oversight

High-Risk Series: Information Management and Technology

Published by the Government Accountability Office on 1997-02-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                United States General Accounting Office

GAO             High-Risk Series




February 1997
                Information Management
                and Technology




GAO/HR-97-9
GAO   United States
      General Accounting Office
      Washington, D.C. 20548

      Comptroller General
      of the United States



      February 1997
      The President of the Senate
      The Speaker of the House of Representatives

      In 1990, the General Accounting Office began a special
      effort to review and report on the federal program areas
      its work identified as high risk because of vulnerabilities
      to waste, fraud, abuse, and mismanagement. This effort,
      which was supported by the Senate Committee on
      Governmental Affairs and the House Committee on
      Government Reform and Oversight, brought a
      much-needed focus on problems that were costing the
      government billions of dollars.

      In December 1992, GAO issued a series of reports on the
      fundamental causes of problems in high-risk areas, and in
      a second series in February 1995, it reported on the status
      of efforts to improve those areas. This, GAO’s third series
      of reports, provides the current status of designated
      high-risk areas.

      This report focuses on major, multibillion dollar
      information system development and modernization
      efforts at the Internal Revenue Service, the Federal
      Aviation Administration, the Department of Defense, and
      the National Weather Service. These efforts are having
      serious trouble meeting cost, schedule, and/or
      performance goals. Such problems are all too common in
      federal automation projects. Agencies have obligated
      over $145 billion during the past 6 years building, buying,
and maintaining computer systems and networks. Yet this
vast investment has yielded poor returns in reducing
federal operating costs, improving performance,
supporting sound financial management, achieving
mission results, and providing quality service to the
American public.

In addition, we discuss two governmentwide information
management issues. The first is information security.
Despite the sensitivity and criticality of federal
information systems, they are not being adequately
protected from unauthorized access. The second issue
involves the need to change computer systems so that
they can accommodate dates after the year 1999. Unless
corrected, computer programs that use dates to perform
calculations, comparisons, and sorting may generate
incorrect results when working with the years 2000 and
beyond.

As dependence on computers grows and new high-risk
areas emerge, federal agencies need to adopt modern
practices to correct underlying management problems
that impede effective system development and
operations. In reviewing technology budget proposals,
the 105th Congress should determine whether agencies
are implementing recently enacted reform
legislation—the Paperwork Reduction Act of 1995 and
the Clinger-Cohen Act of 1996. This legislation, which
incorporates best practices of successful organizations, is
designed to strengthen executive leadership in
information management and institute sound capital



             Page 2          GAO/HR-97-9 Information Management
investment decision-making for maximizing the potential
benefits from information systems.

Copies of this report series are being sent to the
President, the congressional leadership, all other
Members of the Congress, the Director of the Office of
Management and Budget, and the heads of major
departments and agencies.




James F. Hinchman
Acting Comptroller General
  of the United States




            Page 3           GAO/HR-97-9 Information Management
Contents



Overview                                                    6

High-Risk System                                           13
Development and
Modernization
Efforts
Governmentwide                                             32
High-Risk Issues
Further Action                                             44
Needed
Related GAO                                                60
Reports
1997 High-Risk                                             68
Series




                   Page 4   GAO/HR-97-9 Information Management
Page 5   GAO/HR-97-9 Information Management
Overview



              The federal government’s dependence on
              computer systems, networks, and electronic
              records to carry out its work continues to
              accelerate. Information systems are now
              integral to nearly every aspect of over $1.5
              trillion in annual federal government
              operations and spending—from national
              defense and air traffic control to revenue
              collection and benefit payments. Yet, despite
              years of experience in developing systems,
              agencies across government continue to
              have chronic problems harnessing the full
              potential of information technology to
              improve performance, cut costs, and
              enhance responsiveness to the public.


The Problem   During the past 6 years, agencies have
              obligated over $145 billion building up and
              maintaining their information technology
              infrastructure. The benefits from this vast
              expenditure, however, have frequently been
              disappointing. GAO reports and congressional
              hearings have chronicled numerous system
              development efforts that suffered from
              multimillion dollar cost overruns, schedule
              slippages measured in years, and dismal
              mission-related results. At the same time, the
              public has become accustomed to high levels
              of quality and service from leading private
              sector organizations. They are increasingly


              Page 6          GAO/HR-97-9 Information Management
                   Overview




                   frustrated by the fact that they cannot get
                   comparable performance from their national
                   government.

                   This poor return on information technology
                   investments has also left the Congress and
                   executive branch severely handicapped by
                   the lack of reliable data for measuring the
                   costs and results of agency operations and
                   making well-informed decisions. For
                   instance, agencies are still a long way from
                   demonstrating the most basic fiscal
                   accountability to the public—such as
                   passing the test of an independent
                   audit—largely due to inadequate financial
                   management and accounting systems.


Progress to Date   Recognizing the urgent need for
                   improvement, the 104th Congress passed
                   landmark reforms in information technology
                   management. The Paperwork Reduction Act
                   of 1995 is the overarching statute dealing
                   with the acquisition and management of
                   information resources—including
                   information technology—by federal
                   agencies. It emphasizes that agencies need to
                   acquire and apply such resources to
                   effectively support the accomplishment of
                   agency missions and the delivery of services
                   to the public. The Clinger-Cohen Act of 1996


                   Page 7          GAO/HR-97-9 Information Management
Overview




repeats this theme and elaborates on
requirements for agencies to follow when
acquiring information technology.

Together, these acts direct agencies to
implement a framework of modern
technology management—one based on
practices followed by leading public-sector
and private-sector organizations that have
successfully used technology to dramatically
improve performance and meet strategic
goals.

Among their many provisions, the reforms
emphasize involving senior executives in
information management decisions,
appointing qualified senior-level Chief
Information Officers, establishing
appropriate agencywide technology
standards, imposing much-needed discipline
over technology spending, redesigning
inefficient work processes, and using
performance measures to assess
technology’s contribution in achieving
mission results for the American people.

These management practices provide
proven, practical methods for addressing the
federal government’s information
management problems, maximizing benefits
from technology spending, and controlling


Page 8          GAO/HR-97-9 Information Management
Overview




the risks of system acquisition and
development efforts. The challenge now is
for agencies to apply this framework to their
own technology efforts, particularly those
with questionable returns, high risks, and
high costs.

The importance of quickly implementing
these reforms is emphasized by the fact that
all four multibillion-dollar information
technology efforts listed in our 1995
High-Risk Series1 remain at high risk of being
late, running over cost, and/or falling short
of promised benefits. They are (1) the
Internal Revenue Service’s (IRS) Tax Systems
Modernization, (2) the Federal Aviation
Administration’s (FAA) Air Traffic Control
modernization, (3) the Department of
Defense’s Corporate Information
Management initiative, and (4) the National
Weather Service’s (NWS) modernization.
Each of these continues to suffer from one
or more problems, such as unsound
investment control, poor project
management, and ongoing technical
weaknesses—areas specifically addressed
by the new legislation. Corrective measures
are underway on many fronts, but our prior
recommendations have not yet been fully
implemented.

1
 GAO High-Risk Series, An Overview (GAO/HR-95-1, Feb. 1995).

Page 9                 GAO/HR-97-9 Information Management
Overview




Along with these four agency-specific
efforts, we are including two new high-risk
areas that touch virtually every major aspect
of government operations. The first is
information security. Despite the sensitivity
and criticality of federal information
systems, they are not being adequately
protected from unauthorized access.
Security weaknesses abound, creating
serious pervasive risks for the federal
government, such as potential disclosure of
sensitive data, loss of assets worth billions of
dollars due to fraud, and disruption of
critical operations.

The second area involves the need for
computer systems to be changed to
accommodate dates beyond the year 1999.
This “year 2000” problem stems from the
common practice of abbreviating years by
their last two digits. Computer systems
could interpret “00” as the year 1900 instead
of the year 2000, “01” as 1901, and so on. The
resulting miscalculations involving dates and
the computation of elapsed time could
cascade through all kinds of activities, such
as loans, mortgages, pensions, tax records,
and benefit payments. Federal agencies need
to take steps quickly to assess and correct
this problem before time runs out.



