FSA Oversight of the Development and Enhancement of Information Technology Products

Published by the Department of Education, Office of Inspector General on 2016-06-30.

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

AUDIT SERVICES

June 30, 2016
Control Number ED-OIG/A04O0014

James W. Runcie
Chief Operating Officer
Federal Student Aid
U.S. Department of Education
830 First Street, N.E.
Washington, DC 20202

Dear Mr. Runcie:

This final audit report, “FSA Oversight of the Development and Enhancement of Information
Technology Products,” presents the results of our audit. The purpose of our audit was to
determine whether Federal Student Aid’s (FSA) oversight of information technology (IT)
projects ensures that its Lifecycle Management Methodology (LMM) is appropriately
implemented. Our audit covered IT projects already in process or started during the period from
June 15, 2012, through December 31, 2014. 1

We found that FSA does not have sufficient oversight of IT projects to provide assurance that its
LMM process is appropriately implemented. This occurred because no specific office or official
has been designated overall responsibility to ensure the enforcement of LMM for all IT projects.
FSA does not have an accountability mechanism and as a result it did not always conduct
required technical and management reviews in accordance with the LMM criteria and did not
always update project tailoring plans as projects progressed through their lifecycle. In addition,
we found that FSA did not maintain a complete and reliable inventory of IT projects and did not
track the progress of all IT projects in its Enterprise Project Portfolio Management (EPPM)
system. By not having an accountability mechanism, FSA increases the likelihood of
unnecessary risk and costly delays.

In its comments to the draft audit report, FSA did not explicitly agree with the finding and it
proposed actions to address all five recommendations. While FSA’s proposed corrective actions
for two of the recommendations would improve their internal procedures, they do not fully
address the recommendations. We summarize FSA’s comments and our response at the end of
the finding and provide the full text of FSA’s comments in Attachment 2. We did not make any
changes to the finding and recommendations based on FSA’s comments.



1
 Our audit covered a period prior to the enactment on December 19, 2014, of the Federal Information Technology
Acquisition Reform Act (FITARA) that among other things enhances transparency and improves risk
management in IT investments. As a result of FITARA, the Office of Management and Budget issued
Memorandum M-15-14: Management and Oversight of Federal IT on June 10, 2015, which may affect FSA’s IT
management practices, including LMM.
The Department of Education's mission is to promote student achievement and preparation for
global competitiveness by fostering educational excellence and ensuring equal access.
Final Report
ED-OIG/A04O0014                                                                                        Page 2 of 22



BACKGROUND


LMM is FSA’s guide for delivering and governing IT projects. It is used by FSA to implement
the U.S. Department of Education’s (Department) Lifecycle Management Framework Directive, 2
and to address the strategic goal in FSA’s “FY 2011–2015 Five Year Plan” to “[d]evelop
efficient processes and effective capabilities that are among the best in the private and public
sectors.” The LMM states that it supports Federal and Department regulations and policies 3 and
incorporates many industry practices, including those identified in the U.S. Chief Information
Officer’s “25 Point Implementation Plan to Reform Federal Information Technology
Management.” FSA’s LMM became effective in July 2011, and FSA issued version 1.2 on
June 15, 2012, which was in effect throughout our audit period.

FSA’s stated purpose for LMM is to create an environment in which staff involved in IT projects
identify risks and mitigate them early in the project lifecycle. FSA’s LMM applies to the
development, acquisition, implementation, maintenance, and disposal of IT solutions within FSA
regardless of cost, complexity, and time constraints, and it applies to all FSA employees and
contractors engaged in those activities. LMM is also applicable to system releases, major
enhancements or changes to functionality, and upgrading key infrastructure. The Chief
Operating Officer for FSA stated in the introductory letter to the LMM guidance, “all projects
with an IT component are expected to adhere to the applicable elements and requirements of
[LMM].” The LMM also states that project managers for all IT projects are expected to tailor
their approach to LMM according to their project’s chosen system development lifecycle.

FSA executives have important roles and responsibilities in the implementation of LMM.
According to the “LMM Tailoring Process Description,” (May 2013) FSA executives are both IT
project sponsors and members of the governance review boards within FSA. The review boards
that are stakeholders in the LMM process are the Investment Review Board, the Engineering
Review Board, and the Operating Committee. In addition, there is an LMM Team that is
responsible for maintenance and improvement of LMM for the enterprise, but does not have
responsibility to ensure that projects are complying with LMM. 4

Components of the LMM Process

Implementing LMM for a particular project involves eight steps, which revolve around two main
areas. The first main area is constructing a tailoring plan to guide a project through its lifecycle.
A tailoring plan is an approved baseline of expectations that focus on the artifacts that a team
will produce throughout the life of a project. Artifacts are evidence that a project team has
completed required actions, and include items such as signed documents, presentations, meeting
notes, and deliverables. FSA’s “LMM Tailoring Process Description” (May 2013) provides
guidance for creating a tailoring plan and updating previously approved tailoring plans. FSA’s
Performance Management Office maintains a list of approved tailoring plans within its LMM
shared site on FSA’s Intranet. The second main area that LMM covers is stage gate reviews.
Stage gates are project control processes that occur at specific stages throughout the development
lifecycle to ensure the project is ultimately successful. FSA’s “LMM Stage Gate Review
Process Description” provides guidance for conducting stage gate reviews.

2
  The Directive provides the lifecycle management framework for the Department to use from the planning stages of
an IT project through retirement of the project and allows employees and contractors the flexibility to tailor standard
procedures to meet specific needs.
3
  Clinger-Cohen Act of 1996, Office of Management and Budget Circular A-123, Office of Management and Budget
Circular A-130, Department’s Investment Review Board Charter, Department’s Life Cycle Management
Framework, and FSA’s Engineering Review Board Charter (dated March 2012).
4
  LMM Team Lead from the Enterprise Project Management and Oversight Group and the Quality and Assurance
Program Manager from the Technology Office.

Stage gate reviews help ensure a project does not advance to the next stage of the project until
the integrated project teams, 5 subject matter experts, 6 stage gate process owners, 7 and relevant
governing bodies are satisfied the investment will support and add value to FSA’s mission,
technical flaws have been avoided, identified risks have been mitigated, the system will perform
as planned, and both the project and system adhere to all appropriate regulations and standards.
This process helps ensure the project team is developing the project according to requirements,
managing it properly, and maintaining the necessary documentation.

