United States Government Accountability Office
GAO
Testimony Before the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives
For Release on Delivery Expected at 2:00 p.m. EDT Wednesday, May 9, 2012
SOCIAL SECURITY ADMINISTRATION
Technology Modernization Needs Improved Planning and Performance Measures
Statement of Valerie C. Melvin, Director, Information Management and Technology Resources Issues
GAO-12-723T

Chairman Johnson, Ranking Member Becerra, and Members of the Subcommittee:
Thank you for inviting me to participate in today’s hearing on the Social Security Administration’s (SSA) efforts to modernize its information technology (IT) systems and environment. As you know, SSA is responsible for delivering services that touch the lives of virtually every American, and the agency relies heavily on IT to do so. Its computerized information systems support a range of activities, from the processing of Disability Insurance and Supplemental Security Income payments to the calculation and withholding of Medicare premiums, and the issuance of Social Security numbers and cards. Last fiscal year, the agency spent nearly $1.6 billion on IT.
As SSA’s systems have aged and its workload has increased, the agency has committed to investing in the capacity and modern technologies needed to update its strained IT infrastructure. In addition, the agency has recently undertaken a realignment of its IT governance structure, including the responsibilities of its Chief Information Officer (CIO).
At your request, over the past year, we have been examining SSA’s modernization efforts.
The specific objectives of our study were to (1) determine SSA’s progress in modernizing its IT systems and capabilities; (2) evaluate the effectiveness of SSA’s plans and strategy for modernizing its systems and capabilities; and (3) assess whether the realignment of the agency’s CIO responsibilities allows for effective oversight and management of the systems modernization efforts. Our report documenting the results of the study is being released today.[1] As agreed with your office, my testimony statement summarizes the key findings in our report.
In preparing this statement, we relied on the work supporting our report. The report contains a more detailed overview of the scope of our review and the methodology used. The work upon which this statement is based was conducted in accordance with generally accepted government auditing standards from May 2011 to April 2012. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives.
[1] GAO, Social Security Administration: Improved Planning and Performance Measures Are Needed to Help Ensure Successful Technology Modernization, GAO-12-495 (Washington, D.C.: Apr. 26, 2012).

Background
SSA’s mission is to deliver Social Security services that meet the changing needs of the public.
The Social Security Act and amendments established the programs that SSA administers, which include
• the Old Age, Survivors, and Disability Insurance program: Commonly referred to simply as “Social Security,” this program is one of the nation’s largest entitlement programs and provides monthly benefits to retired and disabled workers, their spouses and children, and the survivors of insured workers who have died; and
• the Supplemental Security Income program: This is a needs-based program financed from general tax revenues that provides benefits to aged adults, blind or disabled adults, and children with limited income and resources.
According to SSA, in fiscal year 2011, about 54 million people received benefits from the Old Age, Survivors, and Disability program, and over 8 million people received benefits from the Supplemental Security Income program. Collectively, about 155 million people work and pay Social Security taxes. The agency’s fiscal year 2011 expenses totaled about $12.4 billion to support its programs.

SSA Relies on IT to Deliver Services
SSA relies extensively on IT to administer its programs and support related activities. Specifically, its systems are used to, among other things,
• handle millions of transactions on SSA’s toll-free telephone number,
• maintain records for the millions of beneficiaries and recipients of SSA’s programs,
• evaluate evidence and make determinations of eligibility for benefits,
• issue new and replacement Social Security cards, and
• process earnings items for crediting to workers’ earnings records.
However, as the agency’s systems have aged, SSA has faced challenges in carrying out its increasing workload. Specifically, many of SSA’s existing systems software were developed in the 1960s and 1970s and are written in older computer programming languages or are past their designed life cycle.
While the agency has made technical and functional upgrades throughout the years, it continues to face challenges because of the need to store, process, and share increasing amounts of data and to transition to Web-based, online access for SSA data and services, among other factors.
Accordingly, in its most recent Agency Strategic Plan, SSA has identified IT as a key foundational element to achieving success in meeting its goals. Recognizing the challenges facing its IT environment, the agency has stated that it plans to, among other things, develop and implement a common system for processing disability cases, increase its use of online services for access to benefits and information, and automate its processes for reporting information.

