United States General Accounting Office
GAO
Report to the Subcommittee on Personnel, Committee on Armed Services, U.S. Senate
January 1999
DEFENSE IRM
Alternatives Should Be Considered in Developing the New Civilian Personnel System
GAO/AIMD-99-20

United States General Accounting Office
Washington, D.C. 20548
Accounting and Information Management Division
B-278058
January 27, 1999

The Honorable Wayne Allard
Chairman
The Honorable Max Cleland
Ranking Minority Member
Subcommittee on Personnel
Committee on Armed Services
United States Senate

During the past 5 years, the Department of Defense (DOD) has been reducing the costs associated with civilian personnel management by reducing the number of staff working in personnel, consolidating selected personnel management functions at newly created regional centers, and attempting to improve personnel management business processes. A key part of this initiative is Defense’s development of a new information management system—the Defense Civilian Personnel Data System (DCPDS)—to support a wide range of personnel management functions including recruitment, staffing, benefits administration, and training. Defense expects to complete deployment of this system by March 2000.

This letter responds to the request from your subcommittee that we answer the following questions about this initiative and recommend corrective actions, where appropriate.

• How did Defense determine the number and locations for civilian personnel regional service centers and why is there a wide disparity in the number of regional centers among the services?
• In overseeing, managing, and developing DCPDS, is Defense applying the investment principles of the Clinger-Cohen Act?
• Does DCPDS duplicate a system that is available through the Office of Personnel Management (OPM) called the Employee Express System?
• Was Defense leadership aware of the extent and cost of the needed modifications to the commercial-off-the-shelf (COTS) software application?
• Has Defense identified and mitigated the risks associated with the major COTS modifications?

In conducting our review, we examined Defense requirements on development, management, and oversight of information systems in light of relevant legislative and federal requirements, including the Clinger-Cohen Act of 1996. We discussed Defense’s efforts to develop and manage DCPDS with officials from (1) Defense’s Civilian Personnel Management Service (CPMS), (2) the Air Force Central Design Activity (CDA) responsible for managing technical modifications, (3) Oracle Corporation, the contractor from which Defense acquired the new system, (4) the military services and Defense agencies that plan to use the system, and (5) the Office of Personnel Management. We also visited and interviewed officials from five of the regional personnel centers and four of the local or installation-level offices. We conducted our review from August 1997 through October 1998 in accordance with generally accepted government auditing standards.

Page 1 GAO/AIMD-99-20 Defense Civilian Personnel Management B-278058

We requested comments on a draft of this report from the Department of Defense. The Acting Assistant Secretary for Force Management Policy provided us with written comments. These comments have been incorporated where appropriate and are discussed in the Agency Comment and Our Evaluation section of this letter and appendix I. Details on the scope and methodology of our work are provided in appendix II.

Results in Brief

Defense’s current initiative can potentially improve civilian personnel operations and achieve cost savings. However, because the Department has not examined other business process alternatives that could potentially achieve even greater savings and process efficiencies, there is no assurance that this is the best alternative for civilian personnel operations.
Before embarking on its costly initiative to improve personnel management, Defense examined two alternatives: (1) outsourcing personnel computer operations to the Department of Agriculture’s (USDA) National Finance Center[1] and (2) regionalizing personnel centers. It determined that it would take the National Finance Center about 6 years to prepare for transferring computer operations and that some new functionality built into its legacy system would be lost. However, Defense did not examine several other potentially effective alternatives, including (1) continuing to centralize all or parts of its personnel management operations to reduce duplicative layers of oversight at the components and ensure more consistent operations DOD-wide, (2) integrating its personnel and payroll management systems, (3) restructuring its regional offices to serve multiple components rather than perpetuating regional offices dedicated to only one component, (4) restructuring local personnel offices to serve multiple bases or installations (they now serve only one base or installation), and (5) outsourcing all civilian personnel operations to the private sector.

[1] The National Finance Center provides payroll, personnel, financial, and other administrative services to USDA agencies as well as a broad range of federal departments and agencies.

These alternatives are feasible and may have helped Defense to achieve even greater savings and efficiencies than the current approach. For example, as of June 1998, there were 886 people performing civilian personnel management and oversight functions at component headquarters and major command levels at a cost of about $63 million annually. By consolidating some or portions of these component oversight functions, Defense could reduce the number of staff that perform duplicative overhead functions and decrease personnel management oversight costs.
In addition, the Defense Science Board[2] determined that integrating payroll and personnel systems was a viable and cost beneficial option for military personnel. Among other benefits, this alternative might have enabled the Department to cut system operation and maintenance costs as well as streamline and dramatically improve both payroll and personnel business processes. Furthermore, by having regions serve multiple services and agencies, Defense could have further consolidated regional offices and reduced duplicative regional overhead costs. The Washington Headquarters Service has already demonstrated the feasibility of this option by managing personnel services for numerous smaller Defense agencies.

[2] Report of the Defense Science Board Task Force: Military Personnel Information Management, August 31, 1996.

CPMS officials who were responsible for the personnel initiative said that they did not consider these business processing alternatives because (1) CPMS did not have authority to require the military services and Defense agencies to adopt such approaches, (2) the Department did not allow sufficient time to rigorously examine alternatives, and (3) the Department lacked basic cost and performance data needed to study the alternatives. As a result, Defense selected a business processing alternative which, in the long run, may not provide the most effective personnel operations at the lowest cost.

In addition, after it decided on its approach, Defense did not follow a sound process for selecting regions. For example, it did not require military services and Defense agencies to base their decisions on data-driven analyses and it allowed only a short time frame for the selection. Consequently, the analyses of the services and agencies were inconsistent, considering different factors in choosing their regions, and none included a formal cost/benefit analysis. As a result, there is a wide
disparity in the numbers of regions selected, and there is no convincing rationale or objective evidence that any of the selections were optimal.

Furthermore, Defense did not adequately consider a full range of technical options before deciding to replace its legacy system with the Oracle COTS product. Defense informally surveyed the potential market of COTS[3] products and selected three COTS packages for further evaluation. It then considered functional, technical, and cost differences among the three but did not rigorously analyze their costs, benefits, and expected returns-on-investment nor did it assess the desirability of continuing to use the legacy system. After the Oracle product was acquired, Defense performed a limited economic analysis for the system which did not consider all of the promising business operation options or all of the technical options and did not separate the costs and benefits of the selected regionalization approach from those of the Oracle product. As a result, there is still no objective evidence that either element of Defense’s approach (regionalization or the use of the Oracle product) is the best option.

Finally, after Defense acquired the Oracle system, it did not mitigate critical technical risks, as the following examples illustrate.

• Because the Oracle product did not satisfy many federal and Defense-unique requirements, modifying the system would entail a significant effort. Further, there was no guarantee that the modifications would be successful or that the system would be able to accommodate Defense’s large-scale workload. To mitigate this risk, Defense could have first worked with the developer to define unique Defense and federal personnel requirements and postponed purchasing the product until after it was modified.
While Defense worked with the developer to define unique Defense and federal requirements, it committed to purchasing the product before the software was modified and could be demonstrated to perform successfully.
• Defense has not fully mitigated critical security risks for either the legacy- or the Oracle-based systems. Despite the fact that these systems contain sensitive privacy data, Defense has not established encryption or firewall standards.[4] These standards are needed to ensure a consistent level of protection for personnel data and to ensure that all DCPDS partners can safely and effectively access the system. In addition, Defense has not promoted security awareness among the local offices that will be operating the new system.
• Defense has not adequately addressed risks associated with the Year 2000 computing problem. While it has made good progress in renovating the legacy system and ensuring the modern system’s compliance, it has not developed agreements with its data exchange partners that specify date format changes, time frames for these changes, or processes for resolving interface conflicts. In addition, Defense has not developed adequate contingency plans for either of the systems. Even if systems are compliant, civilian personnel business operations are at risk of disruptions caused by external interfacing systems and the public infrastructure. As such, detailed contingency plans are necessary to ensure that Defense can maintain the basic functionality of its core civilian personnel operations.

