Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to define a high-level depiction of the IT systems anticipated in the future state, a description of the operations that must be performed and who must perform them, and an explanation of where and how the operations are to be carried out.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had collaborated through an IT technical assessment initiative, identifying four primary financial management modernization initiatives remaining from the New Core Program. In July 2020, HUD officials, including the Deputy Chief Financial Officer, provided a roadmap that defined a high-level depiction of the financial management systems anticipated in the future state. However, the department had not yet completed more detailed plans that (1) identify operations that must be performed and who must perform them and (2) explain where and how operations are to be carried out. We will continue to monitor HUD's efforts to address this recommendation.

Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to develop comprehensive plans for scope, schedule and cost.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had identified a need to pursue financial management systems modernization. As of July 2020, the department had begun taking action to address this recommendation. Specifically, HUD planned to integrate loan and property management into its current financial management shared service and had begun planning for how to modernize its budget formulation and cost accounting systems. For the budget formulation effort, HUD had developed high-level plans for the scope of the program, planned an implementation schedule, and estimated on the cost for implementation and operating and maintaining the system for two years. We will continue to monitor HUD's efforts to address this recommendation.

Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to ensure requirements are fully documented and traceable.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported that the Chief Financial Officer and the Chief Information Officer intended to partner on future departmental financial management systems modernization efforts to fully document requirements and trace requirements to the functionality in the modernized system. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had identified a need to pursue financial management systems modernization in 4 areas previously identified for the New Core program. As of July 2020, HUD was in the early phases of planning for modernization in these areas. According to officials from the Office of the Chief Financial Officer, the department intended to address this recommendation for budget formulation modernization by developing applicable plans and artifacts for managing requirements from the department's project planning and management framework. However, that effort has not yet started. We intend to continue to follow up on HUD's actions.

Recommendation: The Secretary of HUD should also direct the Deputy Secretary to ensure that the Chief Information Officer takes action to improve IT governance control activities used for monitoring programs and identifying needed corrective actions, and strengthen investment oversight by improving coordination with stakeholders and alignment among IT modernization efforts.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. Since 2016, HUD has revised its IT governance boards, which provide oversight of all its IT investments, including financial management initiatives, several times. While the department has not yet completed those improvement efforts, HUD updated its project planning and management framework to tailor requirements and artifacts for different program types. According to an official from the Office of the Chief Financial Officer, updates to the requirements for shared services projects incorporated lessons learned from the New Core program. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had identified a need to pursue financial management systems modernization in 4 areas previously identified for the New Core program. Officials from both offices have described improvements in their coordination and collaboration on efforts to plan for modernization. We intend to continue to follow up on HUD's actions to ensure that planned improvements to governance and oversight mechanisms are effectively implemented and institutionalized.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. HHS submitted a draft version of this methodology in June 2018. Upon reviewing this documentation, however, we did not see evidence that the department was factoring active risks into its CIO ratings. In May 2019, HHS officials stated that they planned to update their CIO rating methodology to focus on active risk; however, department documentation from August 2020 stated that the new CIO rating methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that the department was amending its CIO rating review process to ensure that active risks are factored into its IT Dashboard CIO ratings. In August 2020, VA submitted documentation for this new process; however, this documentation did not state how the department incorporates active risks into its investments' CIO ratings. We will continue to monitor the implementation of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Education, Energy, Health and Human Services, the Interior, State, and Veterans Affairs; and the Director of the Office of Personnel Management should direct their CIOs to factor active risks into their IT Dashboard CIO ratings.

Agency: Department of State
Status: Open

Comments: The Department of State (State) agreed with the recommendation, and, in an October 2017 response, stated that it currently evaluates risk as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. HHS submitted a draft version of this methodology in June 2018. While this documentation showed that HHS factored investment qualities related to overall project riskiness, it did not specify that active investment risks were also being factored as part of the evaluation. Without an additional focus on active risk, this methodology is unlikely to ensure that HHS's CIO ratings reflect the level of risk facing an investment. In May 2019, HHS officials stated that they planned to update their CIO rating methodology; however, per HHS documentation dated August 2020, this new methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that it will ensure that CIO ratings reflect the level of risk facing its investments. In August 2020, VA submitted documentation for an updated CIO ratings process; however, this process documentation did not state how the department incorporates active risks into its investments' CIO ratings. Without a consideration of active risks, VA's CIO rating process may not produce ratings that reflect the level of risk facing VA's investments. We will continue to monitor the status of this recommendation.

Recommendation: To better ensure that the Dashboard ratings more accurately reflect risk, the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, State, Transportation, the Treasury, Veterans Affairs; the Administrator of the Environmental Protection Agency; and the Commissioner of the Social Security Administration should direct their CIOs to ensure that their CIO ratings reflect the level of risk facing an investment relative to that investment's ability to accomplish its goals.

Agency: Department of State
Status: Open

Comments: The Department of State (State) agreed with the recommendation and has provided information on how investment risk is evaluated as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to require MAIS programs to establish their first acquisition program baseline within 2 years of beginning work on the programs.

Agency: Department of Defense
Status: Open

Comments: As of January 2020, DOD had made limited progress addressing our recommendation for business system programs; however, it had not addressed the recommendation for non-business system programs. Specifically, the department updated its instruction on business systems requirements and acquisition to include, among other things, guidance on establishing baselines against which to measure progress for developing needed business capability. However, the instruction did not explicitly require that a program baseline be established within 2 years. Specifically, according to the instruction, baselines may be established at the program level or at the release level (i.e., for a manageable subset of functionality in support of the business capability), within 2 years after programs have validated a business capability is needed and received approval to conduct solution analysis. If at the program level, the baseline is to be set prior to the development of the first release or deployment. If at the release level, the baseline is to be set prior to the development of each release or deployment. In January 2020, the department also issued interim policy for software-intensive systems. However, while the interim policy requires program managers to develop an acquisition strategy that includes delivering software within one year from the date funds are first obligated to acquire or develop new software capability, the interim policy does not require software-intensive system programs to establish a program baseline within 2 years.

Recommendation: To promote an efficient use of resources and to better plan for the design of a new performance management system, the Secretary of Defense should direct the Deputy Assistant Secretary of Defense for Civilian Personnel Policy to, in conjunction with the DOD Comptroller, help ensure that information identifying and supporting the costs of the NSPS termination and new performance management system is documented, reliable, traceable to a source document, and readily available for examination.

Agency: Department of Defense
Status: Open

Comments: GAO staff met with DOD officials in October 2019 to discuss the status of the department's new performance management system and any efforts to address this recommendation. DOD officials agreed to provide documentation related to these efforts, but, as of November 2019, this documentation. has not been received. Further updates will be made once that documentation is received and reviewed.