Page 10          GAO/HR-97-9 Information Management
                  Overview




Outlook for the   Will the picture be any different in another 2
Future            years? A great deal depends on leadership by
                  agency heads, their Chief Information
                  Officers, and senior program executives.

                  Agencies need to establish goals for using
                  information technology to enhance the
                  productivity, efficiency, and effectiveness of
                  their operations. Progress toward these
                  goals should be measured and reported in
                  annual budget submissions. In addition,
                  agencies need to improve work processes
                  used to carry out programs, develop and
                  implement an integrated agencywide
                  technology architecture, and strengthen
                  their staffs’ capabilities to manage
                  information resources, deal with emerging
                  technology issues, and develop needed
                  systems. Each agency must also establish a
                  structured process for selecting, controlling,
                  and evaluating their capital investments in
                  technology in order to maximize
                  mission-related benefits and control risks.

                  The Congress also will need to be vigilant in
                  overseeing agencies’ information technology
                  investments and project management. The
                  recently enacted reforms could easily
                  dissipate unless congressional committees
                  use the full range of their budget,
                  appropriations, and oversight functions to


                  Page 11         GAO/HR-97-9 Information Management
Overview




hold agency leaders accountable for
implementing them promptly.

The Congress should assure itself that
agency heads are working to identify
strengths and weaknesses in their
information management practices.
Congressional committees should expect
agencies to provide hard data on how
technology spending is being used to
improve mission performance and reduce
operating costs. And there should be clear
evidence that each agency has implemented
a sound technology investment control
process. The Congress should also see to it
that the Office of Management and Budget
(OMB) is carrying out its critical role in
guiding the agencies in implementing
investment reforms and that OMB is enforcing
accountability for achieving improvements
through the executive branch budget
process.




Page 12         GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts


                   Our 1995 High-Risk Series included four
                   multibillion-dollar modernization efforts that
                   were having serious trouble meeting their
                   cost, schedule, and/or performance goals.1 In
                   our ongoing work, we have continued to
                   make specific recommendations for
                   mitigating risks in areas such as investment
                   control, system development, and technical
                   infrastructure. These agencies have made
                   some progress. Still, the level of
                   improvement has not yet been enough to
                   bring the problems under control. After 2
                   years, all four remain on our high-risk list.


IRS’ Tax Systems   Over the last decade, IRS has been attempting
Modernization      to overhaul its timeworn, paper-intensive
                   approach to tax return processing. In 1995,
                   we identified serious management and
                   technical weaknesses in the modernization
                   program that jeopardize its successful
                   completion, recommended many actions to
                   fix the problems, and added IRS’
                   modernization to our high-risk list. Since
                   then, IRS and Treasury have together taken
                   several steps to implement our
                   recommendations, but much remains to be
                   done. At stake is the over $3 billion that IRS
                   has spent or obligated on this modernization


                   1
                    GAO/HR-95-1, Feb. 1995.

                   Page 13                GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




since 1986, as well as any additional funds
that IRS plans to spend on modernization.

In July 1995,2 we reported that IRS (1) did not
have a comprehensive business strategy to
cost effectively reduce paper tax return
filings and (2) had not yet fully developed
and put in place the requisite management,
software development, and technical
infrastructure necessary to successfully
implement its ambitious, world-class
modernization. We also reported that IRS
lacked an overall systems architecture, or
blueprint, to guide the modernization’s
development and evolution.

At that time, we made over a dozen
recommendations to the IRS Commissioner
to address these weaknesses. Collectively,
the recommendations called for IRS to
(1) formulate a comprehensive business
strategy for maximizing electronic filings,
(2) improve its strategic information
management by implementing a process for
selecting, prioritizing, controlling, and
evaluating the progress and performance of
all major information systems and
investments, (3) implement disciplined,
consistent procedures for software

2
 Tax Systems Modernization: Management and Technical
Weaknesses Must Be Corrected If Modernization Is to Succeed
(GAO/AIMD-95-156, July 26, 1995).

Page 14                GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




requirements management, quality
assurance, configuration management, and
project planning and tracking, and
(4) complete and enforce an integrated
systems architecture and security and data
architectures. IRS agreed to implement our
recommendations.

In May 1996, Treasury reported to the House
and Senate Appropriations Committees on
steps under way and planned to exert
greater management oversight of IRS’
modernization efforts.3 For example, it
established a Modernization Management
Board as the primary review and
decision-making body for modernization and
for policy and strategic direction. In
addition, Treasury scaled back the overall
size of the modernization by approximately
$2 billion and is working with IRS to obtain
additional contractor help to accomplish the
modernization.

Pursuant to congressional direction, we
assessed IRS’ actions to correct its
management and technical weaknesses, as
delineated in Treasury’s report on tax
systems modernization. We reported in June
and September 1996 that IRS had initiated

3
Report to House and Senate Appropriations Committees: Progress
Report on IRS’s Management and Implementation of Tax Systems
Modernization, Department of the Treasury, May 6, 1996.

Page 15               GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




many activities to improve its modernization
efforts but had not yet fully implemented any
of our recommendations. Consequently, in
order to minimize the risk attached to
continued investment in systems
modernization, we suggested to the
Congress that it consider limiting
modernization funding exclusively to
cost-effective efforts that (1) support
ongoing operations and maintenance,
(2) correct IRS’ pervasive management and
technical weaknesses, (3) are small,
represent low technical risk, and can be
delivered quickly, and (4) involve deploying
already developed and fully tested systems
that have proven business value and are not
premature given the lack of a completed
architecture.

To help oversee IRS’ modernization, the
Congress in the fiscal year 1997 Omnibus
Consolidated Appropriations Act4 directed
IRS to (1) submit by December 1, 1996, a
schedule for transferring a majority of its
modernization development and deployment
to contractors by July 31, 1997, and
(2) establish a schedule by February 1, 1997,
for implementing our recommendations by
October 1, 1997. In its conference report on
the act, the Congress directed the Secretary

4
 P.L. 104-208, Sept. 30, 1996.

Page 16                   GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




of the Treasury to (1) provide quarterly
reports on the status of IRS’ corrective
actions and modernization spending5 and
(2) submit by May 15, 1997, a technical
architecture for the modernization that has
been approved by Treasury’s Modernization
Management Board. Additionally, the Board
was directed to prepare a request for
proposals by July 31, 1997, to acquire a
prime contractor to manage modernization
deployment and implementation.

IRShas continued to take steps to address
our recommendations and respond to
congressional direction. For example, IRS
hired a new Chief Information Officer. It also
created an investment review board to
select, control, and evaluate its information
technology investments. Thus far, the board
has reevaluated and terminated selected
major modernization development projects,
such as the Document Processing System
(DPS).

Additionally, IRS (1) provided a November 26,
1996, report to the Congress that set forth
IRS’ strategic plan and schedule for shifting



5
 H.R. Report No. 863, 104th Cong., 2d sess. (1996). The Congress
also included the requirement that Treasury provide a milestone
schedule for developing and implementing all modernization
projects in Treasury’s fiscal year 1996 appropriations act (P.L.
104-52, Nov. 19, 1995).

Page 17                 GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




modernization development and deployment
to contractors, (2) is finalizing a
comprehensive strategy to maximize
electronic filing that is scheduled for
completion in early 1997, and (3) is updating
its system development life cycle
methodology and working across various IRS
organizations to define disciplined processes
for software requirements management,
quality assurance, configuration
management, and project planning and
tracking. Additionally, IRS is developing a
technical architecture for the modernization
and plans to provide this to the Congress by
May 15, 1997. Further, IRS is preparing a
schedule for implementing our
recommendations and plans to provide it to
the Congress in February 1997.

While we recognize IRS’ and Treasury’s
actions to address these problems, we
remain concerned. Much remains to be done
to fully implement essential improvements.
Increasing the use of contractors, for
example, will not automatically increase the
likelihood of successful modernization
because IRS does not have the technical
capability needed to manage all of its current
contractors. As a case in point, IRS’
Cyberfile—a system development effort led
by contractors to enable taxpayers to


Page 18            GAO/HR-97-9 Information Management
                    High-Risk System Development and
                    Modernization Efforts




                    personally prepare and file their tax returns
                    electronically—exhibited many
                    undisciplined software acquisition practices
                    as well as inadequate financial and
                    management controls. Eventually, IRS
                    canceled the Cyberfile project after spending
                    over $17 million and without fielding any of
                    the system’s promised capabilities.
                    Therefore, if IRS is to use additional
                    contractors effectively, it will have to first
                    strengthen and improve its ability to manage
                    those contractors.

