Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Topic: "Information Technology"
GAO-20-567, Sep 30, 2020
Phone: (202) 512-4456
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of State
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-179, Sep 9, 2020
Phone: (202) 512-6240
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-627, Jul 31, 2020
Phone: (202) 512-4841
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration agreed with the recommendation but has not yet taken actions to implement it.
GAO-20-213, Jun 1, 2020
Phone: (202) 512-4456
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-279, Mar 5, 2020
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: In comments on our report, the Department of Agriculture (Agriculture) agreed with our recommendation and stated that it planned to meet the cost savings target in 2020. We will continue to monitor Agriculture's efforts to implement this recommendation.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and described actions that they planned to take in order to address the recommendation. We will continue to monitor Commerce's efforts to implement this recommendation.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and described actions that they planned to take in order to address the recommendation. We will continue to monitor Commerce's efforts to implement this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: In comments on our report, the National Aeronautics and Space Administration (NASA) agreed with our recommendation and described actions that the agency planned to take to address the recommendation. NASA stated that it expected to complete these actions by March 31, 2020. Once we have obtained and assessed evidence of the agency's actions taken, we will update the status of this recommendation.
GAO-20-133, Feb 4, 2020
Phone: (202) 512-6240
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: DHS has drafted a preliminary strategy to independently validate agencies' actions, using a risk-based approach. However, this strategy has not yet been finalized and needs to more clearly align to the existing directive development process, to which it serves as an addendum. The strategy should include when and how primary and secondary sources of information for independent validation are selected within the directive development process.
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-97, Jan 9, 2020
Phone: (202) 512-2834
Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open
Comments: DOT partially concurred with this recommendation. In DOT's official response dated March 2020, DOT officials indicated that FAA does not intend to collect any additional type of test site data, unless FAA funds new research or demonstrations. Further, officials noted that FAA has gathered data since the UAS test site program became operational in 2014, through several vehicles including details of flight tests entered into the Mission Logging System (MLS). Officials noted that FAA has and will continue to use data collected from the test sites to, among other things, better understand the challenges facing future UAS integration. We continue to believe that FAA implementing this recommendation would enable the agency to better leverage test site research and data to inform its decisions related to UAS integration. When we confirm what actions FAA has taken in response to this recommendation, we will provide updated information.
GAO-20-3, Dec 12, 2019
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
Agency: General Services Administration
Status: Open
Comments: The General Services Administration (GSA) has not yet taken any actions to implement our recommendation. We will continue to monitor GSA's progress in implementing this recommendation.
Agency: General Services Administration
Status: Open
Comments: The General Services Administration (GSA) has not yet taken any actions to implement our recommendation. We will continue to monitor GSA's progress in implementing this recommendation.
Agency: General Services Administration
Status: Open
Comments: In comments on our report, the General Services Administration (GSA) concurred with our recommendation but has not yet taken any actions to implement our recommendation. We will continue to monitor GSA's progress in implementing this recommendation.
GAO-20-129, Oct 30, 2019
Phone: (202) 512-4456
including 1 priority recommendation
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy
Status: Open
Comments: In July 2020, the department reported actions it had taken to fully implement the activities associated with assessing competencies and needs regularly; assessing gaps in competencies and staffing; monitoring the agency's progress in addressing competency and staffing gaps; and reporting to agency leadership on progress in addressing competency and staffing gaps. The department also reported actions it had taken to address the remaining four activities and provided estimated time frames for fully implementing them. As of August 2020, we were following up with the department to obtain supporting documentation for the activities it claimed it had fully implemented and status updates for the remaining activities.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Interior
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Labor
Status: Open
Comments: In December 2019, Labor officials provided additional documentation on actions taken to address the recommendation. We plan to review the documentation, and when we confirm what actions the agency has taken, we will provide updated information.
Agency: Department of State
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Environmental Protection Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: General Services Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: National Science Foundation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: In December 2019, OPM stated that it had partnered with the General Services Administration's IT Modernization Center of Excellence to assess the current state of its IT workforce planning activities, but had not yet implemented any of the eight key planning activities we recommended. We will continue to monitor OPM's efforts to implement the recommendation.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Social Security Administration
Status: Open
Comments: In November 2019, Social Security Administration officials provided the agency's recently issued IT workforce strategy for fiscal year 2019 to fiscal year 2022. We plan to review the strategy, and when we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: United States Agency for International Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-19-457, Sep 10, 2019
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: The Department of Defense did not concur with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter provided to GAO, the 20 percent software release target is unlikely to be achievable due to the nature of code that is custom developed by the department. However, the department is mandated by law to implement the open source software pilot program established by the Office of Management and Budget's memorandum M-16-21. Releasing at least 20 percent of newly custom-developed code is a requirement of this program. GAO will continue to follow up on the status of the pilot program.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense partially agreed with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter sent to GAO, the department intends to release updated guidance on the release of custom-developed code as open-source software and will include metrics. The department estimated that the updated policy will be completed in the 3rd quarter of fiscal year 2020. GAO will follow up with the agency to obtain the status of the updated guidance.
Phone: (202) 512-4456
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) generally agreed with our conclusions and concurred with our recommendation. In a January 2020 update, the department described steps it planned to take to address the recommendation including establishing a team of experts to formulate a comprehensive taxonomy for VistA and all of its components, identifying authoritative and reliable data sources to assign costs to those components, and developing a methodology for ongoing cost tracking and reporting. The department expects these steps to be implemented by September 30, 2020. We will continue to monitor the department's progress to address this recommendation.
GAO-19-428, Jul 3, 2019
Phone: (202) 512-7114
Agency: Department of Veterans Affairs: Veterans Health Administration
Status: Open
Comments: VA concurred with this recommendation and, as of July 2020, had taken some initial steps to address the recommendation such as modifying the SVH contractor's contract to stop the practice of using 'recommendations' for low-level deficiencies and beginning the process of revising a VA policy to address this practice.
Agency: Department of Veterans Affairs: Veterans Health Administration
Status: Open
Comments: VA concurred in principle with this recommendation and indicated in January 2020 that it had begun taking actions to address this recommendation such as developing a memo of clarification and planning the release of additional guidance for staff.
Agency: Department of Veterans Affairs: Veterans Health Administration
Status: Open
Comments: VA concurred in principle and, as of July 2020, had begun taking some steps to address this recommendation such as exploring options for presenting SVH quality measure data.
GAO-19-241, Apr 11, 2019
Phone: (202) 512-4456
including 3 priority recommendations
Agency: Department of Agriculture
Status: Open
Comments: In comments on our report, the Department of Agriculture (Agriculture) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its targets for the advanced energy metering and server utilization metrics. However, the department also reported that it had not yet met its target for the virtualization metric. We will continue to monitor Agriculture's progress in implementing this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its targets for server utilization. However, the department also reported that it had not yet met its target for the virtualization and advanced energy metering metrics. We will continue to monitor Commerce's progress in implementing this recommendation.
Agency: Department of Defense
Status: Open
Comments: In comments on our report, the Department of Defense agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closures target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor the department's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense is taking action to implement our recommendation. In comments on our report, the department stated that it had already identified significant cost savings through activities such as the identification of system migration candidates and the use of cloud services. The department also said that while it would continue to optimize its data centers, the need for IT would continue to grow, and this growth might ultimately lead to an increase in total data center costs, despite overall per unit cost reductions. In addition, after the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department reported achieving a total savings of $102.30 million and reported plans to save an additional $109.50 million in savings for fiscal year 2020. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor the department's efforts through fiscal year 2020 to address the recommendation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department subsequently reported meeting its target for server utilization. However, the department also reported that it had not yet met its target for the virtualization metric and advanced energy metering. We will continue to monitor the department's efforts to address the recommendation.
Agency: Department of Energy
Status: Open
Comments: In comments on our report, the Department of Energy (Energy) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Energy's progress in implementing this recommendation through fiscal year 2020.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Energy's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor HHS's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor HHS's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Homeland Security
Status: Open
Comments: In comments on our report, the Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure target for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Homeland Security
Status: Open
Comments: In comments on our report, the Department of Homeland Security (DHS) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor DHS's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of the Interior
Status: Open
Comments: The Department of the Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. Subsequently, the department reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Interior's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of the Interior
Status: Open
Comments: The Department of the Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center-related cost savings targets. Subsequently, the department reported achieving $0.2 million in data center-related cost savings and planned to save an additional $0.5 million in fiscal year 2020. We will continue to monitor the department's efforts through fiscal year 2020 to address the recommendation.
Agency: Department of the Interior
Status: Open
Comments: The Department of the Interior (Interior) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Interior's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Justice
Status: Open
Comments: In comments on our report, the Department of Justice (Justice) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its targets for the virtualization and advanced energy metering metrics. However, the department did not have an established target for the server utilization metric. Justice stated that, due to OMB issuance of the revised DCOI guidance and metrics, the department had not developed a baseline and target for server utilization. Once it can track server utilization for a few reporting periods, the department stated that it will finalize its definition for underutilized servers and establish an appropriate target for the metric. We will continue to monitor the department's progress in implementing this recommendation.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its target for the server utilization metric. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Labor's progress in implementing this recommendation.
Agency: Department of State
Status: Open
Comments: In comments on our report, the Department of State (State) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center optimization closure target. The department subsequently reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor State's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of State
Status: Open
Comments: In comments on our report, the Department of State (State) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor State's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Transportation
Status: Open
Comments: In comments on our report, the Department of Transportation (Transportation) neither agreed nor disagreed with the recommendation and has begun taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established a new data center closure target. The department subsequently reported meeting its closure goal for fiscal year 2019. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor Transportation's efforts to implement this recommendation through fiscal year 2020.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. Subsequently, the department reported meeting its target for server utilization. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury (Treasury) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the department established new data center optimization targets. The department subsequently reported meeting its target for server utilization. However, the department had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor Treasury's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had closed 16 data centers to meet its fiscal year 2019 closure target. To fully implement this recommendation, VA will need to demonstrate sustained implementation progress over time, including meeting its fiscal year 2020 data center closure target.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had met its fiscal year 2019 cost savings target. To fully implement this recommendation, VA will need to demonstrate sustained implementation progress over time, including meeting its fiscal year 2020 data center cost savings target.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: VA agreed with our recommendation and, as of January 2020, the department reported that it had met its fiscal year 2019 targets for three of the four data center optimization metrics tracked by the Office of Management and Budget (OMB). To fully implement this recommendation, VA will need to meet all four of OMB's metrics, and also demonstrate sustained implementation progress over time by continuing to meet the four metrics across fiscal years.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center closure target. EPA subsequently reported that it based its three planned closures for fiscal year 2019 on the data center definition applicable while developing its fiscal year 2019 DCOI strategic plan. However, when OMB updated its data center guidance it changed the definition of a data center, and as a result, the three facilities EPA planned to close no longer qualified as data centers. Further, EPA did not have plans to close any additional data centers. While EPA reported to us that it completed the planned closures, the three facilities did not represent what OMB now considers a data center, and so, EPA did not report the closures in its data center inventory update. However, we acknowledge that EPA closed the facilities identified in its April 2019 plan and did not plan to close any data centers that met OMB's new definition, meaning that the agency met its revised fiscal year 2019 goal of zero closures. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor EPA's efforts to implement this recommendation through fiscal year 2020.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) is taking action to implement our recommendation. The agency established new data center optimization targets after the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019. Subsequently, the agency reported meeting its targets for the advanced energy metering and server utilization metrics. However, the agency had not yet met its target for the virtualization metric. We will continue to monitor EPA's progress in implementing this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: In comments on our report, the National Aeronautics and Space Administration (NASA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NASA's efforts to implement this recommendation through fiscal year 2020.
Agency: National Science Foundation
Status: Open
Comments: The National Science Foundation (NSF) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NSF's efforts to implement this recommendation through fiscal year 2020.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: The Nuclear Regulatory Commission (NRC) is taking action to implement our recommendation. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor NRC's efforts to implement this recommendation through fiscal year 2020.
Agency: Office of Personnel Management
Status: Open
Comments: In comments on our report, the Office of Personnel Management (OPM) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center-related cost savings target. Subsequently, the agency reported meeting its fiscal year 2019 target of $7.65 million and planned to save an additional $7.65 million in fiscal year 2020. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor OPM's progress in implementing this recommendation through fiscal year 2020.