Office of Systems Oversees SSA’s IT Systems and Investments
SSA’s Office of Systems is responsible for developing, overseeing, and maintaining the agency’s IT systems. Comprised of eight component offices and approximately 3,300 staff, the Office of Systems has responsibility for the agency’s IT.
SSA uses its capital planning and investment control process to manage its software development projects. This process is intended to meet the objectives of the Clinger-Cohen Act of 1996[2] by providing a framework for selecting, controlling, and evaluating investments in IT to help ensure that they meet the strategic and business objectives of the agency. This process requires a series of reviews by executive oversight bodies, including the agency’s Strategic Information Technology Assessment and Review board, to ensure that IT projects are selected that best meet the agency’s goals; that, once selected, they are performing within expected schedule and cost parameters; and finally, that once implemented, these projects are delivering results.
[2] The Clinger-Cohen Act (see 40 U.S.C. §§ 11301-11331) provides a framework for effective IT management that encompasses systems integration planning and investment.
In June 2011, in an effort to increase efficiency, the Commissioner of Social Security announced the realignment of CIO functions and associated personnel. As part of this realignment, the Office of the CIO was eliminated, and most of its responsibilities for managing IT, along with the IT budget, were reassigned to the Office of Systems. Previously, key duties of the CIO were to select and prioritize IT investments and oversee the review and approval of the annual IT budget, while the Office of Systems was responsible for managing the acquisition, development, and maintenance of IT projects. Under the realignment, the Deputy Commissioner for Systems—who heads the Office of Systems—assumed the major responsibilities of the CIO.

SSA Has Undertaken Numerous Modernization Efforts but Lacks Effective Tools for Measuring Progress
Since 2001, SSA has reported spending more than $5 billion on the development, modernization, and enhancement of its IT systems and capabilities. SSA officials identified 120 initiatives undertaken from 2001 to 2011 that the agency considered to be key investments in modernization. These comprise a subset of the hundreds of projects and modernization activities SSA undertakes yearly, which vary greatly in level of effort, scope, and cost. These initiatives affected all of the agency’s main program areas:
• According to managers within SSA’s Office of Disability Systems, in an effort to reduce backlogs of disability hearings, the agency implemented a process for creating electronic “folders” for each applicant, to replace the existing paper-based process. This initiative included capabilities for electronically viewing an applicant’s folder, electronic screening for faster disability determinations, and Internet access to information on disability hearings and determinations.
• The Office of Retirement and Survivors Insurance Systems took steps to improve outdated legacy systems and respond to legislation or other mandates requiring new system functionality. These efforts included integrating stand-alone “post-entitlement” processes, facilitating online application for benefits, and conversion of a key database to a more modern, industry-standard one.
• Managers from the Office of Applications and Supplemental Security Income described initiatives to modernize large legacy databases and facilitate data sharing to streamline the claims process. These included enhancements to the electronic death registration process and the development of a Web application enabling access to data from multiple systems.
• SSA officials described initiatives in the area of electronically exchanging data with external partners, including states and private-sector partners such as banks and credit bureaus.
• SSA also noted efforts to streamline the process for administering Social Security cards, such as introducing safeguards against counterfeiting and replacing its legacy printers.
In addition to these initiatives, SSA undertook a project to establish a disaster recovery capability at a secondary computing site. This project provided for continuity of operations, continuous processing of SSA’s workload, and backup of the agency’s IT assets, among other capabilities.
While these improvements have yielded benefits, SSA still has a number of other major efforts under way to continue the modernization of its IT environment.
These efforts involve
• completing the conversion of the agency’s legacy Master Data Access Method database system (used to support the storage and retrieval of SSA’s major program master files) to a modern, industry-standard database system;
• transitioning from its legacy system for processing retirement and survivors’ claims to a single, unified system that integrates initial and post-entitlement actions;
• streamlining operations and reducing duplication in disability databases and transitioning from multiple and fragmented applications to a single, unified case processing system;
• enhancing and refreshing telecommunications equipment and ongoing improvement of connectivity and bandwidth for data, voice, and video communications; and
• supporting enhancements to SSA’s Medicare initiatives, including changes required by the Patient Protection and Affordable Care Act, which are intended to improve the process for verifying the name, Social Security number, and other data on Medicare earnings reports.
SSA officials noted that the agency faces several challenges in successfully carrying out these modernization efforts. These include planning for system changes within a single fiscal year budget cycle, a practice that limits the agency’s ability to make long-term modernization plans; devoting significant resources to the maintenance of existing legacy systems because of large quantities of legacy code; and diverting resources from long-term projects to shorter-term immediate requirements, such as those arising from legislative changes.
Compounding these challenges, we found that SSA has not fully established performance measures or a post-implementation review process that would allow it to determine the progress it is making in its modernization efforts.
Federal law requires agencies to identify performance measures for their IT investments,[3] and we have previously reported that comprehensive measures are essential for gauging the progress and benefits of IT investments.[4] However, while SSA developed performance measures for most of its 17 major modernization investments for fiscal year 2010, it did not identify any measures in one of four management areas identified by the Office of Management and Budget (OMB) for 3 of these investments.[5] Moreover, the measures SSA developed did not always allow for assessments of each project’s effectiveness in meeting agency goals. For example, these measures did not always (1) identify how each project is to contribute to expected benefits; (2) include measures of investments’ effectiveness in meeting goals, requirements, or mission results; or (3) provide the means for measuring progress toward specific modernization goals.
[3] The Paperwork Reduction Act requires federal agencies to establish performance measures that depict how effectively the management of information resources, which includes IT, is supporting their business needs. In addition, the Clinger-Cohen Act requires agencies to establish performance measures, such as those related to how IT contributes to program productivity, efficiency, and effectiveness, and to monitor the actual-versus-expected performance of those measures.
[4] GAO, Information Technology Management: Governmentwide Strategic Planning, Performance Measurement, and Investment Management Can Be Further Improved, GAO-04-49 (Washington, D.C.: Jan. 12, 2004).
[5] These four areas are mission and business results, processes and activities, customer results, and technology. See OMB, Federal Enterprise Architecture: Consolidated Reference Model Document, version 2.3 (Washington, D.C.: October 2007).
In addition, SSA has not conducted post-implementation reviews of its IT projects or systems, as called for by OMB guidance.
Such a review should confirm the extent to which planned benefits were achieved, determine the cost-effectiveness of the project, and identify lessons learned and opportunities for improvement. While SSA conducts assessments of completed initiatives, these assessments lack key elements called for by OMB that would provide assurance that modernization and other IT projects are delivering expected benefits at acceptable costs and that SSA is making progress in meeting its goals.