                    In addition, IRS needs to continue to make
                    concerted, sustained efforts to fully
                    implement our recommendations and
                    respond effectively to the requirements
                    outlined by the Congress. It will take both
                    management commitment and technical
                    discipline for IRS to do this effectively.
                    Accordingly, we plan to continue assessing
                    IRS’ progress in its critical endeavor to
                    modernize.


FAA’s Air Traffic   Faced with rapidly growing air traffic
Control             volumes and aging air traffic control
Modernization       equipment, the FAA in 1981 initiated an
                    ambitious air traffic control (ATC)
                    modernization program. This effort, which is
                    expected to cost $34 billion through fiscal


                    Page 19            GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




year 2003, mostly involves investments in a
multitude of software-intensive computer
systems.

Over the past 15 years, the modernization
program has experienced cost overruns,
schedule delays, and performance shortfalls
of large proportions—particularly in the
$7.6 billion former centerpiece of the
modernization known as the Advanced
Automation System, which FAA restructured
in 1994. The acquisition of that system failed
because FAA did not recognize the technical
complexity of the effort, realistically
estimate the resources required, adequately
oversee its contractors’ activities, or
effectively control system requirements.6
With $11 billion planned to be spent on the
ATC program from fiscal years 1998 through
2003, and billions more surely to follow, it is
critical that FAA overcome the weaknesses
that threaten this effort.

To its credit, FAA has made progress in
acquiring an interim replacement for its
outage-plagued system that processes data
into displayable images on controllers’




6
Advanced Automation System: Implications of Problems and
Recent Changes (GAO/T-RCED-94-188, Apr. 13, 1994).

Page 20               GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




screens.7 Although key acquisition
milestones, events, and risks remain, FAA is
currently on track to deliver promised
capabilities ahead of schedule and within
budget. Further, when we recommended
that two risks associated with system
testing—contention for human test
resources and test baseline configuration
change control—be formally managed, FAA
officials agreed to do so.

Still, serious problems remain. The many
systems comprising the modernization effort
have long proceeded without the benefit of a
complete systems architecture, or overall
blueprint, to guide development and
evolution.8 The result has been unnecessarily
higher spending to buy, integrate, and
maintain hardware and software. For
example, the number of application
programming languages used on existing
systems has been left unchecked, growing to
53. This has needlessly increased software
maintenance costs and hindered software
reuse among systems. We have
recommended that FAA develop and enforce
a complete systems architecture and

7
 Air Traffic Control: Good Progress on Interim Replacement for
Outage-Plagued System, but Risks Can Be Further Reduced
(GAO/AIMD-97-2, Oct. 17, 1996).
8
 Air Traffic Control: Complete and Enforced Architecture Needed
for FAA Systems Modernization (GAO/AIMD-97-30, Feb. 3, 1997).

Page 21                GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




implement a management structure for
doing so that is similar to the Chief
Information Officers provisions of the
Clinger-Cohen Act of 1996.

Exacerbating the modernization’s problems
is unreliable cost information—both future
estimates of costs and accumulations of
actual costs.9 According to the
Clinger-Cohen Act of 1996, the selection of
information technology investments should
be based on competing projects’ estimated
costs, benefits, and risks. To effectively
manage these investments, their actual cost
performance must be measured against their
cost estimates. However, FAA lacks the
adequate cost estimating processes and cost
accounting practices needed to do so,
leaving it at risk of making ill-informed
decisions on critical multimillion, even
billion, dollar air traffic control systems. We
recommended that FAA institutionalize
defined processes for estimating projects’
cost, and develop and implement a
managerial cost accounting capability.

FAA must also address problems in its
organizational culture, which does not
reflect a strong enough commitment to

9
 Air Traffic Control: Improved Cost Information Needed to Make
Billion Dollar Modernization Investment Decisions
(GAO/AIMD-97-20, Jan. 22, 1997).

Page 22                GAO/HR-97-9 Information Management
              High-Risk System Development and
              Modernization Efforts




              mission focus, accountability, coordination,
              and adaptability.10 For example, project
              officials established unrealistic cost
              estimates in order to obtain funding and
              suppressed news about setbacks in order to
              avoid heightened managerial oversight.
              Without strong leadership to promote the
              desired organizational behavior, the
              modernization effort’s problems will be
              difficult to overcome. We recommended that
              FAA develop a comprehensive strategy for
              addressing this issue.

              To further pinpoint the root causes of FAA’s
              modernization problems, we have a review
              underway to determine whether FAA’s
              software acquisition capability is sufficiently
              mature to successfully modernize the highly
              complex, real-time ATC system.


Defense’s     The Department of Defense’s Corporate
Corporate     Information Management (CIM) initiative,
Information   started in 1989, was expected to save billions
Management    of dollars by streamlining operations and
Initiative    implementing standard information systems
              supporting such important business areas as
              supply distribution, materiel management,
              personnel, finance, and transportation.


              10
               Aviation Acquisition: A Comprehensive Strategy Is Needed for
              Cultural Change at FAA (GAO/RCED-96-159, Aug. 22, 1996).

              Page 23                GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




However, 8 years after beginning CIM, and
after spending about $20 billion, Defense’s
savings goal has not been met because the
Department has not yet implemented sound
management practices.

We have made numerous recommendations
for improving the Department’s management
of CIM, including (1) better linking system
modernization projects to business process
improvement efforts, (2) establishing plans,
performance measures, and clearly defined
roles and responsibilities for implementing
CIM, (3) improving controls over information
technology investments, and (4) not
initiating system improvement projects
without sound economic and technical
analyses.11

But Defense has yet to successfully
implement these recommendations. Instead,
it continues to spend billions of dollars on
system migration projects with little sound



11
  Defense Management: Stronger Support Needed for Corporate
Information Management Initiative to Succeed
(GAO/AIMD/NSIAD-94-101, April 12, 1994); Defense Management:
Selection of Depot Maintenance Standard System Not Based on
Sufficient Analyses (GAO/AIMD-95-110, July 13, 1995); Defense
Transportation: Migration Systems Selected Without Adequate
Analysis (GAO/AIMD-96-81, August 29, 1996); and Defense IRM:
Critical Risks Facing New Material Management Strategy
(GAO/AIMD-96-109, September 6, 1996).

Page 24               GAO/HR-97-9 Information Management
    High-Risk System Development and
    Modernization Efforts




    analytical justification.12 Rather than relying
    on a rigorous decision-making process for
    information technology investments—as
    used in leading private and public sector
    organizations that we studied—Defense is
    making system migration decisions without

•   appropriately analyzing costs, benefits, and
    technical risks;
•   establishing realistic project schedules; or
•   considering how business process
    improvements could affect technology
    investments.

    Further, in some cases, Defense has denied
    its own decisionmakers the opportunity to
    evaluate the progress of technology
    investments over time by forgoing its
    established oversight process.

    Not surprisingly, the results of Defense’s
    major technology investments have been
    meager. For example, in the transportation
    area, it has made some investments that are
    likely to result in a negative return on
    investment. For materiel management, it has
    abandoned its system modernization
    strategy after spending over $700 million.
    For depot maintenance, Defense expects to


    12
      A migration system is an automated information system which
    replaces several systems that perform similar functions.

    Page 25                GAO/HR-97-9 Information Management
                   High-Risk System Development and
                   Modernization Efforts




                   spend over $1 billion to develop a standard
                   system that will achieve less than 2.3 percent
                   in reduced operational costs over a 10-year
                   period.

                   The Department estimates that additional
                   spending on system migration projects
                   between now and the year 2000 will total
                   more than $11 billion. As part of its
                   Clinger-Cohen Act implementation efforts,
                   the Department is establishing a framework
                   for better managing this investment using its
                   planning, programming, and budgeting
                   system. While a step in the right direction,
                   this initiative is just beginning. We have
                   ongoing and planned work—including
                   reviews of the Department’s system
                   modernization strategy and investment
                   controls—aimed at helping Defense
                   managers make well-informed business
                   decisions based on an accurate picture of
                   the costs of technology investments, their
                   related benefits, and an appreciation for how
                   they fit into the Department’s long-term and
                   short-term goals.


