Social Security Administration: Technology Modernization Needs Improved Planning and Performance Measures

Published by the Government Accountability Office on 2012-05-09.

United States Government Accountability Office

GAO Testimony
Before the Subcommittee on Social Security, Committee on Ways and Means,
House of Representatives

For Release on Delivery
Expected at 2:00 p.m. EDT
Wednesday, May 9, 2012

SOCIAL SECURITY ADMINISTRATION
Technology Modernization Needs Improved Planning and Performance Measures

Statement of Valerie C. Melvin, Director
Information Management and Technology Resources Issues

GAO-12-723T

Chairman Johnson, Ranking Member Becerra, and Members of the
Subcommittee:

Thank you for inviting me to participate in today’s hearing on the Social
Security Administration’s (SSA) efforts to modernize its information
technology (IT) systems and environment. As you know, SSA is
responsible for delivering services that touch the lives of virtually every
American, and the agency relies heavily on IT to do so. Its computerized
information systems support a range of activities, from the processing of
Disability Insurance and Supplemental Security Income payments to the
calculation and withholding of Medicare premiums, and the issuance of
Social Security numbers and cards. Last fiscal year, the agency spent
nearly $1.6 billion on IT.

As SSA’s systems have aged and its workload has increased, the agency
has committed to investing in the capacity and modern technologies
needed to update its strained IT infrastructure. In addition, the agency has
recently undertaken a realignment of its IT governance structure,
including the responsibilities of its Chief Information Officer (CIO).

At your request, over the past year, we have been examining SSA’s
modernization efforts. The specific objectives of our study were to (1)
determine SSA’s progress in modernizing its IT systems and capabilities;
(2) evaluate the effectiveness of SSA’s plans and strategy for
modernizing its systems and capabilities; and (3) assess whether the
realignment of the agency’s CIO responsibilities allows for effective
oversight and management of the systems modernization efforts.

Our report documenting the results of the study is being released today.[1]
As agreed with your office, my testimony statement summarizes the key
findings in our report. In preparing this statement, we relied on the work
supporting our report. The report contains a more detailed overview of the
scope of our review and the methodology used. The work upon which this
statement is based was conducted in accordance with generally accepted
government auditing standards from May 2011 to April 2012. Those
standards require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions. We believe that the evidence obtained provided a
reasonable basis for our findings and conclusions based on our audit
objectives.

[1] GAO, Social Security Administration: Improved Planning and Performance Measures Are
Needed to Help Ensure Successful Technology Modernization, GAO-12-495 (Washington,
D.C.: Apr. 26, 2012).


Background

                              SSA’s mission is to deliver Social Security services that meet the
                              changing needs of the public. The Social Security Act and amendments
                              established the programs that SSA administers, which include

                              •   the Old Age, Survivors, and Disability Insurance program: Commonly
                                  referred to simply as “Social Security,” this program is one of the
                                  nation’s largest entitlement programs and provides monthly benefits to
                                  retired and disabled workers, their spouses and children, and the
                                  survivors of insured workers who have died; and

                              •   the Supplemental Security Income program: This is a needs-based
                                  program financed from general tax revenues that provides benefits to
                                  aged adults, blind or disabled adults, and children with limited income
                                  and resources.

                              According to SSA, in fiscal year 2011, about 54 million people received
                              benefits from the Old Age, Survivors, and Disability program, and over 8
                              million people received benefits from the Supplemental Security Income
                              program. Collectively, about 155 million people work and pay Social
                              Security taxes. The agency’s fiscal year 2011 expenses totaled about
                              $12.4 billion to support its programs.


SSA Relies on IT to Deliver Services

                              SSA relies extensively on IT to administer its programs and support
                              related activities. Specifically, its systems are used to, among other
                              things,

                              •   handle millions of transactions on SSA’s toll-free telephone number,

                              •   maintain records for the millions of beneficiaries and recipients of
                                  SSA’s programs,

                              •   evaluate evidence and make determinations of eligibility for benefits,

                              •   issue new and replacement Social Security cards, and

                              •   process earnings items for crediting to workers’ earnings records.