FSA uses two types of stage gate reviews: technical stage gate reviews (which we will refer to as
technical reviews throughout) and management stage gate reviews (which we will refer to as
management reviews throughout).

    •    Technical Reviews. FSA’s “LMM Stage Gate Review Process Description” (June 2012)
         requires technical reviews as part of its LMM governance process to minimize project
         risks. Projects may undergo six types of technical reviews: (1) preliminary design
         reviews, (2) detailed design reviews, (3) test readiness reviews, (4) detailed requirements
         reviews, (5) production readiness reviews, and (6) retirement and disposal reviews. Not
         all projects require each type of technical review. 8 The project’s tailoring plan indicates
         whether the project requires each type of technical review. FSA’s Engineering Review
         Board 9 is the official decision-making body authorized to review, assess, formulate
         recommendations, and approve or reject IT projects. It is also responsible for
         determining whether a project will proceed during preliminary design reviews and
         detailed design reviews and for additional technical reviews as requested.

5
  An integrated project team is a cross-functional team of staff who are responsible for delivering a specific product
such as software or a system release. They also ensure the project they are working on complies with LMM.
6
  Subject matter experts provide expertise, guidance, and support in their respective areas of knowledge to integrated
project teams. Subject matter experts also review deliverables before the project manager submits them for official
stage gate reviews.
7
  Stage gate process owners define and communicate what activities integrated project teams need to do to ensure
the project successfully progresses through the stage gate.
8
  For example, IT projects classified as recompete projects do not require the technical reviews as these projects are
primarily about awarding a new competitive contract and only the management stage gates apply. Also, IT projects
that do not require major enhancements and/or alteration of functionality to existing systems changes may not
require all technical reviews and the retirement and disposal technical review is only applicable when a system will
be retired.
9
  The Engineering Review Board is comprised of the Deputy Chief Information Officer and the Directors of the
following Technology Office groups: Enterprise IT Architecture & Strategic Infrastructure, Infrastructure
Operations, Application Development, IT Risk Management, Enterprise Quality and Technical Change
Management, and Enterprise Data Services; the Deputy Chief Information Officer’s Executive Assistant serves as
the Engineering Review Board secretary in a nonvoting capacity.

         The technical review stage gate review bodies are responsible for determining whether a
         project will proceed during the detailed requirements and test readiness technical reviews.
         The production readiness executives and the retirement review body executives are
         responsible for determining whether a project will proceed during the production
         readiness and the retirement and disposal technical reviews, respectively. Members for
         each one of these review bodies vary and the composition of the body will be different
         for each stage gate depending upon the expertise required, but typically include
         representatives from business units and the Technology Office.
     •   Management Reviews. Management reviews ensure that a proposed or ongoing
         investment provides substantial value to FSA. Projects may undergo three types of
         management reviews: (1) investment reviews, (2) requirements reviews, and (3) project
         close out reviews. These reviews periodically analyze a project and determine whether it
         warrants further effort and funding. The first two types of management reviews occur in
         the early stages of the project lifecycle so FSA can end low-potential projects before it
         allocates significant time or money toward an effort. The project close out review
         provides assurance that the system is functioning properly post implementation, that no
         project is closed without proof of sufficient documentation, and that all lifecycle
         development steps and activities have been completed. The Investment Review Board is
         the official decision-making body for the management reviews. It consists primarily of
         FSA executives on FSA’s Operating Committee. 10 It has final authority over project
         funding and decides whether a project will proceed. It selects, controls, and evaluates
         FSA’s investment portfolio in accordance with the Government Performance and Results
         Act of 1993, the Clinger-Cohen Act of 1996, and various Office of Management and
         Budget (OMB) directives and circulars.

Enterprise Project Portfolio Management System

FSA uses the EPPM system to support investment and project management throughout the
organization. FSA’s Performance Management Office implemented the EPPM system in 2010.
FSA’s intention was to use the EPPM system to manage all project activities for the lifecycle of
a project, further institutionalizing FSA’s use of LMM. The EPPM system automates investment
portfolio organization and selection, as well as several project management processes including
scheduling, risk management, and budget planning and control.

According to FSA’s investment request documents, the EPPM system supports FSA’s LMM by
allowing project teams to create tailoring plans online and manage documentation in a consistent
manner. The system standardizes processes related to risk, issues, action items, and document
management. It also can be used to report on project status, track portfolio status, support LMM
tailoring meetings, report on enterprise risk, and track issues. In addition, the system provides
tracking and oversight of project sites, schedules, and LMM processes.




10
  The Investment Review Board is comprised of the Chief Financial Officer, Chief Information Officer, Chief
Compliance Officer, Acting Chief Performance Officer, Director of Acquisitions, and a Project Portfolio Manager
that serves as secretary. Of these members, the Chief Financial Officer, Chief Information Officer, Chief
Compliance Officer and the Acting Chief Performance Officer are part of FSA’s Operating Committee.



AUDIT RESULTS


We determined that FSA’s oversight of IT projects did not ensure that its LMM was
appropriately implemented. We found that FSA did not

     •   conduct all required technical reviews or document all technical reviews correctly,

     •   conduct all required management reviews or document all management reviews
         correctly,

     •   always update project tailoring plans as projects progressed through their lifecycle in
         EPPM, or

     •   maintain a complete and reliable inventory of IT projects and track the progress of all
         projects in its EPPM system, as required.

In its comments to the draft audit report, FSA did not explicitly agree with the finding and it
proposed actions to address all five recommendations. We summarize FSA’s comments and our
response at the end of the finding and include the comments in their entirety in Attachment 2 to
this report.

FINDING – FSA Does Not Have an Accountability Mechanism to Enforce Use of Its LMM
Process

We found that FSA does not have an accountability mechanism and sufficient oversight of IT
projects to provide assurance that project teams appropriately implement its LMM process. This
occurred because no specific office or official has been designated overall responsibility to
ensure the enforcement of LMM for all IT projects. By not having an accountability mechanism
to ensure IT projects comply with LMM, FSA increases the likelihood of unnecessary risk and
costly delays.