National Weather   NWS decided almost 15 years ago to leverage
Service’s          the power of information technology to “do
Modernization      more with less.” Promising better weather
                   forecasts and downsized operations, NWS has


                   Page 26            GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




been acquiring new observing
systems—such as radars, satellites, and
ground-based sensors—as well as powerful
forecaster workstations, at a combined cost
of about $4.5 billion. Although NWS
acknowledges that key problems confront
the new systems, it has found that the new
radars and satellites have improved
forecasts and warnings. How successful NWS
will ultimately be in this endeavor, however,
partly depends on how quickly it can address
several key problems that we have
identified.

Although the development and deployment
of the observing systems associated with
NWS’ modernization are nearing completion,
unresolved issues remain concerning the
observing systems’ operational effectiveness
and efficient maintenance. To illustrate, we
reported that the new radars are not always
up and running when severe weather is
threatening,13 and that the ground-based
sensors fall short of performance and user




13
 Weather Forecasting: Radar Availability Requirements Not Being
Met (GAO/AIMD-95-132, May 31, 1995) and Weather Forecasting:
Radars Far Superior to Predecessors, but Location and Availability
Questions Remain (GAO/T-AIMD-96-2, Oct. 17, 1995).

Page 27                 GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




expectations, particularly when the weather
is active.14

We recommended that NWS correct shortfalls
in radar performance and define and
prioritize all ground-based sensor
corrections needed to meet user needs. NWS
addressed some of our radar and
ground-based sensor performance concerns,
but others remain. Also, we recently
reported that NWS has not managed this
massive investment through sound
decision-making processes.15 For instance,
NWS lacks a means by which to ensure that
systems provide promised returns on
investments. Currently, only the radars have
had their benefits analyzed. In addition, the
sizable staff reductions that the
modernization promised will not be realized.
For example, we reported in 1995 that NWS
originally planned to reduce staff by
21 percent, but now the goal has been scaled
back to 8 percent.16 NWS attributes the
reduced goal primarily to needing more staff

14
 Weather Forecasting: Unmet Needs and Unknown Costs Warrant
Reassessment of Observing System Plans (GAO/AIMD-95-81,
April 21, 1995).
15
 Information Technology Investment: Agencies Can Improve
Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64,
Sept. 30, 1996).
16
   Weather Service Modernization Staffing (GAO/AIMD-95-239R,
Sept. 26, 1995).

Page 28                GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




than originally envisioned to operate new
systems and to unanticipated requirements
that were beyond NWS’ control.

Further, the centerpiece of the
modernization—the forecaster workstations
that will integrate observing systems’ data
and support forecaster decision-making—is
far from providing all promised capabilities,
for several reasons. These workstations have
been delayed and become more expensive
because of design problems and
management shortcomings. In addition,
workstation development continues without
all the technical process capabilities
advocated by the Software Engineering
Institute (SEI), although NWS did improve
some of its capabilities based on our
recommendation to do so.17 Also, NWS has
not demonstrated that all proposed
capabilities will result in mission
improvements, thereby increasing the risk




17
  Weather Forecasting: Improvements Needed in Laboratory
Software Development Processes (GAO/AIMD-95-24, Dec. 14,
1994). SEI, part of Carnegie Mellon University, has developed
generally recognized standards for gauging an organization’s ability
to develop or acquire software.

Page 29                 GAO/HR-97-9 Information Management
    High-Risk System Development and
    Modernization Efforts




    that spending will be wasted on unneeded
    system capabilities.18

    In 1996, we made several recommendations
    that, if implemented, will strengthen NWS’
    ability to manage the acquisition of these
    workstations. Specifically, we recommended
    that NWS

•   validate all workstation requirements on the
    basis of mission impact,
•   improve its process to test software,
•   establish a software quality assurance
    program, and
•   obtain an independent cost assessment since
    NWS does not have reliable project cost
    information.19

    As we reported in our 1995 high-risk series,
    the modernization and evolution of this
    major systems initiative has long begged for
    a guiding systems architecture. NWS has
    acknowledged that this technical blueprint is
    needed and is currently developing one to
    address our March 1994 recommendation to

    18
     Weather Forecasting: NWS Has Not Demonstrated that New
    Processing System Will Improve Mission Effectiveness
    (GAO/AIMD-96-29, Feb. 29, 1996). Weather Forecasting: New
    Processing System Faces Uncertainties and Risks
    (GAO/T-AIMD-96-47, Feb. 29, 1996).
    19
     Weather Forecasting: Recommendations to Address New Weather
    Processing Systems Development Risks (GAO/AIMD-96-74, May 13,
    1996).

    Page 30               GAO/HR-97-9 Information Management
High-Risk System Development and
Modernization Efforts




do so. In the meantime, however, NWS will
continue to incur higher system
development and maintenance costs and
reduced performance until the systems
architecture is developed and enforced.20




20
 Weather Forecasting: Systems Architecture Needed for National
Weather Service Modernization (GAO/AIMD-94-28, Mar. 11, 1994).

Page 31                GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues



              One sign of the federal government’s
              growing dependence on information
              technology is the emergence of high-risk
              issues that are critical to operations at all
              agencies. This year, we are designating two
              governmentwide information management
              issues as high risk: information security and
              the Year 2000 problem. These issues require
              not only agency-specific actions, but also
              cooperative efforts among the executive
              branch and the Congress to manage risks
              and develop solutions.


Information   Malicious attacks on computer systems are
Security      an increasing threat to our national welfare.
              We rely heavily on interconnected systems
              to control critical functions, such as
              communications, financial services,
              transportation, and utilities. Though greater
              use of interconnected systems promises
              significant benefits in improved business and
              government operations, such systems are
              much more vulnerable to anonymous
              intruders, who may manipulate data to
              commit fraud, obtain sensitive information,
              or severely disrupt operations.

              At the federal level, system
              interconnectivity, combined with poor
              security management, is putting billions of


              Page 32         GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues




dollars worth of assets at risk of loss and
vast amounts of sensitive data at risk of
unauthorized disclosure. In addition, the
increasing reliance on networked systems
and electronic records has elevated
concerns that critical federal operations are
vulnerable to serious disruption. This is
because automated systems and electronic
records are fast replacing manual
procedures and paper documents, which in
many cases are no longer available as
“backup” if automated systems fail. Further,
although such disruption could be
precipitated by natural disasters or
accidents, there is evidence that some
organizations are developing strategies and
tools for conducting premeditated attacks on
information systems.

Many federal operations that rely on
computer networks are attractive targets for
individuals or organizations with malicious
intentions. Examples include law
enforcement, import entry processing,
various financial transactions, payroll,
defense operational plans, electronic benefit
payments, and electronically submitted
medicare claims.

Despite their sensitivity and criticality,
federal systems and data are not being


Page 33             GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues




adequately protected. Since June 1993, we
have issued over 30 reports describing
serious information security weaknesses at
major federal agencies.

For example, in May 1996, we reported that
tests at the Department of Defense showed
that Defense systems may have experienced
as many as 250,000 attacks during 1995, that
about 64 percent of attacks were successful
at gaining access, and that only a small
percentage of these attacks were detected.1
In September 1996, we reported that, during
the previous 2 years, serious information
security control weaknesses had been
reported for 10 of the 15 largest federal
agencies.2 For half of these agencies, the
weaknesses had been reported repeatedly
for 5 years or longer. Several of our most
disturbing reports on information security
are for limited official use and, therefore,
cannot be discussed here because of the risk
that unscrupulous individuals may attempt
to exploit reported weaknesses.


1
 Information Security: Computer Attacks at Department of Defense
Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996);
Information Security: Computer Attacks at Department of Defense
Pose Increasing Risks (GAO/T-AIMD-96-92, May 22, 1996); and
Information Security: Computer Hacker Information Available on
the Internet (GAO/T-AIMD-96-108, June 5, 1996).
2
 Information Security: Opportunities for Improved OMB Oversight
of Agency Practices (GAO/AIMD-96-110, Sept. 24, 1996).