                             However, as the agency’s systems have aged, SSA has faced challenges
                             in carrying out its increasing workload. Specifically, many of SSA’s
                             existing systems software were developed in the 1960s and 1970s and
                             are written in older computer programming languages or are past their
                             designed life cycle. While the agency has made technical and functional
                             upgrades throughout the years, it continues to face challenges because
                             of the need to store, process, and share increasing amounts of data and
                             to transition to Web-based, online access for SSA data and services,
                             among other factors.

                             Accordingly, in its most recent Agency Strategic Plan, SSA has identified
                             IT as a key foundational element to achieving success in meeting its
                             goals. Recognizing the challenges facing its IT environment, the agency
                             has stated that it plans to, among other things, develop and implement a
                             common system for processing disability cases, increase its use of online
                             services for access to benefits and information, and automate its
                             processes for reporting information.


Office of Systems Oversees SSA’s IT Systems and Investments

                             SSA’s Office of Systems is responsible for developing, overseeing, and
                             maintaining the agency’s IT systems. Comprised of eight component
                             offices and approximately 3,300 staff, the Office of Systems has
                             responsibility for the agency’s IT.

                             SSA uses its capital planning and investment control process to manage
                             its software development projects. This process is intended to meet the
                             objectives of the Clinger-Cohen Act of 1996[2] by providing a framework for
                             selecting, controlling, and evaluating investments in IT to help ensure that
                             they meet the strategic and business objectives of the agency. This
                             process requires a series of reviews by executive oversight bodies,
                             including the agency’s Strategic Information Technology Assessment and
                             Review board, to ensure that IT projects are selected that best meet the
                             agency’s goals; that, once selected, they are performing within expected
                             schedule and cost parameters; and finally, that once implemented, these
                             projects are delivering results.

                             [2] The Clinger-Cohen Act (see 40 U.S.C. §§ 11301-11331) provides a framework for
                             effective IT management that encompasses systems integration planning and investment.




                        In June 2011, in an effort to increase efficiency, the Commissioner of
                        Social Security announced the realignment of CIO functions and
                        associated personnel. As part of this realignment, the Office of the CIO
                        was eliminated, and most of its responsibilities for managing IT, along
                        with the IT budget, were reassigned to the Office of Systems. Previously,
                        key duties of the CIO were to select and prioritize IT investments and
                        oversee the review and approval of the annual IT budget, while the Office
                        of Systems was responsible for managing the acquisition, development,
                        and maintenance of IT projects. Under the realignment, the Deputy
                        Commissioner for Systems—who heads the Office of Systems—assumed
                        the major responsibilities of the CIO.


SSA Has Undertaken Numerous Modernization Efforts but Lacks Effective Tools for Measuring Progress

                        Since 2001, SSA has reported spending more than $5 billion on the
                        development, modernization, and enhancement of its IT systems and
                        capabilities. SSA officials identified 120 initiatives undertaken from 2001
                        to 2011 that the agency considered to be key investments in
                        modernization. These comprise a subset of the hundreds of projects and
                        modernization activities SSA undertakes yearly, which vary greatly in
                        level of effort, scope, and cost. These initiatives affected all of the
                        agency’s main program areas:

                        •   According to managers within SSA’s Office of Disability Systems, in
                            an effort to reduce backlogs of disability hearings, the agency
                            implemented a process for creating electronic “folders” for each
                            applicant, to replace the existing paper-based process. This initiative
                            included capabilities for electronically viewing an applicant’s folder,
                            electronic screening for faster disability determinations, and Internet
                            access to information on disability hearings and determinations.

                        •   The Office of Retirement and Survivors Insurance Systems took steps
                            to improve outdated legacy systems and respond to legislation or
                            other mandates requiring new system functionality. These efforts
                            included integrating stand-alone “post-entitlement” processes,
                            facilitating online application for benefits, and conversion of a key
                            database to a more modern, industry-standard one.

                        •   Managers from the Office of Applications and Supplemental Security
                            Income described initiatives to modernize large legacy databases and
                            facilitate data sharing to streamline the claims process. These
                            included enhancements to the electronic death registration process
                            and the development of a Web application enabling access to data
                            from multiple systems.

•   SSA officials described initiatives in the area of electronically
    exchanging data with external partners, including states and private-
    sector partners such as banks and credit bureaus.

•   SSA also noted efforts to streamline the process for administering
    Social Security cards, such as introducing safeguards against
    counterfeiting and replacing its legacy printers.