We identified a total of 109 IT projects that started or were in process during our audit period. 11
Of these projects, 63 were in EPPM with 43 of the projects in EPPM having tailoring plans
within FSA’s LMM shared site. Because of issues identified with processes for conducting the
first 3 types of technical reviews (preliminary design review, detailed design review and test
readiness review), we tested all 43 projects for those 3 areas. For the remaining 3 types of
technical reviews (detailed requirements review, production readiness review and retirement and
disposal review), we reviewed a judgmental sample of 10 projects of the 109 projects identified.
We used the same sample of 10 projects to assess management reviews.



11
  The 109 IT projects identified did not constitute a comprehensive list of IT projects in process or started within
the scope of our audit. For additional information, refer to the “FSA Did Not Maintain a Complete Inventory of
Information Technology Projects and Did Not Use EPPM to Track All Projects” section in this report.

FSA Did Not Always Conduct Required Technical Reviews as Established in LMM

FSA did not always conduct required technical reviews or did not correctly document the
preliminary design review, 12 detailed design review, 13 test readiness review, and detailed
requirements review. FSA’s production readiness executives and the retirement review body
executives performed required production readiness reviews and retirement and disposal reviews
as required and documented those reviews correctly for the projects in our sample.

Technical Reviews—Preliminary and Detailed Design

Of the 43 approved LMM tailoring plans we reviewed, 22 required the project to have a
preliminary design review and a detailed design review. 14 The Engineering Review Board did
not review and approve the preliminary design review for all 22 projects and did not review and
approve the detailed design review for 19 projects.

The preliminary and detailed system design reviews are intended to minimize project risks and
ensure the proper design. The preliminary design review consists of a requirements analysis and
is followed by the creation of a preliminary technical design. The detailed design review ensures
that the solution is ready to be built. The project team further develops the solution, using input
from stakeholders, after the design is approved. These reviews also verify that a system’s
technical solutions comply with FSA’s technical, architectural, and target state vision objectives
and the project is ready to pass from the design stage to a development stage in which the
technology is built and then tested. Performing technical reviews of the design after testing or
after production is too late in the process to ensure projects achieve FSA’s objectives.

According to LMM, when FSA’s Technology Office Enterprise IT Architecture Strategic
Information Group performs the preliminary and detailed design technical reviews, the group
must provide the results to the Engineering Review Board for review and approval. LMM
requires the Engineering Review Board to then determine whether projects should continue. The
former Deputy Chief Information Officer, 15 who was the Engineering Review Board Chair from
December 2013 through September 2015, stated that FSA does not have a standard process to
ensure that IT projects go through the Engineering Review Board, as required. As a result, the
Engineering Review Board has been meeting only when a project manager requests a meeting to
review a project. FSA has not been complying with its “LMM Stage Gate Review Process
Description,” which states that, after each preliminary and detailed design review, projects are
submitted to the Engineering Review Board. The Engineering Review Board will then approve
the project for continuation into the next stage, recommend the project for remediation, or for
problematic projects, refer the project to the Investment Review Board for a termination
assessment. As a result, none of the 22 IT projects that we reviewed received Engineering
Review Board approvals for the preliminary design review. Only 3 of these 22 IT projects
received Engineering Review Board approval for the detailed design review authorizing the
projects to continue. 16

12
   Identified in LMM as Technical Review Stage Gate 1A.
13
   Identified in LMM as Technical Review Stage Gate 1B.
14
   One of the 10 sampled IT projects that was included in the 22 required a preliminary design review and detailed
design review.
15
   Resigned in September 2015.

Among the reasons provided by Engineering Review Board officials for not performing the
technical reviews were that (1) only Tier 1 IT projects were required to have a formal review and
that the Engineering Review Board may request a review of Tier 2 and Tier 3 IT projects; 17
(2) FSA’s legacy systems under operations and maintenance contracts 18 did not have to comply
with LMM; (3) recompete 19 IT projects did not require a design review; (4) functional changes
that did not affect existing design were determined to not require a formal technical review; and
(5) the tailoring plan process is conducted at the beginning of the project and tailoring plans are
not always updated to reflect decisions made later during the project lifecycle and changes are
not always documented formally or communicated broadly. The current Deputy Chief
Information Officer and Engineering Review Board Chair stated that FSA is developing a formal
process to assess FSA’s compliance with all aspects of the LMM.

However, LMM states that its implementation will be based on the approved tailoring plans for
each IT project and it does not explicitly state that Tier 1 projects are the only IT projects that are
required to have a formal technical review or that the technical reviews are not required for FSA
legacy systems under operations and maintenance contracts. 20

Technical Reviews—Test Readiness

The tailoring plans for 24 of the 43 projects with approved tailoring plans that we reviewed
required the project to have a test readiness review. 21 For 2 of the 24 projects, no test readiness
review was performed by the Technical Review Stage Gate Review Body. For 17 of the
24 projects, the test readiness review was performed; however, there was no documentation that
the projects received appropriate approval from the enterprise testing senior manager, integrated
project team technical lead, and/or the senior business representative (as required depending on
the project and product risks). 22 For 4 of the 24 projects, the test readiness review was
performed; however, the documentation provided included some, but not all, of the required
approvals. For the one remaining project, the test readiness review was performed and all of the
required approvals were documented.
16
   For one of the three IT projects the Engineering Review Board provided a conditional approval pending corrective
actions given that the project did not follow LMM in the beginning stage of the project.
17
   Under the LMM process, each project is assigned to a tier. A tier is a risk-based categorization of projects based
on input factors such as cost, duration, complexity, resource and procurement needs. The result is one of three
categories: simple (Tier 3), standard (Tier 2), or complex (Tier 1).
18
   Contracts for systems that were in production prior to the approval of LMM in July 2011.
19
   We excluded recompete IT projects from our review and are not considered among the 22 IT projects reviewed.
20
   The Engineering Review Board conducts project level IT assessment and reviews of and for: (1) All Tier 1
projects as determined by the Enterprise Project Management and Oversight Group; (2) delivery of a new system
release or series of releases; (3) delivery of major enhancements and/or alteration of functionality to existing
systems; (4) technical analysis and assessments efforts consisting of reports or recommendations; (5) projects that
are not aligned with FSA’s target state vision; (6) projects with nonstandard or new technology; (7) projects with
high data sensitivity; (8) projects with package-based customizations or custom development; (9) projects that
impact intricate systems; (10) projects hosted outside of the virtual data centers; and (11) Tier 1, 2 or 3 as specified
by the Engineering Review Board.
21
   Four of the 10 sampled IT projects that were included in the 24 required the test readiness review.
22
   Of the 17 projects, the test readiness review for 1 of the projects was conducted by Business Operations and there
was no documentation that it received appropriate approval to proceed to the testing stage.