Page 34                GAO/HR-97-9 Information Management
    Governmentwide High-Risk Issues




    Many of the federal information security
    weaknesses and causal factors reported over
    the last few years were identified as a direct
    result of the annual financial statement
    audits initiated under the Chief Financial
    Officers Act of 1990. Although these audits
    pertain primarily to financial management
    systems, they generally include a review of
    computer-based controls that affect a
    significant portion of an agency’s broader
    operations.

    In addition to describing information
    security weaknesses, our reports contain
    dozens of recommendations to individual
    agencies for improvement. Agencies have
    acted on many of these recommendations,
    and, in early 1996, OMB issued updated
    guidance to agencies on the security of
    federal automated information resources.
    However, several underlying factors need to
    be addressed to help ensure that federal
    agencies adequately protect their systems
    and data on a continuing basis. These factors
    include:

•   insufficient awareness and understanding of
    information security risks among senior
    agency officials,




    Page 35             GAO/HR-97-9 Information Management
    Governmentwide High-Risk Issues




•   poorly designed and implemented security
    programs that do not adequately monitor
    controls or proactively address risk,
•   a shortage of personnel with the technical
    expertise needed to manage controls in
    today’s sophisticated information technology
    environment, and
•   limited oversight of agency practices at a
    governmentwide level.

    In light of the increasing importance of
    information security and the pattern of
    widespread problems that has emerged,
    stronger central leadership is needed. Our
    previously cited September 1996 report3
    concluded that OMB needs to play a more
    proactive role in promoting awareness and
    in monitoring agency practices—a role that
    was recently reemphasized in the PRA and
    Clinger-Cohen Act. In particular, we
    recommended that OMB engage assistance
    from private contractors and others with
    appropriate expertise to assist in monitoring
    agency information security programs. Also,
    as chair of the Chief Information Officers
    Council, OMB should encourage council
    members to adopt information security as
    one of their top priorities and develop a
    strategic plan for addressing the root causes


    3
     GAO/AIMD-96-110, Sept. 24, 1996.

    Page 36                GAO/HR-97-9 Information Management
                    Governmentwide High-Risk Issues




                    of agency security problems. Such a plan
                    could include

                •   developing information on existing and
                    emerging information security risks,
                •   establishing a program for reviewing the
                    adequacy of individual agency security
                    programs using interagency teams of
                    reviewers, and
                •   developing or identifying training and
                    certification programs that could be shared
                    among agencies.

                    OMB reported in December 1996 that it has
                    begun efforts to improve its oversight of
                    federal agencies’ activities in information
                    security by holding a training session for
                    program examiners to increase their
                    understanding of this management issue and
                    its implications. In addition, the CIO Council
                    has included information security as one of
                    its priorities. However, at present, it is too
                    early to assess the adequacy of OMB’s or the
                    Council’s response to our concerns.


The Year 2000       At 12:01 on New Year’s morning of the year
Problem             2000, many computer systems could either
                    fail to run or malfunction—thereby
                    producing inaccurate results—simply
                    because the equipment and software were


                    Page 37             GAO/HR-97-9 Information Management
    Governmentwide High-Risk Issues




    not designed to accommodate the change of
    date to the new millennium.

    The Year 2000 problem is rooted in the way
    dates are recorded and computed in many
    computer systems. For the past several
    decades, systems have typically used two
    digits to represent the year, such as “97”
    representing 1997, in order to conserve on
    electronic data storage and reduce operating
    costs. With this two-digit format, however,
    the year 2000 is indistinguishable from 1900,
    2001 from 1901, and so on. As a result of this
    ambiguity, system or application programs
    that use dates to perform calculations,
    comparisons, or sorting may generate
    incorrect results when working with years
    after 1999.

    Unless this problem is resolved ahead of
    time, widespread operational and financial
    impacts could affect federal, state, and local
    governments; foreign governments; and
    private-sector organizations worldwide. At
    the federal level, scenarios like these are
    possible:

•   IRS’tax systems could be unable to process
    returns, which in turn could jeopardize the
    collection of revenue and the entire tax
    processing system.


    Page 38             GAO/HR-97-9 Information Management
    Governmentwide High-Risk Issues




•   Payments to veterans with
    service-connected disabilities could be
    severely delayed because Veterans Affairs’
    compensation and pension system either
    halts or produces checks that are so
    erroneous that the system must be shut
    down and the checks processed manually.
•   Social Security Administration’s disability
    insurance process could experience major
    disruptions because the interface with
    various state systems fails, thereby causing
    delays and interruptions in disability
    payments to citizens.
•   Federal systems used to track student
    education loans could produce erroneous
    information on loan status, such as
    indicating that an unpaid loan had been
    satisfied.

    While the date issue will reach a crescendo
    at the end of the century, date-related
    problems have been manifesting themselves
    for some time. For example, the Defense
    Department had medical benefits
    computational problems in 1980 with its
    Defense Entitlement Eligibility Report
    System (DEERS). Had the system not been
    corrected, people who were 45 years old, or
    younger, would have been erroneously
    terminated from receiving their entitlement
    benefits.


    Page 39             GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues




Other problems are just beginning to show
up. Recently, a Defense Logistics Agency
system marked 3-year contracts as
delinquent even though they had not yet
been let. Defense has also uncovered
date-related problems in its Space Defense
Operations Center involving a system that
supports its Integrated Tactical Warning and
Attack Assessment community. Testing
revealed 10 date-related discrepancies that
would have caused a significant operational
impact.

Other federal agencies face similar
operational risks and impacts. Resolving the
date problem will involve extensive,
resource-intensive efforts due to the large
scale of many federal systems and the
numerous dependencies and interactions
they often have with systems of both
private-sector organizations and state
agencies.

To complicate matters further, many
government computer systems were
originally designed and developed 20 to 25
years ago, are poorly documented, and use a
wide variety of computer languages—many
of which are old or obsolete. The systems
consist of tens or hundreds of computer
programs, each with thousands, tens of


Page 40             GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues




thousands, or even millions of lines of code,
which must be examined for date problems.
Moreover, the government’s computer
systems, like private sector systems, have
numerous components—hardware,
firmware, operating systems,
communications applications, and database
software—that are affected by the date
problem.

Given that every federal agency is at risk of
system failures, the 104th Congress held
hearings to determine the severity of the
problem and the progress that agencies were
making to deal with it. For instance, in
April 1996, the House Government Reform
and Oversight Committee surveyed 24
departments and agencies. They found that
only 9 had developed plans for addressing
the problem.

With the year 2000 less than 3 years away,
much work must be done, and done quickly.
Ensuring that systems are Year 2000
compliant represents the widest-scale
system and software conversion effort ever
attempted. Agencies must immediately
assess their Year 2000 risk exposure, and
plan and budget for achieving Year 2000
compliance for all of their mission critical
systems. This will involve identifying and


Page 41             GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues




analyzing mission-critical computer systems,
developing date conversion strategies and
plans, and dedicating sufficient resources to
convert the computer systems by early 1999
in order to allow 1 year for additional testing
and error correction. Agencies will also need
to develop contingency plans for those
systems that they are unable to change in
time.

In 1995, OMB formed an interagency working
group on the year 2000 issue, which is now
under the President’s recently established
Chief Information Officers Council. The
basic federal strategy for resolving the year
2000 problem relies on Chief Information
Officers to raise management awareness of
the problem at their agencies, and then
direct work to assess the scope of the
changes needed, renovate the systems that
need to be changed, test the changed
systems, and then implement them. OMB is
currently working with agencies to establish
time frames for completing these steps.
Regulatory action has also been taken to
assist agencies in acquiring information
products and systems that are already year
2000 compliant, whenever possible.

We are currently working with the Congress
and the executive branch to identify specific


Page 42             GAO/HR-97-9 Information Management
Governmentwide High-Risk Issues




recommendations for resolving the Year
2000 problem. In this regard, we plan to
review efforts at the Department of Defense,
IRS, the Social Security Administration, FAA,
Veterans Affairs, and the Health Care
Financing Administration. In addition, we
are developing a set of audit templates for
use by the audit community and agencies to
identify their risk areas.