[3] Over 100 different software products were initially identified.
[4] Encryption involves the transformation of original text (also known as plaintext or cleartext) into unintelligible text (also known as ciphertext). Firewalls are hardware and software components that check all incoming network traffic and block unauthorized traffic.
Background

Defense’s civilian personnel community provides Defense managers with the personnel management services and support needed to accomplish their missions, including recruitment, job classification, position management, training, career development, and benefits administration. Traditionally, the military services and Defense agencies have managed their civilian personnel service delivery organizations and systems through local civilian personnel offices located at or near military bases and installations all over the world.

During the past 5 years, Defense has been attempting to reduce personnel management costs through the following actions.

(1) Reducing the number of civilian personnelists. Personnelists provide face-to-face assistance to civilian employees, answering questions about such issues as life insurance, health insurance, and position classification. They process paperwork for new hires, promotions, awards, and a wide variety of personnel actions and assist in training, benefits administration, management/employee relations, recruitment, and staffing. In 1994, Defense reported that a single personnelist served about 67 employees. Defense’s goal was to reduce the number of personnel staff to the point where one personnelist served 88 employees by the year 2001 and 100 employees by the year 2003.[5] As of June 30, 1998, Defense reported that it had cut 1,700 personnelists and had achieved a ratio of 1 personnelist to 77 employees.

(2) Improving personnel management processes. To help increase the personnelist-to-civilian employee ratio, Defense is attempting to improve and automate its personnel management business processes. For example, it has automated and improved processes for (1) developing, tracking, and monitoring all personnel actions, (2) handling injury compensation claims, and (3) estimating retirement eligibility and benefits. It has acquired an automated tool called RESUMIX, which helps personnelists analyze resumes of people applying for a position with Defense. It is also developing an interactive voice response system that enables employees to use a Touch-Tone phone to change selected data in their own personnel records.

(3) Creating regional centers. Defense is creating regional centers that will specialize in selected personnel management functions and reducing the number and size of local offices. It anticipates that specialization of labor within the regions combined with improved business processes will reduce operating costs. As of September 30, 1998, the Army had established all 10 of its planned regions, the Navy had established 7 of 8 planned regions, the Air Force had established its 1 region, and the Defense agencies participating in this initiative had established all 3 of their planned regions. Table 1 further illustrates the changes in personnel management that will occur through Defense’s improvement initiative.

[5] In 1989, the Army and the Air Force had civilian personnelist servicing ratios of 1 to 50 and 1 to 48, respectively, while the Navy’s ratio was 1 to 61. At the time, DOD began efforts to increase servicing ratios in the other services to at least the Navy’s ratio. The goal of reaching 1:100 was derived based on recommendations by the National Performance Review, as well as DOD’s own internal benchmarking study. DOD’s internal study indicated that some DOD organizations had servicing ratios exceeding 1:100.

Table 1: Differences in Personnel Management

Before personnel improvements | After personnel improvements
Local personnel offices provided service to all civilian employees and carried out all work processes, such as processing paperwork for new hires, processing promotions, developing vacancy announcements, and assisting in management/employee relations. | Local personnel offices will still provide face-to-face service to civilian employees. However, 40 to 60 percent of the processing of personnel-related actions are to be done at the regional offices.
Some personnelists specialized in certain work processes while others provided a broader range of personnel services. | Most personnelists at the local offices will be generalists. Specialists will be located at regions.
In 1994, there were 389 local offices and no regional offices. | By fiscal year 1999, there are to be 311 local offices plus 22 regional offices.
Most work processes were manual and paper-oriented. | Business process improvement efforts are targeted at automating many work processes, such as estimating retirement eligibility and benefits and analyzing resumes.
Before 1994, only personnelists had access to personnel management systems. | Functional managers, civilian employees and personnelists are to have access to the personnel management information system. Among other things, civilians can view their own records and make prescribed changes to insurance and thrift savings retirement data. Functional managers will be able to initiate personnel actions on the system.

A COTS Personnel Management System Is Acquired to Support Initiative

At the beginning of this effort, Defense components operated a number of personnel management information systems that assisted in all aspects of personnel operations, such as developing position classification documents; preparing vacancy announcements; and processing appointments, reinstatements, transfers, promotions, retirements, and terminations. These systems were redundant and not interoperable, and Defense believed that they were antiquated.
To modernize this environment, Defense eliminated the duplicative systems and used the Air Force civilian personnel management information system, located in San Antonio, Texas, to do all personnel processing. This legacy system meets Defense-unique personnel management requirements; is able to process Defense’s large-scale workload successfully; and because it operates in one location, it can be maintained by CDA personnel with experience in operating and protecting systems. However, Defense believed that there were a number of significant shortfalls with this mainframe system[6] and, therefore, the system should be replaced with a new COTS system. For example, according to Defense

• the legacy system relied on outdated technology for its database structure, file update, and retrieval;
• manpower resources and costs needed to develop and maintain the system were extensive;
• the system required duplicative data entry;
• the system could only be accessed by personnelists—it could not be easily modified to provide access to civilian employees so that they could review and make prescribed changes to their own benefit, insurance, and other personnel-related data;
• modifications reflecting improvements in business processes were difficult to make; and
• the system was not Year 2000 compliant.

As a result, Defense acquired a COTS product from Oracle Corporation. In contrast to the legacy system, which operated on two 1970s era mainframes, the new system will operate in a distributed, networked environment[7] at regional and local offices. According to Defense, the system

• will enable any authorized civilian employee with a personal computer to directly access the system and to perform prescribed personnel-related operations or management tasks,
• can be easily modified to reflect improvements in business processes,
• will cost less to maintain and operate, and
• will be Year 2000 compliant.
However, because the Oracle product was originally designed for use in the private sector, it did not satisfy all federal and Defense-unique requirements for personnel management. For example, it could not process federal personnel forms, such as the standard personnel action form (Form 52). It did not address the federal General Schedule for salaries, Defense’s demonstration projects for pay banding, or the Defense-unique salary schedule for tens of thousands of foreign nationals who work for the Department overseas but do not get the same salaries or benefits as American employees. It did not have DOD-unique data for security and mobilization. In addition, it did not directly interface with Defense’s existing payroll system. As a result, the product needed to be modified and/or enhanced before it was deployed.

[6] A mainframe is a very large computer capable of supporting hundreds or even thousands of users simultaneously. Mainframes use smaller computers as front-end processors that connect to communications networks.
[7] Rather than processing all applications on a single mainframe, applications are distributed to run on independent, networked computers.

The Civilian Personnel Management Service (CPMS), which was established in 1993 to provide departmentwide leadership for the civilian personnel business area, is responsible for managing the new system. CPMS acquired the system using an indefinite delivery, indefinite quantity (IDIQ) DOD contract[8] under which Oracle Corporation was a participating vendor. Defense components are responsible for purchasing and maintaining hardware to support the new system. CPMS has assigned the Air Force Central Design Activity (CDA) responsibility for managing technical modifications to the system under the contract.[9]

According to CPMS, the system is currently in the test phase.
Once system qualification tests are completed, the system will be deployed to four test sites during January and February 1999. The Air Force Operational Test and Evaluation Center (AFOTEC) will then evaluate the test results to ensure that the system meets user needs in an operational environment. Deployment to the remaining sites is expected to begin in late 1999 and end by March 2000. DOD officials stated that this schedule is likely to slip at least 2 months to ensure that the system is fully tested and meets user needs before it is fully deployed.