Agency: Office of Personnel Management
Status: Open
Comments: In comments on our report, the Office of Personnel Management (OPM) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. The agency subsequently reported meeting its targets for the virtualization and server utilization metrics. However, it had not met its target for advanced energy metering. We will continue to monitor OPM's progress in implementing this recommendation.
Agency: Small Business Administration
Status: Open
Comments: In comments on our report, the Small Business Administration (SBA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its target for server utilization. However, the agency had not yet met its targets for the advanced energy metering and virtualization metrics. We will continue to monitor SBA's progress in implementing this recommendation.
Agency: Social Security Administration
Status: Open
Comments: In comments on our report, the Social Security Administration (SSA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established a new data center-related cost savings target. The agency subsequently reported meeting its fiscal year 2019 cost savings target of $0. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor SSA's efforts to implement this recommendation through fiscal year 2020.
Agency: Social Security Administration
Status: Open
Comments: In comments on our report, the Social Security Administration (SSA) agreed with our recommendation and began taking action to implement it. After the Office of Management and Budget (OMB) released the updated Data Center Optimization Initiative policy in June 2019, the agency established new data center optimization targets. Subsequently, the agency reported meeting its targets for the virtualization, advanced energy metering, and server utilization metrics. However, given the short time to evaluate implementation efforts between when OMB released the updated policy in June 2019 and the end of fiscal year 2019, we will continue to monitor SSA's efforts to implement this recommendation through fiscal year 2020.
GAO-19-164, Apr 9, 2019
Phone: (202) 512-4456
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
GAO-19-58, Apr 4, 2019
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of May 2020, the Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture (Agriculture) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, Agriculture officials reported in April 2020 that the department had established an office to assist with cloud migration efforts and instituted a process that requires cloud migration efforts to submit cost data and report cloud savings in accordance with OMB guidance. Officials noted that the department would implement a mechanism within one year once OMB issues guidance related to tracking savings (OMB has not yet implemented guidance in this area). We will continue to monitor Agriculture's progress on these efforts.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. In October 2019, Commerce officials noted that the department would update its current procedures related to tracking savings and cost avoidances within one year once OMB issues guidance related to tracking cloud savings (OMB has not yet implemented guidance in this area). As of May 2020, the procedures have not yet been updated. We will continue to monitor Commerce's progress with these efforts.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (Defense) concurred with our recommendation and stated that the department planned to publish guidance in this area. Specifically, in April 2020, Defense officials reported that the department planned to publish guidance by July 2020 that required all department components to rationalize business and IT applications in alignment with the department's enterprise-wide process for conducting software application rationalization and the department's Cloud Strategy. We will continue to monitor Defense's progress on this effort.
Agency: Department of Defense
Status: Open
Comments: As of May 2020, the Department of Defense (Defense) has not yet taken any actions to implement our recommendation. We will continue to monitor Defense's progress in implementing this recommendation.
Agency: Department of Education
Status: Open
Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would complete an assessment of all IT investments for cloud services. In February 2020, Education officials reported that the department had taken action to update its guidance to include a requirement for assessing new and existing investments for cloud services. However, as of May 2020, based on our review of IT Dashboard data, Education has not yet completed an assessment of 23 investments for these services. We will continue to monitor Education's progress with this effort.
Agency: Department of Education
Status: Open
Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would take action to address it. In May 2020, Education officials reported that the department had taken steps to identify a number of cloud investments with cost savings and avoidance data as a part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Education's progress with this effort.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language that addressed our recommendation. We will continue to monitor the status of this recommendation.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language on assessing investments for cloud services. In addition, as of May 2020, based on our review of data on the IT Dashboard, Energy has not yet completed an assessment of 107 investments for these services. We will continue to monitor Energy's progress with this effort.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the CIO would establish a mechanism to address our recommendation. In February 2020, Energy officials reported that they had identified a number of cloud investments with cost savings as part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Energy's progress with this effort.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the Office of the CIO would revise its guidance by September 30, 2019 to address it. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would complete an assessment of all IT investments as part of its portfolio review for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would take action to track savings as part of its portfolio review process for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of assessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Department of Justice
Status: Open
Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would require components to assess all investments for cloud. However, as of April 2020, based on our review of IT Dashboard data, Justice had not yet completed cloud assessments for 80 investments. We will continue to monitor Justice's progress with this effort.
Agency: Department of Justice
Status: Open
Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would take action to address it. In December 2019, Justice officials reported that the department had taken steps to identify cloud investments and related savings data as part of an integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Justice's progress in implementing this recommendation.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department was taking steps to integrate a process for assessing investments for cloud computing suitability into its budgeting process. Specifically, in February 2020, Labor officials reported that the department was updating its policy to reflect a Cloud First policy that will ensure that all department investment migrations to cloud services are Cloud Smart, but did not identify a time frame when the policy would be finalized. We will continue to monitor Labor's progress on these efforts.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department planned to undertake a full review of data center-based applications for cloud suitability. Specifically, in February 2020, Labor officials reported that the department had created an Engineering Review Board in October 2019 to review proposed IT investments to ensure compliance with the department's cloud architecture, but did not provide a time frame for when all assessments of investments would be completed. We will continue to monitor Labor's progress on these efforts.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, in February 2020, Labor officials reported that the department was implementing a tool called Cloudchekr for tracking costs associated with cloud services that would also track related savings and cost avoidances, but no timeframe was provided for when the tool would consistently capture all savings from these efforts. We will continue to monitor Labor's progress on these efforts.
Agency: Department of State
Status: Open
Comments: The Department of State (State) concurred with our recommendation and stated that the department would develop a prototype tracking system ready for testing by the beginning of fiscal year 2020. As of May 2020, we have not received a more recent update from State regarding its implementation of our recommendation. We will continue to monitor State's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun an assessment process and expected to complete this effort by June 30, 2024. We will continue to monitor VA's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun populating a financial management application with data to track overall IT spending and cost savings, but did not provide a timeframe for when a mechanism to track this data would be finalized. We will continue to monitor VA's progress in implementing this recommendation.
Agency: General Services Administration
Status: Open
Comments: The General Services Administration (GSA) concurred with our recommendation and stated that the agency planned to develop a process for collecting cost savings data. Specifically, in January 2020, GSA officials reported that the agency intended to develop and document a process for collecting cost and savings data for current and new investments using cloud services. Officials noted that the documentation would provide guidance as to what savings data would be required to be collected, how frequently the data would be reported, and the process for approval, but did not provide a timeframe for when the guidance would be finalized. In addition, officials reported that, once the new process was finalized, the agency would pilot the new process in order to test the approach and the collection of data. As of May 2020, the process has not been finalized. We will continue to monitor GSA's progress in implementing this recommendation.
Agency: Small Business Administration
Status: Open
Comments: The Small Business Administration (SBA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SBA officials reported that the agency had established a tool for monitoring the costs associated with the migration and deployment of cloud services. However, the documentation SBA provided did not indicate how cloud savings and cost avoidances would be isolated and reported. We will continue to monitor SBA's progress toward implementing this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials provided a copy of the agency's updated guidance but the guidance did not include language that addressed our recommendation. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency had completed an assessment of all investments for cloud services. However, our review of the agency's IT Dashboard data in November found that 24 investments remained to be reviewed. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency was working toward implementing a tool that would track cloud savings and avoidances but did not provide a timeframe for when the tool would be finalized. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
GAO-19-136, Mar 18, 2019
Phone: (202) 512-4841
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation and issued an interim Software Acquisition Pathway policy in January 2020 that addresses software development, including direction on user involvement. As of August 2020, this interim policy has not yet been finalized. According to DOD officials, a final policy is currently under development and is expected to be issued by the end of December 2020.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. As of August 2020, DOD has issued an interim Software Acquisition Pathway that addresses software development, including direction on user involvement. According to DOD officials, this interim pathway is planned to be replaced by a final policy that is currently under development and is expected to be issued by the end of December 2020.
GAO-19-144, Mar 12, 2019
Phone: (202) 512-6244
including 10 priority recommendations
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: The Department of Agriculture concurred with our recommendation and stated that it was identifying an internal team of subject-matter experts to collaborate with organizations across the department to review the assignment of the "000" code to positions and assist in determining the appropriate work role codes. As of April 2020, USDA expected to complete this activity by fall 2020. To fully implement this recommendation, USDA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series.
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: The Department of Commerce concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: The Department of Defense concurred with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. To fully implement this recommendation, DOD will need to provide evidence that it has assigned appropriate National Initiative for Cybersecurity Education framework work role codes to its positions in the 2210 Information Technology management occupational series and assessed the accuracy of position descriptions.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: The Department of Health and Human Services concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. As of March 2020, HHS has made significant progress toward reviewing the assignment of work role codes to its positions in the 2210 IT management occupational series and ensuring that such positions are not coded with the "000" code. To fully implement this recommendation, HHS will need to provide evidence that it has assigned the appropriate NICE framework work role codes to all or nearly all of its remaining positions in the 2210 IT management occupational series. We will continue to monitor the situation.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: The Department of Homeland Security (DHS) concurred with our recommendation. DHS conducted an audit of its components' cybersecurity coding efforts in fiscal year 2018 and identified actions that components needed to take to complete the assignment of appropriate NICE framework work role codes and assess the accuracy of position descriptions; a second audit for fiscal year 2019 is underway, and the department expects to complete its coding efforts by December 2020. As of January 2020, DHS has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, DHS will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: The Department of Housing and Urban Development (HUD) agreed with this recommendation. In January 2020, HUD stated that it was in the process of reviewing its positions in the 2210 IT management occupational series and assigning appropriate work role codes. To fully implement this recommendation, HUD will need to correctly categorize the work roles and functions performed by IT and cyber-related personnel in order to be able to identify critical cybersecurity staffing needs.
Agency: Department of State
Status: Open
Priority recommendation
Comments: The Department of State concurred with the recommendation. In January 2020, we confirmed that State had assigned National Initiative for Cybersecurity Education (NICE) framework work role codes to its positions in the 2210 IT management occupational series. However, the department has not yet provided sufficient evidence to demonstrate that it has completed its efforts to assess the accuracy of position descriptions. To fully implement this recommendation, State will need to provide evidence that it has assessed the accuracy of position descriptions.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: Treasury partially concurred with the recommendation and stated that some positions may not align to work roles in the National Initiative for Cybersecurity Education's (NICE) cybersecurity workforce framework. Treasury stated that it planned to review and validate the work role codes of its IT, cybersecurity, or cyber-related positions by March 2019. However, as of February 2020 Treasury had not provided evidence that it has implemented our recommendation. Until it assigns work role codes that are consistent with the IT, cybersecurity, and cyber-related functions performed by these positions, Treasury will continue to have unreliable information about its cybersecurity workforce that the department will need to identify its workforce roles of critical need.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: The Environmental Protection Agency concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. As of January 2020, EPA has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, EPA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration did not concur with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. In March 2020, NASA indicated that it expected to implement the recommendation by September 30, 2020. To fully implement this recommendation, NASA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
GAO-19-111, Dec 19, 2018
Phone: (202) 512-8678
including 3 priority recommendations
Agency: Consumer Financial Protection Bureau
Status: Open
Comments: In December 2019, the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (the agencies) issued an interagency statement on the use of alternative data in credit underwriting. The statement broadly highlights some potential benefits and risks of using alternative data and encourages firms to responsibly use alternative data, but does not provide firms or banks with specific direction on the appropriate use of alternative data, including issues to consider when selecting types of alternative data to use. We will continue to monitor the agencies' actions related to this recommendation.
Agency: Federal Reserve System
Status: Open
Priority recommendation
Comments: In December 2019, the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (the agencies) issued an interagency statement on the use of alternative data in credit underwriting. The statement broadly highlights some potential benefits and risks of using alternative data and encourages firms to responsibly use alternative data, but does not provide firms or banks with specific direction on the appropriate use of alternative data, including issues to consider when selecting types of alternative data to use. We will continue to monitor the agencies' actions related to this recommendation.