Page 43             GAO/HR-97-9 Information Management
Further Action Needed



            The high-risk system development and
            modernization problems described above are
            common across the government—and have
            been for many years. A broad set of
            solutions is needed to help agencies prevent
            high risks and maximize the benefits of
            technology for improving performance and
            reducing costs. Similarly, there is a need to
            strengthen federal agencies’ ability to
            effectively address emerging technology
            issues and problems on a governmentwide
            basis.

            To improve this situation, we have worked
            closely with the Congress since our 1995
            high-risk report to fundamentally revamp
            and modernize federal information
            management practices. Our study of leading
            public and private sector organizations
            showed how they applied an integrated set
            of management practices to create the
            information technology infrastructures they
            needed to dramatically improve their
            performance and achieve mission goals.1
            These practices provide federal agencies
            with essential lessons on how to overcome
            the root causes of their chronic information
            management problems.


            1
             Executive Guide: Improving Mission Performance Through
            Strategic Information Management and Technology—Learning
            from Leading Organizations (GAO/AIMD-94-115, May 1994).

            Page 44               GAO/HR-97-9 Information Management
                Further Action Needed




                The 104th Congress used these lessons to
                create the first significant reforms in
                information technology management in over
                a decade: the 1995 PRA and the Clinger-Cohen
                Act of 1996.2 These laws, discussed below,
                focus sharply on building a foundation for
                sustained improvement by (1) establishing
                strong agency-level leadership in technology
                issues and (2) implementing sound
                processes for approving and managing
                investments in technology.


Strong Agency   Senior executives in the successful
Leadership in   organizations we studied were personally
Information     committed to improving the management of
Management Is   technology. Agency leaders likewise must
Critical        recognize the urgent need to improve their
                agencies’ information management practices
                and create and maintain the momentum for
                implementing reform.

                Both PRA and the Clinger-Cohen Act make
                agency heads directly responsible for
                effective information management. Among
                their key duties, agency heads are to



                2
                 The Omnibus Consolidated Appropriations Act, 1997, renamed
                both the Federal Acquisition Reform Act of 1996 and the
                Information Technology Management Reform Act of 1996 as the
                “Clinger-Cohen Act of 1996.”

                Page 45               GAO/HR-97-9 Information Management
    Further Action Needed




•   establish goals for improving the use of
    information technology in enhancing the
    productivity, efficiency, and effectiveness of
    agency operations and service to the public;
•   measure the actual performance and
    contribution of technology in supporting
    agency programs; and
•   include with their agencies’ OMB budget
    submission a report on the progress being
    made in meeting operational improvement
    goals through the use of technology.

    In short, rather than leaving technology
    issues to mid-level specialists, agency heads
    must incorporate strategic information
    management into an executive-level general
    management framework—one that
    incorporates the agency’s budget process
    and a set of solid performance measures.

    To help them carry out these new
    responsibilities, the heads of agencies are to
    designate a Chief Information Officer (CIO).
    The CIO is to be much more than a senior
    technology manager. As a top-level executive
    reporting directly to the agency head, the CIO
    is responsible for achieving mission results
    through technology by

•   working with the agency head and senior
    managers on effective information


    Page 46             GAO/HR-97-9 Information Management
    Further Action Needed




    management to achieve the agency’s
    strategic performance goals;
•   promoting improvements to work processes
    used to carry out programs;
•   increasing the value of the agency’s
    information resources by developing and
    implementing an integrated agencywide
    technology architecture; and
•   strengthening the agency’s knowledge, skills,
    and capabilities to effectively manage
    information resources, deal with emerging
    technology issues, and develop needed
    systems.

    As we learned from appointments to the
    Chief Financial Officer positions, getting the
    right people in place will make a real
    difference in implementing lasting
    management reforms. The reforms simply
    will not work without qualified, effective
    leadership. OMB is monitoring the agencies’
    CIO appointments at 28 federal agencies and
    has found mixed progress. According to OMB,
    as of November 1996, many agencies had
    CIOs or acting CIOs who had limited
    operational and technical experience,
    unclear roles, additional duties besides
    information resources management, and/or
    did not report directly to the agency head.
    OMB is continuing to evaluate these situations
    as agencies take further actions.


    Page 47             GAO/HR-97-9 Information Management
                 Further Action Needed




                 Along with the top executives and CIOs,
                 program managers have critical leadership
                 responsibilities for information management.
                 In successful organizations we studied,
                 managers work with the CIOs to define
                 information needs for their programs and
                 develop strategies, systems, and capabilities
                 to meet those needs. The reform legislation
                 calls for program officials to take ownership
                 of technology projects and be held
                 accountable for their results. This represents
                 a major shift away from the common
                 practice of delegating system development
                 projects to technical specialists.


Controlling      A key practice identified in our study of
Investments in   leading organizations is that they manage
Information      information technology projects as
Technology       investments. Top executives periodically
                 assess all major projects—proposed, under
                 development, and operational—then
                 prioritize them and make funding decisions
                 based on factors such as cost, risk, return on
                 investment, and support of mission-related
                 outcomes. Once projects are selected for
                 funding, executives monitor them
                 continually, taking quick actions to resolve
                 development problems and mitigate risks.
                 After a project is implemented, executives
                 evaluate actual versus expected results and


                 Page 48             GAO/HR-97-9 Information Management
    Further Action Needed




    revise their investment management process
    based on lessons learned.

    PRA and the Clinger-Cohen Act incorporate
    these features into new requirements on how
    technology-related projects are to be
    selected and managed. The heads of
    agencies are to design and implement a
    structure for maximizing the value and
    managing the risk of technology
    investments, including

•   establishing a process to select, control, and
    evaluate information technology investments
    using quantitative and qualitative criteria and
    data;
•   modernizing inefficient administrative and
    mission-related work processes before
    making significant technology investments
    to support them;
•   mitigating the risks of acquiring large,
    complex systems by building them in a
    modular fashion; and
•   monitoring project progress and
    performance using up-to-date data.

    Current federal practices fall far short of
    these expectations. For example, in our
    report on the technology investment
    practices at five federal agencies, only one
    had defined decision criteria for cost, risk,


    Page 49             GAO/HR-97-9 Information Management
Further Action Needed




and return.3 In the absence of such
information, investment decisions were
disproportionately based on subjective,
qualitative factors. Generally, data on a
project’s cost, schedule, risks, and returns
were not documented, defined, or kept
current, and in many cases was not used to
make investment decisions. Instead,
agencies focused on justifying funding for
new technology projects rather than
managing all projects as a portfolio of
competing investments. Once a project was
approved, the agency exerted little effort to
ensure that information on it was kept
accurate and up to date. Rarely were data
used to manage a project’s progress
throughout its life cycle.

Under the new legislation, OMB has
significant leadership responsibility in
directing agencies to implement investment
reforms. In our information technology
investment report, cited above, we
recommended that OMB develop guidance for
agencies on implementing a technology
investment decision-making process,
including advising agencies on the minimum
quality standards for data used to assess
cost, benefit, and risks. We also

3
 Information Technology Investment: Agencies Can Improve
Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64,
Sept. 30, 1996).

Page 50               GAO/HR-97-9 Information Management
                Further Action Needed




                recommended that OMB ensure that agencies’
                investment control processes are in
                compliance with such guidance by assessing
                their strengths and weaknesses, and
                developing remedial actions and timetables
                for any needed improvements.


Strong          Controlling and preventing high risks will
Congressional   depend largely on how well federal agencies
Oversight Is    implement PRA and the Clinger-Cohen Act.
Essential to    From our past experience with the
Successful      implementation of the Chief Financial
                Officers Act, for which important progress
Reform
                has been made, we know that the early days
                following the passage of reform legislation
                are telling. The level of interest shown by the
                105th Congress in driving and overseeing the
                implementation of the reforms will send a
                strong signal to the agencies that they should
                move vigorously to implement them.
                Congressional oversight should focus on
                progress being made in the following four
                areas.