[8] The Integrated Computer-Aided Software Engineering (I-CASE) contract. This is an indefinite delivery, indefinite quantity contract awarded to Logicon in April 1994. DOD can use this contract to purchase IT systems, hardware, and software tools from approved vendors without having to prepare a separate contract.
[9] There is an integrated team of contractors working for CDA in San Antonio that includes Oracle staff as well as individuals who work on a contract basis for CDA. The Oracle employees work on Oracle’s federal system while the other contract employees are responsible for developing DOD-unique add-ons to the system.

Costs of DOD’s Personnel Initiative

The cost of Defense’s personnel initiative is estimated to be $1.2 billion over its estimated 15-year life cycle (fiscal years 1995 through 2009), of which Defense reports that over $300 million has been spent through the end of fiscal year 1998. These totals are itemized in table 2.

Table 2: Estimated Costs of Defense’s Personnel Initiative (Dollars in Millions)

Purpose | Estimated cost | Amount spent through fiscal year 1998
Cost to develop and deploy the new system. | $177 | $142
Cost to establish regional offices. | $190 | $159
Operational and support costs for the new system for fiscal years 1999 through 2009.(a) | $621 | $0
Operational and support costs for regions for fiscal years 1995 through 2009.(a) | $256 | $13
Total | $1,244 | $314

(a) This includes costs for site operations, replacement software and hardware, equipment upgrades, program management oversight, and administration.

Question: How Did Defense Determine the Number and Locations for Regional Centers and Why Is There a Wide Disparity?

Answer: Defense considered only a narrow range of alternatives for improving personnel operations before deciding to regionalize personnel centers. This left the Department without assurance that it was pursuing the most cost-effective and beneficial approach. After it decided to regionalize, Defense did not follow a sound process for selecting regions; it did not require services and agencies to base their decisions on data-driven analyses. Consequently, the analyses of the services and agencies were inconsistent, each considering different factors in choosing regions and none included a formal cost/benefit analysis. This process resulted in the wide disparity in the number of regions chosen, and it left Defense without the objective data needed to determine whether any of the choices were optimal.

Before embarking on a major, costly initiative to improve personnel management, sound practices call for examining a range of improvement options, including those that would radically change the current way of doing business.
For example, in addition to, or instead of regionalizing, Defense could have considered (1) outsourcing its personnelist computer operations or all of its civilian personnel management services, (2) integrating its personnel/payroll management systems, (3) creating regions that cross-service between agencies and the military services, (4) consolidating local personnel offices that are near each other to provide face-to-face services to multiple bases or installations out of the same office, and/or (5) centralizing all, or portions of, civilian personnel management in DOD. By thoroughly considering these and other choices, Defense would have ensured that the most cost-effective and beneficial alternative was chosen before deciding to invest $367 million[10] in the project and that any systems acquired or developed would support the most efficient and effective business processes.

Defense did not examine all of these promising alternatives. Instead, it considered only the possibility of outsourcing computer operations with the National Finance Center. This option was determined to be infeasible.[11] Defense did not analyze other alternatives, including cross-servicing, integrating payroll/personnel systems, collocating personnel offices, DOD-wide management of personnel operations, or outsourcing all of its personnel operations.

In addition, once it decided on regionalization, Defense did not follow a sound process for selecting the regions. For example, Defense did not require the services and agencies to base their selections on data-driven analyses. In fact, the services were allowed to select whichever and as many regions as they wanted as long as they achieved at least a 1 to 88 personnelist-to-civilian employee ratio. Consequently, the services considered different factors in choosing their regions. However, none based their selections on a thorough cost/benefit analysis.
This resulted in the wide disparity in the number of regions chosen, as the following examples illustrate.

• The Army and the Navy considered the distance between regions, proximity to the installations they serviced, and coverage across time zones as well as some costs associated with establishing and operating regions and transferring personnel. After considering these factors, the Army selected 10 regions and the Navy selected 8. It was decided that the regions would be responsible for about 60 percent of the work while local offices would be responsible for about 40 percent. Neither the Army nor the Navy conducted cost/benefit analyses in making their decisions. Nor did they consider the costs of personnel work processes or the relationship between per capita servicing costs and region size.
• Because it had already demonstrated that it could reduce overhead and technology costs and facilitate standardization in service and business processes by collocating the civilian personnel center with its military center, the Air Force decided to use a single Air Force personnel center to serve all of its personnel. The Air Force decided that its local offices would continue to be responsible for about 53 percent of the work.

[10] Defense planned to initially invest $177 million to develop and deploy the new system and $190 million to establish the regional offices, for a total of $367 million.
[11] Defense considered the possibility of outsourcing the IRM support function to the private sector. It concluded that this option was not feasible due to the size of Defense’s operations. In exploring the possibility of outsourcing computer operations with the National Finance Center, Defense learned that it would take the Center about 6 years to prepare for transfer and that some new functionality built into its legacy system would be lost.
While Defense allowed the services wide latitude in choosing their regions, it directed that its agencies be serviced by three regional offices.[12] The two largest agencies—the Defense Finance and Accounting Service and the Defense Logistics Agency—were directed to establish their own regions and the Washington Headquarters Service was directed to serve as a regional personnel office for the smaller agencies. The Defense Finance and Accounting Service selected the location for its regional center based on the fact that it had already started to regionalize personnel operations there. The Defense Logistics Agency selected the location for its regional center after considering the location and space availability of its depots. However, neither conducted formal cost/benefit analyses in choosing their regions or considered the cost of personnel work processes and the relationship between per capita servicing costs and region size.

CPMS officials cited several reasons for taking this approach. First, they pointed out that CPMS had no authority to require the services and agencies to base their decisions on thorough, data-driven analyses or, in fact, to require that they adopt any standard personnel system or approach at all. At the same time, they noted that the military services had a vested interest in maintaining the status quo and had the independent budget authority to see that the status quo was preserved. Second, Defense lacked basic cost and performance data for examining options, including data on the cost of personnel work processes and the relationship between per capita servicing costs and region size. Third, the agency was directed in 1994 to implement the Office of the Secretary of Defense’s (OSD) recommendations quickly, i.e., to reduce the number of personnelists to a ratio of one personnelist to every 88 civilian employees by fiscal year 1998. CPMS officials held that this did not allow time to develop objective data and rigorously examine alternatives.
The 1 to 88 goal was later extended to the year 2001. Fourth, CPMS officials stated that because most of the costs for performing personnel functions are for personnelists, and systems, facilities, and operations constitute relatively smaller costs, as long as it achieved the 1 to 88 ratio, Defense would accrue significant cost savings regardless of the number of regions selected.[13]

[12] DOD has over 20 separate agencies and activities. Most are small and in the Washington, D.C. area. The intelligence agencies were excluded from this initiative and allowed to acquire their own personnel software program (PeopleSoft).

Nevertheless, several of the alternatives Defense ignored offered the opportunity to achieve far greater savings while streamlining personnel operations, as the following examples illustrate.

