Recommendation: The Commissioner of the Social Security Administration should ensure the Office of Acquisition and Grants, in consultation with the Chief Information Officer, revises relevant guidance to identify the role of contracting officials in the Agile software development process.

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration agreed with the recommendation but has not yet taken actions to implement it.

Recommendation: The Director of the Office of Management and Budget should require agencies to explicitly report, at least on a quarterly basis, the savings and cost avoidance associated with cloud computing investments. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of May 2020, the Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the CIO of Agriculture establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (Agriculture) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, Agriculture officials reported in April 2020 that the department had established an office to assist with cloud migration efforts and instituted a process that requires cloud migration efforts to submit cost data and report cloud savings in accordance with OMB guidance. Officials noted that the department would implement a mechanism within one year once OMB issues guidance related to tracking savings (OMB has not yet implemented guidance in this area). We will continue to monitor Agriculture's progress on these efforts.

Recommendation: The Secretary of Commerce should ensure that the CIO of Commerce establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. In October 2019, Commerce officials noted that the department would update its current procedures related to tracking savings and cost avoidances within one year once OMB issues guidance related to tracking cloud savings (OMB has not yet implemented guidance in this area). As of May 2020, the procedures have not yet been updated. We will continue to monitor Commerce's progress with these efforts.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense (Defense) concurred with our recommendation and stated that the department planned to publish guidance in this area. Specifically, in April 2020, Defense officials reported that the department planned to publish guidance by July 2020 that required all department components to rationalize business and IT applications in alignment with the department's enterprise-wide process for conducting software application rationalization and the department's Cloud Strategy. We will continue to monitor Defense's progress on this effort.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: As of May 2020, the Department of Defense (Defense) has not yet taken any actions to implement our recommendation. We will continue to monitor Defense's progress in implementing this recommendation.

Recommendation: The Secretary of Education should ensure that the CIO of Education completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 8)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would complete an assessment of all IT investments for cloud services. In February 2020, Education officials reported that the department had taken action to update its guidance to include a requirement for assessing new and existing investments for cloud services. However, as of May 2020, based on our review of IT Dashboard data, Education has not yet completed an assessment of 23 investments for these services. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Education should ensure that the CIO of Education establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 9)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would take action to address it. In May 2020, Education officials reported that the department had taken steps to identify a number of cloud investments with cost savings and avoidance data as a part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess new acquisitions for these services. (Recommendation 10)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language that addressed our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 11)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language on assessing investments for cloud services. In addition, as of May 2020, based on our review of data on the IT Dashboard, Energy has not yet completed an assessment of 107 investments for these services. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 12)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the CIO would establish a mechanism to address our recommendation. In February 2020, Energy officials reported that they had identified a number of cloud investments with cost savings as part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of the Department of Health and Human Services (HHS) should ensure that the CIO of HHS establishes guidance on assessing new and existing IT investments for suitability for cloud computing services, in accordance with OMB guidance. (Recommendation 13)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the Office of the CIO would revise its guidance by September 30, 2019 to address it. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 14)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would complete an assessment of all IT investments as part of its portfolio review for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 15)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would take action to track savings as part of its portfolio review process for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of the Department of Homeland Security (DHS) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of accessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of DHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 17)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 18)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation, and stated that it would require components to assess all investments for cloud. However as of April 2020, based on our review of IT Dashboard data, Justice had not yet completed cloud assessments for 80 investments. We will continue to monitor Justice's progress with this effort.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 19)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would take action to address it. In December 2019, Justice officials reported that the department had taken steps to identify cloud investments and related savings data as part of an integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Justice's progress in implementing this recommendation.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 20)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department was taking steps to integrate a process for assessing investments for cloud computing suitability into its budgeting process. Specifically, in February 2020, Labor officials reported that the department was updating its policy to reflect a Cloud First policy that will ensure that all department investment migrations to cloud services are Cloud smart but did not identify a time frame when the policy would be finalized. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 21)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department planned to undertake a full review of data center-based applications for cloud suitability. Specifically, in February 2020, Labor officials reported that the department had created an Engineering Review Board in October 2019 to review proposed IT investments to ensure compliance with the department's cloud architecture, but did not provide a time frame for when all assessments of investments would be completed. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 22)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, in February 2020, Labor officials reported that the department was implementing a tool called Cloudchekr for tracking costs associated with cloud services that would also track related savings and cost avoidances, but no timeframe was provided for when the tool would consistently capture all savings from these efforts. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of State should ensure that the CIO of State establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 23)

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with our recommendation and stated that the department would develop a prototype tracking system ready for testing by the beginning of fiscal year 2020. As of May 2020, we have not received a more recent update from State regarding its implementation of our recommendation. We will continue to monitor State's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 24)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 25)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes guidance on assessing new and existing IT investments for suitability for cloud computing services. (Recommendation 26)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 28)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of the Department of Veterans Affairs (VA) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 29)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun an assessment process and expected to complete this effort by June 30, 2024. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of VA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 30)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun populating a financial management application with data to track overall IT spending and cost savings, but did not provide a timeframe for when a mechanism to track this data would be finalized. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should ensure that the CIO of the General Services Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 31)

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) concurred with our recommendation and stated that the agency planned to develop a process for collecting cost savings data. Specifically, in January 2020, GSA officials reported that the agency intended to develop and document a process for collecting cost and savings data for current and new investments using cloud services. Officials noted that the documentation would provide guidance as to what savings data would be required to be collected, how frequent the data would be reported, and the process for approval, but did not provide a timeframe for when the guidance would be finalized. In addition, officials reported that, once the new process was finalized, the agency would pilot the new process in order to test the approach and the collection of data. As of May 2020, the process has not been finalized. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Administrator of the Small Business Administration should ensure that the CIO of the Small Business Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 32)

Agency: Small Business Administration
Status: Open

Comments: The Small Business Administration (SBA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SBA officials reported that the agency had established a tool for monitoring the costs associated with the migration and deployment of cloud services. However, the documentation SBA provided did not indicate how cloud savings and cost avoidances would be isolated and reported. We will continue to monitor SBA's progress toward implementing this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of the Social Security Administration (SSA) updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 33)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials provided a copy of the agency's updated guidance but the guidance did not include language that addressed our recommendation. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 34)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency had completed an assessment of all investments for cloud services. However, our review of the agency's IT Dashboard data in November found that 24 investments remained to be reviewed. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 35)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency was working toward implementing a tool that would track cloud savings and avoidances but did not provide a timeframe for when the tool would be finalized. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Program Director for Financial Integration should collect and document requirements to define project scope and meet project objectives. These requirements should be updated periodically throughout the life of the project. (Recommendation 2)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: As of August 2020, NNSA provided a project plan for tasks to be completed for common financial reporting through 2021. However, NNSA has not developed requirements that define specific or detailed requirements for successful implementation of common financial reporting, such as the types of information that program managers need.

Recommendation: The Program Director for Financial Integration should develop a detailed project schedule. The detailed schedule should be documented as part of the annual report to Congress required in the National Defense Authorization Act for Fiscal Year 2017. (Recommendation 3)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: As of August 2020, NNSA established a detailed project schedule for the common financial reporting effort through fiscal year 2021. However, NNSA should communicate this detailed project schedule for the effort to Congress on an annual basis.

Recommendation: The Program Director for Financial Integration should develop a formal process to identify risks, document those risks, and plan how to minimize risk exposure. (Recommendation 6)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: In June 2020, NNSA developed a risk management plan for common financial reporting which established a framework for identifying and managing risks. GAO will continue to monitor NNSA's efforts to implement the plan, including how NNSA identifies and documents risks and mitigates risk exposure using its management plan.

