Recommendation: The Administrator of CMS should develop formal procedures that include specific steps to be taken in the APD review process, including how CMS will document the review (including the name of the reviewer, date of review, and what was reviewed); what documentation should be retained after the review; as well as decision-making criteria for approval or denial decisions for state Medicaid IT funding requests. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, as part of the APD review process and prior to approval, verify that all of the required information (e.g. alternatives analysis, feasibility study, and cost benefit analysis) is included in the funding request. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that all APD-related artifacts are retained within the designated CMS document management system, including documentation of key information from meetings and email communications with the states, the MITA self-assessment and independent verification and validation reports, when creating APD decision packages. (Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should require analysts to maintain relevant MMIS and E&E system artifacts based on the entire system life cycle instead of individual APDs. (Recommendation 4)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, in consultation with the HHS and CMS CIOs, develop a documented, comprehensive, and risk-based process for how CMS will select IT projects for technical assistance and provide recommendations to states to assist them in improving the performance of the systems, with consideration to those that are high-cost and performing poorly. (Recommendation 5)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should encourage state Medicaid program officials to consider involving state CIOs in overseeing Medicaid IT projects. (Recommendation 6)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should establish a timeline for implementing the outcome-based certification process for MMIS and E&E systems. (Recommendation 7)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should establish documented procedures for how the results of the outcome-based certification process will be used for conducting oversight and making funding decisions. The procedures should include specific steps that CMCS will take to oversee individual state MMIS and E&E projects and how it will demonstrate that the steps have been taken. (Recommendation 8)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Prior to approving funding for MMIS and E&E systems, the Administrator of CMS should identify areas of duplication or common functionality, such as core MMIS modules, in order to facilitate sharing, leveraging, or reusing Medicaid technologies. CMS should share the results of the review with the state or territory requesting federal funding for a duplicative or similar project and take steps to encourage states to share, leverage, or reuse Medicaid technologies, where possible. (Recommendation 9)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Early in the next decennial cycle, the Secretary of Commerce should direct the Under Secretary of the Economics and Statistics Administration and the Director of the U.S. Census Bureau to plan and execute more flexible, and perhaps smaller, address canvassing test and evaluation activity needed to support key design decisions having significant effect on the cost and quality of the census.

Agency: Department of Commerce
Status: Open

Comments: As of September 2020, the Bureau had not yet begun its 2030 testing and evaluation planning. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. HHS submitted a draft version of this methodology in June 2018. Upon reviewing this documentation, however, we did not see evidence that the department was factoring active risks into its CIO ratings. In May 2019, HHS officials stated that they planned to update their CIO rating methodology to focus on active risk; however, department documentation from August 2020 stated that the new CIO rating methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that the department was amending its CIO rating review process to ensure that active risks are factored into its IT Dashboard CIO ratings. In August 2020, VA submitted documentation for this new process; however, this documentation did not state how the department incorporates active risks into its investments' CIO ratings. We will continue to monitor the implementation of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of State
Status: Open

Comments: The Department of State (State) agreed with the recommendation, and, in an October 2017 response, stated that it currently evaluates risk as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. HHS submitted a draft version of this methodology in June 2018. While this documentation showed that HHS factored investment qualities related to overall project riskiness, it did not specify that active investment risks were also being factored as part of the evaluation. Without an additional focus on active risk, this methodology is unlikely to ensure that HHS's CIO ratings reflect the level of risk facing an investment. In May 2019, HHS officials stated that they planned to update their CIO rating methodology; however, per HHS documentation dated August 2020, this new methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that it will ensure that CIO ratings reflect the level of risk facing its investments. In August 2020, VA submitted documentation for an updated CIO ratings process; however, this process documentation did not state how the department incorporates active risks into its investments' CIO ratings. Without a consideration of active risks, VA's CIO rating process may not produce ratings that reflect the level of risk facing VA's investments. We will continue to monitor the status of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of State
Status: Open

Comments: The Department of State (State) agreed with the recommendation and has provided information on how investment risk is evaluated as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.