The subject matter expert for the test readiness review stated that the test readiness review was
not performed for 2 of the 24 projects. For the remaining 22 projects, the subject matter expert
provided documentation showing that the test readiness reviews were performed and
documented and stated that most of the approvals for the projects to proceed to the next stage
were given verbally, not in writing, at the end of the test readiness review meetings. The subject
matter expert indicated that the approval to proceed does not need to be a wet signature but that,
at times, acknowledgement was communicated via email even though the approval was made
verbally. As a result of these practices, FSA’s Technical Review Stage Gate Review Body did
not obtain sufficient documentation to support that approvals were provided for projects to
proceed to the next stage as established in LMM.

FSA’s “LMM Stage Gate Review Process Description” requires test readiness reviews for each
iteration and stage of testing for projects. 23 Projects may not proceed to the testing stage until
they have successfully passed the test readiness review. Test readiness reviews provide
management with an assessment of the readiness of the development maturity, test environment,
test data, test processes, and deliverables to ensure the system is ready to pass from the
development and building stage to formal system testing. Test readiness reviews also determine
whether known risks have been documented and accepted or mitigated. Section 4.4 of the
“LMM Stage Gate Review Process Description” further requires a signed decision memorandum
outlining the decision to proceed to the next stage. If the project is not ready to proceed, the
decision memorandum must indicate what mitigation strategies the project team must complete
before resubmitting the project for approval. The decision memorandum must also include any
findings reported to the Engineering Review Board for decision when delays impact cost and the
project schedule.

Technical Reviews—Detailed Requirements

The tailoring plans for the 10 24 projects in our sample required 4 of the projects to have a
detailed requirements review. 25 None of the four had all supporting documentation that LMM
required. Three of the four projects did not have sufficient documentation that the project
received approval from the appropriate official or team for this technical review. The project
manager provided no support that the Technical Review Stage Gate Review Body completed the
detailed requirements review for one of the four projects.

FSA’s “LMM Stage Gate Review Process Description” requires a detailed requirements review
for projects based on the project’s tailoring plan and the complexity or risks associated with a
project. The detailed design review consists of a formal assessment of the risks associated with
project status, lessons learned, and risk mitigation options. Section 4.5 of the “LMM Stage Gate
Review Process Description” further requires a signed decision memorandum (1) approving the
project for continuation to the next stage, (2) recommending the project for remediation, or
(3) referring its conclusions and recommendations to the Engineering Review Board for possible
escalation to the Investment Review Board, either based on a prereview determination that an
Executive review is required, or based on significant concerns identified during the review,
which warrant the added level of review such as recommending the project for suspension and/or
termination.

23
   As stated in the background section, not all IT projects require each type of technical reviews, such as test
readiness reviews. The project’s tailoring plan indicates whether the project requires each type of technical review
and implementation of the LMM is based on the final tailoring plan.
24
   We tested 43 IT projects because of issues identified with processes for conducting the first 3 types of technical
reviews and reviewed a judgmental sample of 10 projects for the remaining 3 types of technical reviews—detailed
requirements review, production readiness review and retirement and disposal review.
25
   The stage gates required for our sample of 10 projects varied based on the lifecycle stage each project was in
during our audit period. Of the 10 projects in our judgmental sample, 2 were in the definition phase and required a
detailed requirements review; and 2 of the projects were in the development phase and required a detailed
requirements review in the previous stage so that it could have advanced to the development stage. Refer to Table 1
in the “Objective, Scope, and Methodology” section in this report for the LMM lifecycle stage we reviewed for
projects in our sample.

Technical Reviews—Production Readiness and Retirement and Disposal

The tailoring plans for the 10 projects in our sample required 2 of the projects to have a
production readiness review and 1 to have a retirement and disposal review. 26 FSA provided
sufficient documentation to support that the reviews occurred and followed LMM requirements.

Control activities are one of the standards in the U.S. Government Accountability Office’s
(GAO) Standards for Internal Control in the Federal Government (November 1999).
Specifically, “internal control activities help ensure that management’s directives are carried out.
The control activities should be effective and efficient in accomplishing the agency’s control
objectives.” The 2014 revisions, effective October 1, 2015, to these standards require
management to design control activities to achieve objectives and respond to risks.

Because the Technical Review Stage Gate Review Bodies did not conduct all required technical
reviews or obtain sufficient documentation to support that reviews occurred and receive
appropriate approvals and because the Engineering Review Board did not have sufficient
documentation that all technical reviews received required approvals, FSA did not comply with
its LMM requirements. Without having the required technical reviews and approvals, FSA faces
increased risks for technical flaws and increases in the cost of system implementation.
Previously, we found that FSA did not follow LMM within its initial development of the Debt
Management and Collection System 2, which was plagued by technical flaws and delays. 27 FSA
did not always conduct the required technical reviews because no specific office or official has
been designated overall responsibility to enforce the use of LMM for all IT projects. As a result,
FSA lacked accountability mechanisms and clear guidance as to who is ultimately responsible
for overseeing LMM across FSA and ensuring integrated project teams are complying with
LMM for all IT projects.

FSA Did Not Always Conduct Required Management Reviews

FSA’s Steering Committee did not always conduct required management reviews for projects.
The lifecycle stage we tested for each of the 10 projects in our sample required 5 of the projects




26
   During our audit period, 1 of the 10 projects in our judgmental sample was in the testing phase and required a
production readiness review; and 1 of the 10 projects was retired and required a retirement and disposal review.
27
   For more information, see “Review of Debt Management Collection System 2 (DMCS2) Implementation,”
August 24, 2015 (ED-OIG/A04N0004) and “Functionality of the Debt Management Collection System 2,”
November 5, 2015 (ED-OIG/A02N0004).

to have a management review. 28 FSA did not conduct the management review for two of the
five projects—one investment review and one project close out review. For the first project, the
Investment Review Board was updated on the status of the project and the project team
continued to complete artifacts and activities pertaining to the next stage without having a formal
investment review, or obtaining the required approvals. For the second project, the project close
out review did not happen; the project manager stated that she was not clear that having a project
close out review was a requirement. For a third project, FSA did not maintain documentation
that the Technology Office representative had affirmed that requirements were technically
adequate to support development activities or that the contracting officer affirmed that contract
deliverables had been accepted. The “LMM Stage Gate Review Process Description” required
these affirmations for requirements reviews. For the remaining two projects, the management
reviews were performed and included sufficient documentation of compliance with LMM
requirements for these reviews.

