY 2020 Joint Report. We will continue to monitor DOD's response to this recommendation as we review future Joint reports.

Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (DOE) concurred with our recommendation and has taken steps to address it. In both the fiscal year 2018 Joint Report and the fiscal year 2019 Joint Report, DOE included significantly more information on the methodologies used to develop its budget estimates. However, in the fiscal year 2019 Joint Report, DOE did not provide complete information on budget estimates over a 10-year period. Instead, it provided 5 years of budget estimates. We will re-evaluate DOE's implementation of this recommendation as we review future joint reports.

Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the DOD CIO, and the Secretary of Energy direct the Administrator of NNSA to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes.

Agency: Department of Energy
Status: Open

Comments: DOE concurred with our recommendation. However, as of the issuance of the fiscal year 2019 Joint Report, DOE had not taken steps to address this recommendation. The fiscal year 2019 Joint Report did not provide comparative information on changes in NNSA program costs relative to costs in prior joint reports. We will re-evaluate DOE's implementation of this recommendation as we review future joint reports.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

Agency: Department of Commerce
Status: Open

Comments: As of January 2020, the Department of Commerce had not implemented this recommendation. In July 2018, the department provided an inventory that shows, by service provider and department component, the number of devices per rate plan and monthly rate; however, the inventory did not include the number of voice minutes, gigabytes of data, and text messages allowed per line per month. Furthermore, the department had not demonstrated that it had accounted for all of its mobile service contracts. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Commerce should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of Commerce
Status: Open

Comments: As of January 2020, the department had not addressed the recommendation. In July 2018, the department described steps it was taking to identify lines that were inactive for a period of three or more continuous months (zero usage). However, as of January 2020, the department had not demonstrated that it has established documented procedures that address the elements of our recommendation. We will continue to monitor the department's progress.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Defense should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with our recommendation; however, as of January 2020, the department had not implemented it. In response to our report, the department stated that it agreed that such an inventory has merits, but that maintaining one comes at considerable expense and effort. The department also stated, in 2016, that while it does not maintain a single, centralized device level inventory, the military departments track and manage their own devices and services . As we stated in our report, the inventory need not be generated centrally at the headquarters level; the department can compile a comprehensive inventory using its components' complete inventories. As of January 2020, the department had not demonstrated that all its components had inventories of unique devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Defense should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense stated that it partially concurred with our recommendation; and has taken steps to address it. However, as of January 2020, the department had not demonstrated that it had implemented the recommendation. In response to our report, the department stated that it agreed that developing an inventory of mobile device contracts has merits, especially in a time of restricted government spending. The department also described several efforts it had undertaken to enhance mobile device management. However, as we stated in our report, any approach to managing mobile device contracts will be hampered by the lack of complete information on the contracts that are already in place. In August 2018, the department developed an inventory of mobile service contracts. However, the department had not demonstrated that the inventory included all its components' mobile service contracts. In August 2019, the department described steps it was taking to ensure that it has a complete inventory of mobile service contracts. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Health and Human Services should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of Health and Human Services
Status: Open

Comments: As of December 2019, the Department of Health and Human Services had not implemented this recommendation. We will continue to monitor the department's implementation of this recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Homeland Security should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of Homeland Security
Status: Open

Comments: In October 2019, the Department of Homeland Security developed an asset and inventory management plan for managing devices under its enterprise blanket purchase agreement. The plan includes procedures for assessing devices for zero usage; however, it does not include procedures for assessing over and under usage. The department also has not demonstrated that it has established procedures for devices not covered by its enterprise blanket purchase agreement.We will continue to monitor the department's efforts.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Interior should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

Agency: Department of the Interior
Status: Open

Comments: The Department of the Interior has not demonstrated that it has fully implemented this recommendation. As of January 2020, the department demonstrated that only one of its components, the Bureau of Reclamation, had an inventory of mobile devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Interior should ensure a reliable department-wide inventory of mobile service contracts is developed and maintained.

Agency: Department of the Interior
Status: Open

Comments: As of January 2020, the Department of the Interior had not demonstrated that it had fully addressed this recommendation. In August 2019, the department developed an inventory of mobile service contracts. However, the department did not demonstrate that it had accounted for all of its mobile service contracts. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Attorney General should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of Justice
Status: Open

Comments: As of January 2020, the Department of Justice has made progress implementing this recommendation; however, more remains to be done. Specifically, in response to our findings, in April 2015, the department's Chief Information Officer issued a memo that required components to establish procedures for regular reviews of invoices for wireless services to identify unused and underused devices or services, as well as any over-usage charges to service plans. One of the components we reviewed, the Federal Bureau of Investigation, established procedures in July 2016 to monitor mobile device usage. In addition, the Justice Management Division (JMD) established procedures in May 2019 that apply to JMD as well some but not all other components. The other component we reviewed in our report, the Drug Enforcement Agency, had not established procedures that address our recommendation. We will continue to monitor the department's progress.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

Agency: Department of State
Status: Open

Comments: As of January 2020, the Department of State had not demonstrated that it has implemented this recommendation. The department has inventories of mobile device; however, the inventories do not include the services associated with each device. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of State should ensure a reliable department-wide inventory of mobile service contracts is maintained.