Agency: Federal Deposit Insurance Corporation
Status: Open
Priority recommendation
Comments: In December 2019, the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (the agencies) issued an interagency statement on the use of alternative data in credit underwriting. The statement broadly highlights some potential benefits and risks of using alternative data and encourages firms to responsibly use alternative data, but does not provide firms or banks with specific direction on the appropriate use of alternative data, including issues to consider when selecting types of alternative data to use. We will continue to monitor the agencies' actions related to this recommendation.
Agency: Department of the Treasury: Office of the Comptroller of the Currency
Status: Open
Priority recommendation
Comments: In December 2019, the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (the agencies) issued an interagency statement on the use of alternative data in credit underwriting. The statement broadly highlights some potential benefits and risks of using alternative data and encourages firms to responsibly use alternative data, but does not provide firms or banks with specific direction on the appropriate use of alternative data, including issues to consider when selecting types of alternative data to use. We will continue to monitor the agencies' actions related to this recommendation.
GAO-19-72, Dec 13, 2018
Phone: (202) 512-6806
Agency: Department of the Treasury
Status: Open
Comments: Treasury agreed with the recommendation. As of September 2020, metadata are not available on USAspending.gov.
GAO-19-63, Dec 11, 2018
Phone: (202) 512-4841
Agency: Department of Defense
Status: Open
Comments: In November 2018, and in response to our draft report, DOD stated that it would analyze the Federal Procurement Data System-Next Generation data in an effort to identify why the miscoding of orders under multiple award contracts occurs, and use this information to advise the contracting community of actions to improve the reliability of the competition data. In July 2019, DOD officials stated they did not have an update regarding planned actions to address the recommendation. As of September 2020, DOD officials did not respond to our multiple requests for updates to this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: In February 2019, HHS stated it was performing analysis and research to understand the reasons for the miscoding of orders. Once this analysis and research is completed, HHS reported it plans to work to address the root causes of the previously identified miscodings, so as to prevent future errors. In July 2019, HHS officials stated they did not have an update regarding planned actions to address the recommendation. As of September 2020, HHS officials did not respond to our multiple requests for updates to this recommendation.
GAO-19-60, Nov 15, 2018
Phone: (202) 512-4456
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: Secret Service officials stated that Secret Service acquisition directives require the component to conduct a Post Implementation Review of IT programs after such a program achieves Initial Operating Capability. However, it is unclear whether and how this requirement applies to agile projects, and if the Secret Service has included post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring such projects. DHS's draft agile guidance strongly recommends that user satisfaction be assessed at the end of each production deployment, not just one time after Initial Operating Capability. Moreover, the Secret Service has not yet demonstrated that the CIO has included product quality in the modular outcomes and target measures that the CIO sets for monitoring agile projects. We will continue to monitor the department's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: In 2018 and 2019, the Secret Service participated in the Department of Homeland Security's Strategic Workforce Planning initiative, during which the department identified critical competencies and target proficiency levels for various IT workforce roles across the department (e.g., systems analysis, network management). However, it is unclear whether the Secret Service's participation in this initiative included the identification of the required knowledge and skills for all of the roles within the component's IT workforce, or just certain roles. In addition, while the Secret Service also established a standard operating procedure document in December 2019 that, among other things, identified recommended training and certifications for each OCIO division (e.g., network management, cyber security), this procedure document did not identify the required knowledge and skills for the workforce roles within each of those OCIO divisions. We will continue to monitor the component's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: According to Secret Service officials, the component analyzed its IT workforce to identify its competency needs, as well as determined the projected staffing and competency gaps that it would have in fiscal year 2019. However, it has not yet provided supporting documentation of the analyses that the CIO conducted to determine these competency needs and projected competency gaps. We will continue to follow up with the Secret Service for documentation of its efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: According to Secret Service officials, the component determined that it had a projected staffing gap for fiscal year 2019 of 35 staff within the 2210 occupational job series (i.e., IT management staff). The officials also said that they had identified projected competency gaps related to positions such as Cyber Intelligence Analyst and Intelligence Research Specialist. While the Secret Service has not yet provided documentation of the analyses it conducted to determine these gaps, the component provided documentation to demonstrate that it targeted its fiscal year 2019 recruiting events to focus on addressing IT staffing and competency gaps. For example, among other things, in fiscal year 2019 the component conducted outreach and recruiting events focused on defense, cyber, IT, and intelligence hiring, as well as conducted a targeted cyber security hiring campaign with a large online job search service. We will continue to follow up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps, in order to verify whether the 2019 recruiting events conducted were focused on addressing such gaps.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: The Secret Service has not yet demonstrated that it has established and tracked metrics for assessing the effectiveness of its recruitment and hiring plans and activities for the IT workforce. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. However, the Secret Service has not yet provided documentation of these training requirements, nor evidence to support that the planned professional development activities are based on the required training for each IT workforce group. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group, as we previously recommended. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts (for example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts). However, the Secret Service has not yet provided supporting documentation of these assessments. We will continue to monitor the component's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: According to Secret Service officials, the component has implemented a performance management system that enables OCIO supervisors to update the individual performance plans of each IT workforce staff member to include the relevant technical competencies against which each staff member's performance is to be assessed. However, the Secret Service has not yet provided supporting documentation demonstrating that OCIO has updated the performance plans for each IT workforce staff member to include the relevant technical competencies. We will continue to monitor the component's efforts to address this recommendation.
GAO-19-49, Nov 13, 2018
Phone: (202) 512-4456
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet developed procedures that explicitly require that all transactions with an IT component be included in the expenditure reporting to the CIO. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet documented procedures for ensuring the CIO is included in budget decisions for all programs with IT resources, including those within NNSA and the national laboratories. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, DOE has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT governance board and budget procedures. However, DOE has not documented procedures by which the CIO is to work with program leadership in planning IT resources for all programs, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: The department has provided IT budget procedures. However, DOE has not documented procedures by which the CIO is to review and approve all major IT investments, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not documented procedures for the CIO's review of IT resources that are to support major program objectives and significant increases and decreases in IT resources for department and component agency budget requests. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not developed procedures for documenting steps the CIO is to take to ensure that the IT portfolio includes appropriate estimates of all IT resources. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation and is planning to take steps towards implementing it. Specifically, DOE plans to implement the Technology Business Management Framework by December 2021. Additionally, the department is coordinating internally to update its financial and procurement systems to better identify IT spending. DOE anticipates that its updates will allow the agency to compare actual IT spending against estimates in the portfolio. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with this recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to include requirements for reporting expenditures that apply to all transactions with an IT component. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to amplify the CIO's role in the planning and budgeting stages for all programs with IT resources. Also, HHS intends to document procedures for ensuring that all delegated authorities are carried out. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, HHS has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. For example, HHS plans to develop an asset management policy and introduce a pilot program to manage inventories across the agency. However, the department has not developed policies and procedures that incorporate the processes by which the program leadership are planning the IT portfolio with the CIO for existing investments greater than or equal to $20 million annually and for investments delegated to components. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to update its IT investment planning policy to amplify the CIO's role in reviewing major investments. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with this recommendation and has taken steps towards implementing it. Specifically, HHS documented procedures that require the CIO to hold annual IT investment review meetings with components to review changes in IT resources. However, HHS has not documented procedures for the CIO's role in reviewing major program objectives. We will continue to monitor the department's progress toward implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to assess and update its existing policies and procedures to document the steps the CIO is to take to review the IT portfolio for appropriate estimates of all IT resources. We will continue to monitor the department's progress toward implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to develop an IT governance policy to define the accountability of the CIO over all IT projects and establish processes detailing quality reviews and the level of rigor that should be applied by its IT governance board. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT acquisition program policy and related processes. HHS also plans to document standard operating procedures for agency-wide dissemination to ensure the effectiveness and efficiency of IT investment governance through transparent and repeatable procedures. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps towards implementing it. Specifically, HHS established a working group and developed a roadmap for implementing the Technology Business Management Framework by fiscal year 2022. The agency anticipates that its strategy and approach will enable HHS to, among other things, link IT portfolio data, procurement system data, and financial system data. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: The department agreed with the recommendation and has taken steps towards implementing it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Justice: Federal Bureau of Investigation
Status: Open
Comments: FBI agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
GAO-18-696T, Sep 13, 2018
Phone: (202) 512-4456
including 1 priority recommendation
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation to ensure that the role and responsibilities of the Interagency Program Office (IPO) were clearly defined within the governance plans for acquisition of the department's new electronic health record system. As of December 2019, VA and the Department of Defense (DOD) have replaced the IPO with a new joint governance body. Specifically, the Federal Electronic Health Record Modernization (FEHRM) program office has been established to serve as the single point of accountability in the delivery of a common health record between the departments and the advancement of interoperability with the private sector. In its charter, the FEHRM was described as a single decision-making authority to manage issues in support of the departments' integrated electronic health record objectives and its leadership is responsible for, among other things, working to formulate, oversee, de-conflict, and ensure adherence to electronic health record-related VA and DOD policies. However, the corresponding Implementation Plan that is intended to document how the FEHRM executes its full responsibilities has yet to be issued. To fully implement this recommendation, VA needs to document the role and responsibilities of the FEHRM with respect to VA's acquisition of its new electronic health record system, explaining the role, if any, the FEHRM will have in the governance process. We will continue to monitor the departments' incorporation of the FEHRM into the plans for the ongoing acquisition.
GAO-18-93, Aug 2, 2018
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Commerce
Status: Open
Comments: The agency agreed with the recommendation and, in October 2018, described a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Defense
Status: Open
Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.
Agency: Department of Education
Status: Open
Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.
Agency: Department of Energy
Status: Open
Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.
Agency: Department of Health and Human Services
Status: Open
Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.
Agency: Department of Homeland Security
Status: Open
Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.
Agency: Department of the Interior
Status: Open
Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Labor
Status: Open
Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.
Agency: Department of State
Status: Open
Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.
Agency: Department of Transportation
Status: Open
Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage its technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Environmental Protection Agency
Status: Open
Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: National Science Foundation
Status: Open
Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agency's policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.
Agency: Office of Personnel Management
Status: Open
Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan, revised in 2019, addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-18-298, Jun 28, 2018
Phone: (202) 512-9286
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report, dated June 24, 2019. The report demonstrated that IRS, in response to our recommendation, had ensured that the operational analysis for IMF fully addressed greater utilization of technology or consolidation of investments to better meet organizational goals. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code. In order to close the recommendation, IRS needs to update the operational analysis to reflect its progress modernizing IMF.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for TSS, it did not identify the metrics used to determine whether TSS supported customer processes or delivered the goods and services that it is intended to deliver. To close this recommendation, IRS will need to provide the detailed operational analysis for TSS incorporating these metrics. As of December 2019, IRS has not provided the full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided GAO its fiscal year (FY) 2018 Operational Analysis Results report. While the report included a summary of the FY 2018 operational analysis for the Telecommunications Systems and Support (TSS) investment, including planned and actual cost figures for FY2018, the report did not indicate whether the planned cost figure for FY2018 accounted for reimbursable costs and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for TSS, as well as documentation showing whether reimbursable costs and user fees are included in the planned cost figure. As of December 2019, IRS has not provided a full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for the End User Systems and Services (EUSS) investment, including planned and actual cost figures for FY2018, it did not specify whether the planned cost figure accounted for multi-year funding and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for EUSS, as well as documentation showing whether multi-year funding and user fees are included in the planned cost figure. As of December 2019, IRS has not provided the full EUSS operational analysis to GAO. Upon receiving it, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019. While the plan addressed most of the activities associated with the preparing for risk management key practice, it did not identify risk constraints, risk assumptions, or risk tolerance for the MSSS investment. Upon receiving further information, we will review it to determine if IRS has fully addressed this recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has implemented the activities associated with the Analyze Risk key practice. Specifically, while the plan describes a risk analysis process in which risks are classified as high, medium, or low risk, neither the plan nor any of the other documents describes criteria for evaluating and quantifying risk likelihood and severity (impact) levels. Additionally, the Risk Management Plan does not indicate whether analysis of MSSS risks includes both inherent and residual risks. Upon receiving additional information indicating that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has established threshold values for MSSS risk categories or alternative courses of action for critical risks. Upon receiving additional information indicating that it has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframes and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has fully implemented all of the activities associated with the monitoring, reporting, and controlling key practice. Specifically, our review of the documents shows that IRS has not established threshold values for MSSS risk categories, and as a result is unable to compare the status of risks to acceptability thresholds to determine the need for implementing a risk mitigation plan. In addition, although the MSSS Risk Management Plan was updated in October 2019, its previous revision occurred in October 2017, indicating that IRS has not yet reviewed all aspects of the risk management program at least once a year. Upon receiving additional information that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of December 2019, IRS has not provided any updates indicating whether it has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
GAO-18-326, May 24, 2018
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: In January 2020, the Under Secretary of Defense for Acquisition and Sustainment issued an updated instruction on defense business systems requirements and acquisition, which included guidance on establishing baseline cost and schedule estimates and considering progress against the baselines at key decision points. However, the instruction does not make a distinction between initial and current baselines. Further, it did not include thresholds for cost and schedule variances or specify periodic reporting of program performance information to stakeholders. According to an official in the office of the Under Secretary of Defense for Acquisition and Sustainment, the office does not intend to add the elements of the recommendation related to thresholds and reporting. Specifically, according to the official, the office considers specifying predetermined threshold cost and schedule estimates and frequency for status reporting to be matters for implementation guidance issued by department components or determined by a program decision authority. However, until the department demonstrates that it has fully addressed the recommendation, it is limited in its ability to ensure that effective system acquisition management controls are implemented for each major business system investment and that stakeholders have the information needed to make informed decisions for managing and overseeing these investments. We will continue to monitor the department's implementation of the recommendation.