Section 4.2 of the “LMM Stage Gate Review Process Description” requires management reviews
to ensure that a proposed or ongoing investment provides substantial value to FSA. The LMM
requires investment reviews to assess whether the proposed project truly responds to agency
needs and supports mission critical change. The requirements review confirms that project
requirements and deliverables have been accepted and that the project is being managed
effectively. The project close out review provides assurance that the system is functioning
properly post implementation, that no project is closed without proof of sufficient
documentation, and that all lifecycle development steps and activities have been completed. The
Steering Committee is responsible for assuring that all project artifacts are accurate and for assessing
whether the project continues to provide value to FSA. The Steering Committee then makes a
recommendation to the Investment Review Board regarding the future of the project and the
Investment Review Board decides whether to advance the project to the next stage or stop the
project. LMM requires that the Investment Review Board’s decision be documented on a
decision record memorandum signed by the chair of the board. FSA did not always conduct
management reviews for projects and did not maintain sufficient documentation of required
approvals because no specific office or official has been designated overall responsibility to
enforce the use of LMM for all IT projects. As a result, FSA lacked an accountability
mechanism to ensure project teams properly implemented LMM. By not complying with the
LMM requirements to conduct these reviews, FSA increased the risk of funding projects that
were not of significant value to FSA or not ending low-potential projects before it invested
significant time and money.

FSA Did Not Always Update Project Tailoring Plans

We found that FSA’s integrated project teams did not update the tailoring plans for 7 of the
10 projects in our sample to reflect applicable artifacts. For six of the seven projects, FSA’s
integrated project teams lacked sufficient support that they completed 33 of the 102 artifacts
identified as applicable in these projects’ tailoring plans. For one of the seven projects, FSA
maintained sufficient support but the tailoring plan was not properly updated. As stated in the
LMM, a tailoring plan is an approved baseline of expectations that focus on the artifacts that a

28
  During our audit period, the lifecycle stage for the 10 projects in our sample testing involved five of the projects
being in a stage that required a management review. The remaining five projects were in lifecycle stages that did
not require a management review during our audit period.

team will produce throughout the life of a project. An artifact provides support that the team
completed activities that the tailoring plan required for each lifecycle stage. LMM requires
integrated project teams to complete artifacts determined to be applicable during the tailoring
process and to ensure project artifacts are completed and available as needed for stage gate
process inputs. Further, the “LMM Tailoring Process Description” states that project updates
require corresponding updates to approved tailoring plans. FSA did not update all tailoring plans
and did not complete all applicable artifacts because no specific office or official has been
designated overall responsibility to enforce the use of LMM for all IT projects. As a result, FSA
lacked accountability mechanisms and clear guidance about who oversees and enforces LMM for
all IT projects, limiting its ability to use the tailoring plans as an accountability mechanism to
provide assurance of properly implementing LMM for all IT projects.

FSA Did Not Maintain a Complete Inventory of Information Technology Projects and Did Not
Use EPPM to Track All Projects

FSA does not maintain a complete and reliable inventory of IT projects. As a result, FSA was
unable to provide a comprehensive list of IT projects or projects with an IT component for the
period from June 15, 2012, through December 31, 2014. In response to our request for a
comprehensive list of IT projects in process or started within the scope of our audit, FSA’s
Performance Management Office provided six different lists with inconsistent information. FSA
initially provided a list of IT and non-IT projects that were in EPPM; however, it did not identify
whether a project was an IT project or non-IT project. In the second list of projects that were in EPPM,
FSA identified the IT projects, but the list showed IT projects in a “closed” status as being in an
“active” status and the total number of IT projects differed from the first list. 29 In the third list,
FSA included the same information provided in the second list, but identified the active IT
projects.

We requested that FSA’s Performance Management Office add contract information for each one
of the IT projects included in the third list and a fourth list was provided. However, the fourth
list did not include contract information for IT investments for all IT projects identified in the
third list, and the contract information provided covered primarily IT investments for fiscal year
2014 through fiscal year 2017, which were outside of the scope of our audit. Because we found
that FSA did not track all IT projects in EPPM, we requested that FSA’s Performance
Management Office provide a list of IT projects that were not in EPPM, and a fifth list
containing IT projects with production readiness reviews was provided. However, the fifth list
also identified IT projects that were being tracked in EPPM and that were not included in any of
the prior lists. Given the discrepancies between these five lists, we asked FSA’s Performance
Management Office to provide one comprehensive list of IT projects, including contract
information and identifying IT projects in EPPM and not in EPPM. A sixth list was provided;
however, the total number of IT projects differed from the previous lists. As a result, we are not
confident that any of the six lists provided to us were complete.

By not maintaining a complete and reliable inventory of projects, FSA cannot ensure that LMM
is being followed for all IT projects, increasing the likelihood of unnecessary risk and costly
delays which LMM is intended to mitigate. All IT projects must follow LMM, and LMM

29
 Closed status indicates that an IT project has been completed (a new system has been created and is in use).
Active status indicates that an IT project has not been completed.

requires staff to enter all IT projects into EPPM. FSA did not track all IT projects in EPPM and
not all project managers used the system to manage and track the progress of the projects. Of the
109 IT projects considered for sampling, only 63 were in EPPM as required; the remaining 46
were not. FSA implemented the EPPM system in 2010 at a cost of about $2.4 million 30 to
manage and track IT and non-IT projects across FSA. EPPM is a tool for FSA to ensure that all
projects comply with LMM, including assisting in investment management and project
management.

FSA has no accountability mechanism because no specific office or official has been designated
overall responsibility to oversee and enforce the use of LMM for all IT projects. Although LMM
guidance includes the stakeholders’ roles and responsibilities in the implementation of LMM, the
guidance is not clear as to who is ultimately responsible for overseeing compliance with LMM
for all IT projects. As a result, the use of EPPM was not enforced, which prevented FSA from
having a reliable inventory of IT projects and limited FSA’s ability to track IT projects to
provide reasonable assurance of compliance with LMM. As the Chief Operating Officer stated
in his letter requiring the use of LMM for all IT projects,

        LMM adds and builds upon the standard project delivery methodology with
        guidance, processes, and tools that ensure appropriate and timely technology
        resource management throughout the project lifecycle. By having this
        support at logical points throughout the project, project teams can benefit
        from timely and effective engagement of appropriate technical resources,
        increasing the likelihood of avoiding unnecessary risk and costly delays.