Agency: Department of State
Status: Open

Comments: As of January 2020, the Department of State had not implemented this recommendation. In June 2019, the department said it has a Telecom Expense Management System which can be used to document an inventory of domestic service contracts; however, the department did not provide the inventory. Furthermore, the department did not demonstrate that it has an inventory of international service contracts. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of Transportation should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of Transportation
Status: Open

Comments: As of January 2020, the Department of Transportation had not addressed the recommendation. In December 2019, an official from the department's Audit Relations and Program Improvement office stated that all the department's telecommunication devices are managed through two programs and that these programs have mechanisms in place to ensure that telecommunications are managed in an effective and efficient manner. However, as of January 2020, the department had not provided evidence to demonstrate that it had implemented the recommendation. We will continue to monitor the department's efforts.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Treasury should ensure an inventory of mobile devices and services is established department-wide (i.e., all components' devices and associated services are accounted for).

Agency: Department of the Treasury
Status: Open

Comments: As of January 2020, the Department of the Treasury had not implemented the recommendation. In August 2019, the department stated that it had established enterprise-wide procurement vehicles for mobile devices. However, as of January 2020, the department had not demonstrated that it has an inventory of mobile devices and associated service information. We will continue to monitor the department's progress in implementing this recommendation.

Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure a complete inventory of mobile devices and associated services is established.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: As of January 2020, the National Aeronautics and Space Administration (NASA) had not implemented the recommendation. We reported in May 2015, that NASA had an inventory of mobile devices and associated service information which included most, but not all, of the devices used by the agency. In November 2019, NASA's Office of the Chief Information Officer (OCIO) stated that the agency was in the process of enrolling devices in a new mobile device management tool, and that when the approximately 15 percent of devices that are not currently on NASA's new End-User Services Technology contract are brought on the contract, NASA will have a monthly deliverable depicting the services of all mobile devices. We will continue to monitor NASA's implementation of this recommendation.

Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure a reliable inventory of mobile service contracts is developed and maintained.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: As of January 2020, the National Aeronautics and Space Administration (NASA) had not demonstrated that it has implemented the recommendation. NASA's Office of the Chief Information Officer (OCIO) stated that NASA had established, on September 1, 2019, the NASA End-User Services and Technology contract to procure mobile services, but as of November 2019, had not yet included 15 percent of its devices on the new contract. We will continue to monitor NASA's efforts to develop and maintain a mobile services contract inventory as described in our report.

Recommendation: To help the agency effectively manage spending on mobile devices and services, the Administrator of the National Aeronautics and Space Administration should ensure procedures to monitor and control spending are established agency-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: As of January 2020, the National Aeronautics and Space Administration (NASA) had not demonstrated that it had implemented the recommendation. In November 2019, NASA's Office of the Chief Information Officer (OCIO) stated that as part of enterprise mobility service contract deliverables, NASA requires monthly reports to monitor and optimize usage (zero, under, and over). NASA's OCIO also stated that the agency established role-based privileges to monitor and report on this activity agency-wide. However, the agency has not demonstrated that it has established procedures to assess device usage in accordance with our recommendation. We will continue to monitor NASA's implementation of the recommendation.

Recommendation: To help the department effectively manage spending on mobile devices and services, the Secretary of the Treasury should ensure procedures to monitor and control spending are established department-wide. Specifically, ensure that (1) procedures include assessing devices for zero, under, and over usage; (2) personnel with authority and responsibility for performing the procedures are identified; and (3) the specific steps to be taken to perform the process are documented.

Agency: Department of the Treasury
Status: Open

Comments: As of January 2020, the Department of the Treasury had not demonstrated that it has implemented the recommendation. In August 2019, an official from the department's Office of the Chief Information Officer stated that the department was collecting and analyzing information on voice and data utilization. However, as of January 2020, the department had not demonstrated that it had established procedures in accordance with our recommendation. We will continue to monitor the department's progress in implementing this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Offices finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.

Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and ensure that the executive-level investment review board meets as outlined in its charter, documents criteria for use by the other boards, and distributes its decisions to appropriate stakeholders.

Agency: Department of Housing and Urban Development
Status: Open

Comments: HUD has not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e. the Executive Operations Committee) that replaced the board discussed in our report. The department also provide evidence of the board's initial governance activities, including providing criteria to guide board decision-making in January 2017. However, the board has not continued to meet and act in accordance with its charter. In April 2019, HUD reported that it was updating its governance process and charters and stated an intent to ensure that executive-level decision making is clearly defined including when a decision needs to be made, at what level that decision needs to be made, what criteria should be used, and how that decision will be communicated. HUD has not yet provided evidence that the updated governance process and charter have been finalized and implemented.

Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish and maintain a complete set of governance policies, establish time frames for establishing policies planned but not yet developed, and update key governance documents to reflect changes made to established practices.

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department has taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy. Since that time, the department has developed additional policies (e.g., IT risk management policy), revised policies for the IT management framework and Agile development, and reported that it reviewed OCIO's existing policies in September 2018. In October 2018, HUD provided a copy of the draft of the revisions to its IT Management Framework (dated February 2018) and OCIO reported plans to continue developing and maintaining IT policies for each of the framework's elements and to review policies for currency annually on the anniversary date of the policy. As of March 2019, HUD reported that a central repository had been developed to store, track and monitor policy reviews. GAO is seeking additional evidence from the newly implemented policy review process.

Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish an IT investment selection process that includes (1) articulating how reviews of project proposals are to be conducted; (2) planning how data (including cost estimates) are to be developed and verified and validated; (3) establishing criteria for how cost, schedule, and project risk are to be analyzed; (4) developing procedures for how proposed projects are to be compared to one another in terms of investment size (cost), project longevity (schedule), technical difficulty, project risk, and cost-benefit analysis; and (5) ensuring that final selection decisions made by senior decision makers and governance boards are supported by analysis, consider predefined quantitative measures, and are consistently documented.

Agency: Department of Housing and Urban Development
Status: Open

Comments: HUD has provided information demonstrating that the department has addressed elements of this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. In May 2018, the department provided a demonstration of its HUD PLUS tool, including how it had used the tool to automate its selection process. The officials demonstrated how the tool is being used to review proposed projects. They reported that segment sponsors are responsible for validating data submitted but have not provided evidence that the department has developed guidance for that process. The officials demonstrated how the tool supports analysis of investment costs, schedule, and risk. They also demonstrated how the tool helps the Office of the Chief Information Officer compare investments based on cost and showed how decision makers access information and can perform analysis for all projects in the system. Department officials have not yet provided evidence that HUD has improved each of the areas noted in our recommendation. OCIO reported in April 2019 that it intends to: conduct the selection process on a more frequent basis and allow more time for annual budget considerations, improve performance metrics, and further incorporate cost-benefit analysis. OCIO also reported that it intends to better incorporate its management and oversight of the portfolio into a more formal "re-select" process. OCIO also reported that HUD was updating its governance policies to detail the criteria, data, and process used to select investments and targeting action to close this recommendation in 2019.

Recommendation: To establish an enterprise-wide view of cost savings and operational efficiencies generated by investments and governance processes, the Secretary of Housing and Urban Development should direct the Deputy Secretary and Chief Information Officer to place a higher priority on identifying governance-related cost savings and efficiencies and establish and institutionalize a process for identifying and tracking comprehensive, high-quality data on savings and efficiencies resulting from IT investments and the IT governance process.

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The department has taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the budget formulation process, along with copies of a template that it designed and used to help identify such savings. In May 2018, department officials provided a demonstration of the HUD PLUS tool, including screens staff could use to report cost savings and avoidances related to specific projects--although they reported that HUD was not yet using that functionality. In April 2019, OCIO reported that HUD was updating its governance process and charters to ensure that executive-level decision making will be clearly defined. OCIO also reported an intent to implement Technology Business Management to, among other things, improve and expand the tracking of investments. HUD expects these two efforts to facilitate better tracking of the savings and efficiencies resulting from IT decisions. The department has not yet provided evidence that it has established guidance supporting a repeatable process for tracking enterprise-wide IT related cost savings and operational efficiencies, including those related to HUD's governance decisions.

Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to improve transparency of and accountability for PortfolioStat by publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2019, OMB had taken steps to improve transparency of and accountability for PortfolioStat, as GAO recommended in November 2013. In October 2015, the agency started displaying actual data consolidation savings data on the federal information technology (IT) dashboard. As of April 2018, however, OMB was not requiring that agencies report planned PortfolioStat cost savings stating this was as a result of agency feedback, and streamlining of data collection efforts based upon the decision that reporting on realized cost savings is more valuable than reporting on planned or projected cost savings.In March 2019, OMB stated that it was "exploring better approaches to cost savings as reported by agencies to the IT Dashboard." We are following up with OMB to determine whether these approaches include publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

Agency: Department of Commerce
Status: Open

Comments: In October 2018, the Commerce described its process for updating its IT asset inventory as part of the budget formulation process and provided a mapping of investments to its enterprise architecture as evidence that it had implemented this recommendation. However, the department did not provide any policies and procedures supporting the process it described to us. In addition, it did not provide any evidence of controls to ensure that all investments had been captured in the enterprise architecture. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to develop a complete commodity IT baseline.