Recommendation: The Program Director for Financial Integration should develop an approach to effectively engage with all project stakeholders that incorporates their expectations into project decisions. (Recommendation 7)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: As of September 2020, NNSA has continued to engage on a regular basis with its M&O contractors. However, similar efforts have not continued with stakeholders of the program offices.

Recommendation: The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.

Recommendation: The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.

Recommendation: The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that Secret Service acquisition directives require the component to conduct a Post Implementation Review of IT programs after such a program achieves Initial Operating Capability. However, it is unclear whether and how this requirement applies to agile projects, and if the Secret Service has included post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring such projects. DHS's draft agile guidance strongly recommends that user satisfaction be assessed at the end of each production deployment, not just one time after Initial Operating Capability. Moreover, the Secret Service has not yet demonstrated that the CIO has included product quality in the modular outcomes and target measures that the CIO sets for monitoring agile projects. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In 2018 and 2019, the Secret Service participated in the Department of Homeland Security's Strategic Workforce Planning initiative, during which the department identified critical competencies and target proficiency levels for various IT workforce roles across the department (e.g., systems analysis, network management). However, it is unclear whether the Secret Service's participation in this initiative included the identification of the required knowledge and skills for all of the roles within the component's IT workforce, or just certain roles. In addition, while the Secret Service also established a standard operating procedure document in December 2019 that, among other things, identified recommended training and certifications for each OCIO division (e.g., network management, cyber security), this procedure document did not identify the required knowledge and skills for the workforce roles within each of those OCIO divisions. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component analyzed its IT workforce to identify its competency needs, as well as determined the projected staffing and competency gaps that it would have in fiscal year 2019. However, it has not yet provided supporting documentation of the analyses that the CIO conducted to determine these competency needs and projected competency gaps. We will continue to follow-up with the Secret Service for documentation of its efforts to implement this recommendation.

Recommendation: The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component determined that it had a projected staffing gap for fiscal year 2019 of 35 staff within the 2210 occupational job series (i.e., IT management staff). The officials also said that they had identified projected competency gaps related to positions such as Cyber Intelligence Analyst and Intelligence Research Specialist. While the Secret Service has not yet provided documentation of the analyses it conducted to determine these gaps, the component provided documentation to demonstrate that it targeted its fiscal year 2019 recruiting events to focus on addressing IT staffing and competency gaps. For example, among other things, in fiscal year 2019 the component conducted outreach and recruiting events focused on defense, cyber, IT, and intelligence hiring, as well as conducted a targeted cyber security hiring campaign with a large online job search service. We will continue to follow-up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps, in order to verify whether the 2019 recruiting events conducted were focused on addressing such gaps.

Recommendation: The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The Secret Service has not yet demonstrated that it has established and tracked metrics for assessing the effectiveness of its recruitment and hiring plans and activities for the IT workforce. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. However, the Secret Service has not yet provided documentation of these training requirements, nor evidence to support that the planned professional development activities are based on the required training for each IT workforce group. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group, as we previously recommended. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts (for example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts). However, the Secret Service has not yet provided supporting documentation of these assessments. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component has implemented a performance management system that enables OCIO supervisors to update the individual performance plans of each IT workforce staff member to include the relevant technical competencies against which each staff member's performance is to be assessed. However, the Secret Service has not yet provided supporting documentation demonstrating that OCIO has updated the performance plans for each IT workforce staff member to include the relevant technical competencies. We will continue to monitor the component's efforts to address this recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet developed procedures that explicitly require that all transactions with an IT component be included in the expenditure reporting to the CIO. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 2)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet documented procedures for ensuring the CIO is included in budget decisions for all programs with IT resources, including those within NNSA and the national laboratories. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 3)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, DOE has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 4)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided IT governance board and budget procedures. However, DOE has not documented procedures by which the CIO is to work with program leadership in planning IT resources for all programs, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 5)

Agency: Department of Energy
Status: Open

Comments: The department has provided IT budget procedures. However, DOE has not documented procedures by which the CIO is to review and approve all major IT investments, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 6)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not documented procedures for the CIO's review of IT resources that are to support major program objectives and significant increases and decreases in IT resources for department and component agency budget requests. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 7)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not developed procedures for documenting steps the CIO is to take to ensure that the IT portfolio includes appropriate estimates of all IT resources. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Energy should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Energy should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 9)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with our recommendation and is planning to take steps towards implementing it. Specifically, DOE plans to implement the Technology Business Management Framework by December 2021. Additionally, the department is coordinating internally to update its financial and procurement systems to better identify IT spending. DOE anticipates that its updates will allow the agency to compare actual IT spending against estimates in the portfolio. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that establish agency-wide policy for the level of detail with which planned expenditures for all transactions that include IT resources are to be reported to the CIO. (Recommendation 10)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 11)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources. (Recommendation 12)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 13)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 14)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Administrator of NNSA should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 15)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 16)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with this recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to include requirements for reporting expenditures that apply to all transactions with an IT component. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 17)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to amplify the CIO's role in the planning and budgeting stages for all programs with IT resources. Also, HHS intends to document procedures for ensuring that all delegated authorities are carried out. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 18)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, HHS has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 19)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. For example, HHS plans to develop an asset management policy and introduce a pilot program to manage inventories across the agency. However, the department has not developed policies and procedures that incorporate the processes by which the program leadership are planning the IT portfolio with the CIO for existing investments greater than or equal to $20 million annually and for investments delegated to components. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 20)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to update its IT investment planning policy to amplify the CIO's role in reviewing major investments. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 21)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with this recommendation and has taken steps towards implementing it. Specifically, HHS documented procedures that require the CIO to hold annual IT investment review meetings with components to review changes in IT resources. However, HHS has not documented procedures for the CIO's role in reviewing major program objectives. We will continue to monitor the department's progress toward implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 22)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to assess and update its existing policies and procedures to document the steps the CIO is to take to review the IT portfolio for appropriate estimates of all IT resources. We will continue to monitor the department's progress toward implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 23)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to develop an IT governance policy to define the accountability of the CIO over all IT projects and establish processes detailing quality reviews and the level of rigor that should be applied by its IT governance board. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 24)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT acquisition program policy and related processes. HHS also plans to document standard operating procedures for agency wide dissemination to ensure the effectiveness and efficiency of IT investment governance through transparent and repeatable procedures. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 25)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS agreed with the recommendation and are planning to take steps towards implementing it. Specifically, HHS established a working group and developed a roadmap for implementing the Technology Business Management Framework by fiscal year 2022. The agency anticipates that its strategy and approach will enable HHS to, among other things, link IT portfolio data, procurement system data, and financial system data. We will continue to monitor the department's progress towards implementing our recommendation.

Recommendation: The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 26)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources. (Recommendation 27)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that the Office of the CIO and other offices, as appropriate, develop and implement policies and procedures that document the CIO's role in reviewing IT resources that are to support major program objectives and significant increases and decreases in IT resources. (Recommendation 28)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 29)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Attorney General should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 31)

Agency: Department of Justice
Status: Open

Comments: The department agreed with the recommendation and has taken steps towards implementing it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. We will continue to monitor the department's progress in implementing our recommendation.