Modernization Approach Is Not Guided by Key Practices
Comprehensive strategic planning is essential for successfully carrying out large-scale efforts such as SSA’s IT modernizations. Key elements of such planning include developing an IT strategic plan and an enterprise architecture that, together, outline modernization goals, measures, and timelines.
An IT strategic plan serves as an agency’s vision and helps align its information resources with its business strategies and investment decisions. As such, it provides a high-level perspective of the agency’s goals and objectives, enabling the agency to prioritize how it allocates resources; proactively respond to changes; and communicate its vision and goals to management, oversight bodies, and external parties.
The enterprise architecture helps to implement the strategic vision by providing a focused “blueprint” of the organization’s business processes and technology that supports them. It includes descriptions of how the organization operates today, how it intends to operate in the future, and a plan for transitioning to the target state. It further helps coordinate the concurrent development of IT systems to limit unnecessary duplication and increase the likelihood that these systems will inter-operate.
SSA developed an IT strategic plan in 2007 to guide its modernization efforts; however, the plan is outdated and may not be aligned with the agency’s overall strategic plan.
Specifically, because it has not been updated since 2007, the plan contains elements that are no longer relevant to SSA’s ongoing modernization efforts. For example, the plan discusses projects that have largely been completed, does not reference current information security requirements, and does not reflect current staffing needs. Further, it does not reflect the way in which modernization decisions are driven by the agency’s Strategic Information Technology Assessment and Review board.
The currency of the IT strategic plan is further called into question by the fact that the agency updated its overall Agency Strategic Plan in 2008 and again in 2012. Thus, the IT strategic plan may no longer be aligned with the agency’s broader goals.
In the absence of an updated IT strategic plan, SSA has relied on a number of program activities to guide its modernization efforts, such as identifying and prioritizing IT modernization investments during its annual investment review process and developing high-level descriptions of projects in each of the agency’s portfolios. However, these activities are based on short-term budget cycles and do not provide a long-term strategic vision with detailed steps and milestones. SSA officials stated that they are updating the IT strategic plan; however, it has yet to be finalized or approved.
In addition, SSA has developed an enterprise architecture, but it is missing key components. Specifically, the architecture captures certain foundational information about the current and target states of the organization, such as current business processes and business outcomes, to assist in evolving existing information systems and developing new ones. Nevertheless, the architecture lacks important content called for by federal CIO Council and OMB guidance that would allow the agency to more effectively plan its investments and achieve its vision of modernized systems and operations.
Specifically, the architecture lacks key elements that would establish the specific steps and direction to reach its vision of modernized systems by 2016. In particular, the agency has not developed a service-oriented architecture road map that would, among other things, articulate the changes and growth in IT capabilities over time and provide a conceptual plan that establishes a basis for developing more detailed project plans. Further, SSA has not conducted an enterprise gap analysis to identify the differences between its current and target states to enable the development of a plan for transitioning from the current to the target state. SSA also has not developed quantitative performance expectations for the target state or analyzed the flows of information among the agency’s business processes.
Without a long-term strategic vision and an enterprise architecture that provides details on how this vision is to be executed, SSA lacks assurance that its modernization initiatives will effectively and efficiently support its goals and mission.

