Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau develops and obtains management approval of mitigation and contingency plans for all risks that require them. (Recommendation 1)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: As of May 2020, the Bureau's program risk registers included a clear indication of the status of mitigation plans; however, the Bureau's portfolio risk register did not, without which there was not a clear indication of which portfolio risk mitigation plans had been approved by management. As of August 2020, the Bureau's portfolio risk register also included a clear indication of mitigation plan status. At that time, we reviewed the Bureau's program and portfolio risk registers to determine whether the Bureau had developed and obtained management approval of mitigation and contingency plans for all risks that required them. We found six risks that met the Bureau's requirements for a contingency plan but did not have an approved contingency plan in place. We notified the Bureau and asked them to ensure that approved mitigation and contingency plans were in place for all risks that required them. We will continue to monitor the Bureau's actions to implement this recommendation.

Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response-with performance measures and milestones, where appropriate-to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census and documented it in their knowledge management tool. In August 2020, we requested documentation of these actions. Once received, we will assess whether these actions suffice to close the recommendation.

Recommendation: The Secretary of Agriculture should take action to meet the data center optimization metric targets established by OMB under DCOI. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: In comments on our report, the Department of Agriculture (Agriculture) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its targets for the advanced energy metering and server utilization metrics. However, the department also reported that it had not yet met its target for the virtualization metric. We will continue to monitor Agriculture's progress in implementing this recommendation.

Recommendation: The Secretary of Commerce should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 2)

Agency: Department of Commerce
Status: Open

Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its targets for server utilization. However, the department also reported that it had not yet met its target for the virtualization and advanced energy metering metrics. We will continue to monitor Commerce's progress in implementing this recommendation.

Recommendation: The Secretary of Defense should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: In comments on our report, the Department of Defense agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closures target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor the department's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Defense should identify additional savings opportunities to achieve the targets for data center-related cost savings established under DCOI by OMB. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense is taking action to implement our recommendation. In comments on our report, the department stated that it had already identified significant cost savings through activities such as the identification of system migration candidates and the use of cloud services. The department also said that while it would continue to optimize its data centers, the need for IT would continue to grow, and this growth might ultimately lead to an increase in total data center costs, despite overall per unit cost reductions. In addition, after the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department reported achieving a total savings of $102.30 million and reported plans to save an additional $109.50 million in savings for fiscal year 2020. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor the department's efforts through fiscal year 2020 to address the recommendation.

Recommendation: The Secretary of Defense should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its target for server utilization. However, the department also reported that it had not yet met its target for the virtualization metric and advanced energy metering. We will continue to monitor the department's efforts to address the recommendation.

Recommendation: The Secretary of Energy should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 6)

Agency: Department of Energy
Status: Open

Comments: In comments on our report, the Department of Energy (Energy) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Energy's progress in implementing this recommendation through fiscal year 2020.

Recommendation: The Secretary of Energy should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 7)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Energy's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of the Department of Health and Human Services (HHS) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 8)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor HHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of HHS should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor HHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of the Department of Homeland Security (DHS) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, the Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of DHS should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 11)

Agency: Department of Homeland Security
Status: Open

Comments: In comments on our report, The Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Interior should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The Department of the Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Interior's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Interior should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 13)

Agency: Department of the Interior
Status: Open

Comments: The Department of Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center related cost savings targets. Subsequently, the department reported achieving $0.2 million in data center-related cost savings and planned to save an additional $0.5 million in fiscal year 2020. We will continue to monitor the department's efforts through fiscal year 2020 to address the recommendation.

Recommendation: The Secretary of Interior should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 14)

Agency: Department of the Interior
Status: Open

Comments: The Department of Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Interior's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Attorney General should take action to meet the data center optimization metric targets established for Justice under DCOI by OMB. (Recommendation 15)

Agency: Department of Justice
Status: Open

Comments: In comments on our report, the Department of Justice (Justice) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization and advanced energy metering metrics. However, the department did not have an established target for the server utilization metric. Justice stated that, due to OMB issuance of the revised DCOI guidance and metrics, the department had not developed a baseline and target for server utilization. Once it can track server utilization for a few reporting periods, the department stated that it will finalize its definition for underutilized severs and establish an appropriate target for the metric. We will continue to monitor the department's progress in implementing this recommendation.

Recommendation: The Secretary of the Department of Labor (Labor) should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 16)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its target for the server utilization metric. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Labor's progress in implementing this recommendation.