In addition to these initiatives, SSA undertook a project to establish a
disaster recovery capability at a secondary computing site. This project
provided for continuity of operations, continuous processing of SSA’s
workload, and backup of the agency’s IT assets, among other
capabilities.

While these improvements have yielded benefits, SSA still has a number
of other major efforts under way to continue the modernization of its IT
environment. These efforts involve

•   completing the conversion of the agency’s legacy Master Data Access
    Method database system (used to support the storage and retrieval of
    SSA’s major program master files) to a modern, industry-standard
    database system;

•   transitioning from its legacy system for processing retirement and
    survivors’ claims to a single, unified system that integrates initial and
    post-entitlement actions;

•   streamlining operations and reducing duplication in disability
    databases and transitioning from multiple and fragmented applications
    to a single, unified case processing system;

•   enhancing and refreshing telecommunications equipment and
    ongoing improvement of connectivity and bandwidth for data, voice,
    and video communications; and

•   supporting enhancements to SSA’s Medicare initiatives, including
    changes required by the Patient Protection and Affordable Care Act,
    which are intended to improve the process for verifying the name,
    Social Security number, and other data on Medicare earnings reports.




SSA officials noted that the agency faces several challenges in
successfully carrying out these modernization efforts. These include
planning for system changes within a single fiscal year budget cycle, a
practice that limits the agency’s ability to make long-term modernization
plans; devoting significant resources to the maintenance of existing
legacy systems because of large quantities of legacy code; and diverting
resources from long-term projects to shorter-term immediate
requirements, such as those arising from legislative changes.

Compounding these challenges, we found that SSA has not fully
established performance measures or a post-implementation review
process that would allow it to determine the progress it is making in its
modernization efforts. Federal law requires agencies to identify
performance measures for their IT investments,[3] and we have previously
reported that comprehensive measures are essential for gauging the
progress and benefits of IT investments.[4] However, while SSA developed
performance measures for most of its 17 major modernization
investments for fiscal year 2010, it did not identify any measures in one of
four management areas identified by the Office of Management and
Budget (OMB) for 3 of these investments.[5] Moreover, the measures SSA
developed did not always allow for assessments of each project’s
effectiveness in meeting agency goals. For example, these measures did
not always (1) identify how each project is to contribute to expected
benefits; (2) include measures of investments’ effectiveness in meeting
goals, requirements, or mission results; or (3) provide the means for
measuring progress toward specific modernization goals.

[3] The Paperwork Reduction Act requires federal agencies to establish performance
measures that depict how effectively the management of information resources, which
includes IT, is supporting their business needs. In addition, the Clinger-Cohen Act requires
agencies to establish performance measures, such as those related to how IT contributes
to program productivity, efficiency, and effectiveness, and to monitor the actual-versus-
expected performance of those measures.

[4] GAO, Information Technology Management: Governmentwide Strategic Planning,
Performance Measurement, and Investment Management Can Be Further Improved,
GAO-04-49 (Washington, D.C.: Jan. 12, 2004).

[5] These four areas are mission and business results, processes and activities, customer
results, and technology. See OMB, Federal Enterprise Architecture: Consolidated
Reference Model Document, version 2.3 (Washington, D.C.: October 2007).




                  In addition, SSA has not conducted post-implementation reviews of its IT
                  projects or systems, as called for by OMB guidance. Such a review
                  should confirm the extent to which planned benefits were achieved,
                  determine the cost-effectiveness of the project, and identify lessons
                  learned and opportunities for improvement. While SSA conducts
                  assessments of completed initiatives, these assessments lack key
                  elements called for by OMB that would provide assurance that
                  modernization and other IT projects are delivering expected benefits at
                  acceptable costs and that SSA is making progress in meeting its goals.


Modernization Approach Is Not Guided by Key Practices

                  Comprehensive strategic planning is essential for successfully carrying
                  out large-scale efforts such as SSA’s IT modernizations. Key elements of
                  such planning include developing an IT strategic plan and an enterprise
                  architecture that, together, outline modernization goals, measures, and
                  timelines.