Agency: Department of Defense
Status: Open
Comments: As of November 2019, the Department of Defense had made progress addressing the intent of the recommendation related to requirements management; however, it needs to do more to improve DHMSM program risk management. Specifically, in March 2019, the DHMSM program manager approved a requirements management plan, which includes identifying and documenting changes that should be made to plans and work products resulting from changes to the baseline requirements. Specifically, it includes forward and backward configuration and change management of the baselined requirements and managing traceability of requirements to design artifacts, test cases, defects, and change requests. However, the program has not demonstrated that it quantifies costs and benefits of risk mitigation in its risk mitigation plans. Specifically, it did not demonstrate that it had updated its guidance to require that costs and benefits of risk mitigation plans be included in these plans. We will continue to monitor the department's efforts to implement the recommendation.
GAO-18-337, May 22, 2018
Phone: (202) 512-4456
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA did not concur with this recommendation. As of October 2019, the agency reported that the Office of the Chief Information Officer was beginning its involvement with the agency's Mission Support Architecture Program which aims at re-aligning mission support functions from a decentralized model to an enterprise model. The office's participation in the re-alignment effort has an estimated completion date in fiscal year 2023.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In February 2020, NASA reported that the agency remained committed to taking action to address this recommendation and reported that the Office of the Chief Information Officer had established a process to govern IT investment funds and had planned additional modifications for that framework. The agency now expects to complete actions to address this recommendation by November 2020.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. Among other things, the guidance described criteria for the portfolio and defined policies and procedures for creating the portfolio. As of April 2020, the agency had not yet provided evidence that it had developed policies and procedures for evaluating the portfolio. We plan to continue following up on the status of efforts to address this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. As of September 2020, NASA reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by 2021.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. As of September 2020, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be completed by 2021.
GAO-18-254, Mar 22, 2018
Phone: (202) 512-8678
including 2 priority recommendations
Agency: Consumer Financial Protection Bureau
Status: Open
Comments: In a May 2018 letter, the Acting Director of the Bureau stated that the Bureau has previously issued principles that include reasonable and practical means for consumers to dispute and resolve instances of unauthorized payments conducted in connection with or as a result of authorized or unauthorized data sharing access. The letter notes that the Bureau is committed to monitoring developments in data aggregation markets and will continue to assess how the Bureau's consumer protection principles may be best realized, including engaging in discussions with other relevant federal and state financial regulators. In October 2018, Bureau staff advised us that they made a presentation on existing consumer protections that would appear to be applicable to consumers using data aggregators at the June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, and the National Credit Union Administration. They noted they are monitoring private sector efforts related to resolving data aggregation issues and that additional discussions among the regulators about these issues will be held in the future. We will recontact the agency in the future to obtain information on additional actions it has taken. In January 2020, GAO met with CFPB to discuss the recommendation and potential outcomes that could close the recommendation. CFPB officials stated that they will be hosting a public forum on data aggregation in February 2020. They noted that results from the public forum could include action related to the data aggregation recommendation.
Agency: Federal Reserve System: Board of Governors
Status: Open
Priority recommendation
Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of working together to determine how best to encourage socially beneficial innovation in the marketplace, while ensuring that consumers' interests are protected. The letter noted that the Federal Reserve staff have been meeting with other regulators and industry participants. The Chair states that the Federal Reserve will continue to facilitate and engage in collaborative discussions with other relevant financial regulators in these and other settings to help market participants address the important issues surrounding reimbursement for consumers who use financial account aggregators and experience unauthorized transactions. In October 2018, Federal Reserve staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau. They noted that they are monitoring private sector efforts related to resolving data aggregation issues and expect to hold additional discussions among the regulators about these issues in the future. In March 2019, the agency noted that it continues to collaborate on this issue. As of February 2020, the agency had no further updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.
Agency: Federal Deposit Insurance Corporation
Status: Open
Priority recommendation
Comments: In November 2018, FDIC staff confirmed that they have engaged in collaborative discussions with other relevant financial regulators regarding issues related to consumers' use of account aggregation services and associated liability issues. We followed up in April 2019 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation.
Agency: National Credit Union Administration
Status: Open
Comments: In July 2018, NCUA staff indicated that staff from their agency had recently participated in a discussion forum with other federal regulators and other stakeholders on fintech, and, in particular, account aggregation challenges. They stated that they intend to continue to engage other regulators and related industry stakeholders on fintech topics and emerging technology that can have an impact on credit unions and their consumers. In October 2018, NCUA staff advised us that they have been discussing issues related to data aggregation at meetings of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. In November 2019, NCUA staff said that the agency continues to participate in meetings through the Fintech Interagency Discussion Group and had taken part in a Data Symposium held by the San Francisco Federal Reserve. We plan to follow up with NCUA staff to obtain updates on these efforts and resulting outcomes in the future.
Agency: Department of the Treasury: Office of the Comptroller of the Currency
Status: Open
Comments: In a May 2018 letter, OCC noted that its staff have met with the other banking regulators and with market participants about account aggregation issues in the past. In October 2018, OCC staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. We followed up in January 2020 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation. We plan to follow up with OCC staff to obtain updates on these efforts in the future.
Agency: National Credit Union Administration
Status: Open
Comments: NCUA officials told us that in August 2018 the agency established a working group to formally evaluate the feasibility of establishing a dedicated work unit to oversee and lead fintech and innovation efforts, including creating a website and monitoring a dedicated e-mail account. NCUA officials indicated that as of November 2019 the working group was deliberating key considerations related to establishing a dedicated work unit. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of formally increasing its knowledge base related to financial innovation. The letter noted that the Federal Reserve has recently organized two nationwide teams of experts tasked with monitoring fintech and related emerging technology trends as they relate to its supervisory and payment system mandates, respectively. These new teams include representation from all of the Federal Reserve System's Reserve Banks and have leadership from Board staff. These teams' critical objectives include ensuring that fintech-related information is shared across the Federal Reserve System and is used to inform relevant supervisory, policy, and outreach strategies. As of February 2020, the agency had no updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.
Agency: Commodity Futures Trading Commission
Status: Open
Comments: We followed up in January 2020 and CFTC described its efforts to address this recommendation, which were encouraging. We are awaiting documentation of these efforts and when we confirm the agency's actions, we will provide updated information.
Agency: National Credit Union Administration
Status: Open
Comments: NCUA officials told us that, as of November 2019, the internal working group that the agency established in August 2018 was evaluating the feasibility and benefits of adopting certain knowledge-building initiatives related to financial innovation. Specifically, the working group was assessing initiatives such as stakeholder outreach, research and collaboration opportunities, grants and other technical assistance, and existing supervisory tools. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.
GAO-18-42, Jan 10, 2018
Phone: (202) 512-9286
Agency: Department of Agriculture
Status: Open
Comments: The agency concurred with our recommendation, and in June 2018, the USDA CIO delegated the review and approval of acquisition plans and strategies to the Capital Planning and Information Technology Governance Division (CPITGD) through the Associate CIO of the Information Resource Management Center. However, as of June 2020, the agency had not provided evidence to demonstrate that these reviews and approvals are taking place as required by OMB's guidance. We will continue to monitor the implementation of this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that the CIO and the Senior Procurement Executive will issue a memo to their acquisition and CIO member offices clarifying the offices' joint responsibilities to ensure that all IT acquisitions are submitted to the CIO for review and approval. The memo is also to provide guidance on the process by which the CIO will review proposed contract actions. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that it intended to clarify its policies and procedures to comply with OMB rules, including the IT acquisition checklist, which must be completed for every proposed contract action. In addition, the CIO and Senior Procurement Executive will work together to review existing acquisition plan review and approval processes. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The agency agreed with our recommendation and in an April 2018 update stated that HHS has a policy for the HHS IT acquisition review process for acquisition strategies. However, as of February 21, 2020, the agency had not provided evidence that the CIO (or designee) was reviewing and approving IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.
Agency: Department of State
Status: Open
Comments: The agency agreed with our recommendation, and in a December 2019 update provided information on the agency's CPIC process and a template for IT acquisition strategies. However, it is not clear whether the CIO is reviewing and approving IT acquisition plans through the CPIC process, and the template does not provide a place for the CIO review and approval. In addition, we have requested evidence of CIO approval of selected IT acquisitions. We will continue to monitor the implementation of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The agency did not state whether it agreed or disagreed with the recommendation. In March 2019, Treasury issued a memo that requires the CIO to review and approve IT acquisition plans for acquisitions with a total value of $68 million or more, or for actions with a period of performance longer than 5 years. The review and approval of all other IT acquisition plans are delegated to the component CIOs or Chief Technology Officers. However, the agency had not yet provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The agency concurred with the recommendation. In October 2019, Transportation issued guidance requiring the CIO or designee to review and approve all IT acquisition plans. We have requested that the agency provide us evidence of CIO-approved IT acquisition plans. The agency stated that it planned to respond by May 15, 2020. We will continue to monitor the implementation of this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The agency concurred with the recommendation. In November 2019, VA issued guidance that requires the CIO, in conjunction with the Chief Acquisition Officer, to review and approve all IT acquisition strategies and plans. Specifically, the CIO is to review and approve IT acquisitions valued at $15 million or more. The CIO has delegated the review and approval of IT acquisitions less than $15 million to other designees, based on the value of the contract. However, the agency had not provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The agency concurred with the recommendation, and in September 2017, NASA's CIO delegated the review and approval authority of IT acquisitions to the Center CIOs. We have requested evidence of CIO-approved IT acquisitions. We will continue to monitor the implementation of this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The agency concurred with the recommendation and in an April 2020 update stated that OPM has contracted with a third-party vendor to evaluate the OPM IT human capital, architecture, and governance processes from planning to acquisition to implementation. The agency further stated that it is working to fully implement an IT governance process where the OPM CIO fully reviews and approves IT acquisition plans and processes. We will continue to monitor the implementation of this recommendation.
GAO-18-51, Nov 21, 2017
Phone: (202) 512-9286
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: OMB has not taken actions to address this recommendation, stating that the Federal CIO is not typically involved with overseeing individual IT programs. However, we continue to believe it is important for OMB to take this action, as the results of past CIO-led reviews of troubled programs show that CIO oversight can have significant positive results, including producing significant savings. In December 2019, OMB stated that it had no ongoing or planned action to address the recommendation, noting that the recommendation represents a "fundamental disagreement" between OMB and GAO on the role of the Federal CIO in overseeing programs.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.