• By consolidating some or all of its personnel management, Defense could reduce the numbers of staff that perform duplicative overhead functions. As of June 1998, there were 886 people performing civilian personnel management and oversight functions at component headquarters and major command levels at a cost of about $63 million annually.[14] Furthermore, if Defense had centralized management of departmentwide personnel operations, it could take a departmentwide perspective in deciding which local offices and which regions should be consolidated.
• Cross-servicing could have enabled Defense to further consolidate regional offices and reduce duplicative overhead costs. Some Defense components have already found this alternative to be beneficial.
The military services, for example, are doing some cross-servicing with employees in remote locations and the Washington Headquarters Service is servicing the smaller Defense agencies as well as some federal agencies, including the Office of Personnel Management.[15] Additionally, having local personnel offices service multiple bases or installations could further reduce duplicative overhead costs.
• Integrating payroll and personnel systems could have helped Defense reduce system operation and maintenance costs as well as further streamline and improve personnel and payroll management business processes. In fact, after considering the potential benefits of this alternative and its feasibility, the Defense Science Board recommended it as a solution for military personnel in 1996.[16]

While it may have required more time and greater management commitment to change Defense practices, the potential for substantially greater savings and efficiencies should have compelled Defense to perform a rigorous analysis of all alternatives and to select the one proven most cost effective.

[13] According to Defense’s economic analysis, over 80 percent of the costs of performing personnelists functions are for personnelists.
[14] Our estimate is based on DOD/CPMS data on personnelists costs and numbers.
[15] Defense does not have information on the savings being derived from its current cross-servicing activities.
[16] Report of the Defense Science Board Task Force: Military Personnel Information Management, August 31, 1996.

Question: In Developing, Managing, and Overseeing DCPDS, Is Defense Applying the Clinger-Cohen Act?

Answer: Defense did not adequately apply the three requirements of the Clinger-Cohen Act of 1996 that we reviewed, which are designed to maximize the value of major investments. While the act was passed after Defense initiated its development of DCPDS, the act’s requirements reflect basic and widely accepted principles of sound system acquisition management. Similar practices are also called for by Defense’s own system acquisition regulations and guidelines, Office of Management and Budget (OMB) guidance, and other legislative requirements effective at the time DCPDS decisions were made, including the Government Performance and Results Act of 1993, the Federal Acquisition Streamlining Act of 1994, the Paperwork Reduction Act of 1995, and the Chief Financial Officers Act of 1990.

The Clinger-Cohen Act requires federal agencies to focus on the results achieved through information technology investments while streamlining the federal information technology (IT) procurement process. Specifically, this act introduces much more rigor and structure into how agencies approach the selection and management of IT projects. Although the act was passed after Defense decided to develop a new personnel management system, its principles are based on practices that are widely considered to be integral to successful IT investments.[17] We examined whether Defense applied the following three requirements of Clinger-Cohen, which are designed to maximize the value of a major investment such as DCPDS.

(1) Agency heads should analyze the missions of the agency and, based on the analysis, revise the agency’s mission-related and administrative processes, as appropriate, before making significant investments in IT supporting those missions.
(2) Investments should be selected based on objective data, including quantitatively expressed projected net, risk-adjusted return on investment, and specific quantitative and qualitative criteria for comparing and prioritizing alternative information system projects.
(3) Agency heads should ensure, through the use of performance measurements, that mission-related benefits are defined and assessed for all IT investments.

17 See Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology (GAO/AIMD-94-115, May 1994) for an analysis of the management practices of several leading private and public sector organizations on which the Clinger-Cohen Act is based and Assessing Risk and Returns: A Guide for Evaluating Federal Agencies’ IT Investment Decision-making (GAO/AIMD-10.1.13, February 1997) for an overview of the IT management process envisioned by the Clinger-Cohen Act.

Defense Did Not Reengineer Business Processes Before Investing in DCPDS

Defense did not reengineer its personnel processes before investing in the new system. Before initiating development, CPMS and the individual services conducted an extensive effort to identify and document the preproject business processes at the local offices. Most of the improvements they made to these operations were minor. For example, they developed automated tools to help personnelists analyze resumes and to track civilian employee costs. However, for the most part, these initiatives did not involve radical or major changes to existing processes. As noted in the previous section, Defense considered only the option for outsourcing computer operations and failed to consider other alternatives that had the potential to provide significantly greater benefits, such as integrating personnel and payroll systems, centralizing personnel management, or cross-servicing.
Because Defense did not examine these options, there is no evidence that the personnel management system acquired will support the most effective way of doing business or provide optimal return on investment.

Costs, Benefits, and Returns on Investments Not Adequately Analyzed

Costs, benefits, and returns on investments were not adequately analyzed before Defense acquired the Oracle package. Defense informally surveyed the potential market of COTS products and selected products from PeopleSoft, Inc., Integral Software Systems, Inc., and Oracle Corporation for evaluation. In evaluating these products, a DOD team considered various characteristics of the software products, including functionality, technical merit, and cost. However, Defense did not perform a rigorous analysis of costs, benefits, and returns on investments for these products before deciding to acquire the Oracle product, nor did it rigorously analyze the other available commercial products or the possibility of continuing to use the legacy system.

The importance of developing complete and accurate analyses of the costs/benefits and returns of system alternatives is underscored by several governmentwide requirements in addition to the Clinger-Cohen Act. For example, OMB’s Circular A-130, Management of Federal Information Resources, calls on agencies “to conduct benefit-cost analyses to support ongoing management oversight processes that maximize return on investment and minimize financial and operating risks for investments in major information systems and on an agencywide basis.” Likewise, Supplement to OMB’s Circular A-11 (July 1997), Part 3, Capital Programming Guide Version 1.0, and OMB Bulletin No.
95-03, Planning and Budgeting for the Acquisition of Fixed Assets, state that “the planning for fixed asset acquisitions should be based on a systematic analysis of expected benefits and costs.” Because Defense did not perform these analyses, it does not know if it chose the best system.

Once an alternative is selected, Defense regulations18 require that an economic analysis be prepared to compare the selection against the status quo. This analysis establishes baseline life cycle costs, estimates benefits for the new system, and calculates expected return on investment. However, Defense did not perform an economic analysis before acquiring the new system. In addition, the analysis that Defense performed after the initiative was underway did not separate the costs and benefits of the system from costs and benefits associated with cutting personnel and regionalizing. As a result, Defense still does not know if it chose the best business process alternative.

Performance Measures Developed but Data Needed for Comparisons Is Lacking

To measure how the Oracle product supports its personnel administration mission, CPMS developed four major mission performance measure categories to be collected by each service and Defense agency. These categories included (1) servicing ratio, (2) customer satisfaction, (3) process cycle time (e.g., how long it takes to process a specific personnel action, such as filling an opening or promoting an employee), and (4) regulatory compliance (i.e., whether personnel paperwork complies with applicable laws and regulations). The military services and Defense agencies then developed several detailed measures within the categories, and CDA and CPMS developed several information technology or system-level measures to measure DCPDS’ contribution to the mission area, including process cycle time and system response time.
However, because military services have not agreed on two fundamental definitions, they will not be able to calculate these measures consistently and compare measures across services. First, the military services could not agree on how to define the start and end date for the process of filling a position or whether certain personnel actions (rejecting a list of qualified job applicants, for example) would be considered as part of the process for filling a position. Second, they could not agree on a common definition of “paperwork errors.” Because the military services are not using common definitions, some critical performance measures will not be comparable across DOD. In addition, Defense does not have baseline performance information on how long it takes to fill a position and the accuracy of personnel paperwork. As a result, it will not be able to accurately assess whether the system has improved mission performance in these areas or by how much.

18 Economic analyses are required by DOD’s Instruction 7041.3, “Economic Analysis for Decisionmaking” and its “5000” acquisition regulations.

Question: Does DCPDS Duplicate Employee Express?