                  An IT strategic plan serves as an agency’s vision and helps align its
                  information resources with its business strategies and investment
                  decisions. As such, it provides a high-level perspective of the agency’s
                  goals and objectives, enabling the agency to prioritize how it allocates
                  resources; proactively respond to changes; and communicate its vision
                  and goals to management, oversight bodies, and external parties. The
                  enterprise architecture helps to implement the strategic vision by
                  providing a focused “blueprint” of the organization’s business processes
                  and technology that supports them. It includes descriptions of how the
                  organization operates today, how it intends to operate in the future, and a
                  plan for transitioning to the target state. It further helps coordinate the
                  concurrent development of IT systems to limit unnecessary duplication
                  and increase the likelihood that these systems will inter-operate.

                  SSA developed an IT strategic plan in 2007 to guide its modernization
                  efforts; however, the plan is outdated and may not be aligned with the
                  agency’s overall strategic plan. Specifically, because it has not been
                  updated since 2007, the plan contains elements that are no longer
                  relevant to SSA’s ongoing modernization efforts. For example, the plan
                  discusses projects that have largely been completed, does not reference
                  current information security requirements, and does not reflect current
                  staffing needs. Further, it does not reflect the way in which modernization
                  decisions are driven by the agency’s Strategic Information Technology
                  Assessment and Review board.




The currency of the IT strategic plan is further called into question by the
fact that the agency updated its overall Agency Strategic Plan in 2008
and again in 2012. Thus, the IT strategic plan may no longer be aligned
with the agency’s broader goals. In the absence of an updated IT
strategic plan, SSA has relied on a number of program activities to guide
its modernization efforts, such as identifying and prioritizing IT
modernization investments during its annual investment review process
and developing high-level descriptions of projects in each of the agency’s
portfolios. However, these activities are based on short-term budget
cycles and do not provide a long-term strategic vision with detailed steps
and milestones. SSA officials stated that they are updating the IT
strategic plan; however, it has yet to be finalized or approved.

In addition, SSA has developed an enterprise architecture, but it is
missing key components. Specifically, the architecture captures certain
foundational information about the current and target states of the
organization, such as current business processes and business
outcomes, to assist in evolving existing information systems and
developing new ones. Nevertheless, the architecture lacks important
content called for by federal CIO Council and OMB guidance that would
allow the agency to more effectively plan its investments and achieve its
vision of modernized systems and operations. Specifically, the
architecture lacks key elements that would establish the specific steps
and direction to reach its vision of modernized systems by 2016. In
particular, the agency has not developed a service-oriented architecture
road map that would, among other things, articulate the changes and
growth in IT capabilities over time and provide a conceptual plan that
establishes a basis for developing more detailed project plans. Further,
SSA has not conducted an enterprise gap analysis to identify the
differences between its current and target states to enable the
development of a plan for transitioning from the current to the target state.
SSA also has not developed quantitative performance expectations for
the target state or analyzed the flows of information among the agency’s
business processes. Without a long-term strategic vision and an
enterprise architecture that provides details on how this vision is to be
executed, SSA lacks assurance that its modernization initiatives will
effectively and efficiently support its goals and mission.




CIO Realignment Allows for Effective Oversight and Management but Was Implemented without Adequate Planning or Updated Guidance

                       As mentioned earlier, in 2011, SSA realigned the functions of its Office of
                       the CIO, consolidating major responsibilities for the management and
                       oversight of IT in its Office of Systems. Federal law, specifically the
                       Clinger-Cohen Act of 1996, requires the heads of executive branch
                       agencies to designate a CIO with key responsibilities for managing an
                       agency’s IT resources. As we have previously reported, to carry out these
                       responsibilities effectively, CIOs require sufficient control over IT
                       investments, including control over the IT budget and workforce.[6]

                       Under the realignment, key responsibilities of the CIO and Deputy
                       Commissioner for Systems were merged into the Office of Systems.
                       Specifically, this arrangement gave the Office of Systems responsibility
                       for, among other things,

                       •   oversight and management of IT budget formulation;

                       •   systems acquisition, development, and integration;

                       •   the IT capital planning and investment control process;

                       •   workforce planning and allocation of resources to IT projects;

                       •   IT strategic planning;

                       •   enterprise architecture;

                       •   IT security; and

                       •   IT operations.