GAO-18-148, Nov 7, 2017
Phone: (202) 512-9286
Agency: Department of Agriculture
Status: Open
Comments: In September 2019, a Department of Agriculture official stated that the department was working to establish a policy to include the information noted in our recommendation and planned to finalize a policy by the end of December 2019. We will continue to monitor the department's progress on these efforts.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) has taken action, and stated that it would draft a policy to address our recommendation. In November 2019, a VA official stated that the department is working to address our recommendation but did not identify timeframes for when all activities would be completed. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) concurred with our recommendation and stated that it planned to develop a policy to implement this recommendation and other FITARA issues. Specifically, EPA officials reported in July 2019 that the agency was continuing to work to address the recommendation but did not provide a time frame for when a policy would be finalized. We will continue to monitor EPA's progress on these efforts.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and reported that the agency was in the process of addressing it. Specifically, NASA officials reported in June 2020 that its guidance is currently being updated to include the information noted in our recommendation and will be finalized by September 2020. We will continue to monitor NASA's progress on these efforts.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with our recommendation and stated that it would update its policies and processes to include the elements we recommended. Specifically, OPM officials reported in November 2019 that guidance on CIO certification was being developed but the agency had not yet determined a time frame for finalizing the policy. We will continue to monitor OPM's progress on these efforts.
GAO-17-377, Sep 6, 2017
Phone: (202) 512-6304
including 1 priority recommendation
Agency: Department of Health and Human Services
Status: Open
Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS operating divisions. However, as of January 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Further, HHS has not provided us with a plan of action describing how it would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make the progress needed to establish an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019.
Agency: Department of Health and Human Services
Status: Open
Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS operating divisions. However, as of February 2020, agency officials have not indicated whether or not they concur with the recommendation, nor have they taken any action or provided a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make progress toward establishing an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and in the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In HHS's Public Health and Social Services Emergency Fund's fiscal year 2021 budget justification, which includes the Office of the Assistant Secretary for Preparedness and Response, the agency stated it "concurred" with this recommendation. However, as of February 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Until then, HHS may continue to lack the progress needed to establish an electronic public health situational awareness network capability mandated by PAHPRA. To address this recommendation, HHS needs to direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance.
GAO-17-267, Aug 17, 2017
Phone: (202) 512-9286
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the Grants and Member Management (GMM) system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a commercial off-the-shelf (COTS) application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet defined requirements for the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the GMM system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a COTS application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet established a project schedule for completing the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the GMM system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a COTS application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet established a timeframe to define test plans for the selected solution for the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
GAO-17-258, Aug 15, 2017
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: HHS did not concur with our recommendation and stated that it had updated its requirement to request 2-year budget forecasts instead of 5-year budget forecasts. In its December 2017 statement of actions, HHS stated that it was working to streamline and simplify its data collection effort as part of the annual sustainability plan. In April 2018, HHS provided a revised 2-year budget forecast template as well as related state marketplace training documentation. As of April 2020, HHS had not provided further documented evidence of its streamlined process using the 2-year budget forecast template or justification that a 5-year budget is not necessary for assessing long-term financial sustainability and state marketplace sustainability risks.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS concurred with our recommendation and stated in its December 2017 update that it continued to provide technical assistance such as webinars and other trainings on independent financial and programmatic audit submission requirements. In April 2018, HHS provided evidence that it had taken some steps to ensure that state-based marketplaces provide required annual financial audit reports, including draft financial audit procedures, documentation of related training provided to states, and a revised HHS state officer annual review checklist emphasizing financial audit reporting. However, as of April 2020, the department had not provided evidence of finalized procedures, examples of checklist usage, or of states providing annual financial audit reports. Further, HHS training documentation stated that state-based marketplaces could provide alternate financial audit reports, such as a state-wide financial audit report, in lieu of a marketplace-specific report. It is not clear from the provided evidence that the department has ensured that state-based marketplaces are in compliance with financial audit reporting requirements. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes further action.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS concurred with our recommendation and stated in its December 2017 update that it would refine its marketplace self-sustainability risk assessment process to provide greater insight into the state marketplace sustainability efforts and to identify areas where states may need assistance. In April 2018, HHS provided evidence that it had taken some steps to base its risk assessments on fully defined processes. CMS provided documentation of clearly defined and measurable terms used for state marketplace budget analysis. However, HHS did not provide evidence that these defined terms were incorporated into analyses or risk assessments. As of April 2020, CMS has not provided evidence that it took steps to develop a clear categorization process or a defined response to high risks. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that though each marketplace was accountable for managing and reporting its own IT metrics in accordance with federal and state law, HHS would work with states on the improvement of their management and operations through technical assistance and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS did not concur with our recommendation and stated that it conducted Open Enrollment Readiness Reviews to assess marketplace key performance indicators, which, according to CMS officials, are similar to operational analysis reviews. However, as of October 2018, HHS had not provided evidence that the Open Enrollment Readiness Reviews systematically and comprehensively reported on the key performance indicators or included discussion of other key elements identified in best practices for operational analysis reviews, such as how objectives could be better met or costs could be saved. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that states were responsible for monitoring their own performance measures but HHS would continue to review IT metrics of state marketplaces in the implementation phase of their systems through technical assistance activities and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.
GAO-17-448, Aug 15, 2017
Phone: (202) 512-9286
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: In June 2019, the Office of Management and Budget (OMB) issued an updated Data Center Optimization Initiative (DCOI) policy that encouraged federal agencies to implement automated monitoring tools at agency-owned data centers using more than 100 kilowatt hours of electricity. However, the updated policy did not require agencies to document a plan for implementing the tools as we recommended. As of January 2020, we have not received a further update from OMB and the recommended action has not yet been taken. We will continue to monitor the status of this recommendation.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce (Commerce) agreed with our recommendation and described planned actions to address it. Specifically, the department noted that, as part of its effort to consolidate, define, and establish a plan to deploy an enterprise-wide automated monitoring tool, it had identified two component agencies that would offer a data center infrastructure management tool as a service. The department added that this approach would allow it to monitor and report cost savings and avoidances more efficiently. In November 2019, Commerce reported that it had 73 agency-owned data centers that the department planned to keep open. However, of those 73, only seven had implemented the required advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 66 of its agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and described planned actions to implement it. Specifically, the department stated that it established plans to implement automated monitoring tools at its 78 department-owned tiered data centers and planned to evaluate whether its 68 department-owned non-tiered data centers should be consolidated or closed. In November 2017 correspondence to GAO, the department further stated that, for the non-tiered centers projected to remain open, it expected to complete plans for automated server utilization by September 30, 2019. In November 2019, Energy reported that it had 92 agency-owned data centers that the department planned to keep open, of which the Office of Management and Budget exempted three from optimization requirements. However, of the remaining 89 data centers, only 37 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 52 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and described planned actions to implement it. Specifically, the department stated that HHS would direct its operating and staff divisions to acquire and install automated monitoring tools in all agency-owned data centers by the close of fiscal year 2018. In November 2019, HHS reported that it had 35 agency-owned data centers that the department planned to keep open. Of those 35, 22 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 12 of its agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of the Interior
Status: Open
Comments: The Department of the Interior (Interior) partially concurred with our recommendation. Specifically, the department stated that it was committed to completing its plan on schedule, but that its ability to meet the Office of Management and Budget's (OMB) requirement to implement automated monitoring tools at all department-owned data centers by the end of fiscal year 2018 depended on many factors and variables, including the availability of funding and other resources. Nevertheless, in October 2017 correspondence to GAO, the department stated that it expected to complete planning for the deployment of automated monitoring in agency-owned data centers by September 30, 2018 and to complete implementation by December 31, 2023. The letter noted that Interior would prioritize implementation at major tiered data centers, with implementation at other data centers as budgets permitted. In November 2019, Interior reported that it had 55 agency-owned data centers that the department planned to keep open, one of which OMB exempted from optimization requirements. However, of the remaining 54 data centers, only 17 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 37 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) agreed with our recommendation and, in November 2017 correspondence to GAO, described planned actions to implement it. Specifically, the department stated that its Office of the Chief Information Officer would create a plan of action to address the multi-layer requirements applicable to the department. Transportation expected to develop a plan of action that addressed the Office of Management and Budget's August 2016 Data Center Optimization Initiative (DCOI) guidance memorandum. The department expected to implement its plan by September 30, 2018. In November 2019, Transportation reported that it had 17 agency-owned data centers that the department planned to keep open. However, of those 17 data centers, only one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 17 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In November 2019, the Department of the Treasury reported that it had 16 agency-owned data centers that the department planned to keep open. However, of those 16 data centers, only four had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 12 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with our recommendation, and in November 2017 correspondence to GAO, described completed and planned actions to address it. Specifically, the department stated that its Office of Information and Technology (OI&T) was developing a plan to fully comply with the Office of Management and Budget (OMB) requirements to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018. According to the department, OI&T had taken a series of actions such as determining a strategy to meet OMB reporting requirements and reviewing the existing automated tools in use at VA. As part of its planning effort, OI&T was analyzing its data centers, collecting data through a web-based portal and automated tools, and implementing change management processes to manage IT assets in VA data centers. According to the department, OI&T expected to complete a written comprehensive plan by November 30, 2017. In May 2018, VA indicated that it had engaged OMB in discussions regarding how to classify its data centers and that the comprehensive plan would be completed by October 2018. In November 2019, VA reported that it had 279 agency-owned data centers that the department planned to keep open, of which OMB exempted 67 from optimization requirements and another 204 were pending OMB review to determine whether they would also be exempt. However, of the remaining eight data centers, none had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining eight agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State agreed with our recommendation and described completed and planned actions to address it. Specifically, the department stated that it performed an analysis of tools, including shared services and commercial-off-the-shelf products. The department also stated that it was developing an acquisition strategy based on its research and planned to pursue a commercially available product. However, the department noted that budgetary constraints may delay the acquisition until fiscal year 2019 or later. In October 2019, staff from State's Office of the Chief Information Officer reported that 3,897 of the department's 4,137 servers (94.2 percent) had monitoring tools installed. In January 2020, the staff indicated that the department planned to continue installing tools as funds were available, with the goal of completing installation by the end of fiscal year 2020. We will continue to monitor the status of this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) described planned actions to address our recommendation. Specifically, the agency detailed plans to address OMB's requirements, such as leveraging EPA's current investment in a network monitoring tool and the intent to procure and deploy a data center infrastructure management tool by the end of fiscal year 2018. However, in December 2018, EPA determined it will leverage its current network monitoring tool for server utilization monitoring. The agency expects to have most data center servers monitored by the end of CY 2019. Once servers are monitored, the agency said that it will follow the most current OMB guidance to report required metrics. In November 2019, EPA reported that it had four agency-owned data centers that the agency planned to keep open. However, of those four data centers, one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the agency about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining three agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) stated that it partially concurred with our recommendation and described plans to address it. Specifically, the agency stated that it plans to consolidate its remaining data centers into two main locations by the end of fiscal year 2018. OPM further stated that this consolidation will obviate the need to implement automated monitoring tools at the data centers that are closing. Finally, the agency noted that it is implementing automated monitoring tools at the designated core data centers. In November 2019, OPM reported that it had two agency-owned data centers that the agency planned to keep open. However, of those two data centers, only one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the agency about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining agency-owned data center. We will continue to monitor the status of this recommendation.
GAO-17-384, Jun 21, 2017
Phone: (202) 512-9286
Agency: Department of Veterans Affairs
Status: Open
Comments: In its comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and documentation describing the proposed alignment and interdependencies between information technology (IT) governance boards. According to VA officials, as of September 2019, the department had continued to further evolve its IT governance framework, reworked the committee structure and related working groups that oversee IT investments, and refined the process for prioritizing investments. A draft IT Governance Policy that describes an updated governance structure intended to implement IT solutions and an agile workforce was to be implemented by March 2020. The department has yet to report on the status and results of this implementation. We will continue to monitor VA's actions to ensure that the implementation is consistent with planned actions.
Agency: Department of Veterans Affairs
Status: Open
Comments: In its comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation, including developing a set of metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that IT investments are aligned to business needs and that expected outcomes are defined prior to making the investments. According to department officials, VA issues a Joint Business Plan that identifies annual milestones associated with initiatives agreed upon by both VHA and OIT. As of September 2020, we are reviewing additional documentation related to the underlying processes that support the compilation of the plan and any related metrics for the associated investments that are to support VHA's mission. We will continue to monitor progress in this area.