Answer: DCPDS is not a duplicate of OPM’s Employee Express system. OPM’s Employee Express system is designed to be used in conjunction with existing personnel and payroll systems of the agencies. It does not perform all basic personnel and payroll functions. Instead, it allows employees to interface with the existing personnel and payroll systems. For example, Employee Express enables a federal civilian employee to use a Touch-Tone phone or personal computer connected to the Internet to make changes to certain data in his/her automated personnel/payroll records.19

The new DCPDS system is to eventually replace existing DOD personnel systems.
It is intended to support the full range of core functional requirements needed by Defense for an automated human resources management system, including position management and classification, recruitment and staffing, personnel action administration, benefits administration, labor-management and employee relations, work force development, and retention and reporting. These requirements are defined in a November 1997 study by the Human Resources Technology Council, an inter-agency group associated with the President’s Management Council and chaired by the Office of Personnel Management. Although Defense civilian employees will not be able to use the Employee Express system to make changes to DCPDS data, Defense plans to add employee express-type features at a later date that will allow changes to be made using a Touch-Tone phone or personal computer connected to the Internet.

19 For example, direct deposit information, financial allotments, federal and state tax withholding, home or check mailing address, health benefits, and Thrift Savings Plan contributions.

Question: Was Defense Leadership Aware of Extent and Cost of Modifications?

Answer: Defense leadership was aware that the COTS package it acquired would need to be substantially modified in order to support federal and Defense-unique personnel requirements although the full extent of the modification was not known. According to the Acquisition Program Manager, Oracle had orally agreed not to charge Defense for the modifications it was making to the system because it believed it could market the package to other federal agencies after it was “federalized.”

Question: Has Defense Identified and Mitigated Risks Associated With the COTS Modifications?

Answer: Defense has not identified and mitigated significant risks associated with its acquisition. Specifically, as discussed below, Defense does not yet know (1) if the modifications will satisfy DOD needs and provide required functionality and performance, (2) how it will handle future system modification, (3) how it will maintain the system, (4) how it will protect sensitive data in the system, and (5) how it will ensure the continuity of core civilian personnel operations in the event of Year 2000 failures.

Defense Does Not Know If Modifications Will Satisfy Requirements

Defense has no assurance that the modified product being developed by Oracle will meet all its needs. It does not know whether Oracle can provide all required functionality and performance or deliver it on time. Although Defense worked closely with Oracle to define requirements and test the changes that were made to the COTS package, it acquired the system before these modifications were completed and before the modified product could be tested. As a result, Defense faces the risk that the system it has already acquired may not meet all its requirements. This risk could have been avoided by waiting for Oracle to produce the “federalized” product and thoroughly testing it before purchasing it.

Defense Does Not Know How It Will Handle Future System Modification

Compounding the risk that the system will not meet Defense requirements is the fact that Defense has not secured the legal right to modify and upgrade the package it has acquired. CPMS obtained a software licensing agreement for 3 years (with an option to extend to 8 years) that provides for Oracle to correct programming errors found in its product. However, the agreement does not require Oracle to provide upgrades to DOD’s modified product at the same time and at the same cost as it provides upgrades to its private sector commercial product.
As a result, Defense has no assurance that Oracle will make future versions of the software available to Defense at a reasonable cost or make future needed modifications at a reasonable cost, so that its version of Oracle product will not become obsolete. In addition, the agreement does not specify whether Oracle will make DOD-required modifications to its customized product, or how much Oracle will charge for such work.

DOD Does Not Know How It Will Maintain the System

CPMS has not taken several actions which are essential to ensuring that the system is adequately maintained. First, CPMS has not yet developed agreements between the DCPDS partners that define each partner’s responsibility for systems, operations, maintenance, and security. Whereas the legacy system was centrally maintained, the military services and Defense agencies will be responsible for maintaining the new system hardware and related local area networks. It is critical that CPMS develop agreements with its DCPDS partners to ensure effective, efficient, and secure systems operations and maintenance. Second, CPMS has not yet established a configuration control board comprised of DCPDS users to assist in deciding what changes need to be made to the system once it is deployed and to prioritize change requests. As noted in Defense’s Program Manager’s Guide to Software Acquisition Best Practices, configuration management is vital to the success of any software effort because it prevents uncontrolled, uncoordinated changes to shared project software and products (documentation and test results, for example). Third, CPMS has not decided who will provide technical assistance to the personnel sites operating the system. CDA currently performs this function; however, CPMS has not decided whether to continue using CDA after deployment or to outsource this function.
Fourth, CPMS has not yet developed agreements with DCPDS interface partners, which include the Office of Personnel Management and DOD agencies responsible for payroll, security, and manpower systems. As noted in Defense’s Program Manager’s Guide to Software Acquisition Best Practices, interfaces constitute essential elements of the system but are not completely controlled by the developer. As a result, the guide recommends that explicit written agreements with interface partners be developed to ensure that the partners clearly understand their roles and responsibilities.

Defense Has Not Adequately Addressed Security Risks

It is even more difficult to protect the new system and its data than it is to protect the legacy system and its data. Whereas the mainframe-based legacy system operated in one location and was maintained by CDA personnel with experience in protecting information systems, the new system will be distributed to 22 centers and many local offices where staff have little or no experience in providing the type of security required for DCPDS. Furthermore, both systems are vulnerable to outside computer attacks since they use an unsecure telecommunications network to transmit data.20

According to our Executive Guide: Information Security Management,21 there are five key principles for managing these types of risks that were identified by studying private and government organizations with reputations for having good information security programs. First, organizations should assess their risks and determine their security needs. Second, they should establish a central management focal point for security issues. Third, they should implement appropriate policies and related controls. Fourth, they should promote security awareness. Fifth, they should continually monitor and evaluate policy and control effectiveness.
An important factor in effectively implementing these principles is linking them in a cycle of activity that helps ensure that information security policies address current risks on an ongoing basis.

20 Defense uses its Non-Secure Internet Protocol Router Network (NIPRNet) to transmit DCPDS data.
21 Executive Guide: Information Security Management (GAO/AIMD-98-68, May 1998).

A security risk assessment was performed for the new system, a central security focal point was established, and some effective measures were implemented, including a software application that can identify and notify appropriate officials of unauthorized or suspicious attempts to access personnel data and produce summary audit reports highlighting unauthorized access attempts. However, Defense has not implemented appropriate departmentwide or DCPDS-specific security policies and related controls nor effectively promoted security awareness as indicated by the following examples of identified weaknesses which have increased both the legacy and modern system’s vulnerability to computer attacks.

• Defense officials, including the Deputy Secretary of Defense, believe that encryption technology is necessary to maintain the secrecy and integrity of data that is transmitted over Defense’s unsecure networks. Encryption involves the transformation of original text (also known as plaintext or cleartext) into unintelligible text (also known as ciphertext). However, the Defense Information Systems Agency (DISA), which is responsible for establishing computer security standards for the Department, has not established a standard encryption approach for sensitive but unclassified Defense data. In the absence of these standards, CPMS is planning to acquire a package for encrypting DCPDS data. As other organizations do the same, DOD may be faced with managing multiple, incompatible encryption products and approaches.
• The military services and Defense agencies recognize that firewalls, which are hardware and software components that check all incoming network traffic and block unauthorized traffic, are also essential to protecting sensitive data and have begun installing them. However, DISA has not established standards to ensure a consistent level of protection and to ensure that computer systems protected by firewalls can still communicate with each other.
• During our review, we identified several sites that were not maintaining adequate physical security over computer resources, indicating a lack of security awareness at the local level. For example, at two of the four local personnel offices we visited, the door to the computer room was unlocked. At one of these offices, one of the computer room’s walls consisted of a row of standard metal filing cabinets, offering little obstruction to the room even if the door had been locked. At a third local office, the computer room was collocated with the office’s paper shredder, to which the personnel office staff were given unsupervised access. Also, the network communications room at one of the local offices was unlocked and personnel office staff were given unsupervised access to the room. Additionally, at one of the four regional offices we visited, the network communications room door was unlocked and tied open. Further, our review identified fire protection deficiencies at four offices—three local offices and one regional office. Specifically, the four offices did not have automatic fire detection equipment in or near the computer room.
• Our review identified problems with disaster recovery procedures and planning for the regional and local offices. For example, we observed inadequate data backup and recovery procedures at one of the four regions visited.
In this regard, the draft DCPDS Trusted Facilities Manual, dated February 2, 1998, noted that Defense had not resolved basic disaster recovery planning issues for DCPDS such as, “what data to backup, how often that data will require backup, the method of backup, and testing to ensure the backup has been accomplished successfully.”22 Additionally, the military services had not completed service-level or site-specific disaster recovery plans for their regional and local personnel offices. As of July 1998, CDA had drafted guidelines for the services and agencies to use in developing disaster recovery plans, but it did not have complete data on the number of regional and local offices that had finalized and tested site-level disaster recovery plans. After discussions on this issue, CDA began requiring all sites to provide these plans before becoming operational. However, neither CPMS nor CDA have determined how the plans will be tested or whether CDA will periodically verify that the disaster recovery plans are updated.