Recommendation: The FBI Director should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 34)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: FBI agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that establish department-wide policy for the level of detail of planned expenditure reporting to the CIO for all transactions that include IT resources. (Recommendation 35)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO in the planning and budgeting stages for all programs that are fully or partially supported with IT resources. (Recommendation 36)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that include the CIO as a member of governance boards that inform decisions regarding all IT resources, including component-level boards. (Recommendation 37)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the process for the CIO's review and approval of the major IT investments portion of the budget request. (Recommendation 38)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, address gaps in the department's FITARA plans by developing and implementing policies and procedures that document the steps the CIO is to take to ensure whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request. (Recommendation 39)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should direct the department CIO to establish, for any OMB common baseline requirements that are related to IT budgeting that have been delegated, a plan that specifies the requirement being delegated, demonstrates how the CIO intends to retain accountability for the requirement, and ensures through quality assurance processes that the delegated official will execute such responsibilities with the appropriate level of rigor. (Recommendation 40)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should direct the Office of the CIO and other offices, as appropriate, to take steps to ensure that the actions taken to comply with OMB's common baseline for implementing FITARA on individual investments are adequately documented. (Recommendation 41)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the Office of the CIO and other offices, as appropriate, establish quality assurance processes--such as data quality checks, reviews of estimation methods, linkages between the IT portfolio and procurement system data, and linkages between the IT portfolio and financial system data--for ensuring the annual IT budget is informed by complete and reliable information on anticipated government labor, contract, and other relevant IT expenditures. (Recommendation 42)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The agency agreed with the recommendation and, in October 2018, described a a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)

Agency: Department of Education
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.

Recommendation: The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.

Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.

Recommendation: The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)

Agency: Department of Justice
Status: Open

Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)

Agency: Department of Labor
Status: Open

Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.

Recommendation: The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)

Agency: Department of State
Status: Open

Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.

Recommendation: The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)

Agency: Department of Transportation
Status: Open

Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage their technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)

Agency: National Science Foundation
Status: Open

Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agencies' policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)

Agency: Office of Personnel Management
Status: Open

Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)

Agency: Small Business Administration
Status: Open

Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan's revised in 2019 addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for IMF fully addresses greater utilization of technology or consolidation of investments to better meet organizational goals. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report, dated June 24, 2019. The report demonstrated that IRS, in response to our recommendation, had ensured that the operational analysis for IMF fully addressed greater utilization of technology or consolidation of investments to better meet organizational goals. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code. In order to close the recommendation, IRS needs to update the operational analysis to reflect its progress modernizing IMF.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for Telecommunications Systems and Support (TSS) addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for TSS, it did not identify the metrics used to determine whether TSS supported customer processes or delivered the goods and services that it is intended to deliver. To close this recommendation, IRS will need to provide the detailed operational analysis for TSS incorporating these metrics. As of December 2019, IRS has not provided the full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for TSS includes a comparison of current performance with a pre-established cost baseline. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided GAO its fiscal year (FY) 2018 Operational Analysis Results report. While the report included a summary of the FY 2018 operational analysis for the Telecommunications Systems and Support (TSS) investment , including planned and actual cost figures for FY2018, the report did not indicate whether the planned cost figure for FY2018 accounted for reimbursable costs and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for TSS, as well as documentation showing whether reimbursable costs and user fees are included in the planned cost figure. As of December 2019, IRS has not provided a full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for End User Systems and Services includes a comparison of current performance with a pre-established cost baseline. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for End User Systems and Services (EUSS) investment, including planned and actual cost figures for FY2018, it did not specify whether the planned cost figure accounted for multi-year funding and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for EUSS, as well as documentation showing whether multi-year funding and user fees are included in the planned cost figure. As of December 2019, IRS has not provided the full EUSS operational analysis to GAO. Upon receiving it, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IMF investment. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IMF investment. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice for prioritizing risk for the IMF investment. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IMF investment. (Recommendation 10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IMF investment. (Recommendation 11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IDRS investment. (Recommendation 12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IDRS investment. (Recommendation 13)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IDRS investment. (Recommendation 14)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IDRS investment. (Recommendation 15)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the MSSS investment. (Recommendation 16)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019. While the plan addressed most of the activities associated with the preparing for risk management key practice, it did not identify risk constraints, risk assumptions, or risk tolerance for the MSSS investment. Upon receiving further information, we will review it to determine if IRS has fully addressed this recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the MSSS investment. (Recommendation 18)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has implemented the activities associated with the Analyze Risk key practice. Specifically, while the plan describes a risk analysis process in which risks are classified as high, medium, or low risk, neither the plan nor any of the other documents describes criteria for evaluating and quantifying risk likelihood and severity (impact) levels. Additionally, the Risk Management Plan does not indicate whether analysis of MSSS risks includes both inherent and residual risks. Upon receiving additional information indicating that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the MSSS investment. (Recommendation 19)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has established threshold values for MSSS risk categories or alternative courses of action for critical risks. Upon receiving additional information indicating that it has addressed these activities. we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the MSSS investment. (Recommendation 20)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframes and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has fully implemented all of the activities associated with the monitoring, reporting, and controlling key practice. Specifically, our review of the documents shows that IRS has not established threshold values for MSSS risk categories, and as a result is unable to compare the status of risks to acceptability thresholds to determine the need for implementing a risk mitigation plan. In addition, although the MSSS Risk Management Plan was updated in October 2019, its previous revision occurred in October 2017, indicating that IRS has not yet reviewed all aspects of the risk management program at least once a year. Upon receiving additional information that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement IT workforce planning practices, including the following actions (1) setting the strategic direction for workforce planning; (2) analyzing the workforce to identify skill gaps; (3) developing strategies and implementing activities to address skill gaps; and (4) monitoring and reporting on progress in addressing skill gaps. (Recommendation 21)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of December 2019, IRS has not provided any updates indicating whether it has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Administrator should direct the Chief Information Officer to address, in conjunction with the Chief Human Capital Officer, gaps in IT workforce planning by fully implementing the eight key IT workforce planning activities noted in this report. (Recommendation 3)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA did not concur with this recommendation. As of October 2019, the agency reported that the Office of the Chief Information Officer was beginning its involvement with the agency's Mission Support Architecture Program which aims at re-aligning mission support functions from a decentralized model to an enterprise model. The office's participation in the re-alignment effort has an estimated completion date in fiscal year 2023.

Recommendation: The Administrator should direct the Chief Information Officer to address weaknesses in oversight practices and ensure routine oversight of all investments by taking action to document criteria for escalating investments among governance boards and establish procedures for tracking corrective actions for underperforming investments. (Recommendation 6)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In February 2020, NASA reported that the agency remained committed to taking action to address this recommendation and reported that the Office of the Chief Information Officer had established a process to govern IT investment funds and had planned additional modifications for that framework. The agency now expects to complete actions to address this recommendation by November 2020.

Recommendation: The Administrator should ensure that the Chief Information Officer fully defines policies and procedures for developing the portfolio criteria, creating the portfolio, and evaluating the portfolio. (Recommendation 7)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. Among other things, the guidance described criteria for the portfolio and defined policies and procedures for creating the portfolio. As of April 2020, the agency had not yet provided evidence that it had developed policies and procedures for evaluating the portfolio. We plan to continue following up on the status of efforts to address this recommendation.

Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes a cybersecurity strategy that, among other things, makes explicit the agency's risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, response strategies and approaches for monitoring risk over time, and priorities for risk management investments. (Recommendation 8)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. As of September 2020, NASA reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by 2021.

Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes policies and procedures with well-defined roles and responsibilities that are integrated and reflect NASA's current security practices and operating environment. (Recommendation 10)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. As of September 2020, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be completed by 2021.