Agency: Department of Commerce
Status: Open

Comments: In October 2018, Commerce officials told GAO about actions taken that they believed addressed the recommendation and provided supporting documentation. Specifically, they stated that they send out an annual data call for bureaus to provide their IT asset inventory as part of the budget submission process. They stated they also perform department-level validation of the bureaus' inventories and aggregate them into a single department inventory. As evidence, they provided a data call memo with supporting instructions and a template for bureaus to establish an IT asset inventory. They also provided examples of three bureau inventories received in response to data calls. In addition, they provided the final aggregated inventory (for fiscal year 2017) and department-level validation of bureau submissions. However, the department did not provide any policies or procedures documenting the process they described. In addition, we could not determine whether the creation of the department-wide inventory was a one-time effort or a recurring activity. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to develop a complete commodity IT baseline.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In January 2019, our contact from the Office of the Chief Information Officer told us that the department had recently established an IT Purchase Request (ITPR) process for controlling spending that had a built-in IT asset inventory process that would address the recommendation. In August 2019, we received documentation on the ITPR process as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, in the future reporting to OMB, the Secretary of Defense should direct the CIO to fully describe the following PortfolioStat action plan element: consolidate commodity IT spending under the agency CIO.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with the recommendation, stating that the commodity IT construct implemented by OMB with PortfolioStat did not work with the department's federated management process. However, the department agreed that a strategy, consistent with the intent of achieving better buying power and control of commodity IT items, should be developed and implemented within the department using existing authorities and stated that it was in the process of implementing this strategy. In January 2019, the Office of the Chief Information Officer's Director for Performance Management stated that while the CIO did not have the authority to consolidate commodity IT spending, the department had taken actions he believed addressed the intent of the recommendation to gain visibility into IT spending. Specifically, he stated that the department established a policy to leverage its buying power for commodity IT purchases (for example for software licenses). In addition, the department recently established an IT Purchase Request (ITPR) process for controlling IT spending. In August 2019, we received documentation related to those actions as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to obtain support from the relevant component agencies for the estimated savings for fiscal years 2013 to 2015 for the data center consolidation, enterprise software purchasing, and General Fund Enterprise Business System initiatives.

Agency: Department of Defense
Status: Open

Comments: The department of Defense concurred with the recommendation and stated that it already reported data center consolidation savings and would continue to realize savings from the Enterprise Software Initiative, other strategic sourcing efforts and the implementation of the General Fund Enterprise Business System initiatives. Through other engagements, in August 2016, we had collected support for data center consolidation and Enterprise Software Initiative savings for fiscal years 2013 to 2015. In January 2019, the Office of the Chief Information Officer's Director for Performance Management told us that the department had not been tracking savings generated by other commodity IT initiatives due to the difficulty in doing so, however, it was tracking an "other" category of savings through OMB's integrated data collection instrument (IDC) process which he believed the intent of our recommendation. He noted that the "other" category tracks savings from various OMB IT reform initiatives. Mr. Johnson said he had sent a recent IDC report along with supporting documentation to GAO to address a recommendation made in GAO-15-296. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, in future reporting to OMB, the Secretary of Defense should direct the Secretary of the Army to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense concurred with the recommendation and stated that, in the future, USACE would fully describe the four action plan elements when reporting to OMB. In August 2016, the department reported that it had addressed and closed the recommendation in February 2015 and cited policies, procedures, and other supporting documentation as evidence. However, the department did not provide the supporting documentation. In April 2018, the department provided several documents as evidence of its efforts to address this recommendation, including an order outlining the capital planning investment management process for the fiscal year 2017. We determined that the documents did not support the department's claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.

Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, the Secretary of Defense should direct the Secretary of the Army to report on the agency's progress in consolidating eCPIC to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In August 2016, the department reported that it had addressed and closed the recommendation in October 2014 and described several actions that it believed contributed to addressing the recommendation, including, continued improvements to data center reporting, and greater understanding of IT infrastructure costs. However, the department did not provide any documentation to support its claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to develop a complete commodity IT baseline.

Agency: Environmental Protection Agency
Status: Open

Comments: In September 2016, we reported that the Environmental Protection Agency's (EPA) Registry of Environmental Protection Agency Applications, Models and Databases (READ) system had a complete inventory of enterprise IT and business systems-two of three categories of IT assets that make up a commodity IT baseline-and that the agency had processes in place to regularly update this inventory to ensure its completeness (see GAO-16-511). We have been following up with EPA to obtain its inventory of IT infrastructure systems-the third commodity IT category--and determine the agency's process to ensure the completeness of this inventory. In a December 2019 update, EPA told us that it was working on a response to the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Environmental Protection Agency should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; and (3) establish criteria for identifying wasteful, low-value, or duplicative investments.