22 Final draft of the Trusted Facilities Manual dated February 2, 1998, Section 6.5, Trusted Backup and Recovery Guidance.

Year 2000 Risks Not Fully Mitigated

The Year 2000 computing problem is rooted in the way dates are recorded and computed in automated information systems. For the past several decades, systems have typically used two digits to represent the year, such as “97” to represent 1997, in order to conserve electronic data storage and reduce operating costs. With this two-digit format, however, the Year 2000 is indistinguishable from 1900, or 2001 from 1901, etc.
As we reported earlier this year, the impact of computer failures resulting from the problem could be widespread, costly, and potentially disruptive to military operations.23 Year 2000 problems could adversely affect Defense’s ability to train civilian personnel, administer benefits, recruit staff, and handle management/employee disputes. However, Defense has not fully mitigated this risk.

23 Defense Computers: Year 2000 Computer Problems Threaten DOD Operations (GAO/AIMD-98-72, April 30, 1998).

We compared Defense’s efforts to correct the Year 2000 problem to criteria detailed in our Year 2000 Assessment Guide.24 This guide advocates a structured approach to planning and managing an effective Year 2000 program through five phases: (1) raising awareness of the problem, (2) assessing the extent and severity of the problem and identifying and prioritizing remediation efforts, (3) renovating, retiring, or replacing systems, (4) validating or testing corrections, and (5) implementing corrected systems. We and OMB established a schedule for completing each of the five phases, including requiring agencies to complete the assessment phase by August 1997 and the renovation phase by September 1998. Our Assessment Guide also identifies other dimensions to solving the Year 2000 problem, such as identifying interfaces with outside organizations, specifying how data will be exchanged in the Year 2000 and beyond, and developing contingency plans to ensure that core business functions can be performed even if systems fail.

24 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Published as an exposure draft in February 1997 and finalized in September 1997.

As further detailed in the following sections, while Defense is making good progress in renovating the legacy system and ensuring that the new system is compliant, it has not yet
ensured that its external interfaces will be remediated or developed effective contingency plans.

Adequate Interface Agreements and Business Continuity and Contingency Plans Not Developed for Legacy System

Defense has nearly completed renovation work on its legacy system, and according to the Acquisition Program Manager, release/deployment is planned for December 1998. In addition, in August 1998, Defense finalized a Year 2000 test plan for the legacy system. However, Defense does not yet have interface agreements that specify changes to date formats and how and when conflicts will be resolved with its data exchange partners.25 Because noncompliant interfacing partners can introduce Year 2000-related errors into compliant systems, our Assessment Guide recommends that agreements with interface partners be established in the assessment phase in order to allow enough time for resolving conflicts. Until these agreements are in place, Defense will not have assurance that partners are working to correct interfaces effectively or promptly.

In addition, Defense has not developed adequate business continuity and contingency plans for the legacy system. To mitigate the risk that Year 2000-related problems will disrupt operations, our guide, entitled Year 2000 Business Continuity and Contingency Planning,26 recommends that agencies perform risk assessments and develop and test realistic contingency plans to ensure the continuity of critical operations and business processes. Business continuity and contingency plans are important because they identify the manual or other fallback procedures to be employed should systems miss their Year 2000 deadline or fail unexpectedly in operation. Business continuity and contingency plans also define the specific conditions that will cause their activation.
In order for these plans to be effective, our guide recommends that, among other things, agencies analyze business process composition and priorities, dependencies, cycles, and service levels, and most important, the business process dependency on mission-critical information systems. The results of this analysis should be used to assess the cost and benefits of contingency alternatives and to identify and document contingency plans and implementation modes. These plans should define roles and responsibilities for contingency operations and provide a master schedule and milestones.

25 Defense has interface agreements for the legacy system that define general interface partner relationships and responsibilities, but these have not been updated to address these Year 2000 issues.
26 Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19). Published as an exposure draft in March 1998 and finalized in August 1998.

Defense recently developed a contingency plan for the legacy system, but this plan is perfunctory and does not meet the minimum criteria defined in our Business Continuity and Contingency Planning guidance which OMB has adopted as a standard for federal agencies. Specifically, the plan only states that if the legacy system fails, critical personnel actions will be prepared using one of three other commercial software packages. The plan does not provide a description of the resources, staff roles, procedures, and timetables needed for its implementation. And there is no evidence that Defense (1) assessed and documented risks posed by external systems and the public infrastructure, (2) defined the minimum acceptable level of outputs and services for each core business process, or (3) assessed the costs and benefits of contingency strategy alternatives.
The steps detailed in our guide are integral to helping agencies to manage the risk of potential Year 2000-induced disruptions to their operations. For example, the civilian personnel business area depends on information and data provided by other Defense and federal agencies whose systems can introduce Year 2000 problems into DCPDS. It also relies on services provided by the public infrastructure, which are susceptible to Year 2000 problems that could disrupt personnel operations—including power, water, and voice and data telecommunications. Until business continuity and contingency plans are developed that focus on this chain of critical dependencies, Defense will not be able to ensure that it can maintain the basic functionality of its core civilian personnel operations.

New System Facing Similar Risks

Since the new system already has a four-digit year field, it does not require renovation. Defense has obtained certification of Year 2000 compliance on all applications in the new system and completed Year 2000 tests on the system. However, CPMS has not identified all system interfaces or developed agreements with its interface partners. In addition, while CPMS recently developed a contingency plan, this plan is cursory. It only states that if the modern system fails, Defense will revert to using the legacy system for critical personnel actions. It is not based on a business impact analysis nor does it describe resources, staff roles, procedures, and timetables needed for its implementation. As stressed above, even if the modernized system is compliant, Defense’s civilian personnel management operations are at risk because of dependencies on external systems and the public infrastructure. Therefore, until it develops specific interface agreements and contingency plans that focus on critical dependencies, it will have no assurance that it can prevent Year 2000-related disruptions to critical personnel operations.
Conclusions

Because Defense did not consider alternatives, such as centralizing personnel functions, restructuring its regional and/or local offices to serve multiple agencies and services, or integrating payroll/personnel systems, its current regionalization approach may not be optimal. Defense lacked cost and performance data to analyze the options and it faced resistance from Defense components. While it may have required more time to develop needed data and greater management commitment to changing Defense business practices, the potential for substantially greater savings and efficiencies should have persuaded Defense to perform a rigorous analysis of all alternatives and to select the one proven most cost effective.