Recommendation: The Secretary of Agriculture should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The agency concurred with our recommendation, and in June 2018, USDA CIO delegated the review and approval of acquisition plans and strategies to the Capital Planning and Information Technology Governance Division (CPITGD) through the Associate CIO of the Information Resource Management Center. However, as of June 2020, the agency had not provided evidence to demonstrate that these reviews and approvals are taking place as required by OMB's guidance. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of Commerce should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that the CIO and the Senior Procurement Executive will issue a memo to their acquisition and CIO member offices clarifying the offices joint responsibilities to ensure that all IT acquisitions are submitted to the CIO for review and approval. The memo is also to provide guidance on the process by which the CIO will review proposed contract actions. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of Commerce should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that it intended to clarify its policies and procedures to comply with OMB rules, including the IT acquisition checklist, which must be completed for every proposed contract action. In addition, the CIO and Senior Procurement Executive will work together to review existing acquisition plan review and approval processes. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of HHS should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 10)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with our recommendation and in an April 2018 update stated that HHS has a policy for the HHS IT acquisition review process for acquisition strategies. However, as of February 21, 2020, the agency had not provided evidence that the CIO (or designee) was reviewing and approving IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of State should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 22)

Agency: Department of State
Status: Open

Comments: The agency agreed with our recommendation, and in a December 2019 update provided information on the agency's CPIC process and a template for IT acquisition strategies. However, it is not clear whether the CIO is reviewing and approving IT acquisitions plans through the CPIC process and the template does not provide a place for the CIO review and approval. In addition, we have requested evidence of CIO approval of selected IT acquisitions. We will continue to monitor the implementation of this recommendation

Recommendation: The Secretary of the Treasury should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 23)

Agency: Department of the Treasury
Status: Open

Comments: The agency did not state whether it agreed or disagreed with the recommendation. In March 2019, Treasury issued a memo that requires the CIO to review and approve IT acquisition plans for acquisitions with a total value of $68 million or more, or for actions with a period of performance longer than 5 years. The review and approval of all other IT acquisition plans are delegated to the component CIOs or Chief Technology Officers. However, the agency had not yet provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of Transportation should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 26)

Agency: Department of Transportation
Status: Open

Comments: The agency concurred with the recommendation. In October 2019, Transportation issued guidance requiring that the CIO or designee to review and approve all IT acquisition plans. We have requested that the agency provide us evidence of CIO-approved IT acquisition plans. The agency stated that it planned to respond by May 15, 2020. We will continue to monitor the implementation of this recommendation.

Recommendation: The Secretary of VA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 28)

Agency: Department of Veterans Affairs
Status: Open

Comments: The agency concurred with the recommendation. In November 2019, VA issued guidance that requires the CIO, in conjunction with the Chief Acquisition Officer, to review and approve all IT acquisition strategies and plans. Specifically, the CIO is to review and approve IT acquisitions valued at $15 million or more. The CIO has delegated the review and approval of IT acquisitions less than $15 million to other designees, based on the value of the contract. However, the agency had not provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.

Recommendation: The Administrator of NASA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 32)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The agency concurred with the recommendation, and in September 2017, NASA's CIO delegated the review and approval authority of IT acquisitions to the Center CIOs. We have requested evidence of CIO-approved IT acquisitions. We will continue to monitor the implementation of this recommendation.

Recommendation: The Director of the Office of Personnel Management should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB's guidance. (Recommendation 34)

Agency: Office of Personnel Management
Status: Open

Comments: The agency concurred with the recommendation and in an April 2020 updated stated that OPM has contracted with a third-party vendor to evaluate the OPM IT human capital, architecture, and governance processes from planning to acquisition to implementation. The agency further stated that it is working to fully implement an IT governance process where the OPM CIO fully reviews and approves IT acquisition plans and processes. We will continue to monitor the implementation of this recommendation.

Recommendation: The Director of OMB should continue to identify and report to Congress on the status of the top 10 high priority information technology programs and the extent to which USDS is involved in the programs, as was done in June 2015 and June 2016. In doing so, the Director should ensure that these reports are issued quarterly. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.

Recommendation: The Director of OMB should ensure that the Federal CIO is directly involved in the oversight of high priority programs. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation

Comments: OMB has not taken actions to address this recommendation, stating that the Federal CIO is not typically involved with overseeing individual IT programs. However, we continue to believe it is important for OMB to take this action, as the results of past CIO-led reviews of troubled programs show that CIO oversight can have significant positive results, including producing significant savings. In December 2019, OMB stated that it had no ongoing or planned action to address the recommendation, noting that the recommendation represents a "fundamental disagreement" between OMB and GAO on the role of the Federal CIO in overseeing programs.

Recommendation: The Director of OMB should continue to report on the status of USDS projects. In doing so, the Director should ensure that the reports are issued quarterly. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.

Recommendation: The Secretary of Agriculture should ensure that the CIO of USDA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 9)

Agency: Department of Agriculture
Status: Open

Comments: In September 2019, a Department of Agriculture official stated that the department was working to establish a policy to include the information noted in our recommendation and planned to finalize a policy by the end of December 2019. We will continue to monitor the department's progress on these efforts.

Recommendation: The Secretary of Veterans Affairs (VA) should ensure that the CIO of VA updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 10)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) has taken action, and stated that it would draft a policy to address our recommendation. In November 2019, a VA official stated that the department is working to address our recommendation but did not identify timeframes for when all activities would be completed. We will continue to evaluate the department's progress in implementing this recommendation.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should ensure that the CIO of EPA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 11)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) concurred with our recommendation and stated that it planned to develop a policy to implement this recommendation and other FITARA issues. Specifically, EPA officials reported in July 2019 that the agency was continuing to work to address the recommendation but did not provided a time frame for when a policy would be finalized. We will continue to monitor EPA's progress on these efforts.

Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should ensure that the CIO of NASA establishes an agency-wide policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes: a description of the CIO's role in the certification process; a description of how CIO certification will be documented; and a definition of incremental development and time frames for delivering functionality, consistent with OMB guidance. (Recommendation 13)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and reported that the agency was in the process of addressing it. Specifically, NASA officials reported in June 2020 that its guidance is currently being updated to include the information noted in our recommendation and will be finalized by September 2020. We will continue to monitor NASA's progress on these efforts.

Recommendation: The Director of the Office of Personnel Management (OPM) should ensure that the CIO of OPM updates the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of FITARA, and confirm that it includes a description of the CIO's role in the certification process and a description of how CIO certification will be documented. (Recommendation 16)

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) concurred with our recommendation and stated that it would update its policies and processes to include the elements we recommended. Specifically, OPM officials reported in November 2019 that guidance on CIO certification was being developed but the agency had not yet determined a time frame for finalizing the policy. We will continue to monitor OPM's progress on these efforts.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

Agency: Department of Homeland Security
Status: Open

Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.