                (1) Executive Accountability: The
                Congress should assure itself that agency
                heads are educating their agencies about the
                reforms and putting in place the
                management structure to implement them.
                Agency heads should currently be devoting


                Page 51             GAO/HR-97-9 Information Management
Further Action Needed




time, talent, and resources to analyzing the
strengths and weaknesses of their
information management practices. Our own
experience in assisting agencies with such
self-assessments has identified many
fundamental problems that must be quickly
addressed, such as poor performance
measures, vaguely defined customer needs,
and weak integration of technology
investment into the planning, budgeting, and
evaluation processes.

Members of Congress should expect agency
heads to provide hard numbers and facts on
their information technology spending and
how it is being used to improve mission
performance. As noted earlier, the reform
legislation requires annual reports by agency
heads to OMB on the program performance
benefits achieved from capital investments
in information technology and how these
benefits relate to the achievement of the
agency’s goals. Probing discussions of these
reports should be a regular feature of
congressional budget, appropriations, and
oversight hearings.

(2) CIO responsibilities: The Congress
should closely monitor the progress that
agency heads are making in appointing
well-qualified CIOs who have sound


Page 52             GAO/HR-97-9 Information Management
Further Action Needed




expertise, practical experience, and proven
track records in information technology and
strategic management.

Each CIO should be positioned as a senior
management partner, reporting directly to
the agency head. In addition to strong
sponsorship from agency heads, CIOs need
active support from other senior executives
in setting up effective information
management practices that meet the intent
of the reform legislation. CIO responsibilities
should focus sharply on strategic
information management issues, and not be
burdened with other activities, such as
administrative services, personnel, and
contracting—as has often happened in the
past. Similarly, the CIO and Chief Financial
Officer positions should not be combined
under one person, since the problems
associated with financial and information
management are very significant and require
full-time attention by separate individuals
with appropriate talent, skills, and
experience in each area.

The Congress should expect to see CIOs
making clear progress in defining and
implementing information management
policies, guidelines, and standards consistent
with the reform legislation. They should be


Page 53             GAO/HR-97-9 Information Management
Further Action Needed




establishing a sound information technology
architecture at their agencies to provide a
framework for integrating current and new
systems. And they should be active in
identifying the technical skills and
capabilities that their agencies need to
acquire and manage information resources
in a disciplined manner to better control risk
and achieve desired outcomes. Ultimately,
these actions should result in measurable
improvements in mission performance.

(3) Interagency Actions: Building on the
agency-level CIO positions established under
the reform legislation, the President has
established a CIO Council to develop
recommendations on governmentwide
information technology policies, procedures,
and standards. This Council will be a critical
test of the efficacy of CIOs in taking
concerted action to address and control
governmentwide technology risks. Initially,
the Congress should focus on the Council’s
progress in promoting effective federal
technology investment reforms at their
agencies and dealing with the
governmentwide information security and
Year 2000 issues.

(4) Investment Oversight and OMB
Leadership: Given the federal government’s


Page 54             GAO/HR-97-9 Information Management
    Further Action Needed




    long-standing record of poor investments in
    information technology, a much higher level
    of oversight should be applied to agencies’
    investment management processes and the
    actual results achieved. The Congress should
    closely monitor how well agencies are
    institutionalizing processes to select,
    control, and evaluate their technology
    projects. By now, heads of agencies should
    be well on their way to defining and
    implementing the elements of an investment
    decision-making process called for by the
    legislation. One measure of progress is to
    review the effectiveness of agencies’ actions
    in bringing under control the high-risk
    modernization efforts described in this
    report.

    As part of this oversight effort, the Congress
    should also assess the effectiveness of OMB’s
    leadership in two areas:

•   establishing guidance and policies for
    agencies to follow in implementing the
    investment reforms and
•   evaluating the results of agency technology
    investments and enforcing accountability for
    results through the executive branch budget
    process.




    Page 55             GAO/HR-97-9 Information Management
    Further Action Needed




    In the first area, OMB has been proactive in
    drafting new policies and procedures to
    assist agencies in establishing technology
    investment decision-making processes. For
    example, OMB has issued a guide on
    evaluating information technology
    investments for use by its own staff and the
    agencies.4 It is important that OMB continue
    to clearly define expectations for agencies
    and for itself in this key area.

    As for OMB’s oversight of agency technology
    portfolios, we recommended in our
    previously cited technology investment
    report that OMB

•   develop recommendations for the
    President’s budget on funding levels for
    technology projects that take account of an
    agency’s track record in delivering
    performance improvements from technology
    investments and
•   develop an approach for determining
    whether OMB itself is having an impact on
    reducing the risk or increasing the returns
    on agency information technology
    investments.




    4
    Evaluating Information Technology Investments: A Practical
    Guide, version 1.0 (S/N 041-001-00460-2, Nov. 1, 1995).

    Page 56                GAO/HR-97-9 Information Management
Further Action Needed




To its credit, OMB issued an October 25, 1996,
memorandum to heads of executive
departments and agencies laying out
decision criteria that OMB will use in
evaluating major information system
investments proposed for funding under the
President’s fiscal year 1998 budget. The
criteria strongly reinforce the provisions of
the reform legislation. In the memorandum,
OMB states that as a general presumption, it
will recommend new and continued funding
only for those major system investments that
satisfy these criteria.

OMB’s  effectiveness will depend greatly on its
ability to marshall the resources and
expertise that its staff needs to produce
sound evaluations of agencies’ technology
investment portfolios. Given existing
workloads and the resilience of the OMB
culture, OMB will have little impact on the
quality of technology investment
decision-making without a determined effort
to build the necessary assessment skills.

Finally, as part of its review of the budget
proposals for FY 1998, the Congress should
look for clear evidence that the soundness of
an agency’s investment process, along with
its track record in achieving performance



Page 57             GAO/HR-97-9 Information Management
Further Action Needed




improvements from technology, is being
considered in executive branch funding
requests for information systems.




Page 58             GAO/HR-97-9 Information Management
Page 59   GAO/HR-97-9 Information Management
Related GAO Reports



Strategic          Information Technology Investment:
Information        Agencies Can Improve Performance, Reduce
Management         Costs, and Minimize Risks (GAO/AIMD-96-64,
                   Sept. 30, 1996).

                   NASA Chief Information Officer:
                   Opportunities to Strengthen Information
                   Resources Management (GAO/AIMD-96-78,
                   Aug. 15, 1996).

                   Information Management Reform: Effective
                   Implementation Is Essential for Improving
                   Federal Performance (GAO/T-AIMD-96-132,
                   July 17, 1996).

                   Government Reform: Using Reengineering
                   and Technology to Improve Government
                   Performance (GAO/T-OCG-95-2, Feb. 2, 1995).

                   Executive Guide: Improving Mission
                   Performance Through Strategic Information
                   Management and Technology (GAO/AIMD-94-115,
                   May 1994).


Internal Revenue   Tax Systems Modernization: Actions
Service            Underway But Management and Technical
                   Weaknesses Not Yet Corrected
                   (GAO/T-AIMD-96-165, Sept. 10, 1996).




                   Page 60         GAO/HR-97-9 Information Management
Related GAO Reports




IRSOperations: Critical Need to Continue
Improving Core Business Practices
(GAO/T-AIMD/GGD-96-188, Sept. 10, 1996).

Internal Revenue Service: Business
Operations Need Continued Improvement
(GAO/AIMD/GGD-96-152, Sept. 9, 1996).

Tax Systems Modernization: Cyberfile
Project Was Poorly Planned and Managed
(GAO/AIMD-96-140, Aug. 26, 1996).

Tax Systems Modernization: Actions
Underway But IRS Has Not Yet Corrected
Management and Technical Weaknesses
(GAO/AIMD-96-106, June 7, 1996).

Tax Systems Modernization: Management
and Technical Weaknesses Must Be
Corrected If Modernization Is To Succeed
(GAO/AIMD-95-156, July 26, 1995).

IRSAutomation: Controlling Electronic Filing
Fraud and Improper Access to Taxpayer
Data (GAO/T-AIMD/GGD-94-183, July 19, 1994).

Tax Systems Modernization: Automated
Underreporter Project Shows Need for
Human Resource Planning (GAO/GGD-94-159,
July 8, 1994).



Page 61               GAO/HR-97-9 Information Management
                  Related GAO Reports




                  Tax Systems Modernization: Status of
                  Planning and Technical Foundation
                  (GAO/T-AIMD-GGD-94-104, March 2, 1994).