Agency: Environmental Protection Agency
Status: Open

Comments: In November 2016, the Environmental Protection Agency (EPA) reported making progress in addressing the three action plan elements through implementation of the Federal Information Technology Acquisition Reform Act (FITARA) and efforts to assess applications in its inventory. In June 2019, the agency provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to report on the agency's progress in consolidating the managed print services and strategic sourcing of end user computing to shared services as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Environmental Protection Agency
Status: Open

Comments: Between July and December 2016, the Environmental Protection Agency (EPA) reported that it had implemented a managed print service contract for headquarters in 2014 and was preparing to award a new contract to also cover its regions. The agency also reported that it plans to use one of the government-wide contracts identified in OMB's policy on improving the acquisition and management of common IT for its end user computing needs. EPA, however, did not provide documentation supporting these efforts. In a December 2019 update, EPA told us that it was working on a response to the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, the Attorney General should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

Agency: Department of Justice
Status: Open

Comments: In October 2019, the department stated that its budget formulation process ensures that all investments are included in its enterprise architecture (EA). Specifically, the department stated that, as part of the budget formulation process, the EA group reviews investments and aligns them to the business areas within the EA framework by assigning them business reference model codes. To support its claims, in November 2019, the department provided a list of investments showing their alignment with the business reference model codes for the fiscal year 2021 budget formulation process. However, the department did not provide evidence of the EA group's review process. As of January 2020, we were following up with the department to obtain this evidence.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the National Aeronautics and Space Administration should direct the CIO to reflect 100 percent of information technology investments in the agency's enterprise architecture.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: In February 2018, NASA reported that it was making revisions to its enterprise architecture policy that would assist with ensuring that 100 percent of the agency's information technology investments are in the enterprise architecture. In July and December 2018, the agency provided updates on its efforts along with supporting documentation, though not enough to fully address the recommendation. In July 2019, the agency stated it also had efforts underway to centralize IT governance under the Chief Information Officer and this would contribute to reflect all investments in the enterprise architecture. The agency stated it would continue to update us on the status of its efforts to address the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to develop a complete commodity IT baseline.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, OPM stated that it was developing a service catalog with cost information and allocation components which together with the agency's software inventory would be used for cost avoidance moving forward. However, OPM did not provide supporting documentation. In addition, it was not clear whether the service catalog and software inventory would together include enterprise IT, IT infrastructure, and business systems, the three categories of IT assets that comprise a commodity IT baseline. We will continue to monitor OPM's efforts to address the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the Office of Personnel Management should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) move at least two commodity IT areas to shared services and (2) target duplicative systems or contracts that support common business functions for consolidation.

Agency: Office of Personnel Management
Status: Open

Comments: In October 2018, OPM provided evidence that it had addressed the action plan element regarding the migration of two commodity IT areas to shared services. Specifically, OPM provided an August 2016 interagency agreement showing plans to migrate its financial management system to a shared service and a May 2018 interagency agreement showing plans to migrate its human resources and time and attendance system to a shared service. However, the interagency agreements were not signed. Regarding the action plan element to target duplicative systems or contracts that support common business functions for consolidation, OPM stated did that it had targeted laptops and mobile phones for consolidation. In addition, OPM did not provide any evidence of reporting to OMB for either action plan element. In February 2020, OPM stated that, in addition to entering into an interagency agreement for its financial management system and consolidating the procurement of agency-wide laptops and cellphones using an enterprise wide contract, it was also working to close two of its five major data centers to consolidate to three. OPM said that it was gathering the documentation to support its claims.

Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to report on the agency's progress in consolidating the help desk consolidation and IT asset inventory to shared services as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, OPM stated that its IT help desk function had become a shared service starting in October 2019. However, OPM did not provide supporting documentation. In addition, OPM stated it did not have any updates on the IT asset inventory. We will continue to monitor the agency's efforts to address this recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of the Treasury should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

Agency: Department of the Treasury
Status: Open

Comments: In September 2014, the Department of the Treasury reported that it did not plan to consolidate commodity IT spending under the agency CIO. Specifically, the department stated that commodity IT investment decisions were consolidated under the Treasury Technology Investment Review Board which is co-chaired by the agency CIO and Assistant Secretary for Management; and that it did not see the benefit of combining the budget authorities of the various bureau infrastructure investments. In regards to establishing criteria to identify wasteful, low-value, and duplicative investments, in September 2014, the department stated that the Treasury Technology Investment Review Board and Technology Advisory Working Group had established an approach that considers risk, value and cost in reviewing investment requests to identify wasteful, low-value, and duplicative investments. As of May 2019, we were reviewing documentation we received from the department in September 2018 to determine whether the recommendation has been fully addressed.