The lack of an accountability mechanism to ensure LMM compliance also resulted in confusion
about the applicability of LMM to FSA legacy systems that were in production prior to the
approval of LMM. According to LMM Team officials, staff may have been confused when FSA
first implemented LMM. The LMM Team is responsible for maintenance and improvement of
LMM for the enterprise, but does not have responsibility to ensure that projects are complying
with LMM. Early in LMM implementation, the LMM Team allowed partial adoption of LMM
for some in-process projects. FSA applied LMM to these projects by applying the LMM
requirements applicable to the project stages then in effect. However, any new project was
expected to fully adopt LMM. Based on discussions with FSA project team members,
Engineering Review Board members, and the LMM subject matter expert for test readiness
reviews, some staff members thought management decided in the past that FSA’s Business
Operations would use the change management process instead of the LMM testing process and
that legacy contracts were not required to follow LMM. FSA’s Business Operations Change
Management Plan is the process for requesting, managing and implementing new requirements
and changes to baselined requirements for legacy systems maintained by Business Operations.
As of December 9, 2015, the LMM Team was working with FSA’s Business Operations to
identify any overlap between LMM and Business Operations’ change management process.




30
  Cost information covers September 30, 2011, through July 7, 2015. FSA was not able to provide cost information
before September 30, 2011.

Recommendations

We recommend that the Chief Operating Officer of FSA

1.1    Establish accountability mechanisms, such as assigning a specific office or official, to
       ensure FSA follows LMM for all IT projects.

1.2    Conduct an inventory of IT projects across FSA to establish a complete universe of IT
       projects.

1.3    Ensure all projects are entered into EPPM and managed using LMM after establishing a
       complete universe of IT projects.

1.4    Update the LMM process as applicable to establish controls and assign responsibility to
       provide assurance that project teams timely conduct technical and management reviews
       for IT projects.

1.5    Maintain required documentation to support compliance with LMM.

FSA Comments

FSA did not explicitly agree with the finding. FSA stated it will define “IT project” and conduct
an inventory of IT projects across FSA. Also, it will use the EPPM tool to report the status of the
schedules and risks for all IT projects, and it will maintain the required documentation in EPPM.
Regarding Recommendation 1.1, FSA’s Chief Operating Officer will obtain commitment
statements from all senior leaders directly responsible for implementing LMM for all IT projects
and FSA will consider and implement other accountability mechanisms to ensure FSA follows
LMM. In response to Recommendation 1.4, FSA stated it will update its support tools,
processes, and procedures to validate that technical reviews are planned for each IT project.

OIG Response

FSA’s planned corrective actions for Recommendations 1.2, 1.3, and 1.5, if implemented, are
responsive to those recommendations. While FSA’s proposed corrective actions for
Recommendation 1.1 indicate that it will consider and implement accountability mechanisms to
ensure compliance with LMM, more specificity is needed on the accountability mechanisms.
Specifically, FSA should address the root cause of the finding: that no specific office or official
has been designated overall responsibility to oversee and enforce the use of LMM for all IT
projects. Additionally, FSA’s response to Recommendation 1.4 only covers the planning of
technical reviews. Our recommendation applied to both technical and management reviews.
FSA should ensure that both technical and management reviews are planned and conducted.



                  OBJECTIVE, SCOPE, AND METHODOLOGY


The objective of our audit was to determine whether FSA’s oversight of IT projects ensures that
its LMM is appropriately implemented. Our audit covered IT projects already in process or
started during the period from June 15, 2012, through December 31, 2014.

To achieve our objective, we—
   1. Obtained an understanding of FSA’s LMM process for IT project delivery and
       governance, including a review of the following LMM policies and procedures:
           • “Lifecycle Management Methodology,” June 2012;
           • LMM Stage Gate Review Process Description, June 2012;
           • LMM Tailoring Process Description, May 2013;
           • LMM Tailoring Plan Guidance, April 2012; and
           • Department Directive, “Lifecycle Management Framework,” July 2010.
   2. Reviewed FSA’s EPPM guidance.
   3. Reviewed selected provisions of
           • OMB Circular A-123, “Management’s Responsibility for Internal Control,”
              December 2004;
           • OMB Circular A-130, “Management of Federal Information Resources,”
              November 2000;
           • OMB Circular A-11, “Preparation, Submission, and Execution of the Budget,
              Supplement to Part 7─Capital Programming Guide,” 2014;
           • Information Technology Management Reform Act of 1996;
           • GAO Standards for Internal Control in the Federal Government, November 1999
              and September 2014;
           • U.S. Chief Information Officer’s “25 Point Implementation Plan to Reform
              Federal Information Technology Management,” December 2010; and
           • Federal Acquisition Regulation, March 2005.
   4. Obtained an understanding of other guidance and best practices pertaining to information
       technology development and project management, including
           • GAO IT Investment Management, “A Framework For Assessing and Improving
              Process Maturity,” March 2004; and
           • GAO Best Practices for IT Management, accessed online in March 2015.
   5. Reviewed the following audit reports and reviews:
           • U.S. Department of Education Office of Inspector General Report, “FSA
              Oversight of TIVAS Contracts,” August 2013 (A02L0006);
           • GAO Report, “Information Technology: Critical Factors Underlying Successful
              Major Acquisitions,” October 2011 (GAO-12-7);
           • GAO Testimony, “GAO’s 2015 High-Risk Series – An Update,” February 11,
              2015 (GAO-15-371T); and
           • GAO Report, “Federal Chief Information Officers: Reporting to OMB Can Be
              Improved by Further Streamlining and Better Focusing on Priorities,” April 2015
              (GAO-15-106).