Agency: Department of Veterans Affairs
Status: Open
Comments: In its comments on our report, VA concurred with our recommendation. The department described its intention to ensure that unmet IT needs for the pharmacy benefits management, scheduling, and community care program areas were addressed appropriately during fiscal year 2018 budget formulation. In March 2020, we met with officials from the Pharmacy Benefits Management program office, the Office of Veterans Access to Care, and the Community Care program to discuss the status of new service requests and the extent to which IT needs have been met since our report. While there was a slight decrease in the total number of new service requests that remained open for 5 years or more, officials from each office did not consistently report improvements in how IT needs were being addressed. For example, Pharmacy Benefits Management officials still waited for improvements that may come with the deployment of the new electronic health record system, but they continued to report that updates to industry standards should be addressed sooner and often IT needs did not make it through the prioritization process at the Veterans Health Administration to be considered by the Office of Information and Technology. Community Care officials reported a general improvement in the IT governance process and a more engaged relationship with the Office of Information Technology; however, the list of open new service requests still included long-term VistA-related enhancements, some of which had not yet been prioritized by the department. The Office of Veterans Care has not yet provided an updated list of open new service requests, but officials were satisfied with a new maintenance contract that allowed them to address a number of IT issues. We will continue to monitor the number of new service requests in each program area and the extent to which the IT needs are being met by the IT governance process.
GAO-17-179, Jun 14, 2017
Phone: (202) 512-6304
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation and in August 2017 stated that it had identified $4 million in fiscal year 2018 to establish a pharmacy graphical user interface. As of September 2020, VA was still in the process of implementing the pharmacy graphical user interface, which it estimated it would deploy in December 2020. We will continue to monitor the situation.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred in principle with our recommendation and in May 2018 awarded a contract to implement the same electronic health record system that is being deployed by DOD, which is intended to present VA clinicians with complete DOD data and the ability to perform order checks on DOD data. In parallel, the department is continuing and expanding the implementation of data standardization. According to the department's September 2020 update, the agency had updated its pharmacy system to improve data standardization. However, the agency had not submitted sufficient documentation to close the recommendation. We will continue to monitor the situation.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation and in May 2017 stated that the health executive committee would complete an assessment to determine the extent to which interoperability with DOD's pharmacy system is impacting transitioning service members. In October 2017, VA conducted an assessment; however, it was limited to one part of its system, the Joint Legacy Viewer (JLV), and read-only data. In September 2020, the agency provided a written response to supplement its October 2017 assessment with additional data regarding the potential impact of failures of its system to exchange pharmacy and allergy data with DOD. However, VA had not submitted sufficient documentation to close the recommendation. We will continue to monitor the situation.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation and in August 2017 stated that it will review its plan for e-prescribing functionality after it has signed a contract to adopt the electronic health record system that is being deployed by DOD. Although VA awarded the contract for the new electronic health record system in May 2018, VA had not submitted sufficient documentation to close the recommendation as of September 2020. We will continue to monitor the situation.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation and in August 2017 stated that it had entered into contract negotiations to acquire and deploy a level 3 electronic health record system that is expected to address pharmacy functions. As of September 2020, the agency had not submitted sufficient documentation to close the recommendation. We will update the status of this recommendation when VA provides documentation of its evaluation of alternatives to us.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation and in August 2017 stated that it will reassess the prioritization of medication inventory management after a contract for adoption of the electronic health record system is signed. As of September 2020, VA had not submitted sufficient documentation to close the recommendation. We will continue to monitor the situation.
GAO-17-284, May 18, 2017
Phone: (202) 512-4456
Agency: Department of Homeland Security
Status: Open
Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.
Agency: Department of Homeland Security
Status: Open
Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.
GAO-17-305, Mar 15, 2017
Phone: (202) 512-7114
Agency: Department of Health and Human Services
Status: Open
Comments: As of May 2019, ONC is collecting and evaluating information from national surveys, program data, and third-party data sources. As ONC works to implement its evaluations, it should identify how evidence collected from national surveys, program data and third-party data sources has been used to assess the outcomes of key efforts and adjust programs accordingly.
GAO-17-281, Feb 7, 2017
Phone: (202) 512-6304
Agency: Department of Housing and Urban Development
Status: Open
Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intended to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. In March 2019, HUD reported that, with contractor assistance, the department had begun to develop a standard methodology for investment lifecycle cost estimation; however, the methodology had not been fully institutionalized across all investments, and a policy for cost estimation had not been developed. Lacking an updated IT Management Framework and cost estimation policy, OCIO took additional interim action in the most recent budget cycle to reduce cost estimation risk by having the Chief Technology Officer standardize the cost estimates for IT investments. HUD continues to take action intended to address this recommendation; however, OCIO has not yet finalized a cost estimation methodology or the associated policy for IT investments or established a timeframe for implementing cost estimation practices departmentwide.
GAO-17-8, Nov 30, 2016
Phone: (202) 512-9286
including 3 priority recommendations
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, minimally or partially implemented four activities, and not implemented the remaining three activities. In July 2020, the department provided a summary of actions it claimed it had taken to close the recommendation. The department also provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the Department of Defense's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activities to develop competency and staffing requirements and assess competency and staffing needs regularly, substantially implemented four other activities, and partially implemented the remaining two activities. We will continue to monitor the department's efforts to address our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The department agreed with our recommendation and identified plans for (1) collecting and analyzing additional workforce data and (2) conducting targeted recruitment, staff planning, career development, and training. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, partially implemented three other activities, and either minimally or not implemented the remaining four activities. We will continue to monitor the department's efforts to address our recommendation.
Agency: Department of Transportation
Status: Open
Priority recommendation
Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Information Officer and Office of Human Resource Management had established a workgroup to lead and conduct workforce planning activities, and had defined the strategic goals and objectives for the department's IT workforce. The department also stated that the workgroup was planning on subsequently completing additional activities, including completing a workforce analysis with a competency gap assessment, by the end of calendar year 2020, and developing strategies to address any identified gaps by the end of 2021. We will continue to monitor the department's efforts to implement our recommendation.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The department agreed with our recommendation and identified planned and ongoing efforts to address it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that it had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Human Capital Officer and Office of the Chief Information Officer would be presenting a decision paper to the Human Capital Advisory Council that month to request approval and resources to complete an IT Competency Framework, conduct a competency assessment, and conduct a department-wide workforce planning study for the 2210 (IT management) occupation. We will continue to monitor the department's efforts to implement our recommendation.
GAO-16-511, Sep 29, 2016
Phone: (202) 512-9286
Agency: Department of Commerce
Status: Open
Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019 we followed up with Commerce on the status of their efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.
Agency: Department of Energy
Status: Open
Comments: We reported that the Department of Energy partially met the following three software application inventory practices: (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.
Agency: Department of Housing and Urban Development
Status: Open
Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices: (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.
Agency: Social Security Administration
Status: Open
Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.
Agency: Department of Labor
Status: Open
Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.
Agency: Department of the Treasury
Status: Open
Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.
Agency: Department of State
Status: Open
Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.
Agency: Office of Personnel Management
Status: Open
Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process, that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.
Agency: Department of Homeland Security
Status: Open
Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.
Agency: Department of Labor
Status: Open
Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, is rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow up with the department to obtain documentation of its efforts to address the recommendation.
GAO-16-771, Aug 26, 2016
Phone: (202) 512-6244
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with the recommendation but has not yet provided sufficient evidence that it had implemented the recommendation. In particular, as of August 2020, the HHS Office for Civil Rights (OCR) has not yet reviewed the feasibility of performance measures as part of its audit program, and plans to do so only after implementing a future redesign of its audit program. We will continue to monitor HHS actions in response to this recommendation.
GAO-16-469, Aug 16, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and has taken steps to establish a department policy and process for the certification of major IT investments' use of incremental development. Specifically, in September 2020, HHS officials reported that they have established a draft policy and anticipate publishing the finalized guidance by March 2021. We will continue to evaluate HHS's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In September 2020, an official from the Department of the Treasury (Treasury) reported that the department had developed draft guidance to address our recommendation, but did not provide time frames for when the guidance would be finalized. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.
GAO-16-602, Aug 15, 2016
Phone: (202) 512-9286
Agency: General Services Administration
Status: Open
Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, in a March 2020 written response, GSA stated that Technology Transformation Service (TTS) leadership will be briefed on the program's performance measures on a quarterly basis. We are following up with GSA to confirm that its TTS leadership has been briefed on the results of these performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. In May 2018, a USDS staff member stated that USDS established goals for and measured performance on each of the projects the program supports in its fall 2017 report to Congress. Although measuring performance on projects can provide USDS with valuable information, this effort does not address goals and performance measurement on the overall USDS program. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common platforms, services, and tools. In May 2018, a USDS staff member stated that USDS established goals for and measured performance on each of the projects the program supports in its fall 2017 report to Congress. As of July 2019, USDS has not publicly released any subsequent reports to Congress or additional information on its goals and performance measures. Although measuring performance on projects can provide USDS with valuable information, this effort does not address performance measurement on the overall USDS program. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. In May 2018, a USDS staff member stated that the program updated digital service team charters to address the role of agency CIOs. As of May 2020, USDS has yet to provide us with the updated digital service team charters. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.
GAO-16-593, Jul 14, 2016
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) was responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks (JRSS), and developed a cost estimate for another component, the Enterprise Collaboration and Productivity Services (ECAPS) program. The ECAPS cost estimate was substantially consistent with the practices described in the report. However, the JRSS cost estimate was not developed consistent with the best practices described in the report. Specifically, the department did not demonstrate that the cost estimate was well documented, comprehensive, accurate, and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps in the JRSS cost estimate; however, as of July 2019, DOD had not provided the documentation. The officials also stated that planning for JIE components other than JRSS and ECAPS had not begun; therefore, there were no other JIE component cost estimates. We will continue to monitor the department's efforts to implement this recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network part of the Joint Regional Security Stacks (JRSS) component; however, the schedule was not consistent with the practices described in our report. In addition, in May 2019, officials in the Office of the DOD CIO stated that another JIE initiative, the Enterprise Collaboration and Productivity Services program, had an approved baseline schedule. However, as of July 2019, DOD had not provided the schedule.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS; however, the schedule was not consistent with the practices described in our report. In May 2019, officials in the Office of the DOD CIO said that the JRSS schedule had not been re-baselined and the department had not developed a schedule management plan. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation and has taken steps to implement it; however, more needs to be done. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has developed an inventory of cybersecurity knowledge and skills of existing staff. Specifically, we reported in our June 2018 report Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466) that the department had developed an assessment that included the percentage of cybersecurity personnel holding certifications and the level of preparedness of personnel without existing credentials to take certification exams. In August 2018, the office of the DOD CIO stated that the department planned to identify work roles of critical need and establish gap assessment and mitigation strategies by April 2019. However, as of July 2019, the department had not provided an update on the status of its efforts to address the recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, as of August 2018, it has not provided evidence that it has addressed it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In May 2019, the office of the DOD CIO stated that it had developed a schedule to complete JIE security assessments. However, as of July 2019, the office had not provided the schedule or demonstrated that it has a strategy for conducting JIE security assessments that includes the rest of the elements of our recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, in April 2017, the JRSS program office documented the methodology, ground rules and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. However, the cost estimate documentation was not sufficient to address our recommendation. Specifically, it did not demonstrate that the cost estimate was well documented, comprehensive, accurate and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps. However, as of July 2019, DOD had not provided the documentation.
GAO-16-545, Jun 29, 2016
Phone: (202) 512-9286
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS provided GAO a slide deck titled "Prioritization Process for the Business Systems Modernization (BSM) Program/Projects" which describes a process for prioritizing BSM investments and capabilities within the investments. However, the slides were labeled "pre-decisional." In addition, they did not include specific procedures for prioritizing investments. In April 2020, IRS informed us that it had moved its target for fully implementing the recommendation to November 2020. We will continue to monitor IRS's efforts to implement the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In May 2018, IRS told GAO it had implemented the recommendation. As supporting evidence, the agency provided an April 2018 update to its Investment Performance Tool user guide along with briefing slides specifying actions taken to modify its processes to measure work performed by IRS staff. We reviewed the evidence provided and determined that it was not sufficient to close the recommendation as implemented. Specifically, while the Investment Performance Tool user guide included updated procedures for measuring work performed by IRS staff which aligned with best practices, it did not clearly state that earned value (or work performed) during an iteration should always be based on the percentage of planned features or user stories that were completed for that iteration. In addition, IRS did not provide evidence that it had used its updated procedures for the Return Review Program investment. We followed up with IRS to obtain this documentation. The agency subsequently provided the requested documentation to us and, as of July 2020, we were reviewing it to determine the extent to which it addresses the recommendation.
GAO-16-494, Jun 2, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. HHS submitted a draft version of this methodology in June 2018. Upon reviewing this documentation, however, we did not see evidence that the department was factoring active risks into its CIO ratings. In May 2019, HHS officials stated that they planned to update their CIO rating methodology to focus on active risk; however, department documentation from August 2020 stated that the new CIO rating methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that the department was amending its CIO rating review process to ensure that active risks are factored into its IT Dashboard CIO ratings. In August 2020, VA submitted documentation for this new process; however, this documentation did not state how the department incorporates active risks into its investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State (State) agreed with the recommendation, and, in an October 2017 response, stated that it currently evaluates risk as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. HHS submitted a draft version of this methodology in June 2018. While this documentation showed that HHS factored investment qualities related to overall project riskiness, it did not specify that active investment risks were also being factored as part of the evaluation. Without an additional focus on active risk, this methodology is unlikely to ensure that HHS's CIO ratings reflect the level of risk facing an investment. In May 2019, HHS officials stated that they planned to update their CIO rating methodology; however, per HHS documentation dated August 2020, this new methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that it will ensure that CIO ratings reflect the level of risk facing its investments. In August 2020, VA submitted documentation for an updated CIO ratings process; however, this process documentation did not state how the department incorporates active risks into its investments' CIO ratings. Without a consideration of active risks, VA's CIO rating process may not produce ratings that reflect the level of risk facing VA's investments. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State (State) agreed with the recommendation and has provided information on how investment risk is evaluated as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.
GAO-16-468, May 25, 2016
Phone: (202) 512-9286
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation. However, in July 2020, OMB stated that the implementation of this recommendation would be counter to the Administration's focus of prioritizing modernization activities specifically for High Value Assets and, as a result, it does not intend to implement this recommendation. We disagree and believe that identifying and publishing a specific goal aimed at reducing non-provisioned spending (i.e., spending associated with systems that are not cloud or shared service-based) aligns with the Administration's Cloud Smart strategy to accelerate agency adoption of cloud-based solutions. We will continue to monitor the implementation of this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation. In July 2020, OMB stated that agencies were directed to manage the risk to High Value Assets associated with legacy systems in OMB's December 2018 guidance. While OMB's guidance does direct agencies to identify, report, assess, and remediate issues associated with High Value Assets, it does not require agencies to do so for all legacy systems. We will continue to monitor the implementation of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to ensure that operational analyses are performed on investments in the operations and maintenance phase. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The agency agreed with the recommendation. In May 2019, the agency stated that it had conducted an assessment of its legacy system environment and identified 106 legacy IT assets across 18 components. In a March 2020 update, the agency stated that it is in the process of developing a policy to govern all legacy systems, to include modernization and decommissioning plans. The agency plans to publish this policy by March 2021. We will continue to monitor the implementation of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to modernize the IRS's legacy systems. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
GAO-16-325, Apr 7, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and reported that the department was in the process of addressing it. Specifically, an HHS official reported in August 2020 that the department had created a team to address cloud computing best practices and intended to finalize guidance on SLA key practices by June 2021. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In August 2020, an official from the Department of the Treasury (Treasury) reported that the department was in the process of addressing the recommendation. Specifically, a Treasury official reported that the department's Office of the Chief Information Officer was working with the Treasury Senior Procurement Executive to incorporate the key practices identified in our report into Treasury acquisition policy, which was expected to be completed by January 2021. We will continue to monitor the status of this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and reported that the department was in the process of addressing it. In August 2020, a VA official reported that the department's Office of Information Technology was working to re-write existing SLA documentation following a review from the Office of Inspector General but did not provide a date when the guidance would be finalized. We will continue to monitor the status of this recommendation.
GAO-16-336, Mar 30, 2016
Phone: (202) 512-4456
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: DOD concurred with this recommendation and stated in March 2016 that the Navy had corrected the data query issue that caused 11 requirements to be eliminated from the traceability matrix we reviewed. DOD also stated that the Navy had identified the weakness in the traceability process that led to 14 general requirements not being fully traced. However, as of June 2020, DOD had not provided us with documentation that supports that it identified the weakness in the requirements traceability process. It also had not demonstrated that the program office has updated its requirements management guidance to address the weakness it identified.
GAO-16-182, Dec 17, 2015
Phone: (202) 512-6304
Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open
Comments: According to agency officials, FDA's CIO met with the FDA Commissioner in 2016 where the updated IT strategic plan was reviewed and approved. The Commissioner identified key IT initiatives to be implemented within FY2017 and incorporated them into the CIO's performance management appraisal program. According to officials, the Commissioner requires the CIO to implement a plan to ensure that expected outcomes of the agency's key IT initiatives are achieved. Although FDA provided us with an Excel spreadsheet that identifies IT initiatives at the agency's weekly FDA project meeting, we requested additional documentation regarding the plan the CIO is required to implement to ensure that expected outcomes of the agency's key IT initiatives are fulfilled. We contacted FDA in September and December 2019 and January 2020 to obtain additional information on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.
GAO-16-79, Nov 19, 2015
Phone: (202) 512-6244
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury, as the sector-specific agency for the financial services sector, continues to develop initiatives intended to enhance the sector's cybersecurity. In 2016, Treasury developed and promulgated a set of seven fundamental elements or critical building blocks for sector stakeholders' cybersecurity, disseminated a template for financial sector cyber exercises, and promoted the NIST Cybersecurity Framework throughout the sector. However, they have not provided evidence of metrics implemented, and the 2015 sector-specific plan does not include specific metrics to track and report on their effectiveness. We will continue to monitor Treasury's efforts to create specific metrics and related reports on the sector's cybersecurity progress.
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture (USDA), as the co-sector specific agency for the food and agriculture sector, with the Department of Health and Human Services (HHS) continues to implement cybersecurity-related activities for the sector. In particular, USDA, through the sector coordination council, routinely shares best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, USDA has hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As USDA and HHS continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS), as the co-sector specific agency for the food and agriculture sector, with the Department of Agriculture (USDA) continues to implement cybersecurity-related activities for the sector. In particular, through the sector coordination council, they routinely share best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, they have hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As HHS and USDA continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) continues to develop and implement activities in support of the water and wastewater sector's cybersecurity such as a cyber-attack risk assessment tool and cybersecurity training for sector partners. The 2015 water and wastewater sector-specific plan calls for assessing performance and reporting on sector cybersecurity progress; however, the plan does not state specific measures. In 2017, agency officials stated that the development of performance metrics in collaboration with sector partners was underway; however, EPA has not provided evidence of the metrics or any tracking effort. As EPA continues to carry out its sector-specific agency role, we will continue to monitor its efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.
GAO-15-617, Sep 15, 2015
Phone: (202) 512-9286
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture agreed with our recommendation and has taken initial steps to implement it. Specifically, as of May 2020, the department's integrated data collection submission to the Office of Management and Budget included reinvestment plans for 37 of 68 reported cost savings and avoidance initiatives. However, the department reported about $122.8 million in cost savings and avoidances in the 31 initiatives that did not include plans regarding how these savings would be reinvested. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The Department of Housing and Urban Development agreed with, and has taken initial steps to implement, our recommendation. Specifically, as of May 2020, the department's integrated data collection submission included reinvestment plans for one of the eight cost savings and avoidance initiatives reported. However, the seven remaining initiatives, with savings and avoidances totaling approximately $6.3 million, did not include reinvestment plans. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2020, the department had not yet updated its Information Resources Management (IRM) Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. In addition, in an April 2020 e-mail, the department's GAO liaison stated that Treasury had not yet updated its IRM strategic plan, but might have other, more current, strategic documents that described its reinvestment plans. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2020, the department's quarterly integrated data collection submission to the Office of Management and Budget did not include reinvestment plans for 15 of the 27 reported cost savings and avoidance initiatives. For example, the department reported about $100 million in cost avoidances from its data center consolidation and optimization initiatives, but did not provide information regarding how it plans to reinvest these avoidances. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs agreed with, and took initial steps to implement, our recommendation. Specifically, in November 2015, the department's Chief of Staff stated that the Office of Information and Technology was working to establish an office to closely monitor program performance, delivery, cost, schedule, return on investment, and total cost of ownership, which will enable reinvestment opportunities. However, as of May 2020, the department's quarterly integrated data collection submission to the Office of Management and Budget did not include reinvestment plans for five of the 10 reported cost savings and avoidance initiatives. For example, the department reported about $229 million in cost avoidances associated with renegotiating an enterprise license agreement with Microsoft, but did not provide information regarding how it plans to reinvest these avoidances. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2020, the agency's quarterly integrated data collection submission to the Office of Management and Budget did not include reinvestment plans for any of the 12 reported cost savings and avoidance initiatives. For example, the agency reported about $34.0 million in cost savings and avoidances in 2019 related to data center, commodity IT, and software licensing initiatives, but did not provide information regarding how it plans to reinvest these savings and avoidances. The agency expects to provide an update in June 2020. We will continue to evaluate the agency's progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) agreed with our recommendation, but has not yet taken action to implement it. Specifically, in November 2015, OPM's Acting Director stated that information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) would be included in future updates to OPM's Strategic IT Plan. In August 2019, OPM's GAO liaison stated that the agency intended to update its Strategic IT Plan in fiscal year 2020 and intended to include reinvestment language as part of the update. However, as of May 2020, the agency had not yet updated its strategic plan to include this information. The agency expects to provide an update in June 2020. We will continue to evaluate OPM's progress in implementing this recommendation.
GAO-15-627, Jul 16, 2015
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: DOD has made progress implementing the recommendation. Specifically, in January 2017, the department issued a business enterprise architecture improvement plan. The plan was intended to address business enterprise architecture usability and deficiencies in information supporting the investment management process. As part of its planning efforts, the department identified opportunities to address the results of our survey. For example, according to the plan, our survey results were used to identify opportunities for improving management and integration of existing enterprise business processes and investments; assessing duplication early in the analysis phase and finding process and capability reuse across the department; and providing a federated business enterprise architecture information environment and capabilities to discover and exchange information from other sources. The plan included delivering three major capabilities. In October 2019, the office of the Chief Management Officer (CMO) demonstrated its new capabilities to GAO. Further, in October 2019, staff within the office of the CMO were working to move the capabilities to a government-approved host environment, although the office had not yet finalized its plan to do so. As of November 2019, the department had not yet deployed the capabilities.
GAO-15-315, Mar 31, 2015
Phone: (202) 512-6253
Agency: Library of Congress
Status: Open
Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.
Agency: Library of Congress
Status: Open
Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Office finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.
GAO-15-282, Feb 26, 2015
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: As of January 2020, DOD had made limited progress addressing our recommendation for business system programs; however, it had not addressed the recommendation for non-business system programs. Specifically, the department updated its instruction on business systems requirements and acquisition to include, among other things, guidance on establishing baselines against which to measure progress for developing needed business capability. However, the instruction did not explicitly require that a program baseline be established within 2 years. Specifically, according to the instruction, baselines may be established at the program level or at the release level (i.e., for a manageable subset of functionality in support of the business capability), within 2 years after programs have validated a business capability is needed and received approval to conduct solution analysis. If at the program level, the baseline is to be set prior to the development of the first release or deployment. If at the release level, the baseline is to be set prior to the development of each release or deployment. In January 2020, the department also issued interim policy for software-intensive systems. However, while the interim policy requires program managers to develop an acquisition strategy that includes delivering software within one year from the date funds are first obligated to acquire or develop new software capability, the interim policy does not require software-intensive system programs to establish a program baseline within 2 years.
GAO-15-193, Feb 12, 2015
Phone: (202) 512-9286
Agency: Congress
Status: Open
Comments: No legislative action had been identified as of December 2019. Addressing this action, which GAO suggested in February 2015, could increase coordination between various levels of government and reduce duplication of effort, resources, and costs associated with collecting and maintaining accurate address data.
GAO-15-56, Dec 10, 2014
Phone: (202) 512-6304
including 1 priority recommendation
Agency: Department of Housing and Urban Development
Status: Open
Comments: HUD has not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e., the Executive Operations Committee) that replaced the board discussed in our report. The department also provided evidence of the board's initial governance activities, including providing criteria to guide board decision-making in January 2017. However, the board has not continued to meet and act in accordance with its charter. In April 2019, HUD reported that it was updating its governance process and charters and stated an intent to ensure that executive-level decision making is clearly defined including when a decision needs to be made, at what level that decision needs to be made, what criteria should be used, and how that decision will be communicated. HUD has not yet provided evidence that the updated governance process and charter have been finalized and implemented.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The department has taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy. Since that time, the department has developed additional policies (e.g., IT risk management policy), revised policies for the IT management framework and Agile development, and reported that it reviewed OCIO's existing policies in September 2018. In October 2018, HUD provided a copy of the draft of the revisions to its IT Management Framework (dated February 2018) and OCIO reported plans to continue developing and maintaining IT policies for each of the framework's elements and to review policies for currency annually on the anniversary date of the policy. As of March 2019, HUD reported that a central repository had been developed to store, track and monitor policy reviews. GAO is seeking additional evidence from the newly implemented policy review process.
Agency: Department of Housing and Urban Development
Status: Open
Comments: HUD has provided information demonstrating that the department has addressed elements of this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. In May 2018, the department provided a demonstration of its HUD PLUS tool, including how it had used the tool to automate its selection process. The officials demonstrated how the tool is being used to review proposed projects. They reported that segment sponsors are responsible for validating data submitted but have not provided evidence that the department has developed guidance for that process. The officials demonstrated how the tool supports analysis of investment costs, schedule, and risk. They also demonstrated how the tool helps the Office of the Chief Information Officer compare investments based on cost and showed how decision makers access information and can perform analysis for all projects in the system. Department officials have not yet provided evidence that HUD has improved each of the areas noted in our recommendation. OCIO reported in April 2019 that it intends to: conduct the selection process on a more frequent basis and allow more time for annual budget considerations, improve performance metrics, and further incorporate cost-benefit analysis. OCIO also reported that it intends to better incorporate its management and oversight of the portfolio into a more formal "re-select" process. OCIO also reported that HUD was updating its governance policies to detail the criteria, data, and process used to select investments and targeting action to close this recommendation in 2019.
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: The department has taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the budget formulation process, along with copies of a template that it designed and used to help identify such savings. In May 2018, department officials provided a demonstration of the HUD PLUS tool, including screens staff could use to report cost savings and avoidances related to specific projects--although they reported that HUD was not yet using that functionality. In April 2019, OCIO reported that HUD was updating its governance process and charters to ensure that executive-level decision making will be clearly defined. OCIO also reported an intent to implement Technology Business Management to, among other things, improve and expand the tracking of investments. HUD expects these two efforts to facilitate better tracking of the savings and efficiencies resulting from IT decisions. The department has not yet provided evidence that it has established guidance supporting a repeatable process for tracking enterprise-wide IT related cost savings and operational efficiencies, including those related to HUD's governance decisions.
GAO-14-476, Jun 30, 2014
Phone: (202) 512-4456
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: OMB has taken several steps related to this recommendation as of December 2019, but has not fully addressed it. Specifically, working with the Department of the Treasury to implement the DATA Act, OMB took partial action on two aspects of the recommendation and is still considering actions on two others. 1) OMB staff said they continue to deliberate on agency responsibilities for reporting awards funded by non-annual appropriations. 2) OMB staff provided a Frequently Asked Question (FAQ) addressing the applicability of USASpending.gov reporting requirements for recipient information related to classified or sensitive information. GAO reviewed the FAQ and determined that additional guidance is still needed to ensure complete reporting of unclassified awards as required by FFATA. 3) OMB staff have agreed that it will be important to clarify guidance on how agencies can report on award titles that appropriately describe the awards' purposes and noted that they are working on providing additional guidance to agencies as part of their larger DATA Act implementation efforts. 4) OMB released policy guidance in May 2016 (MPM 2016-03) that identifies the authoritative sources for reporting procurement and award data. However, GAO's review of this policy guidance determined that it does not address the underlying source that can be used to verify the accuracy of non-financial procurement data or any source for data on assistance awards.
GAO-14-413, May 22, 2014
Phone: (202) 512-4456
Agency: Department of Commerce
Status: Open
Comments: In April 2018, the Department of Commerce reported that training will be concurrent with the implementation of the new inventory. It estimates the completion of this to be June 30, 2019. In October 2017, the department reported that they were reaching out to another federal agency to learn about the software license management training they offer to incorporate lessons learned into Commerce's future training plans. However, as of November 2019, the department has not provided an update on these efforts. GAO will continue to monitor the department's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: In April 2018, the Department of Transportation stated that it has developed a policy addressing components of centralized management and management of software licenses through the entire life cycle. However, Transportation's Order 1351.21 was issued in June 2009 and has not been updated since our report was issued to include the weaknesses we identified. Specifically, the order identifies the roles and responsibility, and central oversight authority for managing enterprise license agreements and does not specify policy on establishing goals and objectives of the software license management program and considering the software license management life-cycle phases to implement effective decision making and incorporate existing standards, processes, and metrics. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: In April 2018, the Environmental Protection Agency reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses, an analysis to inform decision making, education and training goals and overall management throughout the lifecycle. In addition, the agency stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as its Office of Acquisition Management's consolidation of its Microsoft suite. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: In April 2018, the Environmental Protection Agency reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses. In addition, the agency stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as leveraging its Office of Acquisition Management's consolidation of enterprise licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: In March 2019, the Nuclear Regulatory Commission reported that the agency's IT asset management program requires training and communication, as appropriate for all key personnel. The agency also reported that on September 19, 2018, personnel associated with software asset management attended relevant training and will also participate in software training that is currently being developed by the Office of Management and Budget, the Federal Acquisition Institute and the Defense Acquisition University. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management concurred with this recommendation and in September 2015, reported that it had developed a guide to capture enterprise architecture lifecycle activities including software licensing management, acquisition, and requirements during several points of the project lifecycle. In April 2018, the office reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 reported that it is finalizing a revised Life Cycle Management draft policy which will use stage gate reviews to evaluate the progress of projects including software licenses throughout the agency. According to OPM, once the new policy is approved, OPM subject matter experts will review project documentation during stage gate reviews to make written recommendations on whether projects should continue. OPM's Investment Review Board will then review that recommendation and other procurement documentation to make a final recommendation to the OPM Director. In April 2018, OPM reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We plan to continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. OPM also reported that it is assembling and performing quality reviews on hardware and software lists currently maintained in spreadsheets, in its enterprise architecture systems database, and Remedy database in order to consolidate the entire hardware and software asset inventory. In April 2018, OPM reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with our recommendations and noted actions the agency plans to take. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management concurred with our recommendations and noted actions the agency plans to take. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.
GAO-14-44, Jan 13, 2014
Phone: (202) 512-6244
Agency: Department of Agriculture
Status: Open
Comments: Although department officials have stated that they plan to take actions to address this recommendation, as of July 2019 we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: Although department officials have stated that they are taking actions to address this recommendation, as of August 2020, we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: Although department officials have stated that they are taking actions to address this recommendation, as of August 2020, we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: Although department officials have stated that they are taking actions to address this recommendation, as of August 2020, we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
GAO-12-669, Jun 26, 2012
Phone: (202) 512-7114
Agency: Department of Veterans Affairs
Status: Open
Comments: We will update the status of this recommendation when we receive additional information. As of September 2019, VA and DOD officials have not provided information or documentation to address this recommendation.
Agency: Department of Defense
Status: Open
Comments: We will update the status of this recommendation when we receive additional information. As of September 2019, VA and DOD officials have not provided information or documentation to address this recommendation.
GAO-12-685, Jun 1, 2012
Phone: (202) 512-6304
Agency: Department of Defense
Status: Open
Comments: While the Department of Defense (DOD) had taken steps to improve its business enterprise architecture, it had not implemented the recommendation as of November 2019. In August 2013, the department established the Business Enterprise Architecture Configuration Control Board, which is chaired by the business enterprise architecture chief architect (Office of the DOD CMO) and includes representatives from the Defense Business Council member organizations. These organizations include, among others, DOD's CIO and the military department CMOs. According to its charter, the Business Enterprise Architecture Configuration Control Board is the principal body for managing the disposition of proposed architecture requirements and change requests. However, the charter does not discuss roles and responsibilities associated with the development of the business enterprise architecture. Specifically, it does not address alignment and coordination of business process areas or military department and defense agency activities associated with developing and implementing each of the various components of the business enterprise architecture, and the relationships among these entities. In addition, in September 2018, the department stated that it was drafting a business enterprise architecture concept of operations that was to outline roles and responsibilities associated with the development of the architecture. However, as of November 2019, the department had not completed the concept of operations or otherwise demonstrated that it had established roles and responsibilities for the development of the architecture. In October 2018, an official from the Office of the CMO described the department's new approach to developing its business enterprise architecture. 
In addition, the department demonstrated that it had developed a taxonomy for the architecture and was in the process of developing an ontology to help ensure that each of the respective portions of the architecture would be appropriately linked and aligned. In November 2019, the official stated that the ontology had been implemented in the department's new business enterprise architecture tool; however, the department did not demonstrate that it had finished developing the ontology. Specifically, the department's October 2019 ontology document identifies basic concepts, such as "Goal", "Objective", and "LOB" (i.e., line of business) as classes, and the properties and attributes of, and relationships among, classes. However, the document does not include annotations, such as for the "description" attribute for an LOB, which would provide information needed to create a specific instance of a class. Also, the document does not demonstrate whether allowed values have been defined for some attributes, such as the options allowed in an "option list" for "status" attributes. Further, the department had not documented general information about the ontology, such as its scope and intended applicability; and had not demonstrated that it had developed ontologies for its business domains, such as acquisition, human resource management, and financial management.
GAO-12-346, Mar 15, 2012
Phone: (202) 512-6304
Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open
Comments: In 2018, we confirmed that FDA, in response to our recommendation, began efforts to identify which legacy systems will be replaced. FDA also developed an IMS for fiscal year (FY) 2017 and 2018 that identifies current and future tasks to be performed by contractors and FDA. However, FDA's IMS for FY 2017 and 2018 does not fully and clearly define resources. For example, although the FY 2017 IMS includes 265 names, roles, and teams, only 16 percent of activities have resource assignments. Further, FDA's fiscal year 2018 IMS does not fully define critical dependencies. For example, there are 14 activities and milestones with finish dates that are not properly tied to logic. Specifically, the finish dates of the 14 activities are not clearly tied to succeeding activities in the schedule. We contacted FDA in September and December 2019 and January 2020 for an update on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.
GAO-08-440, Mar 7, 2008
Phone: (202) 512-6225
including 1 priority recommendation
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of February 2020, EPA officials indicated that the IRIS Program had almost completed internal review of a "Handbook for Developing IRIS Assessments," intended to guide staff through the sequential stages of the IRIS assessment process and ensure consistency across assessments. The Handbook, when finalized and used by staff, codifies the agency's effort to reevaluate its assessment process, but doesn't address the resources that should be dedicated to the IRIS Program. A workforce plan that includes both staff and budget resources consistent with user needs is necessary. As we reported in March 2019, the program has made strides utilizing project management software and project management techniques that enable the IRIS Program to better plan assessment schedules and utilize staff. However, we also reported in March 2019 that the President's budget requests since fiscal year 2018 have repeatedly cut the budget by as much as 40 percent for the Health and Environmental Risk Assessment (HERA) area, of which IRIS is a part. While these cuts were not enacted by Congress, the President's fiscal year 2021 budget request again cuts the HERA program by 34 percent, or approximately $12.7 million. These cuts could have an impact on the IRIS program's ability to meet EPA program and regional office needs, if enacted by Congress.