Recommendation: To improve the department's implementation of PortfolioStat, as the department finalizes and matures its enterprise architecture and valuation methodology, the Secretary of the Treasury should direct the CIO to utilize these processes to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

Agency: Department of the Treasury
Status: Open

Comments: In September 2014, the Department of the Treasury described several examples of processes it had established to identify opportunities to reduce duplicative, low-value or wasteful investments, including annual reviews of each major IT investment and monthly portfolio reviews. As of May 2019, we were reviewing updated information we received in September 2018 to determine whether the recommendation has been fully addressed.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce has not implemented this recommendation. Since we reported in 2012 that the department had established metrics for measuring enterprise architecture outcomes but not a method for measuring the metrics, the department issued an Enterprise Architecture Value Measurement Plan in April 2018. This plan included outcome metrics; however, the department had not documented a method for measuring the metrics. In January 2020, the department's Office of the Chief Information Officer (CIO) stated that the department recently appointed a new CIO (acting) and was in the process of revisiting strategic planning initiatives and implementation to ensure they are congruent with the IT strategic vision and objectives. The Office of the CIO also said it was hiring a new Chief Enterprise Architect, which would impact previous initiatives and strategies. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of Defense
Status: Open

Comments: In December 2019, the Department of Defense Office of the Chief Information Officer stated that it would establish an approach to measuring enterprise architecture outcomes defined in the DOD Digital Modernization Strategy, by September 2020.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: The Department of the Navy has not demonstrated that it has implemented our recommendation. In November 2017, the department described steps it had taken to address the recommendation. However, as of January 2020, the department had not provided documentation demonstrating that it had established metrics and a method for measuring enterprise architecture outcomes. We will continue to monitor the department's efforts to address the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of Defense: Department of the Army
Status: Open

Comments: As of January 2020, the Department of the Army had taken steps to address this recommendation, but much more remains to be done. Specifically, in December 2013, the department developed its Army Business Management Strategy, which included metrics to measure the number of business systems retired over five years and cost savings and avoidance through use of the Army's business enterprise architecture. However, as of January 2020, the department had not demonstrated that it had documented the steps to measure the metrics. In January 2020, the department's chief architect stated that the department was in the process of establishing a baseline architecture. We will continue to monitor the Army's efforts to establish an architecture and an approach for measuring architecture outcomes in accordance with our recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of Energy
Status: Open

Comments: In August 2020, the Department of Energy demonstrated that it had taken steps to implement the recommendation. Specifically, in March 2020, the department developed a draft plan to measure business architecture performance. We will monitor the department's efforts to finalize and implement its plan.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of Labor
Status: Open

Comments: The Department of Labor has not addressed the recommendation. In August 2020, the department stated that it was continuing to evaluate processes for reviewing and assessing enterprise architecture value.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Department of State
Status: Open

Comments: In February 2020, the Department of State developed an enterprise architecture plan, which identified several benefits that may be achieved by executing the plan. These benefits included, for example, lower support and acquisition costs and reuse of technology and investments. However, the department did not demonstrate that it had established an approach for measuring the potential benefits in the plan. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency has not implemented this recommendation. In December 2019, the agency stated that its chief architect and technical architecture staff were working to reformulate the enterprise architecture program and described several goals and activities that were underway. The agency also stated that the program was examining industry best practices on architecture metrics to determine which would be best for EPA's enterprise architecture program. As metrics are adopted to assess the value of the architecture program, the program will work them into the agency-wide process for performance metrics. We will continue to monitor the agency's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) has not yet implemented this recommendation. In July 2019, NASA's Associate Chief Information Officer for Enterprise Service and Integration said the agency was in the process of developing an enterprise architecture policy directive and procedural requirements. He anticipated that they would be completed in October 2020.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Small Business Administration
Status: Open

Comments: As of June 2020, the Small Business Administration had not implemented this recommendation. In August 2019, SBA developed an enterprise architecture program performance guide and value measurement plan. According to the plan, the agency plans to measure cost savings/avoidance and reduction of duplication. However, the agency has not demonstrated that it has documented the steps to be followed to measure the outcomes. Specifically, it did not demonstrate that it had established a method to measure the cost savings/avoidance or the number of duplicate investments reduced.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should fully establish an approach for measuring enterprise architecture outcomes, including a documented method (i.e., steps to be followed) and metrics that are measurable, meaningful, repeatable, consistent, actionable, and aligned with the agency's enterprise architecture's strategic goals and intended purpose.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, a Senior Analyst in the Office of Personnel Management's (OPM) Office of Internal Oversight and Compliance stated that, as of January 2020, OPM's Office of the Chief Information Officer (CIO) had established an approach for developing an enterprise architecture. The liaison also stated that, since May 2019, the office of the CIO had established bi-weekly checkpoints with leadership and stakeholders to monitor and report progress and to document established metrics. However, the agency has not demonstrated that it has established a documented method and metrics for measuring enterprise architecture outcomes.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Agriculture
Status: Open

Comments: In August 2020, the Department of Agriculture demonstrated that it had established an approach to measuring enterprise architecture outcomes; however, it had not yet measured and reported them. The department conducted a survey in February 2020 that collected information such as the number of legacy systems that were identified and subsequently decommissioned, and the number of applications that have been eliminated as a result of application rationalization through use of enterprise architecture. The department stated that it will release the second survey in the first quarter of fiscal year 2021, and the differences in the responses between the first and second surveys will be presented to the CIO Council to show the impact of enterprise architecture. The department did not state when it plans to report the results. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce has not implemented this recommendation. In April 2018, the department issued an Enterprise Architecture Value Measurement Plan; however, the department has not demonstrated that it has measured and reported enterprise architecture outcomes. In January 2020, the department's Office of the Chief Information Officer (CIO) stated that the department recently appointed a new CIO (acting) and was in the process of revisiting all strategic planning initiatives and implementation to ensure they are congruent with the IT strategic vision and objectives. The Office of the CIO also said it was hiring a new Chief Enterprise Architect, which would impact previous initiatives and strategies. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Defense
Status: Open

Comments: In December 2019, the Department of Defense Office of the Chief Information Officer stated that it would establish a documented approach to measuring enterprise architecture outcomes defined in the DOD Digital Modernization Strategy by September 2020, and report outcomes by December 2021.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: The Department of the Navy has not demonstrated that it has implemented our recommendation. In November 2017, the department described steps it had taken to address the recommendation. However, as of January 2020, it had not provided documentation demonstrating that it has measured and reported enterprise architecture outcomes. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Energy
Status: Open

Comments: As of August 2020, the Department of Energy had not implemented the recommendation. In May 2020, the department described steps it had taken to develop its enterprise architecture. For example, it said that the department had established a Technical Reference Model, which supports processes and criteria for selecting and reviewing software across the department's headquarters. The department said it used the reference model to identify software products that could be eliminated or consolidated to achieve cost savings. However, as of August 2020, the department had not provided documents demonstrating that it had measured and reported architecture outcomes. We will continue to monitor the status of the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Labor
Status: Open

Comments: The Department of Labor has not addressed the recommendation. In August 2020, the department stated that it was evaluating processes for reviewing and assessing enterprise architecture value.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of Veterans Affairs
Status: Open

Comments: In January 2020, the Department of Veterans Affairs stated that it plans to measure enterprise architecture performance by the end of March 2020. We will continue to monitor the department's efforts to address the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Department of State
Status: Open

Comments: In February 2020, the Department of State developed an enterprise architecture plan, which identified several benefits that may be achieved by executing the plan. These benefits included, for example, lower support and acquisition costs and reuse of technology and investments. However, the department did not demonstrate that it had measured and reported outcomes attributed to its architecture. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency has not implemented this recommendation. In December 2019, the agency stated that its chief architect and technical architecture staff were working to reformulate the enterprise architecture program and described several goals and activities that were underway. The agency also stated that the program was examining industry best practices on architecture metrics to determine which would be best for EPA's enterprise architecture program. As metrics are adopted to assess the value of the architecture program, the program will work them into the agency-wide process for performance metrics. We will continue to monitor the agency's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) has not implemented this recommendation. In July 2019, NASA's Associate Chief Information Officer for Enterprise Service and Integration said the agency was in the process of developing an enterprise architecture policy directive and procedural requirements. He anticipated that they would be completed in October 2020.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Small Business Administration
Status: Open

Comments: As of June 2020, the Small Business Administration (SBA) had not implemented this recommendation. SBA's Office of the CIO stated that it achieved IT cost savings and avoidance as a result of IT infrastructure service and support reduction and data center optimization in fiscal years 2014 through the third quarter of fiscal year 2019. In a March 2020 memo to GAO, the Chief Information Officer explained that the agency's enterprise architecture team reviewed IT acquisition requests, which led to reducing duplicative IT investments and resulted in the cost savings and avoidance. However, the agency did not demonstrate that it had reliably measured the cost savings and avoidance. Specifically, it did not provide documentation demonstrating how it calculated most of the savings it reported.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Homeland Security, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and Small Business Administration; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; and the Directors of the National Science Foundation and the Office of Personnel Management should periodically measure and report enterprise architecture outcomes and benefits to top agency officials (i.e., executives with authority to commit resources or make changes to the program) and to OMB.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, a Senior Analyst in the Office of Personnel Management's (OPM) Office of Internal Oversight and Compliance stated that, as of January 2020, OPM's Office of the Chief Information Officer (CIO) had established an approach for developing an enterprise architecture. The liaison also stated that, since May 2019, the office of the CIO had established bi-weekly checkpoints with leadership and stakeholders to monitor and report progress and to document established metrics. However, the agency has not provided documentation demonstrating that it has measured and reported enterprise architecture outcomes.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, the Secretaries of the Departments of Health and Human Services and Housing and Urban Development should ensure that enterprise architecture outcomes are periodically measured and reported to top agency officials.

Agency: Department of Health and Human Services
Status: Open

Comments: As of January 2020, the Department of Health and Human Services had not implemented this recommendation. Specifically, it had not demonstrated that it had measured architecture metrics that it had established in its April 2014 Enterprise Roadmap. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To enhance federal agencies' ability to realize enterprise architecture benefits, and to assist agencies in measuring and reporting outcomes achieved through enterprise architecture, the Director of OMB should ensure that the planned December 2012 guidance for enterprise architecture value measurement and reporting includes (1) sufficient details on the method and metrics that agencies could use to measure their architecture program's value and (2) a requirement for agencies to include in their April 2013 enterprise roadmap submissions a measurement method (i.e., steps to be followed) and metrics, and report on the outcomes and benefits achieved through enterprise architecture.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of December 2019, the Office of Management and Budget (OMB) had not fully addressed our recommendation. In March 2013, the office required agencies to submit annually an Enterprise Roadmap, which was to include an appendix on enterprise architecture outcomes. To prepare the appendix, the office provided agencies with a template to document architecture metrics and measurement methods. The template included examples of outcome metrics and a field where agencies were to document measurement methods. However, OMB did not provide details on the methods that agencies could use to measure architecture outcomes or require that agencies include the steps to be followed for measuring outcomes. In March 2019, OMB said that it was working with agencies to determine approaches for measuring and reporting outcomes achieved through enterprise architecture. However, as of December 2019, OMB had not demonstrated that it had fully addressed the recommendation. We will continue to follow up with OMB on its efforts to implement the recommendation.

Recommendation: To ensure that DOD continues to implement the full range of institutional management controls needed to address its business systems modernization high-risk area, the Secretary of Defense should ensure that the Deputy Secretary of Defense, as the department's Chief Management Officer, establish a policy that clarifies the roles, responsibilities, and relationships among the Chief Management Officer, Deputy Chief Management Officer, DOD and military department Chief Information Officers, Principal Staff Assistants, military department Chief Management Officers, and the heads of the military departments and defense agencies, associated with the development of a federated business enterprise architecture (BEA). Among other things, the policy should address the development and implementation of an overarching taxonomy and associated ontologies to help ensure that each of the respective portions of the architecture will be properly linked and aligned. In addition, the policy should address alignment and coordination of business process areas, military department and defense agency activities associated with developing and implementing each of the various components of the BEA, and relationships among these entities.

Agency: Department of Defense
Status: Open

Comments: While the Department of Defense (DOD) had taken steps to improve its business enterprise architecture, it had not implemented the recommendation as of November 2019. In August 2013, the department established the Business Enterprise Architecture Configuration Control Board, which is chaired by the business enterprise architecture chief architect (Office of the DOD CMO) and includes representatives from the Defense Business Council member organizations. These organizations include, among others, DOD's CIO and the military department CMOs. According to its charter, the Business Enterprise Architecture Configuration Control Board is the principal body for managing the disposition of proposed architecture requirements and change requests. However, the charter does not discuss roles and responsibilities associated with the development of the business enterprise architecture. Specifically, it does not address alignment and coordination of business process areas or military department and defense agency activities associated with developing and implementing each of the various components of the business enterprise architecture, and the relationships among these entities. In addition, in September 2018, the department stated that it was drafting a business enterprise architecture concept of operations that was to outline roles and responsibilities associated with the development of the architecture. However, as of November 2019, the department had not completed the concept of operations or otherwise demonstrated that it had established roles and responsibilities for the development of the architecture. In October 2018, an official from the Office of the CMO described the department's new approach to developing its business enterprise architecture. In addition, the department demonstrated that it had developed a taxonomy for the architecture and was in the process of developing an ontology to help ensure that each of the respective portions of the architecture would be appropriately linked and aligned. In November 2019, the official stated that the ontology had been implemented in the department's new business enterprise architecture tool; however, the department did not demonstrate that it had finished developing the ontology. Specifically, the department's October 2019 ontology document identifies basic concepts, such as "Goal", "Objective", and "LOB" (i.e., line of business) as classes, and the properties and attributes of, and relationships among, classes. However, the document does not include annotations such as for the "description" attribute for an LOB, which would provide information needed to create a specific instance of a class applicability; and had not demonstrated that it had developed ontologies for its business domains, such as acquisition, human resource management, and financial management. Also, the document does not demonstrate if allowed values have been defined for some attributes, such as the options allowed in an "option list" for "status" attributes. Further, the department had not documented general information about the ontology, such as its scope and intended applicability; and had not demonstrated that it had developed ontologies for its business domains, such as acquisition, human resource management, and financial management.

Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies.

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: In 2018, we confirmed that FDA, in response to our recommendation, began efforts to identify which legacy systems will be replaced. FDA also developed an IMS for fiscal year (FY) 2017 and 2018 that identifies current and future tasks to be performed by contractors and FDA. However, FDA's IMS for FY 2017 and 2018 does not fully and clearly define resources. For example, although the FY 2017 IMS includes 265 names, roles, and teams, only 16 percent of activities have resource assignments. Further, FDA's fiscal year 2018 IMS does not fully define critical dependencies. For example, there are 14 activities and milestones with finish dates that are not properly tied to logic. Specifically, the finish dates of the 14 activities are not clearly tied to succeeding activities in the schedule. We contacted FDA in September and December 2019 and January 2020 for an update on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.