     6. Interviewed key FSA officials─including its Chief Financial Officer, Deputy Chief
        Information Officer, Deputy Chief Business Officer, Director-Enterprise IT Architecture
        & Strategic Infrastructure Group, Acting Director for the Investment Management Group
        and the Enterprise Project Management Office, Project Portfolio Manager, LMM Team
        Lead, Quality Assurance Program Manager, subject matter experts, and project managers.
        We also reviewed documentation for the following:
            • development and implementation of LMM across FSA;
            • roles and responsibilities of FSA’s Investment Review Board, Engineering
                Review Board, Performance Management Office, Technology Office, subject
                matter experts, and stage gate owners in relation to LMM;
            • use of LMM by project managers and integrated project teams;
            • governance controls incorporated into LMM at implementation;
            • purpose and use of the EPPM system; and
            • oversight of tailoring plans and stage gate review processes.
     7. Tested whether FSA appropriately implemented LMM for 10 judgmentally selected FSA
        IT projects. For these 10 IT projects, we tested the last three technical reviews (detailed
        requirements review, production readiness review, and retirement and disposal review)
        and the management reviews, as applicable. See the sections “Sample Selection of IT
        Projects” and “Testing of IT Projects” below for details.
     8. Reviewed approved LMM tailoring plans for the 43 FSA IT projects which had tailoring
        plans to determine whether FSA complied with LMM requirements for preliminary and
        detailed design reviews (Technical Review Stage Gates 1A and 1B) and test readiness
        reviews where an approved tailoring plan required the reviews to be conducted. See
        “Testing of Approved Tailoring Plans to Determine whether Preliminary, Detailed
        Design and Test Readiness Technical Reviews Were Required and to Determine
        Compliance” section below for details.

Sample Selection of IT Projects

To determine whether FSA ensured that project teams appropriately implemented LMM, we
selected a judgmental sample of IT projects subject to LMM. To select a sample of IT projects
for testing, we requested FSA to provide us a list of IT projects for our audit period. However,
FSA was unable to provide a reliable list of IT projects to use as a universe for sampling. We
used a list of IT projects that FSA had entered in EPPM and narrowed the list based on the
project start and end dates to identify projects that started or were in process during our audit
period. We identified a list of 63 IT projects entered in EPPM that met these criteria. We
supplemented the list with 44 31 projects that FSA had not entered in EPPM and 2 projects which
FSA had retired during our audit period but had not been included in any of the lists provided. In
total, we considered a list of 109 IT projects for sampling.

After identifying the list of 109 IT projects, we categorized each project by the LMM lifecycle
stage it was in during our audit period, June 15, 2012, through December 31, 2014. We designed
our sampling methodology to ensure we judgmentally selected at least one IT project within each
of the seven lifecycle stages and selected 10 projects. We prioritized selections based on the Tier
category of each project, oversight concerns of IT projects expressed by FSA officials, and
31
  FSA identified the 44 projects not entered in EPPM based on production readiness reviews and investment
requests tracking records.

projects related to FSA’s core IT systems. We selected and reviewed 10 projects to obtain
coverage of each of the 7 distinct LMM lifecycle stages. Table 1 below shows the LMM
lifecycle stage for the 10 projects we reviewed in our judgmental sample. In addition, because of
issues identified with processes for conducting the first 3 types of technical reviews (preliminary
design review, detailed design review and test readiness review), we also tested 43 IT projects as
explained in the section below titled “Testing of Approved Tailoring Plans to Determine whether
Preliminary, Detailed Design and Test Readiness Technical Reviews Were Required and to
Determine Compliance.”

Table 1: Number of Projects Judgmentally Selected By LMM Lifecycle Stage
LMM Lifecycle Stage                                Number of Projects
Initiative Vision                                  2
Definition                                         2
Development                                        2
Testing                                            1
Implementation                                     1
Operations and Maintenance 32                      1
Retirement                                         1
Total                                              10

Because the list of 109 IT projects may not contain all projects subject to LMM and because we
did not select the projects as part of a statistical sample, our judgmental sample used in the audit
was not representative of the actual universe of FSA’s IT projects subject to LMM. Therefore,
the results of our testing of IT projects cannot be projected to the universe.

Testing of Approved Tailoring Plans to Determine whether Preliminary, Detailed Design
and Test Readiness Technical Reviews Were Required and to Determine Compliance

We identified a total of 109 IT projects and of these projects, 63 were in EPPM, with 43 of the
projects in EPPM having tailoring plans within FSA’s LMM shared site. Because of issues
identified with processes for conducting the first 3 types of technical reviews (preliminary design
review, detailed design review and test readiness review), we tested all 43 projects. For the
remaining 3 types of technical reviews (detailed requirements review, production readiness
review and retirement and disposal review), we reviewed a judgmental sample of 10 projects of
the 109 projects identified. To assess whether FSA complied with LMM requirements for
preliminary, detailed design and test readiness technical reviews, we reviewed the 43 approved
LMM tailoring plans to identify projects that required these reviews. Of these 43 approved
tailoring plans, 22 of the projects required preliminary and detailed design technical reviews,
while 24 required a test readiness review. For the 22 and the 24 projects, we requested and
reviewed documentation to support the completion of the technical reviews in accordance with
LMM requirements. 33 Table 2 shows the total number of IT projects requiring a technical or
management review that we tested.


32
   For this project, we reviewed the management stage gate 3 (project close out review) as it is the review required
for advancing the project to the operations and maintenance lifecycle stage.
33
   Of the 10 sampled IT projects, 1 had a tailoring plan that required the preliminary and detailed design technical
reviews, while 4 of the 10 sampled projects had a tailoring plan that required the test readiness review.

Table 2: LMM Technical and Management Reviews Tested
LMM Technical and Management   Count of IT Projects and Tailoring Plans Reviewed                       Count of IT Projects Requiring This Review
Reviews Tested                                                                                         and Which We Subsequently Tested 34
Preliminary Design Review      All 43 with approved LMM tailoring plans                                22
Detailed Design Review         All 43 with approved LMM tailoring plans                                22
Test Readiness Review          All 43 with approved LMM tailoring plans                                24
Detailed Requirements Review   Sample of 10 from universe of 109 IT projects identified for sampling   4
Production Readiness Review    Sample of 10 from universe of 109 IT projects identified for sampling   2
Retirement and Disposal        Sample of 10 from universe of 109 IT projects identified for sampling   1
Reviews
Management Reviews             Sample of 10 from universe of 109 IT projects identified for sampling   5

Testing of IT Projects

To determine whether FSA properly implemented LMM for IT projects within our sample, we
performed the following steps:
    1. Reviewed the project’s tailoring plans and identified all of the LMM artifacts, technical
       reviews, and management reviews that FSA determined were applicable to the lifecycle
       stage each project was in during our audit period.
    2. Evaluated whether the documentation FSA maintained was sufficient to support that the
       artifacts were completed in accordance with LMM requirements.
    3. Determined whether the documentation FSA maintained for all technical and
       management reviews required for the lifecycle stage each project was in during our audit
       period was sufficient to support that the reviews were conducted in accordance with the
       LMM acceptance criteria for each review. To determine whether FSA complied with
       LMM requirements before advancing projects to the next lifecycle stage, we evaluated
       the documentation FSA maintained for the technical and management reviews that
       advanced the projects to the lifecycle stage we reviewed for each project in our sample.
    4. Followed up with project managers and project teams, as well as the LMM Team within
       FSA, as needed to clarify our understanding of the documentation.