                       If implemented appropriately, this organizational structure should allow for
                       effective oversight and management of the agency’s systems and
                       modernization initiatives. However, we found in our review that the
                       realignment was undertaken without the benefit of an analysis of the
                       impact of this significant organizational change. Specifically, SSA did not
                       develop a management plan that would describe the challenges
                       associated with the realignment or strategies for addressing them, along
                       with time frames, resources, performance measures, and accountability
                       structures. Further, SSA did not analyze the roles and responsibilities
                       needed to support the allocation of functions under the realignment.
                       Without such an analysis, it cannot be determined whether the
                       reassignment of staff that occurred as a result of the realignment
                       represents an optimal allocation of resources.

                       [6] GAO, Federal Chief Information Officers: Opportunities Exist to Improve Role in
                       Information Technology Management, GAO-11-634 (Washington, D.C.: Sept. 15, 2011).

                        In addition, SSA has not updated its capital planning and investment
                        control guidance to reflect the realignment. This guidance sets forth the
                        process and responsibilities for managing the selection, control, and
                        evaluation of SSA’s IT investments. However, under the realignment,
                        certain elements of the existing guidance are obsolete, such as the
                        requirement for independent CIO reviews of IT investment proposals.
                        SSA officials stated that the guidance was being updated and would be
                        reviewed internally; however, they could not provide a time frame for the
                        approval and implementation of the revised guidance. Having updated
                        guidance is critical to ensuring that responsibilities for management and
                        oversight of the agency’s IT investments are being carried out effectively
                        under the realigned organizational structure.


SSA Needs to Take Actions to Help Ensure the Success of Its Modernization

                        In our report, we made a number of recommendations to SSA to address
                        the challenges it faces in carrying out its IT modernization efforts.
                        Specifically, we recommended that SSA:

                        •   Ensure that performance measures are established for IT investments
                            in each of OMB’s four management areas and that they allow for
                            measurement of progress in meeting modernization goals.

                        •   In updating the agency’s IT strategic plan, ensure that it includes key
                            elements, such as results-oriented goals, strategies, milestones,
                            performance measures, and an analysis of interdependencies among
                            projects and activities, and is used to guide and coordinate
                            modernization efforts.

                        •   Establish an enterprise architecture that includes key elements, such
                            as a service-oriented architecture road map, a gap analysis,
                            performance targets, and descriptions of information flows and
                            relationships.

                        •   Define roles and responsibilities of realigned IT staff and develop and
                            clearly document updated investment review guidance.




                  In commenting on a draft of our report, SSA neither agreed nor disagreed
                  with our recommendations. However, the agency provided responses to
                  each of the recommendations, as well as more general comments on our
                  report’s findings. SSA described steps it is taking that would address
                  elements of the recommendations related to planning, enterprise
                  architecture, and IT oversight, while it took issue with other elements of
                  the recommendations, including the level of detail that an IT strategic plan
                  should contain and the need for more comprehensive measures. We
                  continue to believe these recommendations are warranted. (Please see
                  the “Agency Comments and Our Evaluation” section of our report for
                  more details on SSA’s comments and our response.)

                  In summary, while SSA has undertaken important initiatives that have
                  resulted in improvements to its processes, significant efforts remain for it
                  to fully meet its goals for modernizing its IT environment. Ensuring that it
                  is successful in meeting these goals will be difficult without the agency
                  establishing effective tools for measuring progress and performance and
                  without comprehensive strategic planning. SSA’s realignment of the CIO
                  responsibilities provides an opportunity for effective management and
                  oversight of the agency’s systems modernization efforts; however, this
                  effectiveness may well be hindered without appropriate implementation of
                  the realignment, including defined roles and responsibilities and updated
                  oversight guidance.


                  Chairman Johnson, Ranking Member Becerra, and Members of the
                  Subcommittee, this concludes my statement. I would be pleased to
                  answer any questions that you may have at this time.


Contact and Acknowledgments

                  If you have any questions regarding this statement, please contact
                  Valerie C. Melvin, Director, Information Management and Technology
                  Resources Issues, at (202) 512-6304 or melvinv@gao.gov. Other
                  individuals who made key contributions include Christie Motley, Assistant
                  Director; Michael Alexander; David Hong; Alina Johnson; Lee
                  McCracken; and Scott Pettis.




(310985)
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.