Recommendation: The Secretary of State should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 17)

Agency: Department of State
Status: Open

Comments: In comments on our report, the Department of State (State) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center optimization closure target. The department subsequently reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor State's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of State should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 18)

Agency: Department of State
Status: Open

Comments: In comments on our report, the Department of State (State) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor State's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Transportation should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 19)

Agency: Department of Transportation
Status: Open

Comments: In comments on our report, the Department of Transportation (Transportation) neither agreed nor disagreed with the recommendation and has begun taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Transportation's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Secretary of Transportation should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 20)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its target for server utilization. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Treasury should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 21)

Agency: Department of the Treasury
Status: Open

Comments: The Department of Treasury (Treasury) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its target for server utilization. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of the Department of Veterans Affairs (VA) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 22)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had closed 16 data centers to meet its fiscal year 2019 closure target. To fully implement this recommendation, VA will need to demonstrate sustained implementation progress over time, including meeting its fiscal year 2020 data center closure target.

Recommendation: The Secretary of VA should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 23)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had met its fiscal year 2019 cost savings target. To fully implement this recommendation, VA will need to demonstrate sustained implementation progress over time, including meeting its fiscal year 2020 data center cost savings target.

Recommendation: The Secretary of VA should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 24)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had met its fiscal year 2019 targets for three of the four data center optimization metrics tracked by the Office of Management and Budget (OMB). To fully implement this recommendation, VA will need to meet all four of OMB's metrics, and also demonstrate sustained implementation progress over time by continuing to meet the four metrics across fiscal years.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should take action to meet the data center closure targets established under DCOI by OMB. (Recommendation 25)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center closure target. EPA subsequently reported that it based its three planned closures for fiscal year 2019 on the data center definition applicable while developing its fiscal year 2019 DCOI strategic plan. However, when OMB updated its data center guidance it changed the definition of a data center, and as a result, the three facilities EPA planned to close no longer qualified as data centers. Further, EPA did not have plans to close any additional data centers. While EPA reported to us that it completed the planned closures, the three facilities did not represent what OMB now considers a data center, and so, EPA did not report the closures in its data center inventory update. However, we acknowledge that EPA closed the facilities identified in its April 2019 plan and did not plan to close any data centers that met OMB's new definition, meaning that the agency met its revised fiscal year 2019 goal of zero closures. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor EPA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Administrator of EPA should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 26)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) is taking action to implement our recommendation. The agency established new data center optimization targets after the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019. Subsequently, the agency reported meeting its targets for the advanced energy metering and server utilization metrics. However, the agency had not yet met its target for the virtualization metric. We will continue to monitor EPA's progress in implementing this recommendation.

Recommendation: The Administrator of the National Aeronautics and Space Administration should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 28)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: In comments on our report, the National Aeronautics and Space Administration (NASA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NASA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Director of the National Science Foundation should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 29)

Agency: National Science Foundation
Status: Open

Comments: The National Science Foundation (NSF) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NSF's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Chairman of the Nuclear Regulatory Commission should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 30)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: The Nuclear Regulatory Commission (NRC) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NRC's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Director of the Office of Personnel Management (OPM) should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 31)

Agency: Office of Personnel Management
Status: Open

Comments: In comments on our report, The Office of Personnel Management (OPM) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center-related cost savings target. Subsequently, the agency reported meeting its fiscal year 2019 target of $7.65 million and planned to save an additional $7.65 million in fiscal year 2020. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor OPM's progress in implementing this recommendation through fiscal year 2020.

Recommendation: The Director of OPM should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 32)

Agency: Office of Personnel Management
Status: Open

Comments: In comments on our report, the Office of Personnel Management (OPM) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization and server utilization metrics. However, it had not met its target for advanced energy metering. We will continue to monitor OPM's progress in implementing this recommendation.

Recommendation: The Administrator of the Small Business Administration should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 33)

Agency: Small Business Administration
Status: Open

Comments: In comments on our report, the Small Business Administration (SBA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its target for server utilization. However, the agency had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor SBA's progress in implementing this recommendation.