CIO Realignment Allows for Effective Oversight and Management but Was Implemented without Adequate Planning or Updated Guidance
As mentioned earlier, in 2011, SSA realigned the functions of its Office of the CIO, consolidating major responsibilities for the management and oversight of IT in its Office of Systems. Federal law, specifically the Clinger-Cohen Act of 1996, requires the heads of executive branch agencies to designate a CIO with key responsibilities for managing an agency’s IT resources. As we have previously reported, to carry out these responsibilities effectively, CIOs require sufficient control over IT investments, including control over the IT budget and workforce.[6]
Under the realignment, key responsibilities of the CIO and Deputy Commissioner for Systems were merged into the Office of Systems.
Specifically, this arrangement gave the Office of Systems responsibility for, among other things,
• oversight and management of IT budget formulation;
• systems acquisition, development, and integration;
• the IT capital planning and investment control process;
• workforce planning and allocation of resources to IT projects;
• IT strategic planning;
• enterprise architecture;
• IT security; and
• IT operations.
If implemented appropriately, this organizational structure should allow for effective oversight and management of the agency’s systems and modernization initiatives. However, we found in our review that the realignment was undertaken without the benefit of an analysis of the impact of this significant organizational change. Specifically, SSA did not develop a management plan that would describe the challenges associated with the realignment or strategies for addressing them, along with time frames, resources, performance measures, and accountability structures. Further, SSA did not analyze the roles and responsibilities needed to support the allocation of functions under the realignment. Without such an analysis, it cannot be determined whether the reassignment of staff that occurred as a result of the realignment represents an optimal allocation of resources.
[6] GAO, Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management, GAO-11-634 (Washington, D.C.: Sept. 15, 2011).
In addition, SSA has not updated its capital planning and investment control guidance to reflect the realignment. This guidance sets forth the process and responsibilities for managing the selection, control, and evaluation of SSA’s IT investments. However, under the realignment, certain elements of the existing guidance are obsolete, such as the requirement for independent CIO reviews of IT investment proposals.
SSA officials stated that the guidance was being updated and would be reviewed internally; however, they could not provide a time frame for the approval and implementation of the revised guidance. Having updated guidance is critical to ensuring that responsibilities for management and oversight of the agency’s IT investments are being carried out effectively under the realigned organizational structure.

SSA Needs to Take Actions to Help Ensure the Success of Its Modernization
In our report, we made a number of recommendations to SSA to address the challenges it faces in carrying out its IT modernization efforts. Specifically, we recommended that SSA:
• Ensure that performance measures are established for IT investments in each of OMB’s four management areas and that they allow for measurement of progress in meeting modernization goals.
• In updating the agency’s IT strategic plan, ensure that it includes key elements, such as results-oriented goals, strategies, milestones, performance measures, and an analysis of interdependencies among projects and activities, and is used to guide and coordinate modernization efforts.
• Establish an enterprise architecture that includes key elements, such as a service-oriented architecture road map, a gap analysis, performance targets, and descriptions of information flows and relationships.
• Define roles and responsibilities of realigned IT staff and develop and clearly document updated investment review guidance.
In commenting on a draft of our report, SSA neither agreed nor disagreed with our recommendations. However, the agency provided responses to each of the recommendations, as well as more general comments on our report’s findings.
SSA described steps it is taking that would address elements of the recommendations related to planning, enterprise architecture, and IT oversight, while it took issue with other elements of the recommendations, including the level of detail that an IT strategic plan should contain and the need for more comprehensive measures. We continue to believe these recommendations are warranted. (Please see the “Agency Comments and Our Evaluation” section of our report for more details on SSA’s comments and our response.)
In summary, while SSA has undertaken important initiatives that have resulted in improvements to its processes, significant efforts remain for it to fully meet its goals for modernizing its IT environment. Ensuring that it is successful in meeting these goals will be difficult without the agency establishing effective tools for measuring progress and performance and without comprehensive strategic planning. SSA’s realignment of the CIO responsibilities provides an opportunity for effective management and oversight of the agency’s systems modernization efforts; however, this effectiveness may well be hindered without appropriate implementation of the realignment, including defined roles and responsibilities and updated oversight guidance.
Chairman Johnson, Ranking Member Becerra, and Members of the Subcommittee, this concludes my statement. I would be pleased to answer any questions that you may have at this time.

Contact and Acknowledgments
If you have any questions regarding this statement, please contact Valerie C. Melvin, Director, Information Management and Technology Resources Issues, at (202) 512-6304 or firstname.lastname@example.org. Other individuals who made key contributions include Christie Motley, Assistant Director; Michael Alexander; David Hong; Alina Johnson; Lee McCracken; and Scott Pettis.
(310985)
This is a work of the U.S. government and is not subject to copyright protection in the United States.
The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Social Security Administration: Technology Modernization Needs Improved Planning and Performance Measures
Published by the Government Accountability Office on 2012-05-09.