Recommendation: To increase the likelihood that its IT investments develop reliable cost estimates, the Secretary of HUD should finalize, and ensure the implementation of, guidance that incorporates the best practices called for in the GAO Cost Estimating and Assessment Guide.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intended to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. In March 2019, HUD reported that, with contractor assistance, the department had begun to develop a standard methodology for investment lifecycle cost estimation; however, the methodology had not been fully institutionalized across all investments, and a policy for cost estimation had not been developed. Lacking an updated IT Management Framework and cost estimation policy, OCIO took additional interim action in the most recent budget cycle to reduce cost estimation risk by having the Chief Technology Officer standardize the cost estimates for IT investments. HUD continues to take action intended to address this recommendation; however, OCIO has not yet finalized a cost estimation methodology or the associated policy for IT investments or established a timeframe for implementing cost estimation practices departmentwide.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Commerce should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing IT competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, minimally or partially implemented four activities, and not implemented the remaining three activities. In July 2020, the department provided a summary of actions it claimed it had taken to close the recommendation. The department also provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Defense should require the Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) develop competencies for all staff; (2) assess competency needs regularly for all positions; (3) assess gaps in competencies for all components of the workforce; (4) develop strategies and plans to address gaps in competencies; (5) implement activities that address gaps, including developing a program management career path, if justified and cost-effective; (6) monitor the department's progress in addressing competency gaps identified for IT staff; and (7) report to department leadership on progress in addressing competency gaps.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the Department of Defense's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activities to develop competency and staffing requirements and assess competency and staffing needs regularly, substantially implemented four other activities, and partially implemented the remaining two activities. We will continue to monitor the department's efforts to address our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Health and Human Services should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process inclusive of all staff; (2) develop staffing requirements for all positions; (3) assess staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Health and Human Services
Status: Open

Comments: The department agreed with our recommendation and identified plans for (1) collecting and analyzing additional workforce data and (2) conducting targeted recruitment, staff planning, career development, and training. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, partially implemented three other activities, and either minimally or not implemented the remaining four activities. We will continue to monitor the department's efforts to address our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Transportation should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish a time frame for when the department is to finalize its draft workforce planning process and maintain that process; (2) develop staffing requirements for all positions; (3) assess competency and staffing needs regularly for all positions; (4) assess gaps in staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and use of special hiring authorities, if justified and cost-effective;e (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Information Officer and Office of Human Resource Management had established a workgroup to lead and conduct workforce planning activities, and had defined the strategic goals and objectives for the department's IT workforce. The department also stated that the workgroup was planning on subsequently completing additional activities, including completing a workforce analysis with a competency gap assessment, by the end of calendar year 2020, and developing strategies to address any identified gaps by the end of 2021. We will continue to monitor the department's efforts to implement our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of the Treasury should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements for all positions; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing for all components of the workforce; (6) implement activities that address gaps, including a career path for program managers and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps for all components of the workforce.

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The department agreed with our recommendation and identified planned and ongoing efforts to address it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that it had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Human Capital Officer and Office of the Chief Information Officer would be presenting a decision paper to the Human Capital Advisory Council that month to request approval and resources to complete an IT Competency Framework, conduct a competency assessment, and conduct a department-wide workforce planning study for the 2210 (IT management) occupation. We will continue to monitor the department's efforts to implement our recommendation.

Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and has taken steps to establish a department policy and process for the certification of major IT investments' use of incremental development. Specifically, in September 2020, HHS officials reported that they have established a draft policy and anticipate publishing the finalized guidance by March 2021. We will continue to evaluate HHS's progress in implementing this recommendation.

Recommendation: To improve the certification of adequate incremental development, the Secretaries of Defense, Education, Health and Human Services, and the Treasury should direct their CIOs to establish a department policy and process for the certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on the implementation of the Federal Information Technology Acquisition Reform Act.

Agency: Department of the Treasury
Status: Open

Comments: In September 2020, an official from the Department of the Treasury (Treasury) reported that the department had developed draft guidance to address our recommendation, but did not provide time frames for when the guidance would be finalized. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implement of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.

Recommendation: To enhance the budget process and to improve transparency, the Commissioner of Internal Revenue, to the extent feasible, should ensure that the CJ includes data by appropriation account on the amount of funding requested to maintain current services for each future state theme.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its fiscal year 2017 congressional justification, IRS modified how its budget data were organized, including linking requested increases to future state themes, but did not clarify how current spending by themes relates to appropriation accounts. Information on current spending by theme and account is important to ensure transparency on the current funding levels to assist Congress in making informed budget decisions. As reported in October 2018 in GAO-19-108R, the themes under the Future State vision are now being pursued as part of IRS's strategic plan for fiscal years 2018 to 2022-issued in May 2018. IRS has been phasing out the use of the term Future State and did not include it in its fiscal year 2020 congressional justification. Including data on the themes in the strategic plan would provide additional transparency and improve the quality of the information available to Congress for budget deliberations.

Recommendation: As Treasury works with IRS to improve the quality and accuracy of budget data, the Secretary of the Treasury should ensure sufficient controls are in place to make certain that the information technology investment reports generated from the SharePoint Investment Knowledge Exchange are accurate. This includes, for example, taking steps to reduce the need for manual corrections to the data.

Agency: Department of the Treasury
Status: Open

Comments: As of November 2017, Treasury Department officials took steps to address the need to manually correct budget data for the fiscal year 2017 budget request. However, as of October 2019, we have not received documentation that they have done so for future budget years. Improved information would help Treasury and IRS better account for information technology resources. We will continue to monitor Treasury's progress.

Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to establish, document, and implement policies and procedures for selecting new and reselecting ongoing business systems modernization activities, consistent with IRS's process for prioritizing operations support priorities, which addresses (1) prioritization and comparison of IT assets against each other, (2) criteria for making selection and prioritization decisions, and (3) ensuring IRS executives' final funding decisions on IT proposals are based on IRS's prioritization process.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS provided GAO a slide deck titled "Prioritization Process for the Business Systems Modernization (BSM) Program/Projects" which describes a process for prioritizing BSM investments and capabilities within the investments. However, the slides were labeled "pre-decisional." In addition, they did not include specific procedures for prioritizing investments. In April 2020, IRS informed us that it had moved its target for fully implementing the recommendation to November 2020. We will continue to monitor IRS's efforts to implement the recommendation.

Recommendation: To help IRS improve its process for determining IT funding priorities and to provide timely information on the progress of its investments, the Commissioner of IRS should direct the Chief Technology Officer to modify existing processes for Foreign Account Tax Compliance Act (FATCA) and Return Review Program (RRP) for measuring work performed by IRS staff to incorporate best practices, including accounting for actual work performed and using the level of effort measure sparingly.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In May 2018, IRS told GAO it had implemented the recommendation. As supporting evidence, the agency provided an April 2018 update to its Investment Performance Tool user guide along with briefing slides specifying actions taken to modify its processes to measure work performed by IRS staff. We reviewed the evidence provided and determined that it was not sufficient to close the recommendation as implemented. Specifically, while the Investment Performance Tool user guide included updated procedures for measuring work performed by IRS staff which aligned with best practices, it did not clearly state that earned value (or work performed) during an iteration should always be based on to the percentage of planned features or user stories that were completed for that iteration. In addition, IRS did not provide evidence that it had used its updated procedures for the Return Review Program investment. We followed up with IRS to obtain this documentation. The agency subsequently provided the requested documentation to us and, as of July 2020, we were reviewing it to determine the extent to which it addresses the recommendation.

Recommendation: The Director of OMB should identify and publish a specific goal associated with its non-provisioned O&M spending measure.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation. However, in July 2020, OMB stated that the implementation of this recommendation would be counter to the Administration's focus of prioritizing modernization activities specifically for High Value Assets and, as a result, it does not intend on implementing this recommendation. We disagree and believe that identifying and publishing a specific goal aimed at reducing non-provisioned spending (i.e., spending associated with systems that are not cloud or shared service-based) aligns with the Administration's Cloud Smart strategy to accelerate agency adoption of cloud-based solutions. We will continue to monitor the implementation of this recommendation.

Recommendation: The Director of OMB should commit to a firm date by which its draft guidance on legacy systems will be issued, and subsequently direct agencies to identify legacy systems and/or investments needing to be modernized or replaced.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation. In July 2020, OMB stated that agencies were directed to manage the risk to High Value Assets associated with legacy systems in OMB's December 2018 guidance. While OMB's guidance does direct agencies to identify, report, assess, and remediate issues associated with High Value Assets, it does not require agencies to do so for all legacy systems. We will continue to monitor the implementation of this recommendation.

Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

Agency: Department of the Treasury
Status: Open

Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to ensure that operational analyses are performed on investments in the operations and maintenance phase. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

Agency: Department of Agriculture
Status: Open

Comments: The agency agreed with the recommendation. In May 2019, the agency stated that it had conducted an assessment of its legacy system environment and identified 106 legacy IT assets across 18 components. In a March 2020 update, the agency stated that it is in the process of developing a policy to govern all legacy systems, to include modernization and decommissioning plans. The agency plans to publish this policy by March 2021. We will continue to monitor the implementation of this recommendation.

Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

Agency: Department of the Treasury
Status: Open

Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to modernize the IRS's legacy systems. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and ensure that the executive-level investment review board meets as outlined in its charter, documents criteria for use by the other boards, and distributes its decisions to appropriate stakeholders.

Agency: Department of Housing and Urban Development
Status: Open

Comments: HUD has not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e. the Executive Operations Committee) that replaced the board discussed in our report. The department also provide evidence of the board's initial governance activities, including providing criteria to guide board decision-making in January 2017. However, the board has not continued to meet and act in accordance with its charter. In April 2019, HUD reported that it was updating its governance process and charters and stated an intent to ensure that executive-level decision making is clearly defined including when a decision needs to be made, at what level that decision needs to be made, what criteria should be used, and how that decision will be communicated. HUD has not yet provided evidence that the updated governance process and charter have been finalized and implemented.

Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish and maintain a complete set of governance policies, establish time frames for establishing policies planned but not yet developed, and update key governance documents to reflect changes made to established practices.

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department has taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy. Since that time, the department has developed additional policies (e.g., IT risk management policy), revised policies for the IT management framework and Agile development, and reported that it reviewed OCIO's existing policies in September 2018. In October 2018, HUD provided a copy of the draft of the revisions to its IT Management Framework (dated February 2018) and OCIO reported plans to continue developing and maintaining IT policies for each of the framework's elements and to review policies for currency annually on the anniversary date of the policy. As of March 2019, HUD reported that a central repository had been developed to store, track and monitor policy reviews. GAO is seeking additional evidence from the newly implemented policy review process.

Recommendation: To ensure that HUD fully implements and sustains effective IT governance practices, the Secretary of Housing and Urban Development should direct the Deputy Secretary and the department's Chief Information Officer to place a high priority and fully establish an IT investment selection process that includes (1) articulating how reviews of project proposals are to be conducted; (2) planning how data (including cost estimates) are to be developed and verified and validated; (3) establishing criteria for how cost, schedule, and project risk are to be analyzed; (4) developing procedures for how proposed projects are to be compared to one another in terms of investment size (cost), project longevity (schedule), technical difficulty, project risk, and cost-benefit analysis; and (5) ensuring that final selection decisions made by senior decision makers and governance boards are supported by analysis, consider predefined quantitative measures, and are consistently documented.

Agency: Department of Housing and Urban Development
Status: Open

Comments: HUD has provided information demonstrating that the department has addressed elements of this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. In May 2018, the department provided a demonstration of its HUD PLUS tool, including how it had used the tool to automate its selection process. The officials demonstrated how the tool is being used to review proposed projects. They reported that segment sponsors are responsible for validating data submitted but have not provided evidence that the department has developed guidance for that process. The officials demonstrated how the tool supports analysis of investment costs, schedule, and risk. They also demonstrated how the tool helps the Office of the Chief Information Officer compare investments based on cost and showed how decision makers access information and can perform analysis for all projects in the system. Department officials have not yet provided evidence that HUD has improved each of the areas noted in our recommendation. OCIO reported in April 2019 that it intends to: conduct the selection process on a more frequent basis and allow more time for annual budget considerations, improve performance metrics, and further incorporate cost-benefit analysis. OCIO also reported that it intends to better incorporate its management and oversight of the portfolio into a more formal "re-select" process. OCIO also reported that HUD was updating its governance policies to detail the criteria, data, and process used to select investments and targeting action to close this recommendation in 2019.

Recommendation: To establish an enterprise-wide view of cost savings and operational efficiencies generated by investments and governance processes, the Secretary of Housing and Urban Development should direct the Deputy Secretary and Chief Information Officer to place a higher priority on identifying governance-related cost savings and efficiencies and establish and institutionalize a process for identifying and tracking comprehensive, high-quality data on savings and efficiencies resulting from IT investments and the IT governance process.

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The department has taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the budget formulation process, along with copies of a template that it designed and used to help identify such savings. In May 2018, department officials provided a demonstration of the HUD PLUS tool, including screens staff could use to report cost savings and avoidances related to specific projects--although they reported that HUD was not yet using that functionality. In April 2019, OCIO reported that HUD was updating its governance process and charters to ensure that executive-level decision making will be clearly defined. OCIO also reported an intent to implement Technology Business Management to, among other things, improve and expand the tracking of investments. HUD expects these two efforts to facilitate better tracking of the savings and efficiencies resulting from IT decisions. The department has not yet provided evidence that it has established guidance supporting a repeatable process for tracking enterprise-wide IT related cost savings and operational efficiencies, including those related to HUD's governance decisions.

Recommendation: To ensure the effective management of software licenses, the Secretary of Commerce should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

Agency: Department of Commerce
Status: Open

Comments: In April 2018, the Department of Commerce reported that training will be concurrent with the implementation of the new inventory. It estimates the completion of this to be June 30, 2019. In October 2017, the department reported that they were reaching out to another federal agency to learn about the software license management training they offer to incorporate lessons learned into the Commerce's future training plans. However, as of November 2019, the department has not provided an update on these efforts. GAO will continue to monitor the department's progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Secretary of Transportation should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

Agency: Department of Transportation
Status: Open

Comments: In April 2018, the Department of Transportation stated that it has developed a policy addressing components of centralized management and management of software licenses through the entire life cycle. However, Transportation's Order 1351.21 was issued in June 2009 and has not been updated since our report was issued to include the weaknesses we identified. Specifically, the order identifies the roles and responsibility, and central oversight authority for managing enterprise license agreements and does not specify policy on establishing goals and objectives of the software license management program and considering the software license management life-cycle phases to implement effect decision making and incorporate existing standards, processes, and metrics. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.

Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified.

Agency: Environmental Protection Agency
Status: Open

Comments: In April 2018, the Environment Protection Agency reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses, an analysis to inform decision making, education and training goals and overall management throughout the lifecycle. In addition, The Agency stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as its Office of Acquisition Management's consolidation of its Microsoft suite. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Adminitrator of the Environmental Protection Agency should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

Agency: Environmental Protection Agency
Status: Open

Comments: In April 2018, the Environment Protection Agency reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses. In addition, the agency stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as leveraging its Office of Acquisition Management's consolidation of enterprise licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Chairman of the Nuclear Regulatory Commission should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

Agency: Nuclear Regulatory Commission
Status: Open

Comments: In March 2019, the Nuclear Regulatory Commission reported that the agency's IT asset management program requires training and communication, as appropriate for all key personnel. The agency also reported that on September 19, 2018, personnel associated with software asset management attended relevant training and will also participate in software training is currently being developed by the Office of Management and Budget, the Federal Acquisition Institute and the Defense Acquisition University. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should develop an agency-wide comprehensive policy for the management of software licenses that addresses the weaknesses we identified

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management concurred with this recommendation and in September 2015, reported that it had developed a guide to capture enterprise architecture lifecycle activities including software licensing management, acquisition, and requirements during several points of the project lifecycle. In April 2018, the office reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We will continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 reported that it is finalizing a revised Life Cycle Management draft policy which will use stage gate reviews to evaluate the progress of projects including software licenses throughout the agency. According to OPM, once the new policy is approved, OPM subject matter experts will review project documentation during stage gates reviews to make written recommendations on whether projects should continue. OPM's Investment Review Board will then review that recommendation and other procurement documentation to make a final recommendation to the OPM Director. In April 2018, OPM reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We plan to continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. OPM also reported that it is assembling and performing quality reviews on hardware and software lists currently maintained in spreadsheets, in its enterprise architecture systems database, and Remedy database in order to consolidate the entire hardware and software asset inventory. In April 2018, OPM reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We will continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision making.

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management (OPM) concurred with our recommendations and noted actions the agency plans to take. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.

Recommendation: To ensure the effective management of software licenses, the Director of the Office of Personnel Management should provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.

Agency: Office of Personnel Management
Status: Open

Comments: The Office of Personnel Management concurred with our recommendations and noted actions the agency plans to take. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.

Recommendation: To help ensure the success of PortfolioStat, the Director of the Office of Management and Budget should direct the Federal Chief Information Officer to improve transparency of and accountability for PortfolioStat by publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2019, OMB had taken steps to improve transparency of and accountability for PortfolioStat, as GAO recommended in November 2013. In October 2015, the agency started displaying actual data consolidation savings data on the federal information technology (IT) dashboard. As of April 2018, however, OMB was not requiring that agencies report planned PortfolioStat cost savings stating this was as a result of agency feedback, and streamlining of data collection efforts based upon the decision that reporting on realized cost savings is more valuable than reporting on planned or projected cost savings.In March 2019, OMB stated that it was "exploring better approaches to cost savings as reported by agencies to the IT Dashboard." We are following up with OMB to determine whether these approaches include publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

Agency: Department of Commerce
Status: Open

Comments: In October 2018, the Commerce described its process for updating its IT asset inventory as part of the budget formulation process and provided a mapping of investments to its enterprise architecture as evidence that it had implemented this recommendation. However, the department did not provide any policies and procedures supporting the process it described to us. In addition, it did not provide any evidence of controls to ensure that all investments had been captured in the enterprise architecture. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Commerce should direct the CIO to develop a complete commodity IT baseline.

Agency: Department of Commerce
Status: Open

Comments: In October 2018, Commerce officials told GAO about actions taken that they believed addressed the recommendation and provided supporting documentation. Specifically, they stated that they send out an annual data call for bureaus to provide their IT asset inventory as part of the budget submission process. They stated they also perform department-level validation of the bureaus' inventories and aggregate them into a single department inventory. As evidence, they provided a data call memo with supporting instructions and a template for bureaus to establish an IT asset inventory. They also provided examples of three bureau inventories received in response to data calls. In addition, they provided the final aggregated inventory (for fiscal year 2017) and department-level validation of bureau submissions. However, the department did not provide any policies or procedures documenting the process they described. In addition, we could not determine whether the creation of the department-wide inventory was a one-time effort or a recurring activity. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to develop a complete commodity IT baseline.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In January 2019, our contact from the Office of the Chief Information Officer told us that the department had recently established an IT Purchase Request (ITPR) process for controlling spending that had a built-in IT asset inventory process that would address the recommendation. In August 2019, we received documentation on the ITPR process as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, in the future reporting to OMB, the Secretary of Defense should direct the CIO to fully describe the following PortfolioStat action plan element: consolidate commodity IT spending under the agency CIO.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with the recommendation, stating that the commodity IT construct implemented by OMB with PortfolioStat did not work with the department's federated management process. However, the department agreed that a strategy, consistent with the intent of achieving better buying power and control of commodity IT items, should be developed and implemented within the department using existing authorities and stated that it was in the process of implementing this strategy. In January 2019, the Office of the Chief Information Officer's Director for Performance Management stated that while the CIO did not have the authority to consolidate commodity IT spending, the department had taken actions he believed addressed the intent of the recommendation to gain visibility into IT spending. Specifically, he stated that the department established a policy to leverage its buying power for commodity IT purchases (for example for software licenses). In addition, the department recently established an IT Purchase Request (ITPR) process for controlling IT spending. In August 2019, we received documentation related to those actions as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, the Secretary of Defense should direct the CIO to obtain support from the relevant component agencies for the estimated savings for fiscal years 2013 to 2015 for the data center consolidation, enterprise software purchasing, and General Fund Enterprise Business System initiatives.

Agency: Department of Defense
Status: Open

Comments: The department of Defense concurred with the recommendation and stated that it already reported data center consolidation savings and would continue to realize savings from the Enterprise Software Initiative, other strategic sourcing efforts and the implementation of the General Fund Enterprise Business System initiatives. Through other engagements, in August 2016, we had collected support for data center consolidation and Enterprise Software Initiative savings for fiscal years 2013 to 2015. In January 2019, the Office of the Chief Information Officer's Director for Performance Management told us that the department had not been tracking savings generated by other commodity IT initiatives due to the difficulty in doing so, however, it was tracking an "other" category of savings through OMB's integrated data collection instrument (IDC) process which he believed the intent of our recommendation. He noted that the "other" category tracks savings from various OMB IT reform initiatives. Mr. Johnson said he had sent a recent IDC report along with supporting documentation to GAO to address a recommendation made in GAO-15-296. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.

Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, in future reporting to OMB, the Secretary of Defense should direct the Secretary of the Army to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) target duplicative systems or contracts that support common business functions for consolidation; (3) establish criteria for identifying wasteful, low-value, or duplicative investments; and (4) establish a process to identify these potential investments and a schedule for eliminating them from the portfolio.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense concurred with the recommendation and stated that, in the future, USACE would fully describe the four action plan elements when reporting to OMB. In August 2016, the department reported that it had addressed and closed the recommendation in February 2015 and cited policies, procedures, and other supporting documentation as evidence. However, the department did not provide the supporting documentation. In April 2018, the department provided several documents as evidence of its efforts to address this recommendation, including an order outlining the capital planning investment management process for the fiscal year 2017. We determined that the documents did not support the department's claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.

Recommendation: To improve the U.S. Army Corps of Engineers' implementation of PortfolioStat, the Secretary of Defense should direct the Secretary of the Army to report on the agency's progress in consolidating eCPIC to a shared service as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In August 2016, the department reported that it had addressed and closed the recommendation in October 2014 and described several actions that it believed contributed to addressing the recommendation, including, continued improvements to data center reporting, and greater understanding of IT infrastructure costs. However, the department did not provide any documentation to support its claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to develop a complete commodity IT baseline.

Agency: Environmental Protection Agency
Status: Open

Comments: In September 2016, we reported that the Environmental Protection Agency's (EPA) Registry of Environmental Protection Agency Applications, Models and Databases (READ) system had a complete inventory of enterprise IT and business systems-two of three categories of IT assets that make up a commodity IT baseline-and that the agency had processes in place to regularly update this inventory to ensure its completeness (see GAO-16-511). We have been following up with EPA to obtain its inventory of IT infrastructure systems-the third commodity IT category--and determine the agency's process to ensure the completeness of this inventory. In a December 2019 update, EPA told us that it was working on a response to the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Administrator of the Environmental Protection Agency should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO; (2) establish targets for commodity IT spending reductions and deadlines for meeting those targets; and (3) establish criteria for identifying wasteful, low-value, or duplicative investments.

Agency: Environmental Protection Agency
Status: Open

Comments: In November 2016, the Environmental Protection Agency (EPA) reported making progress in addressing the three action plan elements through implementation of the Federal Information Technology Acquisition Reform Act (FITARA) and efforts to assess applications in its inventory. In June 2019, the agency provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the Environmental Protection Agency should direct the CIO to report on the agency's progress in consolidating the managed print services and strategic sourcing of end user computing to shared services as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Environmental Protection Agency
Status: Open

Comments: Between July and December 2016, the Environmental Protection Agency (EPA) reported that it had implemented a managed print service contract for headquarters in 2014 and was preparing to award a new contract to also cover its regions. The agency also reported that it plans to use one of the government-wide contracts identified in OMB's policy on improving the acquisition and management of common IT for its end user computing needs. EPA, however, did not provide documentation supporting these efforts. In a December 2019 update, EPA told us that it was working on a response to the recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, the Attorney General should direct the CIO to reflect 100 percent of information technology investments in the department's enterprise architecture.

Agency: Department of Justice
Status: Open

Comments: In October 2019, the department stated that its budget formulation process ensures that all investments are included in its enterprise architecture (EA). Specifically, the department stated that, as part of the budget formulation process, the EA group reviews investments and aligns them to the business areas within the EA framework by assigning them business reference model codes. To support its claims, in November 2019, the department provided a list of investments showing their alignment with the business reference model codes for the fiscal year 2021 budget formulation process. However, the department did not provide evidence of the EA group's review process. As of January 2020, we were following up with the department to obtain this evidence.

Recommendation: To improve the agency's implementation of PortfolioStat, the Administrator of the National Aeronautics and Space Administration should direct the CIO to reflect 100 percent of information technology investments in the agency's enterprise architecture.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: In February 2018, NASA reported that it was making revisions to its enterprise architecture policy that would assist with ensuring that 100 percent of the agency's information technology investments are in the enterprise architecture. In July and December 2018, the agency provided updates on its efforts along with supporting documentation, though not enough to fully address the recommendation. In July 2019, the agency stated it also had efforts underway to centralize IT governance under the Chief Information Officer and this would contribute to reflect all investments in the enterprise architecture. The agency stated it would continue to update us on the status of its efforts to address the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to develop a complete commodity IT baseline.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, OPM stated that it was developing a service catalog with cost information and allocation components which together with the agency's software inventory would be used for cost avoidance moving forward. However, OPM did not provide supporting documentation. In addition, it was not clear whether the service catalog and software inventory would together include enterprise IT, IT infrastructure, and business systems, the three categories of IT assets that comprise a commodity IT baseline. We will continue to monitor OPM's efforts to address the recommendation.

Recommendation: To improve the agency's implementation of PortfolioStat, in future reporting to OMB, the Director of the Office of Personnel Management should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) move at least two commodity IT areas to shared services and (2) target duplicative systems or contracts that support common business functions for consolidation.

Agency: Office of Personnel Management
Status: Open

Comments: In October 2018, OPM provided evidence that it had addressed the action plan element regarding the migration of two commodity IT areas to shared services. Specifically, OPM provided an August 2016 interagency agreement showing plans to migrate its financial management system to a shared service and a May 2018 interagency agreement showing plans to migrate its human resources and time and attendance system to a shared service. However, the interagency agreements were not signed. Regarding the action plan element to target duplicative systems or contracts that support common business functions for consolidation, OPM stated did that it had targeted laptops and mobile phones for consolidation. In addition, OPM did not provide any evidence of reporting to OMB for either action plan element. In February 2020, OPM stated that, in addition to entering into an interagency agreement for its financial management system and consolidating the procurement of agency-wide laptops and cellphones using an enterprise wide contract, it was also working to close two of its five major data centers to consolidate to three. OPM said that it was gathering the documentation to support its claims.

Recommendation: To improve the agency's implementation of PortfolioStat, the Director of the Office of Personnel Management should direct the CIO to report on the agency's progress in consolidating the help desk consolidation and IT asset inventory to shared services as part of the OMB integrated data collection quarterly reporting until completed.

Agency: Office of Personnel Management
Status: Open

Comments: In February 2020, OPM stated that its IT help desk function had become a shared service starting in October 2019. However, OPM did not provide supporting documentation. In addition, OPM stated it did not have any updates on the IT asset inventory. We will continue to monitor the agency's efforts to address this recommendation.

Recommendation: To improve the department's implementation of PortfolioStat, in future reporting to OMB, the Secretary of the Treasury should direct the CIO to fully describe the following PortfolioStat action plan elements: (1) consolidate commodity IT spending under the agency CIO and (2) establish criteria for identifying wasteful, low-value, or duplicative investments.

Agency: Department of the Treasury
Status: Open

Comments: In September 2014, the Department of the Treasury reported that it did not plan to consolidate commodity IT spending under the agency CIO. Specifically, the department stated that commodity IT investment decisions were consolidated under the Treasury Technology Investment Review Board which is co-chaired by the agency CIO and Assistant Secretary for Management; and that it did not see the benefit of combining the budget authorities of the various bureau infrastructure investments. In regards to establishing criteria to identify wasteful, low-value, and duplicative investments, in September 2014, the department stated that the Treasury Technology Investment Review Board and Technology Advisory Working Group had established an approach that considers risk, value and cost in reviewing investment requests to identify wasteful, low-value, and duplicative investments. As of May 2019, we were reviewing documentation we received from the department in September 2018 to determine whether the recommendation has been fully addressed.

Recommendation: To improve the department's implementation of PortfolioStat, as the department finalizes and matures its enterprise architecture and valuation methodology, the Secretary of the Treasury should direct the CIO to utilize these processes to identify whether there are additional opportunities to reduce duplicative, low-value, or wasteful investments.

Agency: Department of the Treasury
Status: Open

Comments: In September 2014, the Department of the Treasury described several examples of processes it had established to identify opportunities to reduce duplicative, low-value or wasteful investments, including annual reviews of each major IT investment and monthly portfolio reviews. As of May 2019, we were reviewing updated information we received in September 2018 to determine whether the recommendation has been fully addressed.

Recommendation: To ensure that major steady state IT investments are being adequately analyzed, the Secretaries of Defense, Veterans Affairs, and the Treasury should direct appropriate officials to develop an OA policy, annually perform OAs on all investments, and ensure the assessments include all key factors.

Agency: Department of Veterans Affairs
Status: Open

Comments: For fiscal years 2013, 2014, and 2016, the Department of Veterans Affairs provided its operational analyses to GAO for its major information technology investments. These operational analyses addressed a majority of the key factors identified in Office of Management and Budget guidance. Nevertheless, in February 2019, the department was still in the process of finalizing its operational analysis policy and identified a target completion date of September 2019 for when the policy would be complete and ready for publication.

Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies.

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: In 2018, we confirmed that FDA, in response to our recommendation, began efforts to identify which legacy systems will be replaced. FDA also developed an IMS for fiscal year (FY) 2017 and 2018 that identifies current and future tasks to be performed by contractors and FDA. However, FDA's IMS for FY 2017 and 2018 does not fully and clearly define resources. For example, although the FY 2017 IMS includes 265 names, roles, and teams, only 16 percent of activities have resource assignments. Further, FDA's fiscal year 2018 IMS does not fully define critical dependencies. For example, there are 14 activities and milestones with finish dates that are not properly tied to logic. Specifically, the finish dates of the 14 activities are not clearly tied to succeeding activities in the schedule. We contacted FDA in September and December 2019 and January 2020 for an update on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.