Additionally, because Defense did not adequately estimate and evaluate costs, benefits, and returns, there is not adequate assurance that its decision to replace the legacy system with the Oracle COTS package is optimal. Furthermore, Defense does not know whether modifications to the Oracle product will satisfy its needs, how it will maintain the system, how it will protect sensitive data in the system, or how it will ensure the continuity of core civilian personnel operations in the event of Year 2000 failures. Despite this uncertainty, Defense reports having already spent about $300 million on developing the system and establishing the regional offices and plans to spend hundreds of millions of dollars more to operate and support DCPDS and the regions.
Recommendations

Before Defense starts to deploy the new system beyond test sites, we recommend that the Secretary of Defense rigorously evaluate all business and system alternatives to providing personnel services as envisioned by the Clinger-Cohen Act, and, using this data and the system test results, select the most cost beneficial business and system alternative and develop and implement a transition plan for that alternative. Specifically, business alternatives considered should include (1) use of regions and local offices to serve specific agencies or services, (2) use of regions or local offices to serve multiple agencies and services, (3) centralizing all or parts of personnel management operations that currently operate at component headquarters and major commands, (4) integrating DOD’s civilian personnel and payroll management systems, (5) outsourcing civilian personnel computer operations, (6) outsourcing all civilian personnel management services, and (7) acquiring other commercially available products.

In analyzing commercially available products, we recommend that Defense consider the costs, benefits, and returns-on-investment of all commercially available products that support personnel management. We also recommend that the analysis of commercially available products consider technical risks, including whether each available product can support Defense’s needs and whether each one can be modified in the future at a reasonable cost. In evaluating the range of business alternatives consideration should be given to the substantial investment that has already been made in the current approach. Regardless of the business and system alternative selected, we recommend that Defense optimize it by collecting, analyzing and using reliable cost and performance data and making improvements.
We also recommend that, regardless of the chosen approach, Defense take the following actions to mitigate technical, security, and Year 2000 risks.

• To ensure that the system is adequately maintained and that modifications are carefully controlled, Defense should (1) develop agreements with system partners and interface partners to define responsibility for system operations, maintenance, and security, (2) establish a configuration control board comprised of system users to assist in deciding on which changes need to be made to the system, prioritizing change requests, and ensuring that changes are correctly made, (3) assign clear responsibility for providing technical assistance to Defense components.
• To ensure that sensitive personnel data are adequately protected, Defense should (1) assess its risks and determine security needs, (2) define and implement appropriate policies and related controls, including standards for encrypting data and firewalls, (3) promote security awareness at all sites maintaining the system, and (4) continually monitor and evaluate policy and control effectiveness.
• To mitigate Year 2000 risks, Defense should (1) establish interface agreements that clearly specify date format changes, time frames for these changes, and processes for resolving conflicts, (2) refine business continuity and contingency plans to ensure that they consider risks posed by external systems and infrastructure; assess the costs and benefits of alternative contingency strategies; and describe resources, staff roles, procedures, and timetables needed for implementation of the plan, and (3) test contingency plans to ensure that they are capable of providing the desired level of support to the agency’s core business processes and can be implemented within a specified period of time.
Agency Comments and Our Evaluation

The Acting Assistant Secretary for Force Management Policy provided written comments on a draft of this report, which are reprinted in appendix I. He concurred with all five of our recommendations and agreed to evaluate recommended alternatives as Defense proceeds with its regionalization and modernization efforts. In concurring with our recommendations, however, Defense questioned our use of the Clinger-Cohen Act of 1996 as criteria for evaluating civilian personnel system decisions since these decisions were made before the act took effect. We used the Clinger-Cohen Act to evaluate Defense’s decisions because the act’s requirements reflect basic and widely accepted principles of sound system acquisition management. Similar practices are also called for in OMB Circulars A-11 and A-130, the Chief Financial Officers Act of 1990, the Government Performance and Results Act of 1993, the Federal Acquisition Streamlining Act of 1994, and the Paperwork Reduction Act of 1995—all of which were applicable in some manner to Defense’s decisions in this effort. Moreover, Defense was required to follow such practices by its own system acquisition regulations and guidelines. Finally, during the course of our review, Defense officials responsible for DCPDS told us that they were attempting to follow Clinger-Cohen Act principles in developing the system. Appendix I provides our detailed responses to Defense’s views on our recommendations and findings.
We are sending copies of this report to the Chairmen and Ranking Minority Members of the Senate Committee on Armed Services; Senate Committee on Governmental Affairs; Subcommittee on Defense, Senate Committee on Appropriations; House Committee on Armed Services; Subcommittee on Defense, House Committee on Appropriations; and Senate and House Committees on the Budget; the Secretary of Defense; the Senior Civilian Official of the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence; the Under Secretary of Defense (Comptroller); the Acting Assistant Secretary of Defense for Force Management Policy; and the Director, Office of Management and Budget. Copies will also be made available to others upon request.

If you have any questions about this report, please call me or Carl Urie, Assistant Director at (202) 512-6240. Other major contributors of this report are listed in appendix III.

Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems

Contents

Letter
Appendix I: Comments From the Department of Defense
Appendix II: Scope and Methodology
Appendix III: Major Contributors to This Report
Tables
Table 1: Differences in Personnel Management
Table 2: Estimated Costs of Defense’s Personnel Initiative

Abbreviations

AFB Air Force Base
AFOTEC Air Force Operational Test and Evaluation Center
CDA Central Design Activity
COTS commercial-off-the-shelf
CFO chief financial officer
CPMS Civilian Personnel Management Service
DCPDS Defense Civilian Personnel Data System
DISA Defense Information Systems Agency
DOD Department of Defense
FASA Federal Acquisition Streamlining Act of 1994
GPRA Government Performance and Results Act of 1993
I-CASE Integrated Computer-Aided Software Engineering
IDIQ indefinite delivery, indefinite quantity
IT information technology
MAISRC Major Automated System Review Council
OMB Office of Management and Budget
OPM Office of Personnel Management
OSD Office of the Secretary of Defense
PA&E Program Analysis and Evaluation
PRA Paperwork Reduction Act of 1995
USDA Department of Agriculture

Appendix I
Comments From the Department of Defense

Note: GAO comments supplementing those in the report text appear at the end of this appendix.

[Reprinted Department of Defense letter, with margin references to the numbered GAO comments; the letter text is not present in this rendition.]
The following are GAO’s comments on the Department of Defense’s letter dated January 11, 1999.

GAO Comments

1. Although the Clinger-Cohen Act was not in existence when DOD made the initial decisions in developing the modern DCPDS, it has been in effect since 1996 and should have been applied to all decisions made subsequent to its enactment. Further, OMB Circulars A-11 and A-130 existed prior to the initial decisions related to DCPDS and included basic principles of sound system acquisition management. In addition, several acts that were in effect when the initial decisions were made contain requirements similar to those outlined in the Clinger-Cohen Act relating to improved information technology management in the federal government.
For example (1) the Government Performance and Results Act of 1993 (GPRA) requires federal agencies to set strategic goals, measure performance, and report on accomplishments, (2) the Federal Acquisition Streamlining Act of 1994 (FASA), Title V, requires agencies to define cost, schedule, and performance goals for federal acquisition programs (including information technology projects) and to monitor these projects to ensure that they remain within prescribed tolerances, (3) the Paperwork Reduction Act of 1995 (PRA) emphasizes achieving program benefits and meeting agency goals through the effective use of information technology, and (4) the Chief Financial Officers (CFO) Act of 1990 focuses on the need to improve financial management and reporting practices of the federal government, which is critical for knowing an information technology project’s actual costs and for computing accurate returns on investment. Finally, Defense’s own system acquisition regulations and guidelines, in existence at the time Defense made the initial decisions in developing the modern DCPDS, include requirements similar to those outlined in the Clinger-Cohen Act related to basic principles of sound system acquisition management.