Recommendation: The Commissioner of the Social Security Administration (SSA) should take action to meet the data center-related cost savings established under DCOI by OMB. (Recommendation 34)

Agency: Social Security Administration
Status: Open

Comments: In comments on our report, the Social Security Administration (SSA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center-related cost savings target. The agency subsequently reported meeting its fiscal year 2019 cost savings target of $0. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor SSA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Commissioner of SSA should take action to meet the data center optimization metric targets established under DCOI by OMB. (Recommendation 35)

Agency: Social Security Administration
Status: Open

Comments: In comments on our report, the Social Security Administration (SSA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor SSA's efforts to implement this recommendation through fiscal year 2020.

Recommendation: The Director of the Office of Management and Budget should require agencies to explicitly report, at least on a quarterly basis, the savings and cost avoidance associated with cloud computing investments. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of May 2020, the Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the CIO of Agriculture establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (Agriculture) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, Agriculture officials reported in April 2020 that the department had established an office to assist with cloud migration efforts and instituted a process that requires cloud migration efforts to submit cost data and report cloud savings in accordance with OMB guidance. Officials noted that the department would implement a mechanism within one year once OMB issues guidance related to tracking savings (OMB has not yet implemented guidance in this area). We will continue to monitor Agriculture's progress on these efforts.

Recommendation: The Secretary of Commerce should ensure that the CIO of Commerce establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. In October 2019, Commerce officials noted that the department would update its current procedures related to tracking savings and cost avoidances within one year once OMB issues guidance related to tracking cloud savings (OMB has not yet implemented guidance in this area). As of May 2020, the procedures have not yet been updated. We will continue to monitor Commerce's progress with these efforts.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense (Defense) concurred with our recommendation and stated that the department planned to publish guidance in this area. Specifically, in April 2020, Defense officials reported that the department planned to publish guidance by July 2020 that required all department components to rationalize business and IT applications in alignment with the department's enterprise-wide process for conducting software application rationalization and the department's Cloud Strategy. We will continue to monitor Defense's progress on this effort.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: As of May 2020, the Department of Defense (Defense) has not yet taken any actions to implement our recommendation. We will continue to monitor Defense's progress in implementing this recommendation.

Recommendation: The Secretary of Education should ensure that the CIO of Education completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 8)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would complete an assessment of all IT investments for cloud services. In February 2020, Education officials reported that the department had taken action to update its guidance to include a requirement for assessing new and existing investments for cloud services. However, as of May 2020, based on our review of IT Dashboard data, Education has not yet completed an assessment of 23 investments for these services. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Education should ensure that the CIO of Education establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 9)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would take action to address it. In May 2020, Education officials reported that the department had taken steps to identify a number of cloud investments with cost savings and avoidance data as a part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess new acquisitions for these services. (Recommendation 10)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language that addressed our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 11)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language on assessing investments for cloud services. In addition, as of May 2020, based on our review of data on the IT Dashboard, Energy has not yet completed an assessment of 107 investments for these services. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 12)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the CIO would establish a mechanism to address our recommendation. In February 2020, Energy officials reported that they had identified a number of cloud investments with cost savings as part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of the Department of Health and Human Services (HHS) should ensure that the CIO of HHS establishes guidance on assessing new and existing IT investments for suitability for cloud computing services, in accordance with OMB guidance. (Recommendation 13)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the Office of the CIO would revise its guidance by September 30, 2019 to address it. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 14)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would complete an assessment of all IT investments as part of its portfolio review for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 15)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would take action to track savings as part of its portfolio review process for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of the Department of Homeland Security (DHS) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of accessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of DHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 17)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 18)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation, and stated that it would require components to assess all investments for cloud. However as of April 2020, based on our review of IT Dashboard data, Justice had not yet completed cloud assessments for 80 investments. We will continue to monitor Justice's progress with this effort.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 19)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would take action to address it. In December 2019, Justice officials reported that the department had taken steps to identify cloud investments and related savings data as part of an integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Justice's progress in implementing this recommendation.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 20)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department was taking steps to integrate a process for assessing investments for cloud computing suitability into its budgeting process. Specifically, in February 2020, Labor officials reported that the department was updating its policy to reflect a Cloud First policy that will ensure that all department investment migrations to cloud services are Cloud smart but did not identify a time frame when the policy would be finalized. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 21)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department planned to undertake a full review of data center-based applications for cloud suitability. Specifically, in February 2020, Labor officials reported that the department had created an Engineering Review Board in October 2019 to review proposed IT investments to ensure compliance with the department's cloud architecture, but did not provide a time frame for when all assessments of investments would be completed. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 22)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, in February 2020, Labor officials reported that the department was implementing a tool called Cloudchekr for tracking costs associated with cloud services that would also track related savings and cost avoidances, but no timeframe was provided for when the tool would consistently capture all savings from these efforts. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of State should ensure that the CIO of State establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 23)

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with our recommendation and stated that the department would develop a prototype tracking system ready for testing by the beginning of fiscal year 2020. As of May 2020, we have not received a more recent update from State regarding its implementation of our recommendation. We will continue to monitor State's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 24)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 25)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes guidance on assessing new and existing IT investments for suitability for cloud computing services. (Recommendation 26)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 28)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of the Department of Veterans Affairs (VA) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 29)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun an assessment process and expected to complete this effort by June 30, 2024. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of VA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 30)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun populating a financial management application with data to track overall IT spending and cost savings, but did not provide a timeframe for when a mechanism to track this data would be finalized. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should ensure that the CIO of the General Services Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 31)

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) concurred with our recommendation and stated that the agency planned to develop a process for collecting cost savings data. Specifically, in January 2020, GSA officials reported that the agency intended to develop and document a process for collecting cost and savings data for current and new investments using cloud services. Officials noted that the documentation would provide guidance as to what savings data would be required to be collected, how frequent the data would be reported, and the process for approval, but did not provide a timeframe for when the guidance would be finalized. In addition, officials reported that, once the new process was finalized, the agency would pilot the new process in order to test the approach and the collection of data. As of May 2020, the process has not been finalized. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Administrator of the Small Business Administration should ensure that the CIO of the Small Business Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 32)

Agency: Small Business Administration
Status: Open

Comments: The Small Business Administration (SBA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SBA officials reported that the agency had established a tool for monitoring the costs associated with the migration and deployment of cloud services. However, the documentation SBA provided did not indicate how cloud savings and cost avoidances would be isolated and reported. We will continue to monitor SBA's progress toward implementing this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of the Social Security Administration (SSA) updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 33)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials provided a copy of the agency's updated guidance but the guidance did not include language that addressed our recommendation. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 34)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency had completed an assessment of all investments for cloud services. However, our review of the agency's IT Dashboard data in November found that 24 investments remained to be reviewed. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 35)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency was working toward implementing a tool that would track cloud savings and avoidances but did not provide a timeframe for when the tool would be finalized. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.

Recommendation: The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.

Recommendation: The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that Secret Service acquisition directives require the component to conduct a Post Implementation Review of IT programs after such a program achieves Initial Operating Capability. However, it is unclear whether and how this requirement applies to agile projects, and if the Secret Service has included post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring such projects. DHS's draft agile guidance strongly recommends that user satisfaction be assessed at the end of each production deployment, not just one time after Initial Operating Capability. Moreover, the Secret Service has not yet demonstrated that the CIO has included product quality in the modular outcomes and target measures that the CIO sets for monitoring agile projects. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In 2018 and 2019, the Secret Service participated in the Department of Homeland Security's Strategic Workforce Planning initiative, during which the department identified critical competencies and target proficiency levels for various IT workforce roles across the department (e.g., systems analysis, network management). However, it is unclear whether the Secret Service's participation in this initiative included the identification of the required knowledge and skills for all of the roles within the component's IT workforce, or just certain roles. In addition, while the Secret Service also established a standard operating procedure document in December 2019 that, among other things, identified recommended training and certifications for each OCIO division (e.g., network management, cyber security), this procedure document did not identify the required knowledge and skills for the workforce roles within each of those OCIO divisions. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component analyzed its IT workforce to identify its competency needs, as well as determined the projected staffing and competency gaps that it would have in fiscal year 2019. However, it has not yet provided supporting documentation of the analyses that the CIO conducted to determine these competency needs and projected competency gaps. We will continue to follow-up with the Secret Service for documentation of its efforts to implement this recommendation.

Recommendation: The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component determined that it had a projected staffing gap for fiscal year 2019 of 35 staff within the 2210 occupational job series (i.e., IT management staff). The officials also said that they had identified projected competency gaps related to positions such as Cyber Intelligence Analyst and Intelligence Research Specialist. While the Secret Service has not yet provided documentation of the analyses it conducted to determine these gaps, the component provided documentation to demonstrate that it targeted its fiscal year 2019 recruiting events to focus on addressing IT staffing and competency gaps. For example, among other things, in fiscal year 2019 the component conducted outreach and recruiting events focused on defense, cyber, IT, and intelligence hiring, as well as conducted a targeted cyber security hiring campaign with a large online job search service. We will continue to follow-up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps, in order to verify whether the 2019 recruiting events conducted were focused on addressing such gaps.

Recommendation: The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The Secret Service has not yet demonstrated that it has established and tracked metrics for assessing the effectiveness of its recruitment and hiring plans and activities for the IT workforce. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. However, the Secret Service has not yet provided documentation of these training requirements, nor evidence to support that the planned professional development activities are based on the required training for each IT workforce group. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group, as we previously recommended. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts (for example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts). However, the Secret Service has not yet provided supporting documentation of these assessments. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component has implemented a performance management system that enables OCIO supervisors to update the individual performance plans of each IT workforce staff member to include the relevant technical competencies against which each staff member's performance is to be assessed. However, the Secret Service has not yet provided supporting documentation demonstrating that OCIO has updated the performance plans for each IT workforce staff member to include the relevant technical competencies. We will continue to monitor the component's efforts to address this recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for IMF fully addresses greater utilization of technology or consolidation of investments to better meet organizational goals. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report, dated June 24, 2019. The report demonstrated that IRS, in response to our recommendation, had ensured that the operational analysis for IMF fully addressed greater utilization of technology or consolidation of investments to better meet organizational goals. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code. In order to close the recommendation, IRS needs to update the operational analysis to reflect its progress modernizing IMF.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for Telecommunications Systems and Support (TSS) addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for TSS, it did not identify the metrics used to determine whether TSS supported customer processes or delivered the goods and services that it is intended to deliver. To close this recommendation, IRS will need to provide the detailed operational analysis for TSS incorporating these metrics. As of December 2019, IRS has not provided the full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for TSS includes a comparison of current performance with a pre-established cost baseline. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided GAO its fiscal year (FY) 2018 Operational Analysis Results report. While the report included a summary of the FY 2018 operational analysis for the Telecommunications Systems and Support (TSS) investment , including planned and actual cost figures for FY2018, the report did not indicate whether the planned cost figure for FY2018 accounted for reimbursable costs and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for TSS, as well as documentation showing whether reimbursable costs and user fees are included in the planned cost figure. As of December 2019, IRS has not provided a full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for End User Systems and Services includes a comparison of current performance with a pre-established cost baseline. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for End User Systems and Services (EUSS) investment, including planned and actual cost figures for FY2018, it did not specify whether the planned cost figure accounted for multi-year funding and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for EUSS, as well as documentation showing whether multi-year funding and user fees are included in the planned cost figure. As of December 2019, IRS has not provided the full EUSS operational analysis to GAO. Upon receiving it, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IMF investment. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IMF investment. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice for prioritizing risk for the IMF investment. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IMF investment. (Recommendation 10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IMF investment. (Recommendation 11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IDRS investment. (Recommendation 12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IDRS investment. (Recommendation 13)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IDRS investment. (Recommendation 14)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IDRS investment. (Recommendation 15)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the MSSS investment. (Recommendation 16)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019. While the plan addressed most of the activities associated with the preparing for risk management key practice, it did not identify risk constraints, risk assumptions, or risk tolerance for the MSSS investment. Upon receiving further information, we will review it to determine if IRS has fully addressed this recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the MSSS investment. (Recommendation 18)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has implemented the activities associated with the Analyze Risk key practice. Specifically, while the plan describes a risk analysis process in which risks are classified as high, medium, or low risk, neither the plan nor any of the other documents describes criteria for evaluating and quantifying risk likelihood and severity (impact) levels. Additionally, the Risk Management Plan does not indicate whether analysis of MSSS risks includes both inherent and residual risks. Upon receiving additional information indicating that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the MSSS investment. (Recommendation 19)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has established threshold values for MSSS risk categories or alternative courses of action for critical risks. Upon receiving additional information indicating that it has addressed these activities. we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the MSSS investment. (Recommendation 20)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframes and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has fully implemented all of the activities associated with the monitoring, reporting, and controlling key practice. Specifically, our review of the documents shows that IRS has not established threshold values for MSSS risk categories, and as a result is unable to compare the status of risks to acceptability thresholds to determine the need for implementing a risk mitigation plan. In addition, although the MSSS Risk Management Plan was updated in October 2019, its previous revision occurred in October 2017, indicating that IRS has not yet reviewed all aspects of the risk management program at least once a year. Upon receiving additional information that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement IT workforce planning practices, including the following actions (1) setting the strategic direction for workforce planning; (2) analyzing the workforce to identify skill gaps; (3) developing strategies and implementing activities to address skill gaps; and (4) monitoring and reporting on progress in addressing skill gaps. (Recommendation 21)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of December 2019, IRS has not provided any updates indicating whether it has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that state-based marketplace annual sustainability plans, to the extent possible, have complete 5-year budget forecasts. (Recommendation 1)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS did not concur with our recommendation and stated that it had updated its requirement to request 2-year budget forecasts instead of 5-year budget forecasts. In its December 2017 statement of actions, HHS stated that it was working to streamline and simplify its data collection effort as part of the annual sustainability plan. In April 2018, HHS provided a revised 2-year budget forecast template as well as related state marketplace training documentation. As of April 2020, HHS had not provided further documented evidence of its streamlined process using the 2-year budget forecast template or justification that a 5-year budget is not necessary for assessing long-term financial sustainability and state marketplace sustainability risks.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that all state-based marketplaces provide required annual financial audit reports which are in accordance with generally accepted government auditing standards. (Recommendation 2)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS concurred with our recommendation and stated in its December 2017 update that it continued to provide technical assistance such as webinars and other trainings on independent financial and programmatic audit submission requirements. In April 2018, HHS provided evidence that it had taken some steps to ensure that state-based marketplaces provide required annual financial audit reports, including draft financial audit procedures, documentation of related training provided to states, and a revised HHS state officer annual review checklist emphasizing financial audit reporting. However as of April 2020, the department had not provided evidence of finalized procedures, examples of checklist usage, or of states providing annual financial audit reports. Further, HHS training documentation stated that state-based marketplaces could provide alternate financial audit reports, such as a state-wide financial audit report, in lieu of a marketplace specific report. It is not clear from the provided evidence that the department has ensured that state-based marketplaces are in compliance with financial audit reporting requirements. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes further action.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that marketplace IT self-sustainability risk assessments are based on fully defined measurable terms, a clear categorization process, and a defined response to high risks. (Recommendation 3)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS concurred with our recommendation and stated in its December 2017 update that it would refine its marketplace self-sustainability risk assessment process to provide greater insight into the state marketplace sustainability efforts and to identify areas where states may need assistance. In April 2018, HHS provided evidence that it had taken some steps to base its risk assessments on fully defined processes. CMS provided documentation of clearly defined and measurable terms used for state marketplace budget analysis. However, HHS did not provide evidence that these defined terms were incorporated into analyses or risk assessments. As of April 2020, CMS has not provided evidence that it took steps to develop a clear categorization process or a defined response to high risks. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that states develop, update, and follow performance measurement plans that allow the states to continuously identify and assess the most important IT metrics for their state marketplaces. (Recommendation 4)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that though each marketplace was accountable for managing and reporting its own IT metrics in accordance with federal and state law, HHS would work with states on the improvement of their management and operations through technical assistance and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to conduct operational analysis reviews and systematically monitor the performance of states' marketplace IT systems using key performance indicators. (Recommendation 5)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS did not concur with our recommendation and stated that it conducted Open Enrollment Readiness Reviews to assess marketplace key performance indicators, which according to CMS officials, are similar to operational analysis reviews. However, as of October 2018, HHS had not provided evidence that the Open Enrollment Readiness Reviewed systematically and comprehensively reported on the key performance indicators or include discussion of other key elements identified in best practices for operational analysis reviews, such as how objectives could be better met, or costs could be saved. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that metrics collected from states to monitor marketplaces' operational performance link to performance goals and include baselines and targets to monitor progress. (Recommendation 6)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that states were responsible for monitoring their own performance measures but HHS would continue to review IT metrics of state marketplaces in the implementation phase of their systems through technical assistance activities and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Commerce
Status: Open

Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019 we followed-up with Commerce on the status of their efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Energy
Status: Open

Comments: We reported that the Department of Energy partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Housing and Urban Development
Status: Open

Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Social Security Administration
Status: Open

Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Labor
Status: Open

Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of the Treasury
Status: Open

Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of State
Status: Open

Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Environmental Protection Agency
Status: Open

Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as although EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Office of Personnel Management
Status: Open

Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process, that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

Agency: Department of Labor
Status: Open

Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, are rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow-up with the department to obtain documentation of its efforts to address the recommendation.