Computer-Processed Data

We relied on the computer-processed data contained in FSA’s EPPM system for the purpose of
selecting a sample of IT projects. As described in our finding, FSA did not maintain a complete
and reliable inventory of IT projects and did not track all IT projects in EPPM. Therefore, we
determined that the computer-processed data were not sufficiently reliable for the purposes of

34
     Requirement determined by approved tailoring plans and stage of IT project.

obtaining a complete inventory. However, we determined in total there was sufficient and
appropriate evidence to address the audit objective and support our conclusions.

Internal Controls

We obtained an understanding of internal control concerning FSA’s oversight of LMM
implementation for IT projects. We determined that control activities were significant to our
audit objective. We reviewed and tested control activities for FSA’s oversight to ensure LMM
implementation. We found weaknesses in FSA’s control activities, which are reported in the
finding.

We performed our onsite review at FSA’s offices in Washington, D.C., from April 14, 2015,
through April 16, 2015, and from November 2, 2015, through November 5, 2015. We held our
exit conference with FSA officials on March 9, 2016.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.



                            ADMINISTRATIVE MATTERS


Corrective actions proposed (resolution phase) and implemented (closure phase) by your office
will be monitored and tracked through the Department’s Audit Accountability and Resolution
Tracking System. The Department’s policy requires that you develop a final corrective action
plan (CAP) for our review in the automated system within 30 calendar days of the issuance of
this report. The CAP should set forth the specific action items, and targeted completion dates,
necessary to implement final corrective actions on the findings and recommendations contained
in this final audit report. An electronic copy of this report has been provided to your Audit
Liaison Officer.

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector
General is required to report to Congress twice a year on the audits that remain unresolved after
six months from the date of issuance.

Statements that managerial practices need improvements, as well as other conclusions and
recommendations in this report, represent the opinions of the Office of Inspector General.
Determinations of corrective action to be taken will be made by the appropriate Department of
Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office
of Inspector General are available to members of the press and general public to the extent
information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation given us during this review. If you have any questions, please
call Christopher Gamble at (404) 974-9417.

                                             Sincerely,

                                             /s/

                                             Patrick J. Howard
                                             Assistant Inspector General for Audit


Attachments

                                                            Attachment 1

ABBREVIATIONS, ACRONYMS, AND SHORT FORMS USED IN THIS REPORT


CAP               Corrective Action Plan

Department        U.S. Department of Education

EPPM              Enterprise Project Portfolio Management

FSA               Federal Student Aid

GAO               U.S. Government Accountability Office

IT                Information Technology

LMM               Lifecycle Management Methodology

OMB               Office of Management and Budget

                                                                                                                          Attachment 2




MEMORANDUM

DATE:     May 26, 2016

TO:       Christopher A. Gamble
          Acting Regional Inspector General for Audit
          Office of Inspector General

FROM:     James W. Runcie
          Chief Operating Officer

SUBJECT:  Response to Draft Audit Report:
          FSA Oversight of the Development and Enhancement of Information Technology
          Products Control No. ED-OIG/A04O0014

Thank you for the opportunity to comment on the Office of Inspector General's (OIG) draft audit
report, FSA Oversight of the Development and Enhancement of Information Technology
Products, dated April 13, 2016. Your audit found that Federal Student Aid (FSA) does not have
an accountability mechanism to enforce use of its Lifecycle Management Methodology (LMM)
process. FSA is committed to excellence when delivering quality Information Technology (IT)
products and solutions; therefore, FSA finds this report timely and useful as we move to
implement improved guidance and controls to ensure compliance with the LMM process.

As you know, we have continuously improved our governance model since the official
implementation in 2011, and we have already taken steps to address OIG's concerns. As noted
during your audit, FSA's LMM model is a robust governance model and the Production
Readiness Review Stage Gate is considered a model stage gate.

We look forward to the continued enhancements of the LMM governance model and fully
addressing the OIG recommendations.

We have responded to each recommendation below:

FINDING - FSA Does Not Have an Accountability Mechanism to Enforce Use of Its LMM
Process.

Recommendation 1.1: Establish accountability mechanisms, such as assigning a specific
office or official, to ensure FSA follows LMM for all IT projects.

Response: FSA's Chief Operating Officer will obtain commitment statements from all senior
leaders directly responsible for implementation of the LMM process. FSA will also consider and
implement accountability mechanisms to ensure FSA follows LMM for those IT projects
required to follow the LMM.

Recommendation 1.2: Conduct an inventory of IT projects across FSA to establish a complete
universe of IT projects.

Response: FSA will establish a definition of "IT Project" for the FSA organization that
addresses FSA-specific considerations and relevant federal guidance. When the definition is
established, we will communicate and apply the definition throughout the FSA organization and
complete an inventory of all FSA authorized projects.

Recommendation 1.3: Ensure all projects are entered into EPPM and managed using LMM
after establishing a complete universe of IT projects.

Response: FSA IT Projects (based on the list developed under recommendation 1.2) shall utilize
the EPPM tool to report status of schedule and risks/issues.

Recommendation 1.4: Update the LMM process as applicable to establish controls and assign
responsibility to provide assurance that project teams timely conduct technical and management
reviews for IT projects.

Response: FSA will update FSA's support tools, processes and procedures to validate that
appropriate technical reviews are planned for each IT project.

Recommendation 1.5: Maintain required documentation to support compliance with LMM.

Response: FSA will maintain required project level documentation, within the EPPM tool,
to support compliance with LMM.

Thank you again for the opportunity to review and respond to this report.

cc: Chris Vierling