2. Before embarking on an improvement approach for its civilian personnel mission area, Defense performed cost and performance analyses which indicated the Department’s civilian personnel servicing ratios could be improved significantly. However, because these analyses did not fully consider the costs and benefits of numerous alternative business and systems approaches for improving the servicing ratios, the Department may not have selected the most cost-effective improvement approach.

3. We revised the report to delete specific information on the scoring criteria used in the DCPDS procurement.

4. While Defense reports that it has already consolidated some civilian personnel functions at component headquarters and major commands and reduced staff by 23 percent, in June of 1998, there were still 886 people performing civilian personnel management and oversight functions at component headquarters and major command levels at a cost of about $63 million a year. Given that the Civilian Personnel Management Service performs the same management and oversight functions as component headquarters and major commands, there are substantial opportunities for further consolidation and staff reduction.

5. The A-76 study includes some but not all promising alternatives. While it will evaluate outsourcing civilian pay operations, it will not consider outsourcing personnel operations or integrating personnel and payroll systems. Furthermore, while Defense considered the possibility of outsourcing personnel computer operations in 1994, it lacked the cost and performance data necessary to sufficiently analyze this approach.

6. While it is important for Defense components to develop comprehensive metrics to measure the timeliness and value of regional service center work, they must also standardize these metrics so that meaningful comparisons can be made across the Department. The components must also collect baseline data that define the current operations so that Defense can determine whether new systems and business strategies are achieving predicted cost and performance improvements.

7. If implemented effectively, the site-by-site risk assessments and other actions Defense is taking should help address the security concerns identified in this report. However, to maximize protection over DCPDS data, Defense still needs to establish departmentwide standards on encryption and firewalls.

8. Although CPMS has interface agreements with the owners of major external interfaces for the legacy DCPDS system, those agreements have not been adequately updated to include Year 2000 issues.
Specifically, the agreements do not define agreed upon date formats, nor describe how problems with data exchanges will be resolved. Further, as of the completion of our review, CPMS had not identified the system interfaces or developed agreements with its interface partners for the modern DCPDS.

9. Defense plans to complete interface agreements by April 1999 and contingency plans by May 1999 and to begin testing contingency plans by June 1999. However, the Office of Management and Budget and GAO’s Year 2000 guidance recommend that agencies develop interface agreements and realistic contingency plans during the assessment phase, i.e., by August 1997, in order to minimize the risk of Year 2000 problems.

Appendix II
Scope and Methodology

To analyze how Defense determined the number and locations for civilian personnel regional service centers and why there is a wide disparity in the number of regional centers among the services, we interviewed Office of the Secretary of Defense, military service, and Defense agency officials and reviewed guidance mandating regionalization, the services’ and Defense agencies’ regionalization studies, and their rationale for determining the number and location of regions. Where appropriate, we interviewed officials from CPMS, the military services, and the Washington Headquarters Service to understand perspectives regarding regionalization plans and status of regionalization actions. We visited five regional centers, toured the facilities, and interviewed numerous officials. These five centers were Ft. Riley, Kansas; Aberdeen Proving Ground, Maryland; Silverdale, Washington; Randolph AFB, Texas; and Washington, D.C.
To assess whether Defense is applying the Clinger-Cohen Act in overseeing, managing, and developing DCPDS, we compared Defense’s actions taken on DCPDS to the investment principles included in the act. We reviewed GAO, OMB,¹ and Defense best practices guidance² for implementing the Clinger-Cohen Act and reviewed other Defense policies and guidance for developing and implementing information systems. We analyzed selected major studies of information technology and personnel management matters in Defense, including studies by Coopers & Lybrand, a consulting organization³ and the Defense Science Board,⁴ prior GAO studies of major defense information systems projects, and selected Defense Office of Inspector General reports. We interviewed appropriate Defense and OMB representatives familiar with personnel legislative requirements and officials responsible for the development and oversight of DCPDS, including officials from CPMS, the Major Automated Information System Review Council (MAISRC), the Under Secretary of Defense/Comptroller, the Comptroller’s Program Analysis and Evaluation (PA&E) unit, and service and agency staff responsible for regionalization, and DCPDS program management.

¹ Office of Management and Budget, Capital Programming Guide, Version 1.0, Supplement to Office of Management and Budget Circular A-11, Part 3: Planning, Budgeting, and Acquisition of Capital, July 1997.
² Department of Defense Software Acquisition Best Practices Initiative, The Program Manager’s Guide to Software Acquisition Practices, undated.
³ Department of Defense, Office of the Comptroller, Civilian Personnel/Payroll Private Sector Benchmarking Survey, Final Report, Coopers & Lybrand, September 21, 1994.
⁴ Defense Science Board, Report of the Defense Science Task Force: Military Personnel Information Management, August 31, 1996.
To determine whether DCPDS duplicates the Employee Express System available through the Office of Personnel Management (OPM), we reviewed documentation Defense prepared justifying the need for DCPDS and Defense documentation reviewing the Employee Express System. We requested that OPM review and comment on Defense’s rationale for not using the Employee Express system; we requested that Defense respond to OPM’s comments; and we analyzed both Defense’s and OPM’s positions on this issue. In addition, we contacted representatives of six other federal organizations that were developing new civilian personnel systems and were not using the Employee Express system to determine their rationale.

To determine whether (1) Defense’s civilian personnel management requirements are sufficiently different to require extensive modification of the commercial-off-the-shelf software (COTS) application which Defense selected as the foundation for developing DCPDS and (2) Defense leadership was aware of the extent and cost of modifications that would be needed, we interviewed the Functional and Acquisition Program managers and their staff as well as representatives of the Oracle Corporation to solicit information on the selection, acquisition, and modification of the Oracle COTS product.

To assess whether Defense identified and mitigated the risks associated with the major modifications, we interviewed CDA officials to determine Defense’s actions to date, including those planned, in process, and completed to address mitigating risks in overseeing, managing, and developing DCPDS. We reviewed pertinent regulations, studies, and documentation, including the technical risk analysis, configuration management plan, testing plans, and the Department’s Program Manager’s Guide to Software Acquisition Best Practices.
As requested, we determined whether Defense used this guide in overseeing, managing, and developing DCPDS. In assessing security risks, we reviewed Defense’s Deployment, Concept of Operations, Encryption, Security Support, and Contingency Plans. We reviewed Defense directives and regulations on computer security, including Regulation 5000.2-R, dated March 23, 1998, Directive 5200.28, dated March 21, 1998, and Military Standard 498, dated December 1994. In addition, we assessed the physical security threats at four local and four regional offices, through interviews and observations. In assessing Year 2000 risks, we reviewed the Year 2000 plans for the legacy and modern systems and we compared these plans to our own Year 2000 Assessment Guide.⁵ We conducted our review from August 1997 through July 1998 in accordance with generally accepted government auditing standards.

⁵ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14). Issued as an exposure draft in February 1997 and finalized in September 1997.

Appendix III
Major Contributors to This Report

Accounting and Information Management Division, Washington, D.C.
Dr. Rona Stillman, Chief Scientist
Carl M. Urie, Assistant Director
Brian C. Spencer, Technical Assistant Director
Cristina T. Chaplain, Communications Analyst
Robert L. Crocker, Jr., Senior Evaluator

Kansas City Field Office
George L. Jones, Evaluator-in-Charge
David R. Solenberger, Senior Evaluator
Denise M. Wempe, Senior Evaluator
Karl G. Neybert, Staff Evaluator

(511634)
Defense IRM: Alternatives Should Be Considered in Developing the New Civilian Personnel System
Published by the Government Accountability Office on 1999-01-27.