FAA Air Traffic   Air Traffic Control: Complete and Enforced
Control           Architecture Needed for FAA Systems
Modernization     Modernization (GAO/AIMD-97-30, Feb. 3, 1997).

                  Air Traffic Control: Improved Cost
                  Information Needed to Make Billion Dollar
                  Modernization Investment Decisions
                  (GAO/AIMD-97-20, Jan. 22, 1997).

                  Air Traffic Control: Good Progress on
                  Interim Replacement for Outage-Plagued
                  System, but Risks Can Be Further Reduced
                  (GAO/AIMD-97-2, Oct. 17, 1996).

                  Aviation Acquisition: A Comprehensive
                  Strategy Is Needed for Cultural Change at
                  FAA (GAO/RCED-96-159, Aug. 22, 1996).


                  Air Traffic Control: Status of FAA’s
                  Modernization Program (GAO/RCED-95-175FS,
                  May 26, 1995).

                  Advanced Automation System: Implications
                  of Problems and Recent Changes
                  (GAO/T-RCED-94-188, Apr. 13, 1994).



                  Page 62               GAO/HR-97-9 Information Management
              Related GAO Reports




Defense       Defense IRM: Strategy Needed for Logistics
Corporate     Information Technology Improvement
Information   Efforts (GAO/AIMD-97-6, Nov. 14, 1996).
Management
              DOD Accounting Systems: Efforts to
              Improve Systems for Navy Need Overall
              Structure (GAO/AIMD-96-99, Sept. 30, 1996).

              Defense IRM: Critical Risks Facing New
              Materiel Management Strategy
              (GAO/AIMD-96-109, Sept. 6, 1996).

              Defense Transportation: Migration Systems
              Selected Without Adequate Analysis
              (GAO/AIMD-96-81, Aug. 29, 1996).

              Defense Management: Selection of Depot
              Maintenance Standard System Not Based on
              Sufficient Analyses (GAO/AIMD-95-110, July 13,
              1995).

              Defense Management: Impediments
              Jeopardize Logistics Corporate Information
              Management (GAO/NSIAD-95-28, Oct. 21, 1994).

              Defense Management: Stronger Support
              Needed for Corporate Information
              Management Initiative to Succeed
              (GAO/AIMD/NSIAD-94-101, April 12, 1994).




              Page 63               GAO/HR-97-9 Information Management
                   Related GAO Reports




National Weather   NOAA Satellites (GAO/AIMD-96-141R, Sept. 13,
Service            1996).
Modernization
                   Weather Forecasting: Recommendations to
                   Address New Weather Processing System
                   Development Risks (GAO/AIMD-96-74, May 13,
                   1996).

                   Weather Forecasting: New Processing
                   System Faces Uncertainties and Risks
                   (GAO/T-AIMD-96-47, Feb. 29, 1996).

                   Weather Forecasting: NWS Has Not
                   Demonstrated That New Processing System
                   Will Improve Mission Effectiveness
                   (GAO/AIMD-96-29, Feb. 29, 1996).

                   Weather Forecasting: Radars Far Superior to
                   Predecessors, but Location and Availability
                   Questions Remain (GAO/T-AIMD-96-2, Oct. 17,
                   1995).

                   Weather Service Modernization Staffing
                   (GAO/AIMD-95-239R, Sept. 26, 1995).

                   Weather Forecasting: Radar Availability
                   Requirements Not Being Met (GAO/AIMD-95-132,
                   May 31, 1995).

                   Weather Forecasting: Unmet Needs and
                   Unknown Costs Warrant Reassessment of


                   Page 64               GAO/HR-97-9 Information Management
              Related GAO Reports




              Observing System Plans (GAO/AIMD-95-81,
              April 21, 1995).

              Weather Service Modernization Questions
              (GAO/AIMD-95-106R, March 10, 1995).

              Weather Service Modernization: Despite
              Progress, Significant Problems and Risks
              Remain (GAO/T-AIMD-95-87, Feb. 21, 1995).

              Meteorological Satellites (GAO/NSIAD-95-87R,
              Feb. 6, 1995).

              Weather Forecasting: Improvements Needed
              in Laboratory Software Development
              Processes (GAO/AIMD-95-24, Dec. 14, 1994).

              Weather Forecasting: Systems Architecture
              Needed for National Weather Service
              Modernization (GAO/AIMD-94-28, March 11,
              1994).

              Weather Forecasting: Important Issues on
              Automated Weather Processing System Need
              Resolution (GAO/IMTEC-93-12BR, Jan. 6, 1993).


Information   Information Security: Opportunities for
Security      Improved OMB Oversight of Agency Practices
              (GAO/AIMD-96-110, Sept. 24, 1996).



              Page 65               GAO/HR-97-9 Information Management
Related GAO Reports




Financial Audit: Examination of IRS’ Fiscal
Year 1995 Financial Statements
(GAO/AIMD-96-101, July 11, 1996).

Information Security: Computer Hacker
Information Available on Internet
(GAO/T-AIMD-96-108, June 5, 1996).

Information Security: Computer Attacks at
Department of Defense Pose Increasing
Risks (GAO/AIMD-96-84, May 22, 1996).

Information Security: Computer Attacks at
Department of Defense Pose Increasing
Risks (GAO/T-AIMD-96-92, May 22, 1996).

Security Weaknesses at IRS’ Cyberfile Data
Center (GAO/AIMD-96-85R, May 9, 1996).

Financial Audit: Federal Family Education
Loan Program’s Financial Statements for
Fiscal Years 1994 and 1993 (GAO/AIMD-96-22,
Feb. 26, 1996).

Department of Energy: Procedures Lacking
To Protect Computerized Data
(GAO/AIMD-95-118, June 5, 1995).

Information Superhighway: An Overview of
Technology Challenges (GAO/AIMD-95-23,
Jan. 23, 1995).


Page 66               GAO/HR-97-9 Information Management
Related GAO Reports




Financial Audit: Examination of Customs’
Fiscal Year 1993 Financial Statements
(GAO/AIMD-94-119, June 15, 1994).

HUD Information Resources: Strategic
Focus and Improved Management Controls
Needed (GAO/AIMD-94-34, April 14, 1994).

IRSInformation Systems: Weaknesses
Increase Risk of Fraud and Impair Reliability
of Management Information (GAO/AIMD-93-34,
Sept. 22, 1993).




Page 67               GAO/HR-97-9 Information Management
1997 High-Risk Series



             An Overview (GAO/HR-97-1)

             Quick Reference Guide (GAO/HR-97-2)

             Defense Financial Management (GAO/HR-97-3)

             Defense Contract Management (GAO/HR-97-4)

             Defense Inventory Management (GAO/HR-97-5)

             Defense Weapon Systems Acquisition
             (GAO/HR-97-6)

             Defense Infrastructure (GAO/HR-97-7)

             IRS   Management (GAO/HR-97-8)

             Information Management and Technology
             (GAO/HR-97-9)

             Medicare (GAO/HR-97-10)

             Student Financial Aid (GAO/HR-97-11)

             Department of Housing and Urban
             Development (GAO/HR-97-12)

             Department of Energy Contract Management
             (GAO/HR-97-13)




             Page 68           GAO/HR-97-9 Information Management
1997 High-Risk Series




Superfund Program Management
(GAO/HR-97-14)




The entire series of 14 high-risk reports
can be ordered using the order number
GAO/HR-97-20SET.




Page 69                 GAO/HR-97-9 Information Management
Ordering Information

The first copy of each GAO report and testimony
is free. Additional copies are $2 each. Orders
should be sent to the following address,
accompanied by a check or money order made
out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards
are accepted, also. Orders for 100 or more
copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th & G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling
(202) 512-6000 or by using fax number
(301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available
reports and testimony. To receive facsimile
copies of the daily list or any list from the past
30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide
information on how to obtain these lists.

For information on how to access GAO reports
on the INTERNET, send an e-mail message with
"info" in the body to: info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:
http://www.gao.gov
United States
                                    Bulk Rate
General Accounting Office
                               Postage & Fees Paid
Washington, D.C. 20548-0001
                                      GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested