Recommendation: The Secretary of Agriculture should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 2)

Agency: Department of Education
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Energy should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 3)

Agency: Department of Energy
Status: Open

Comments: In July 2020, the department reported actions it had taken to fully implement the activities associated with assessing competencies and needs regularly; assessing gaps in competencies and staffing; monitoring the agency's progress in addressing competency and staffing gaps; and reporting to agency leadership on progress in addressing competency and staffing gaps. The department also reported actions it had taken to address the remaining four activities and provided estimated time frames for fully implementing them. As of August 2020, we were following up with the department to obtain supporting documentation for the activities it claimed it had fully implemented and status updates for the remaining activities.

Recommendation: The Secretary of Homeland Security should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 5)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 6)

Agency: Department of the Interior
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Attorney General should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 7)

Agency: Department of Justice
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 8)

Agency: Department of Labor
Status: Open

Comments: In December 2019, Labor officials provided additional documentation on actions taken to address the recommendation. We plan to review the documentation, and when we confirm what actions the agency has taken, we will provide updated information.

Recommendation: The Secretary of State should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 9)

Agency: Department of State
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency fully implements each of the five key IT workforce planning activities it did not fully implement. (Recommendation 10)

Agency: Department of Veterans Affairs
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 11)

Agency: Environmental Protection Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the General Services Administration should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 12)

Agency: General Services Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 13)

Agency: National Science Foundation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 14)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement. (Recommendation 15)

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: In December 2019, OPM stated that it had partnered with the General Services Administration's IT Modernization Center of Excellence to assess the current state of its IT workforce planning activities, but had not yet implemented any of the eight key planning activities we recommended. We will continue to monitor OPM's efforts to implement the recommendation.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 16)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of the Social Security Administration should ensure that the agency fully implements each of the five key IT workforce planning activities it did not fully implement. (Recommendation 17)

Agency: Social Security Administration
Status: Open

Comments: In November 2019, Social Security Administration officials provided the agency's recently issued IT workforce strategy for fiscal year 2019 to fiscal year 2022. We plan to review the strategy, and when we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the U.S. Agency for International Development should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement. (Recommendation 18)

Agency: United States Agency for International Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.

Recommendation: The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.

Recommendation: The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that Secret Service acquisition directives require the component to conduct a Post Implementation Review of IT programs after such a program achieves Initial Operating Capability. However, it is unclear whether and how this requirement applies to agile projects, and if the Secret Service has included post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring such projects. DHS's draft agile guidance strongly recommends that user satisfaction be assessed at the end of each production deployment, not just one time after Initial Operating Capability. Moreover, the Secret Service has not yet demonstrated that the CIO has included product quality in the modular outcomes and target measures that the CIO sets for monitoring agile projects. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In 2018 and 2019, the Secret Service participated in the Department of Homeland Security's Strategic Workforce Planning initiative, during which the department identified critical competencies and target proficiency levels for various IT workforce roles across the department (e.g., systems analysis, network management). However, it is unclear whether the Secret Service's participation in this initiative included the identification of the required knowledge and skills for all of the roles within the component's IT workforce, or just certain roles. In addition, while the Secret Service also established a standard operating procedure document in December 2019 that, among other things, identified recommended training and certifications for each OCIO division (e.g., network management, cyber security), this procedure document did not identify the required knowledge and skills for the workforce roles within each of those OCIO divisions. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component analyzed its IT workforce to identify its competency needs, as well as determined the projected staffing and competency gaps that it would have in fiscal year 2019. However, it has not yet provided supporting documentation of the analyses that the CIO conducted to determine these competency needs and projected competency gaps. We will continue to follow-up with the Secret Service for documentation of its efforts to implement this recommendation.

Recommendation: The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component determined that it had a projected staffing gap for fiscal year 2019 of 35 staff within the 2210 occupational job series (i.e., IT management staff). The officials also said that they had identified projected competency gaps related to positions such as Cyber Intelligence Analyst and Intelligence Research Specialist. While the Secret Service has not yet provided documentation of the analyses it conducted to determine these gaps, the component provided documentation to demonstrate that it targeted its fiscal year 2019 recruiting events to focus on addressing IT staffing and competency gaps. For example, among other things, in fiscal year 2019 the component conducted outreach and recruiting events focused on defense, cyber, IT, and intelligence hiring, as well as conducted a targeted cyber security hiring campaign with a large online job search service. We will continue to follow-up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps, in order to verify whether the 2019 recruiting events conducted were focused on addressing such gaps.

Recommendation: The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: The Secret Service has not yet demonstrated that it has established and tracked metrics for assessing the effectiveness of its recruitment and hiring plans and activities for the IT workforce. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. However, the Secret Service has not yet provided documentation of these training requirements, nor evidence to support that the planned professional development activities are based on the required training for each IT workforce group. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group, as we previously recommended. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts (for example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts). However, the Secret Service has not yet provided supporting documentation of these assessments. We will continue to monitor the component's efforts to implement this recommendation.

Recommendation: The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13)

Agency: Department of Homeland Security: United States Secret Service
Status: Open

Comments: According to Secret Service officials, the component has implemented a performance management system that enables OCIO supervisors to update the individual performance plans of each IT workforce staff member to include the relevant technical competencies against which each staff member's performance is to be assessed. However, the Secret Service has not yet provided supporting documentation demonstrating that OCIO has updated the performance plans for each IT workforce staff member to include the relevant technical competencies. We will continue to monitor the component's efforts to address this recommendation.

Recommendation: The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The agency agreed with the recommendation and, in October 2018, described a a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)

Agency: Department of Education
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.

Recommendation: The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.

Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.

Recommendation: The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)

Agency: Department of Justice
Status: Open

Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)

Agency: Department of Labor
Status: Open

Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.

Recommendation: The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)

Agency: Department of State
Status: Open

Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.

Recommendation: The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)

Agency: Department of Transportation
Status: Open

Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage their technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)

Agency: National Science Foundation
Status: Open

Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agencies' policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)

Agency: Office of Personnel Management
Status: Open

Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)

Agency: Small Business Administration
Status: Open

Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan's revised in 2019 addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for IMF fully addresses greater utilization of technology or consolidation of investments to better meet organizational goals. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report, dated June 24, 2019. The report demonstrated that IRS, in response to our recommendation, had ensured that the operational analysis for IMF fully addressed greater utilization of technology or consolidation of investments to better meet organizational goals. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code. In order to close the recommendation, IRS needs to update the operational analysis to reflect its progress modernizing IMF.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for Telecommunications Systems and Support (TSS) addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for TSS, it did not identify the metrics used to determine whether TSS supported customer processes or delivered the goods and services that it is intended to deliver. To close this recommendation, IRS will need to provide the detailed operational analysis for TSS incorporating these metrics. As of December 2019, IRS has not provided the full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for TSS includes a comparison of current performance with a pre-established cost baseline. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided GAO its fiscal year (FY) 2018 Operational Analysis Results report. While the report included a summary of the FY 2018 operational analysis for the Telecommunications Systems and Support (TSS) investment , including planned and actual cost figures for FY2018, the report did not indicate whether the planned cost figure for FY2018 accounted for reimbursable costs and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for TSS, as well as documentation showing whether reimbursable costs and user fees are included in the planned cost figure. As of December 2019, IRS has not provided a full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should ensure the operational analysis for End User Systems and Services includes a comparison of current performance with a pre-established cost baseline. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for End User Systems and Services (EUSS) investment, including planned and actual cost figures for FY2018, it did not specify whether the planned cost figure accounted for multi-year funding and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for EUSS, as well as documentation showing whether multi-year funding and user fees are included in the planned cost figure. As of December 2019, IRS has not provided the full EUSS operational analysis to GAO. Upon receiving it, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IMF investment. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IMF investment. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice for prioritizing risk for the IMF investment. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IMF investment. (Recommendation 10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IMF investment. (Recommendation 11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IDRS investment. (Recommendation 12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IDRS investment. (Recommendation 13)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IDRS investment. (Recommendation 14)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IDRS investment. (Recommendation 15)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the MSSS investment. (Recommendation 16)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019. While the plan addressed most of the activities associated with the preparing for risk management key practice, it did not identify risk constraints, risk assumptions, or risk tolerance for the MSSS investment. Upon receiving further information, we will review it to determine if IRS has fully addressed this recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the MSSS investment. (Recommendation 18)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has implemented the activities associated with the Analyze Risk key practice. Specifically, while the plan describes a risk analysis process in which risks are classified as high, medium, or low risk, neither the plan nor any of the other documents describes criteria for evaluating and quantifying risk likelihood and severity (impact) levels. Additionally, the Risk Management Plan does not indicate whether analysis of MSSS risks includes both inherent and residual risks. Upon receiving additional information indicating that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the MSSS investment. (Recommendation 19)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has established threshold values for MSSS risk categories or alternative courses of action for critical risks. Upon receiving additional information indicating that it has addressed these activities. we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the MSSS investment. (Recommendation 20)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframes and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has fully implemented all of the activities associated with the monitoring, reporting, and controlling key practice. Specifically, our review of the documents shows that IRS has not established threshold values for MSSS risk categories, and as a result is unable to compare the status of risks to acceptability thresholds to determine the need for implementing a risk mitigation plan. In addition, although the MSSS Risk Management Plan was updated in October 2019, its previous revision occurred in October 2017, indicating that IRS has not yet reviewed all aspects of the risk management program at least once a year. Upon receiving additional information that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.

Recommendation: The Commissioner of the IRS should fully implement IT workforce planning practices, including the following actions (1) setting the strategic direction for workforce planning; (2) analyzing the workforce to identify skill gaps; (3) developing strategies and implementing activities to address skill gaps; and (4) monitoring and reporting on progress in addressing skill gaps. (Recommendation 21)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of December 2019, IRS has not provided any updates indicating whether it has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Commerce should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing IT competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, minimally or partially implemented four activities, and not implemented the remaining three activities. In July 2020, the department provided a summary of actions it claimed it had taken to close the recommendation. The department also provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Defense should require the Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) develop competencies for all staff; (2) assess competency needs regularly for all positions; (3) assess gaps in competencies for all components of the workforce; (4) develop strategies and plans to address gaps in competencies; (5) implement activities that address gaps, including developing a program management career path, if justified and cost-effective; (6) monitor the department's progress in addressing competency gaps identified for IT staff; and (7) report to department leadership on progress in addressing competency gaps.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the Department of Defense's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activities to develop competency and staffing requirements and assess competency and staffing needs regularly, substantially implemented four other activities, and partially implemented the remaining two activities. We will continue to monitor the department's efforts to address our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Health and Human Services should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process inclusive of all staff; (2) develop staffing requirements for all positions; (3) assess staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Health and Human Services
Status: Open

Comments: The department agreed with our recommendation and identified plans for (1) collecting and analyzing additional workforce data and (2) conducting targeted recruitment, staff planning, career development, and training. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, partially implemented three other activities, and either minimally or not implemented the remaining four activities. We will continue to monitor the department's efforts to address our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of Transportation should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish a time frame for when the department is to finalize its draft workforce planning process and maintain that process; (2) develop staffing requirements for all positions; (3) assess competency and staffing needs regularly for all positions; (4) assess gaps in staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing; (6) implement activities that address gaps, including an IT acquisition cadre, cross-functional training of acquisition and program personnel, a career path for program managers, and use of special hiring authorities, if justified and cost-effective;e (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps.

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Information Officer and Office of Human Resource Management had established a workgroup to lead and conduct workforce planning activities, and had defined the strategic goals and objectives for the department's IT workforce. The department also stated that the workgroup was planning on subsequently completing additional activities, including completing a workforce analysis with a competency gap assessment, by the end of calendar year 2020, and developing strategies to address any identified gaps by the end of 2021. We will continue to monitor the department's efforts to implement our recommendation.

Recommendation: To facilitate the analysis of gaps between current skills and future needs, the development of strategies for filling the gaps, and succession planning, the Secretary of the Treasury should require the Chief Information Officer, Chief Human Capital Officer, and other senior managers as appropriate to address the shortfalls in IT workforce planning noted in this report, including the following actions: (1) establish and maintain a workforce planning process; (2) develop competency and staffing requirements for all positions; (3) assess competency and staffing needs regularly; (4) assess gaps in competencies and staffing for all components of the workforce; (5) develop strategies and plans to address gaps in competencies and staffing for all components of the workforce; (6) implement activities that address gaps, including a career path for program managers and special hiring authorities, if justified and cost-effective; (7) monitor the department's progress in addressing competency and staffing gaps; and (8) report to department leadership on progress in addressing competency and staffing gaps for all components of the workforce.

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The department agreed with our recommendation and identified planned and ongoing efforts to address it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that it had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Human Capital Officer and Office of the Chief Information Officer would be presenting a decision paper to the Human Capital Advisory Council that month to request approval and resources to complete an IT Competency Framework, conduct a competency assessment, and conduct a department-wide workforce planning study for the 2210 (IT management) occupation. We will continue to monitor the department's efforts to implement our recommendation.