United States General Accounting Office

GAO
High-Risk Series
February 1997

Information Management and Technology

GAO/HR-97-9

GAO
United States General Accounting Office
Washington, D.C. 20548

Comptroller General of the United States

February 1997

The President of the Senate
The Speaker of the House of Representatives

In 1990, the General Accounting Office began a special effort to review and report on the federal program areas its work identified as high risk because of vulnerabilities to waste, fraud, abuse, and mismanagement. This effort, which was supported by the Senate Committee on Governmental Affairs and the House Committee on Government Reform and Oversight, brought a much-needed focus on problems that were costing the government billions of dollars. In December 1992, GAO issued a series of reports on the fundamental causes of problems in high-risk areas, and in a second series in February 1995, it reported on the status of efforts to improve those areas. This, GAO’s third series of reports, provides the current status of designated high-risk areas.

This report focuses on major, multibillion dollar information system development and modernization efforts at the Internal Revenue Service, the Federal Aviation Administration, the Department of Defense, and the National Weather Service. These efforts are having serious trouble meeting cost, schedule, and/or performance goals. Such problems are all too common in federal automation projects. Agencies have obligated over $145 billion during the past 6 years building, buying, and maintaining computer systems and networks. Yet this vast investment has yielded poor returns in reducing federal operating costs, improving performance, supporting sound financial management, achieving mission results, and providing quality service to the American public.

In addition, we discuss two governmentwide information management issues. The first is information security.
Despite the sensitivity and criticality of federal information systems, they are not being adequately protected from unauthorized access. The second issue involves the need to change computer systems so that they can accommodate dates after the year 1999. Unless corrected, computer programs that use dates to perform calculations, comparisons, and sorting may generate incorrect results when working with the years 2000 and beyond.

As dependence on computers grows and new high-risk areas emerge, federal agencies need to adopt modern practices to correct underlying management problems that impede effective system development and operations. In reviewing technology budget proposals, the 105th Congress should determine whether agencies are implementing recently enacted reform legislation—the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996. This legislation, which incorporates best practices of successful organizations, is designed to strengthen executive leadership in information management and institute sound capital investment decision-making for maximizing the potential benefits from information systems.

Copies of this report series are being sent to the President, the congressional leadership, all other Members of the Congress, the Director of the Office of Management and Budget, and the heads of major departments and agencies.

James F. Hinchman
Acting Comptroller General of the United States

Contents

Overview
High-Risk System Development and Modernization Efforts
Governmentwide High-Risk Issues
Further Action Needed
Related GAO Reports
1997 High-Risk Series

Overview

The federal government’s dependence on computer systems, networks, and electronic records to carry out its work continues to accelerate.
Information systems are now integral to nearly every aspect of over $1.5 trillion in annual federal government operations and spending—from national defense and air traffic control to revenue collection and benefit payments. Yet, despite years of experience in developing systems, agencies across government continue to have chronic problems harnessing the full potential of information technology to improve performance, cut costs, and enhance responsiveness to the public.

The Problem

During the past 6 years, agencies have obligated over $145 billion building up and maintaining their information technology infrastructure. The benefits from this vast expenditure, however, have frequently been disappointing. GAO reports and congressional hearings have chronicled numerous system development efforts that suffered from multimillion dollar cost overruns, schedule slippages measured in years, and dismal mission-related results. At the same time, the public has become accustomed to high levels of quality and service from leading private sector organizations. They are increasingly frustrated by the fact that they cannot get comparable performance from their national government.

This poor return on information technology investments has also left the Congress and executive branch severely handicapped by the lack of reliable data for measuring the costs and results of agency operations and making well-informed decisions. For instance, agencies are still a long way from demonstrating the most basic fiscal accountability to the public—such as passing the test of an independent audit—largely due to inadequate financial management and accounting systems.

Progress to Date

Recognizing the urgent need for improvement, the 104th Congress passed landmark reforms in information technology management.
The Paperwork Reduction Act of 1995 is the overarching statute dealing with the acquisition and management of information resources—including information technology—by federal agencies. It emphasizes that agencies need to acquire and apply such resources to effectively support the accomplishment of agency missions and the delivery of services to the public. The Clinger-Cohen Act of 1996 repeats this theme and elaborates on requirements for agencies to follow when acquiring information technology. Together, these acts direct agencies to implement a framework of modern technology management—one based on practices followed by leading public-sector and private-sector organizations that have successfully used technology to dramatically improve performance and meet strategic goals.

Among their many provisions, the reforms emphasize involving senior executives in information management decisions, appointing qualified senior-level Chief Information Officers, establishing appropriate agencywide technology standards, imposing much-needed discipline over technology spending, redesigning inefficient work processes, and using performance measures to assess technology’s contribution in achieving mission results for the American people.

These management practices provide proven, practical methods for addressing the federal government’s information management problems, maximizing benefits from technology spending, and controlling the risks of system acquisition and development efforts. The challenge now is for agencies to apply this framework to their own technology efforts, particularly those with questionable returns, high risks, and high costs.
The importance of quickly implementing these reforms is emphasized by the fact that all four multibillion-dollar information technology efforts listed in our 1995 High-Risk Series[1] remain at high risk of being late, running over cost, and/or falling short of promised benefits. They are (1) the Internal Revenue Service’s (IRS) Tax Systems Modernization, (2) the Federal Aviation Administration’s (FAA) Air Traffic Control modernization, (3) the Department of Defense’s Corporate Information Management initiative, and (4) the National Weather Service’s (NWS) modernization. Each of these continues to suffer from one or more problems, such as unsound investment control, poor project management, and ongoing technical weaknesses—areas specifically addressed by the new legislation. Corrective measures are underway on many fronts, but our prior recommendations have not yet been fully implemented.

[1] GAO High-Risk Series, An Overview (GAO/HR-95-1, Feb. 1995).

Along with these four agency-specific efforts, we are including two new high-risk areas that touch virtually every major aspect of government operations. The first is information security. Despite the sensitivity and criticality of federal information systems, they are not being adequately protected from unauthorized access. Security weaknesses abound, creating serious pervasive risks for the federal government, such as potential disclosure of sensitive data, loss of assets worth billions of dollars due to fraud, and disruption of critical operations.

The second area involves the need for computer systems to be changed to accommodate dates beyond the year 1999. This “year 2000” problem stems from the common practice of abbreviating years by their last two digits. Computer systems could interpret “00” as the year 1900 instead of the year 2000, “01” as 1901, and so on.
The resulting miscalculations involving dates and the computation of elapsed time could cascade through all kinds of activities, such as loans, mortgages, pensions, tax records, and benefit payments. Federal agencies need to take steps quickly to assess and correct this problem before time runs out.

Outlook for the Future

Will the picture be any different in another 2 years? A great deal depends on leadership by agency heads, their Chief Information Officers, and senior program executives. Agencies need to establish goals for using information technology to enhance the productivity, efficiency, and effectiveness of their operations. Progress toward these goals should be measured and reported in annual budget submissions. In addition, agencies need to improve work processes used to carry out programs, develop and implement an integrated agencywide technology architecture, and strengthen their staffs’ capabilities to manage information resources, deal with emerging technology issues, and develop needed systems. Each agency must also establish a structured process for selecting, controlling, and evaluating their capital investments in technology in order to maximize mission-related benefits and control risks.

The Congress also will need to be vigilant in overseeing agencies’ information technology investments and project management. The recently enacted reforms could easily dissipate unless congressional committees use the full range of their budget, appropriations, and oversight functions to hold agency leaders accountable for implementing them promptly. The Congress should assure itself that agency heads are working to identify strengths and weaknesses in their information management practices. Congressional committees should expect agencies to provide hard data on how technology spending is being used to improve mission performance and reduce operating costs.
And there should be clear evidence that each agency has implemented a sound technology investment control process. The Congress should also see to it that the Office of Management and Budget (OMB) is carrying out its critical role in guiding the agencies in implementing investment reforms and that OMB is enforcing accountability for achieving improvements through the executive branch budget process.

High-Risk System Development and Modernization Efforts

Our 1995 High-Risk Series included four multibillion-dollar modernization efforts that were having serious trouble meeting their cost, schedule, and/or performance goals.[1] In our ongoing work, we have continued to make specific recommendations for mitigating risks in areas such as investment control, system development, and technical infrastructure. These agencies have made some progress. Still, the level of improvement has not yet been enough to bring the problems under control. After 2 years, all four remain on our high-risk list.

[1] GAO/HR-95-1, Feb. 1995.

IRS’ Tax Systems Modernization

Over the last decade, IRS has been attempting to overhaul its timeworn, paper-intensive approach to tax return processing. In 1995, we identified serious management and technical weaknesses in the modernization program that jeopardize its successful completion, recommended many actions to fix the problems, and added IRS’ modernization to our high-risk list. Since then, IRS and Treasury have together taken several steps to implement our recommendations, but much remains to be done. At stake is the over $3 billion that IRS has spent or obligated on this modernization since 1986, as well as any additional funds that IRS plans to spend on modernization.
In July 1995,[2] we reported that IRS (1) did not have a comprehensive business strategy to cost effectively reduce paper tax return filings and (2) had not yet fully developed and put in place the requisite management, software development, and technical infrastructure necessary to successfully implement its ambitious, world-class modernization. We also reported that IRS lacked an overall systems architecture, or blueprint, to guide the modernization’s development and evolution. At that time, we made over a dozen recommendations to the IRS Commissioner to address these weaknesses. Collectively, the recommendations called for IRS to (1) formulate a comprehensive business strategy for maximizing electronic filings, (2) improve its strategic information management by implementing a process for selecting, prioritizing, controlling, and evaluating the progress and performance of all major information systems and investments, (3) implement disciplined, consistent procedures for software requirements management, quality assurance, configuration management, and project planning and tracking, and (4) complete and enforce an integrated systems architecture and security and data architectures. IRS agreed to implement our recommendations.

[2] Tax Systems Modernization: Management and Technical Weaknesses Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995).

In May 1996, Treasury reported to the House and Senate Appropriations Committees on steps under way and planned to exert greater management oversight of IRS’ modernization efforts.[3] For example, it established a Modernization Management Board as the primary review and decision-making body for modernization and for policy and strategic direction.
In addition, Treasury scaled back the overall size of the modernization by approximately $2 billion and is working with IRS to obtain additional contractor help to accomplish the modernization.

[3] Report to House and Senate Appropriations Committees: Progress Report on IRS’s Management and Implementation of Tax Systems Modernization, Department of the Treasury, May 6, 1996.

Pursuant to congressional direction, we assessed IRS’ actions to correct its management and technical weaknesses, as delineated in Treasury’s report on tax systems modernization. We reported in June and September 1996 that IRS had initiated many activities to improve its modernization efforts but had not yet fully implemented any of our recommendations. Consequently, in order to minimize the risk attached to continued investment in systems modernization, we suggested to the Congress that it consider limiting modernization funding exclusively to cost-effective efforts that (1) support ongoing operations and maintenance, (2) correct IRS’ pervasive management and technical weaknesses, (3) are small, represent low technical risk, and can be delivered quickly, and (4) involve deploying already developed and fully tested systems that have proven business value and are not premature given the lack of a completed architecture.

To help oversee IRS’ modernization, the Congress in the fiscal year 1997 Omnibus Consolidated Appropriations Act[4] directed IRS to (1) submit by December 1, 1996, a schedule for transferring a majority of its modernization development and deployment to contractors by July 31, 1997, and (2) establish a schedule by February 1, 1997, for implementing our recommendations by October 1, 1997. In its conference report on the act, the Congress directed the Secretary of the Treasury to (1) provide quarterly reports on the status of IRS’ corrective actions and modernization spending[5] and (2) submit by May 15, 1997, a technical architecture for the modernization that has been approved by Treasury’s Modernization Management Board. Additionally, the Board was directed to prepare a request for proposals by July 31, 1997, to acquire a prime contractor to manage modernization deployment and implementation.

[4] P.L. 104-208, Sept. 30, 1996.
[5] H.R. Report No. 863, 104th Cong., 2d sess. (1996). The Congress also included the requirement that Treasury provide a milestone schedule for developing and implementing all modernization projects in Treasury’s fiscal year 1996 appropriations act (P.L. 104-52, Nov. 19, 1995).

IRS has continued to take steps to address our recommendations and respond to congressional direction. For example, IRS hired a new Chief Information Officer. It also created an investment review board to select, control, and evaluate its information technology investments. Thus far, the board has reevaluated and terminated selected major modernization development projects, such as the Document Processing System (DPS). Additionally, IRS (1) provided a November 26, 1996, report to the Congress that set forth IRS’ strategic plan and schedule for shifting modernization development and deployment to contractors, (2) is finalizing a comprehensive strategy to maximize electronic filing that is scheduled for completion in early 1997, and (3) is updating its system development life cycle methodology and working across various IRS organizations to define disciplined processes for software requirements management, quality assurance, configuration management, and project planning and tracking.
Additionally, IRS is developing a technical architecture for the modernization and plans to provide this to the Congress by May 15, 1997. Further, IRS is preparing a schedule for implementing our recommendations and plans to provide it to the Congress in February 1997.

While we recognize IRS’ and Treasury’s actions to address these problems, we remain concerned. Much remains to be done to fully implement essential improvements. Increasing the use of contractors, for example, will not automatically increase the likelihood of successful modernization because IRS does not have the technical capability needed to manage all of its current contractors. As a case in point, IRS’ Cyberfile—a system development effort led by contractors to enable taxpayers to personally prepare and file their tax returns electronically—exhibited many undisciplined software acquisition practices as well as inadequate financial and management controls. Eventually, IRS canceled the Cyberfile project after spending over $17 million and without fielding any of the system’s promised capabilities. Therefore, if IRS is to use additional contractors effectively, it will have to first strengthen and improve its ability to manage those contractors.

In addition, IRS needs to continue to make concerted, sustained efforts to fully implement our recommendations and respond effectively to the requirements outlined by the Congress. It will take both management commitment and technical discipline for IRS to do this effectively. Accordingly, we plan to continue assessing IRS’ progress in its critical endeavor to modernize.

FAA’s Air Traffic Control Modernization

Faced with rapidly growing air traffic volumes and aging air traffic control equipment, the FAA in 1981 initiated an ambitious air traffic control (ATC) modernization program.
This effort, which is expected to cost $34 billion through fiscal year 2003, mostly involves investments in a multitude of software-intensive computer systems. Over the past 15 years, the modernization program has experienced cost overruns, schedule delays, and performance shortfalls of large proportions—particularly in the $7.6 billion former centerpiece of the modernization known as the Advanced Automation System, which FAA restructured in 1994. The acquisition of that system failed because FAA did not recognize the technical complexity of the effort, realistically estimate the resources required, adequately oversee its contractors’ activities, or effectively control system requirements.[6] With $11 billion planned to be spent on the ATC program from fiscal years 1998 through 2003, and billions more surely to follow, it is critical that FAA overcome the weaknesses that threaten this effort.

[6] Advanced Automation System: Implications of Problems and Recent Changes (GAO/T-RCED-94-188, Apr. 13, 1994).

To its credit, FAA has made progress in acquiring an interim replacement for its outage-plagued system that processes data into displayable images on controllers’ screens.[7] Although key acquisition milestones, events, and risks remain, FAA is currently on track to deliver promised capabilities ahead of schedule and within budget. Further, when we recommended that two risks associated with system testing—contention for human test resources and test baseline configuration change control—be formally managed, FAA officials agreed to do so.

Still, serious problems remain.
The many systems comprising the modernization effort have long proceeded without the benefit of a complete systems architecture, or overall blueprint, to guide development and evolution.[8] The result has been unnecessarily higher spending to buy, integrate, and maintain hardware and software. For example, the number of application programming languages used on existing systems has been left unchecked, growing to 53. This has needlessly increased software maintenance costs and hindered software reuse among systems. We have recommended that FAA develop and enforce a complete systems architecture and implement a management structure for doing so that is similar to the Chief Information Officers provisions of the Clinger-Cohen Act of 1996.

[7] Air Traffic Control: Good Progress on Interim Replacement for Outage-Plagued System, but Risks Can Be Further Reduced (GAO/AIMD-97-2, Oct. 17, 1996).
[8] Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30, Feb. 3, 1997).

Exacerbating the modernization’s problems is unreliable cost information—both future estimates of costs and accumulations of actual costs.[9] According to the Clinger-Cohen Act of 1996, the selection of information technology investments should be based on competing projects’ estimated costs, benefits, and risks. To effectively manage these investments, their actual cost performance must be measured against their cost estimates. However, FAA lacks the adequate cost estimating processes and cost accounting practices needed to do so, leaving it at risk of making ill-informed decisions on critical multimillion, even billion, dollar air traffic control systems. We recommended that FAA institutionalize defined processes for estimating projects’ cost, and develop and implement a managerial cost accounting capability.
[9] Air Traffic Control: Improved Cost Information Needed to Make Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20, Jan. 22, 1997).

FAA must also address problems in its organizational culture, which does not reflect a strong enough commitment to mission focus, accountability, coordination, and adaptability.[10] For example, project officials established unrealistic cost estimates in order to obtain funding and suppressed news about setbacks in order to avoid heightened managerial oversight. Without strong leadership to promote the desired organizational behavior, the modernization effort’s problems will be difficult to overcome. We recommended that FAA develop a comprehensive strategy for addressing this issue.

[10] Aviation Acquisition: A Comprehensive Strategy Is Needed for Cultural Change at FAA (GAO/RCED-96-159, Aug. 22, 1996).

To further pinpoint the root causes of FAA’s modernization problems, we have a review underway to determine whether FAA’s software acquisition capability is sufficiently mature to successfully modernize the highly complex, real-time ATC system.

Defense’s Corporate Information Management Initiative

The Department of Defense’s Corporate Information Management (CIM) initiative, started in 1989, was expected to save billions of dollars by streamlining operations and implementing standard information systems supporting such important business areas as supply distribution, materiel management, personnel, finance, and transportation. However, 8 years after beginning CIM, and after spending about $20 billion, Defense’s savings goal has not been met because the Department has not yet implemented sound management practices.
We have made numerous recommendations for improving the Department’s management of CIM, including (1) better linking system modernization projects to business process improvement efforts, (2) establishing plans, performance measures, and clearly defined roles and responsibilities for implementing CIM, (3) improving controls over information technology investments, and (4) not initiating system improvement projects without sound economic and technical analyses.[11] But Defense has yet to successfully implement these recommendations. Instead, it continues to spend billions of dollars on system migration projects with little sound analytical justification.[12] Rather than relying on a rigorous decision-making process for information technology investments—as used in leading private and public sector organizations that we studied—Defense is making system migration decisions without

• appropriately analyzing costs, benefits, and technical risks;
• establishing realistic project schedules; or
• considering how business process improvements could affect technology investments.

[11] Defense Management: Stronger Support Needed for Corporate Information Management Initiative to Succeed (GAO/AIMD/NSIAD-94-101, April 12, 1994); Defense Management: Selection of Depot Maintenance Standard System Not Based on Sufficient Analyses (GAO/AIMD-95-110, July 13, 1995); Defense Transportation: Migration Systems Selected Without Adequate Analysis (GAO/AIMD-96-81, August 29, 1996); and Defense IRM: Critical Risks Facing New Material Management Strategy (GAO/AIMD-96-109, September 6, 1996).
[12] A migration system is an automated information system which replaces several systems that perform similar functions.

Further, in some cases, Defense has denied its own decisionmakers the opportunity to evaluate the progress of technology investments over time by forgoing its established oversight process.

Not surprisingly, the results of Defense’s major technology investments have been meager. For example, in the transportation area, it has made some investments that are likely to result in a negative return on investment. For materiel management, it has abandoned its system modernization strategy after spending over $700 million. For depot maintenance, Defense expects to spend over $1 billion to develop a standard system that will achieve less than 2.3 percent in reduced operational costs over a 10-year period.

The Department estimates that additional spending on system migration projects between now and the year 2000 will total more than $11 billion. As part of its Clinger-Cohen Act implementation efforts, the Department is establishing a framework for better managing this investment using its planning, programming, and budgeting system. While a step in the right direction, this initiative is just beginning. We have ongoing and planned work—including reviews of the Department’s system modernization strategy and investment controls—aimed at helping Defense managers make well-informed business decisions based on an accurate picture of the costs of technology investments, their related benefits, and an appreciation for how they fit into the Department’s long-term and short-term goals.

National Weather Service’s Modernization

NWS decided almost 15 years ago to leverage the power of information technology to “do more with less.” Promising better weather forecasts and downsized operations, NWS has been acquiring new observing systems—such as radars, satellites, and ground-based sensors—as well as powerful forecaster workstations, at a combined cost of about $4.5 billion.
Although NWS acknowledges that key problems confront the new systems, it has found that the new radars and satellites have improved forecasts and warnings. How successful NWS will ultimately be in this endeavor, however, partly depends on how quickly it can address several key problems that we have identified.

Although the development and deployment of the observing systems associated with NWS’ modernization are nearing completion, unresolved issues remain concerning the observing systems’ operational effectiveness and efficient maintenance. To illustrate, we reported that the new radars are not always up and running when severe weather is threatening,[13] and that the ground-based sensors fall short of performance and user expectations, particularly when the weather is active.[14] We recommended that NWS correct shortfalls in radar performance and define and prioritize all ground-based sensor corrections needed to meet user needs. NWS addressed some of our radar and ground-based sensor performance concerns, but others remain.

[13] Weather Forecasting: Radar Availability Requirements Not Being Met (GAO/AIMD-95-132, May 31, 1995) and Weather Forecasting: Radars Far Superior to Predecessors, but Location and Availability Questions Remain (GAO/T-AIMD-96-2, Oct. 17, 1995).

Also, we recently reported that NWS has not managed this massive investment through sound decision-making processes.[15] For instance, NWS lacks a means by which to ensure that systems provide promised returns on investments. Currently, only the radars have had their benefits analyzed. In addition, the sizable staff reductions that the modernization promised will not be realized.
For example, we reported in 1995 that NWS originally planned to reduce staff by 21 percent, but now the goal has been scaled back to 8 percent.[16] NWS attributes the reduced goal primarily to needing more staff than originally envisioned to operate new systems and to unanticipated requirements that were beyond NWS’ control.

[14] Weather Forecasting: Unmet Needs and Unknown Costs Warrant Reassessment of Observing System Plans (GAO/AIMD-95-81, April 21, 1995).
[15] Information Technology Investment: Agencies Can Improve Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, Sept. 30, 1996).
[16] Weather Service Modernization Staffing (GAO/AIMD-95-239R, Sept. 26, 1995).

Further, the centerpiece of the modernization—the forecaster workstations that will integrate observing systems’ data and support forecaster decision-making—is far from providing all promised capabilities, for several reasons. These workstations have been delayed and become more expensive because of design problems and management shortcomings. In addition, workstation development continues without all the technical process capabilities advocated by the Software Engineering Institute (SEI), although NWS did improve some of its capabilities based on our recommendation to do so.[17] Also, NWS has not demonstrated that all proposed capabilities will result in mission improvements, thereby increasing the risk that spending will be wasted on unneeded system capabilities.[18]

[17] Weather Forecasting: Improvements Needed in Laboratory Software Development Processes (GAO/AIMD-95-24, Dec. 14, 1994). SEI, part of Carnegie Mellon University, has developed generally recognized standards for gauging an organization’s ability to develop or acquire software.
[18] Weather Forecasting: NWS Has Not Demonstrated that New Processing System Will Improve Mission Effectiveness (GAO/AIMD-96-29, Feb. 29, 1996). Weather Forecasting: New Processing System Faces Uncertainties and Risks (GAO/T-AIMD-96-47, Feb. 29, 1996).

In 1996, we made several recommendations that, if implemented, will strengthen NWS’ ability to manage the acquisition of these workstations. Specifically, we recommended that NWS

• validate all workstation requirements on the basis of mission impact,
• improve its process to test software,
• establish a software quality assurance program, and
• obtain an independent cost assessment since NWS does not have reliable project cost information.[19]

[19] Weather Forecasting: Recommendations to Address New Weather Processing Systems Development Risks (GAO/AIMD-96-74, May 13, 1996).

As we reported in our 1995 high-risk series, the modernization and evolution of this major systems initiative has long begged for a guiding systems architecture. NWS has acknowledged that this technical blueprint is needed and is currently developing one to address our March 1994 recommendation to do so. In the meantime, however, NWS will continue to incur higher system development and maintenance costs and reduced performance until the systems architecture is developed and enforced.[20]

[20] Weather Forecasting: Systems Architecture Needed for National Weather Service Modernization (GAO/AIMD-94-28, Mar. 11, 1994).

Governmentwide High-Risk Issues

One sign of the federal government’s growing dependence on information technology is the emergence of high-risk issues that are critical to operations at all agencies.
This year, we are designating two governmentwide information management issues as high risk: information security and the Year 2000 problem. These issues require not only agency-specific actions, but also cooperative efforts among the executive branch and the Congress to manage risks and develop solutions.

Information Security

Malicious attacks on computer systems are an increasing threat to our national welfare. We rely heavily on interconnected systems to control critical functions, such as communications, financial services, transportation, and utilities. Though greater use of interconnected systems promises significant benefits in improved business and government operations, such systems are much more vulnerable to anonymous intruders, who may manipulate data to commit fraud, obtain sensitive information, or severely disrupt operations. At the federal level, system interconnectivity, combined with poor security management, is putting billions of dollars worth of assets at risk of loss and vast amounts of sensitive data at risk of unauthorized disclosure.

In addition, the increasing reliance on networked systems and electronic records has elevated concerns that critical federal operations are vulnerable to serious disruption. This is because automated systems and electronic records are fast replacing manual procedures and paper documents, which in many cases are no longer available as “backup” if automated systems fail. Further, although such disruption could be precipitated by natural disasters or accidents, there is evidence that some organizations are developing strategies and tools for conducting premeditated attacks on information systems.

Many federal operations that rely on computer networks are attractive targets for individuals or organizations with malicious intentions.
Examples include law enforcement, import entry processing, various financial transactions, payroll, defense operational plans, electronic benefit payments, and electronically submitted Medicare claims.

Despite their sensitivity and criticality, federal systems and data are not being adequately protected. Since June 1993, we have issued over 30 reports describing serious information security weaknesses at major federal agencies. For example, in May 1996, we reported that tests at the Department of Defense showed that Defense systems may have experienced as many as 250,000 attacks during 1995, that about 64 percent of attacks were successful at gaining access, and that only a small percentage of these attacks were detected.[1] In September 1996, we reported that, during the previous 2 years, serious information security control weaknesses had been reported for 10 of the 15 largest federal agencies.[2] For half of these agencies, the weaknesses had been reported repeatedly for 5 years or longer. Several of our most disturbing reports on information security are for limited official use and, therefore, cannot be discussed here because of the risk that unscrupulous individuals may attempt to exploit reported weaknesses.

[1] Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996); Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/T-AIMD-96-92, May 22, 1996); and Information Security: Computer Hacker Information Available on the Internet (GAO/T-AIMD-96-108, June 5, 1996).
[2] Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, Sept. 24, 1996).
Many of the federal information security weaknesses and causal factors reported over the last few years were identified as a direct result of the annual financial statement audits initiated under the Chief Financial Officers Act of 1990. Although these audits pertain primarily to financial management systems, they generally include a review of computer-based controls that affect a significant portion of an agency’s broader operations.

In addition to describing information security weaknesses, our reports contain dozens of recommendations to individual agencies for improvement. Agencies have acted on many of these recommendations, and, in early 1996, OMB issued updated guidance to agencies on the security of federal automated information resources. However, several underlying factors need to be addressed to help ensure that federal agencies adequately protect their systems and data on a continuing basis. These factors include:

• insufficient awareness and understanding of information security risks among senior agency officials,
• poorly designed and implemented security programs that do not adequately monitor controls or proactively address risk,
• a shortage of personnel with the technical expertise needed to manage controls in today’s sophisticated information technology environment, and
• limited oversight of agency practices at a governmentwide level.

In light of the increasing importance of information security and the pattern of widespread problems that has emerged, stronger central leadership is needed. Our previously cited September 1996 report[3] concluded that OMB needs to play a more proactive role in promoting awareness and in monitoring agency practices—a role that was recently reemphasized in the PRA and Clinger-Cohen Act.
In particular, we recommended that OMB engage assistance from private contractors and others with appropriate expertise to assist in monitoring agency information security programs. Also, as chair of the Chief Information Officers Council, OMB should encourage council members to adopt information security as one of their top priorities and develop a strategic plan for addressing the root causes of agency security problems. Such a plan could include

• developing information on existing and emerging information security risks,
• establishing a program for reviewing the adequacy of individual agency security programs using interagency teams of reviewers, and
• developing or identifying training and certification programs that could be shared among agencies.

[3] GAO/AIMD-96-110, Sept. 24, 1996.

OMB reported in December 1996 that it has begun efforts to improve its oversight of federal agencies’ activities in information security by holding a training session for program examiners to increase their understanding of this management issue and its implications. In addition, the CIO Council has included information security as one of its priorities. However, at present, it is too early to assess the adequacy of OMB’s or the Council’s response to our concerns.

The Year 2000 Problem

At 12:01 on New Year’s morning of the year 2000, many computer systems could either fail to run or malfunction—thereby producing inaccurate results—simply because the equipment and software were not designed to accommodate the change of date to the new millennium. The Year 2000 problem is rooted in the way dates are recorded and computed in many computer systems.
For the past several decades, systems have typically used two digits to represent the year, such as “97” representing 1997, in order to conserve on electronic data storage and reduce operating costs. With this two-digit format, however, the year 2000 is indistinguishable from 1900, 2001 from 1901, and so on. As a result of this ambiguity, system or application programs that use dates to perform calculations, comparisons, or sorting may generate incorrect results when working with years after 1999.

Unless this problem is resolved ahead of time, widespread operational and financial impacts could affect federal, state, and local governments; foreign governments; and private-sector organizations worldwide. At the federal level, scenarios like these are possible:

• IRS’ tax systems could be unable to process returns, which in turn could jeopardize the collection of revenue and the entire tax processing system.
• Payments to veterans with service-connected disabilities could be severely delayed because Veterans Affairs’ compensation and pension system either halts or produces checks that are so erroneous that the system must be shut down and the checks processed manually.
• Social Security Administration’s disability insurance process could experience major disruptions because the interface with various state systems fails, thereby causing delays and interruptions in disability payments to citizens.
• Federal systems used to track student education loans could produce erroneous information on loan status, such as indicating that an unpaid loan had been satisfied.

While the date issue will reach a crescendo at the end of the century, date-related problems have been manifesting themselves for some time. For example, the Defense Department had medical benefits computational problems in 1980 with its Defense Entitlement Eligibility Report System (DEERS).
Had the system not been corrected, people who were 45 years old, or younger, would have been erroneously terminated from receiving their entitlement benefits.

Other problems are just beginning to show up. Recently, a Defense Logistics Agency system marked 3-year contracts as delinquent even though they had not yet been let. Defense has also uncovered date-related problems in its Space Defense Operations Center involving a system that supports its Integrated Tactical Warning and Attack Assessment community. Testing revealed 10 date-related discrepancies that would have caused a significant operational impact. Other federal agencies face similar operational risks and impacts.

Resolving the date problem will involve extensive, resource-intensive efforts due to the large scale of many federal systems and the numerous dependencies and interactions they often have with systems of both private-sector organizations and state agencies. To complicate matters further, many government computer systems were originally designed and developed 20 to 25 years ago, are poorly documented, and use a wide variety of computer languages—many of which are old or obsolete. The systems consist of tens or hundreds of computer programs, each with thousands, tens of thousands, or even millions of lines of code, which must be examined for date problems. Moreover, the government’s computer systems, like private sector systems, have numerous components—hardware, firmware, operating systems, communications applications, and database software—that are affected by the date problem.

Given that every federal agency is at risk of system failures, the 104th Congress held hearings to determine the severity of the problem and the progress that agencies were making to deal with it.
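The failure modes described above (comparisons, sorting, and calculations on two-digit years) can be reproduced with a few records. The following is an added illustration, not part of the GAO report and not code from any agency system; the YYMMDD record layout, the contract identifiers, and the fixed-window pivot of 50 used for conversion are assumptions made for the example.

```python
from datetime import date

# Constructed sample records: (contract id, due date as legacy YYMMDD text).
CONTRACTS = [
    ("C-001", "961115"),  # due 15 Nov 1996
    ("C-002", "990930"),  # due 30 Sep 1999
    ("C-003", "000131"),  # due 31 Jan 2000
]
TODAY = "970201"          # processing date, 1 Feb 1997


def delinquent_two_digit(contracts, today):
    """Legacy-style check: compare the raw YYMMDD strings."""
    return [cid for cid, due in contracts if due < today]


def sort_two_digit(contracts):
    """Legacy-style sort on the raw YYMMDD field."""
    return [cid for cid, _ in sorted(contracts, key=lambda c: c[1])]


def years_elapsed_two_digit(start_yy, end_yy):
    """Legacy-style interval arithmetic on two-digit years."""
    return end_yy - start_yy


def expand(yymmdd, pivot=50):
    """Convert a YYMMDD value to a date with a four-digit year.

    Assumption for this example: a fixed window in which YY below
    `pivot` means 20YY and anything else means 19YY. A window is only
    safe for fields whose values span less than 100 years.
    """
    if len(yymmdd) != 6 or not yymmdd.isdigit():
        raise ValueError(f"not a YYMMDD value: {yymmdd!r}")
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    return date((2000 if yy < pivot else 1900) + yy, mm, dd)


def delinquent_four_digit(contracts, today, pivot=50):
    """Same check after expanding both sides to four-digit years."""
    today_date = expand(today, pivot)
    return [cid for cid, due in contracts if expand(due, pivot) < today_date]


def sort_four_digit(contracts, pivot=50):
    """Chronological sort on the expanded dates."""
    ordered = sorted(contracts, key=lambda c: expand(c[1], pivot))
    return [cid for cid, _ in ordered]


def years_elapsed_four_digit(start, end):
    """Interval arithmetic on four-digit years."""
    return end.year - start.year


if __name__ == "__main__":
    # The contract due in January 2000 is flagged as overdue in 1997.
    print("two-digit delinquent :", delinquent_two_digit(CONTRACTS, TODAY))
    print("four-digit delinquent:", delinquent_four_digit(CONTRACTS, TODAY))
    # Year "00" sorts ahead of "96" and "99".
    print("two-digit order :", sort_two_digit(CONTRACTS))
    print("four-digit order:", sort_four_digit(CONTRACTS))
    # Someone born in 1955, evaluated in 2000.
    print("two-digit age :", years_elapsed_two_digit(55, 0))
    print("four-digit age:",
          years_elapsed_four_digit(expand("550101"), expand("000101")))
    # Window limit: a 1945 birth date stored as "45" is read as 2045.
    print("windowed '450101':", expand("450101"))
```

The last line shows why a fixed window cannot be applied blindly to fields such as birth dates, which is one reason each date field has to be examined individually during conversion.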
For instance, in April 1996, the House Government Reform and Oversight Committee surveyed 24 departments and agencies. They found that only 9 had developed plans for addressing the problem.

With the year 2000 less than 3 years away, much work must be done, and done quickly. Ensuring that systems are Year 2000 compliant represents the widest-scale system and software conversion effort ever attempted. Agencies must immediately assess their Year 2000 risk exposure, and plan and budget for achieving Year 2000 compliance for all of their mission-critical systems. This will involve identifying and analyzing mission-critical computer systems, developing date conversion strategies and plans, and dedicating sufficient resources to convert the computer systems by early 1999 in order to allow 1 year for additional testing and error correction. Agencies will also need to develop contingency plans for those systems that they are unable to change in time.

In 1995, OMB formed an interagency working group on the year 2000 issue, which is now under the President’s recently established Chief Information Officers Council. The basic federal strategy for resolving the year 2000 problem relies on Chief Information Officers to raise management awareness of the problem at their agencies, and then direct work to assess the scope of the changes needed, renovate the systems that need to be changed, test the changed systems, and then implement them. OMB is currently working with agencies to establish time frames for completing these steps. Regulatory action has also been taken to assist agencies in acquiring information products and systems that are already year 2000 compliant, whenever possible.

We are currently working with the Congress and the executive branch to identify specific recommendations for resolving the Year 2000 problem.
In this regard, we plan to review efforts at the Department of Defense, IRS, the Social Security Administration, FAA, Veterans Affairs, and the Health Care Financing Administration. In addition, we are developing a set of audit templates for use by the audit community and agencies to identify their risk areas.

Further Action Needed

The high-risk system development and modernization problems described above are common across the government—and have been for many years. A broad set of solutions is needed to help agencies prevent high risks and maximize the benefits of technology for improving performance and reducing costs. Similarly, there is a need to strengthen federal agencies’ ability to effectively address emerging technology issues and problems on a governmentwide basis.

To improve this situation, we have worked closely with the Congress since our 1995 high-risk report to fundamentally revamp and modernize federal information management practices. Our study of leading public and private sector organizations showed how they applied an integrated set of management practices to create the information technology infrastructures they needed to dramatically improve their performance and achieve mission goals.[1] These practices provide federal agencies with essential lessons on how to overcome the root causes of their chronic information management problems.

[1] Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology—Learning from Leading Organizations (GAO/AIMD-94-115, May 1994).
The 104th Congress used these lessons to create the first significant reforms in information technology management in over a decade: the 1995 PRA and the Clinger-Cohen Act of 1996.[2] These laws, discussed below, focus sharply on building a foundation for sustained improvement by (1) establishing strong agency-level leadership in technology issues and (2) implementing sound processes for approving and managing investments in technology.

[2] The Omnibus Consolidated Appropriations Act, 1997, renamed both the Federal Acquisition Reform Act of 1996 and the Information Technology Management Reform Act of 1996 as the “Clinger-Cohen Act of 1996.”

Strong Agency Leadership in Information Management Is Critical

Senior executives in the successful organizations we studied were personally committed to improving the management of technology. Agency leaders likewise must recognize the urgent need to improve their agencies’ information management practices and create and maintain the momentum for implementing reform.

Both PRA and the Clinger-Cohen Act make agency heads directly responsible for effective information management. Among their key duties, agency heads are to

• establish goals for improving the use of information technology in enhancing the productivity, efficiency, and effectiveness of agency operations and service to the public;
• measure the actual performance and contribution of technology in supporting agency programs; and
• include with their agencies’ OMB budget submission a report on the progress being made in meeting operational improvement goals through the use of technology.
In short, rather than leaving technology issues to mid-level specialists, agency heads must incorporate strategic information management into an executive-level general management framework—one that incorporates the agency’s budget process and a set of solid performance measures.

To help them carry out these new responsibilities, the heads of agencies are to designate a Chief Information Officer (CIO). The CIO is to be much more than a senior technology manager. As a top-level executive reporting directly to the agency head, the CIO is responsible for achieving mission results through technology by

• working with the agency head and senior managers on effective information management to achieve the agency’s strategic performance goals;
• promoting improvements to work processes used to carry out programs;
• increasing the value of the agency’s information resources by developing and implementing an integrated agencywide technology architecture; and
• strengthening the agency’s knowledge, skills, and capabilities to effectively manage information resources, deal with emerging technology issues, and develop needed systems.

As we learned from appointments to the Chief Financial Officer positions, getting the right people in place will make a real difference in implementing lasting management reforms. The reforms simply will not work without qualified, effective leadership. OMB is monitoring the agencies’ CIO appointments at 28 federal agencies and has found mixed progress. According to OMB, as of November 1996, many agencies had CIOs or acting CIOs who had limited operational and technical experience, unclear roles, additional duties besides information resources management, and/or did not report directly to the agency head. OMB is continuing to evaluate these situations as agencies take further actions.
Along with the top executives and CIOs, program managers have critical leadership responsibilities for information management. In successful organizations we studied, managers work with the CIOs to define information needs for their programs and develop strategies, systems, and capabilities to meet those needs. The reform legislation calls for program officials to take ownership of technology projects and be held accountable for their results. This represents a major shift away from the common practice of delegating system development projects to technical specialists.

Controlling Investments in Information Technology

A key practice identified in our study of leading organizations is that they manage information technology projects as investments. Top executives periodically assess all major projects—proposed, under development, and operational—then prioritize them and make funding decisions based on factors such as cost, risk, return on investment, and support of mission-related outcomes. Once projects are selected for funding, executives monitor them continually, taking quick actions to resolve development problems and mitigate risks. After a project is implemented, executives evaluate actual versus expected results and revise their investment management process based on lessons learned.

PRA and the Clinger-Cohen Act incorporate these features into new requirements on how technology-related projects are to be selected and managed.
The heads of agencies are to design and implement a structure for maximizing the value and managing the risk of technology investments, including

• establishing a process to select, control, and evaluate information technology investments using quantitative and qualitative criteria and data;
• modernizing inefficient administrative and mission-related work processes before making significant technology investments to support them;
• mitigating the risks of acquiring large, complex systems by building them in a modular fashion; and
• monitoring project progress and performance using up-to-date data.

Current federal practices fall far short of these expectations. For example, in our report on the technology investment practices at five federal agencies, only one had defined decision criteria for cost, risk, and return.[3] In the absence of such information, investment decisions were disproportionately based on subjective, qualitative factors. Generally, data on a project’s cost, schedule, risks, and returns were not documented, defined, or kept current, and in many cases were not used to make investment decisions. Instead, agencies focused on justifying funding for new technology projects rather than managing all projects as a portfolio of competing investments. Once a project was approved, the agency exerted little effort to ensure that information on it was kept accurate and up to date. Rarely were data used to manage a project’s progress throughout its life cycle.

Under the new legislation, OMB has significant leadership responsibility in directing agencies to implement investment reforms. In our information technology investment report, cited above, we recommended that OMB develop guidance for agencies on implementing a technology investment decision-making process, including advising agencies on the minimum quality standards for data used to assess cost, benefit, and risks.
We also recommended that OMB ensure that agencies’ investment control processes are in compliance with such guidance by assessing their strengths and weaknesses, and developing remedial actions and timetables for any needed improvements.

[3] Information Technology Investment: Agencies Can Improve Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, Sept. 30, 1996).

Strong Congressional Oversight Is Essential to Successful Reform

Controlling and preventing high risks will depend largely on how well federal agencies implement PRA and the Clinger-Cohen Act. From our past experience with the implementation of the Chief Financial Officers Act, for which important progress has been made, we know that the early days following the passage of reform legislation are telling. The level of interest shown by the 105th Congress in driving and overseeing the implementation of the reforms will send a strong signal to the agencies that they should move vigorously to implement them. Congressional oversight should focus on progress being made in the following four areas.

(1) Executive Accountability: The Congress should assure itself that agency heads are educating their agencies about the reforms and putting in place the management structure to implement them. Agency heads should currently be devoting time, talent, and resources to analyzing the strengths and weaknesses of their information management practices. Our own experience in assisting agencies with such self-assessments has identified many fundamental problems that must be quickly addressed, such as poor performance measures, vaguely defined customer needs, and weak integration of technology investment into the planning, budgeting, and evaluation processes.
Members of Congress should expect agency heads to provide hard numbers and facts on their information technology spending and how it is being used to improve mission performance. As noted earlier, the reform legislation requires annual reports by agency heads to OMB on the program performance benefits achieved from capital investments in information technology and how these benefits relate to the achievement of the agency’s goals. Probing discussions of these reports should be a regular feature of congressional budget, appropriations, and oversight hearings.

(2) CIO responsibilities: The Congress should closely monitor the progress that agency heads are making in appointing well-qualified CIOs who have sound expertise, practical experience, and proven track records in information technology and strategic management. Each CIO should be positioned as a senior management partner, reporting directly to the agency head. In addition to strong sponsorship from agency heads, CIOs need active support from other senior executives in setting up effective information management practices that meet the intent of the reform legislation.

CIO responsibilities should focus sharply on strategic information management issues, and not be burdened with other activities, such as administrative services, personnel, and contracting—as has often happened in the past. Similarly, the CIO and Chief Financial Officer positions should not be combined under one person, since the problems associated with financial and information management are very significant and require full-time attention by separate individuals with appropriate talent, skills, and experience in each area.

The Congress should expect to see CIOs making clear progress in defining and implementing information management policies, guidelines, and standards consistent with the reform legislation.
They should be establishing a sound information technology architecture at their agencies to provide a framework for integrating current and new systems. And they should be active in identifying the technical skills and capabilities that their agencies need to acquire and manage information resources in a disciplined manner to better control risk and achieve desired outcomes. Ultimately, these actions should result in measurable improvements in mission performance.

(3) Interagency Actions: Building on the agency-level CIO positions established under the reform legislation, the President has established a CIO Council to develop recommendations on governmentwide information technology policies, procedures, and standards. This Council will be a critical test of the efficacy of CIOs in taking concerted action to address and control governmentwide technology risks. Initially, the Congress should focus on the Council’s progress in promoting effective federal technology investment reforms at their agencies and dealing with the governmentwide information security and Year 2000 issues.

(4) Investment Oversight and OMB Leadership: Given the federal government’s long-standing record of poor investments in information technology, a much higher level of oversight should be applied to agencies’ investment management processes and the actual results achieved. The Congress should closely monitor how well agencies are institutionalizing processes to select, control, and evaluate their technology projects. By now, heads of agencies should be well on their way to defining and implementing the elements of an investment decision-making process called for by the legislation. One measure of progress is to review the effectiveness of agencies’ actions in bringing under control the high-risk modernization efforts described in this report.
As part of this oversight effort, the Congress should also assess the effectiveness of OMB’s leadership in two areas:

• establishing guidance and policies for agencies to follow in implementing the investment reforms and
• evaluating the results of agency technology investments and enforcing accountability for results through the executive branch budget process.

In the first area, OMB has been proactive in drafting new policies and procedures to assist agencies in establishing technology investment decision-making processes. For example, OMB has issued a guide on evaluating information technology investments for use by its own staff and the agencies.[4] It is important that OMB continue to clearly define expectations for agencies and for itself in this key area.

[4] Evaluating Information Technology Investments: A Practical Guide, version 1.0 (S/N 041-001-00460-2, Nov. 1, 1995).

As for OMB’s oversight of agency technology portfolios, we recommended in our previously cited technology investment report that OMB

• develop recommendations for the President’s budget on funding levels for technology projects that take account of an agency’s track record in delivering performance improvements from technology investments and
• develop an approach for determining whether OMB itself is having an impact on reducing the risk or increasing the returns on agency information technology investments.

To its credit, OMB issued an October 25, 1996, memorandum to heads of executive departments and agencies laying out decision criteria that OMB will use in evaluating major information system investments proposed for funding under the President’s fiscal year 1998 budget. The criteria strongly reinforce the provisions of the reform legislation.
In the memorandum, OMB states that as a general presumption, it will recommend new and continued funding only for those major system investments that satisfy these criteria. OMB’s effectiveness will depend greatly on its ability to marshall the resources and expertise that its staff needs to produce sound evaluations of agencies’ technology investment portfolios. Given existing workloads and the resilience of the OMB culture, OMB will have little impact on the quality of technology investment decision-making without a determined effort to build the necessary assessment skills.

Finally, as part of its review of the budget proposals for FY 1998, the Congress should look for clear evidence that the soundness of an agency’s investment process, along with its track record in achieving performance improvements from technology, is being considered in executive branch funding requests for information systems.

Related GAO Reports

Strategic Information Management

Information Technology Investment: Agencies Can Improve Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, Sept. 30, 1996).
NASA Chief Information Officer: Opportunities to Strengthen Information Resources Management (GAO/AIMD-96-78, Aug. 15, 1996).
Information Management Reform: Effective Implementation Is Essential for Improving Federal Performance (GAO/T-AIMD-96-132, July 17, 1996).
Government Reform: Using Reengineering and Technology to Improve Government Performance (GAO/T-OCG-95-2, Feb. 2, 1995).
Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology (GAO/AIMD-94-115, May 1994).

Internal Revenue Service

Tax Systems Modernization: Actions Underway But Management and Technical Weaknesses Not Yet Corrected (GAO/T-AIMD-96-165, Sept. 10, 1996).
IRS Operations: Critical Need to Continue Improving Core Business Practices (GAO/T-AIMD/GGD-96-188, Sept. 10, 1996).
Internal Revenue Service: Business Operations Need Continued Improvement (GAO/AIMD/GGD-96-152, Sept. 9, 1996).
Tax Systems Modernization: Cyberfile Project Was Poorly Planned and Managed (GAO/AIMD-96-140, Aug. 26, 1996).
Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996).
Tax Systems Modernization: Management and Technical Weaknesses Must Be Corrected If Modernization Is To Succeed (GAO/AIMD-95-156, July 26, 1995).
IRS Automation: Controlling Electronic Filing Fraud and Improper Access to Taxpayer Data (GAO/T-AIMD/GGD-94-183, July 19, 1994).
Tax Systems Modernization: Automated Underreporter Project Shows Need for Human Resource Planning (GAO/GGD-94-159, July 8, 1994).
Tax Systems Modernization: Status of Planning and Technical Foundation (GAO/T-AIMD-GGD-94-104, March 2, 1994).

FAA Air Traffic Control Modernization

Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30, Feb. 3, 1997).
Air Traffic Control: Improved Cost Information Needed to Make Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20, Jan. 22, 1997).
Air Traffic Control: Good Progress on Interim Replacement for Outage-Plagued System, but Risks Can Be Further Reduced (GAO/AIMD-97-2, Oct. 17, 1996).
Aviation Acquisition: A Comprehensive Strategy Is Needed for Cultural Change at FAA (GAO/RCED-96-159, Aug. 22, 1996).
Air Traffic Control: Status of FAA’s Modernization Program (GAO/RCED-95-175FS, May 26, 1995).
Advanced Automation System: Implications of Problems and Recent Changes (GAO/T-RCED-94-188, Apr. 13, 1994).

Defense Corporate Information Management

Defense IRM: Strategy Needed for Logistics Information Technology Improvement Efforts (GAO/AIMD-97-6, Nov. 14, 1996).
DOD Accounting Systems: Efforts to Improve Systems for Navy Need Overall Structure (GAO/AIMD-96-99, Sept. 30, 1996).
Defense IRM: Critical Risks Facing New Materiel Management Strategy (GAO/AIMD-96-109, Sept. 6, 1996).
Defense Transportation: Migration Systems Selected Without Adequate Analysis (GAO/AIMD-96-81, Aug. 29, 1996).
Defense Management: Selection of Depot Maintenance Standard System Not Based on Sufficient Analyses (GAO/AIMD-95-110, July 13, 1995).
Defense Management: Impediments Jeopardize Logistics Corporate Information Management (GAO/NSIAD-95-28, Oct. 21, 1994).
Defense Management: Stronger Support Needed for Corporate Information Management Initiative to Succeed (GAO/AIMD/NSIAD-94-101, April 12, 1994).

National Weather Service Modernization

NOAA Satellites (GAO/AIMD-96-141R, Sept. 13, 1996).
Weather Forecasting: Recommendations to Address New Weather Processing System Development Risks (GAO/AIMD-96-74, May 13, 1996).
Weather Forecasting: New Processing System Faces Uncertainties and Risks (GAO/T-AIMD-96-47, Feb. 29, 1996).
Weather Forecasting: NWS Has Not Demonstrated That New Processing System Will Improve Mission Effectiveness (GAO/AIMD-96-29, Feb. 29, 1996).
Weather Forecasting: Radars Far Superior to Predecessors, but Location and Availability Questions Remain (GAO/T-AIMD-96-2, Oct. 17, 1995).
Weather Service Modernization Staffing (GAO/AIMD-95-239R, Sept. 26, 1995).
Weather Forecasting: Radar Availability Requirements Not Being Met (GAO/AIMD-95-132, May 31, 1995).
Weather Forecasting: Unmet Needs and Unknown Costs Warrant Reassessment of Observing System Plans (GAO/AIMD-95-81, April 21, 1995).
Weather Service Modernization Questions (GAO/AIMD-95-106R, March 10, 1995).
Weather Service Modernization: Despite Progress, Significant Problems and Risks Remain (GAO/T-AIMD-95-87, Feb. 21, 1995).
Meteorological Satellites (GAO/NSIAD-95-87R, Feb. 6, 1995).
Weather Forecasting: Improvements Needed in Laboratory Software Development Processes (GAO/AIMD-95-24, Dec. 14, 1994).
Weather Forecasting: Systems Architecture Needed for National Weather Service Modernization (GAO/AIMD-94-28, March 11, 1994).
Weather Forecasting: Important Issues on Automated Weather Processing System Need Resolution (GAO/IMTEC-93-12BR, Jan. 6, 1993).

Information Security

Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, Sept. 24, 1996).
Financial Audit: Examination of IRS’ Fiscal Year 1995 Financial Statements (GAO/AIMD-96-101, July 11, 1996).
Information Security: Computer Hacker Information Available on Internet (GAO/T-AIMD-96-108, June 5, 1996).
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996).
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/T-AIMD-96-92, May 22, 1996).
Security Weaknesses at IRS’ Cyberfile Data Center (GAO/AIMD-96-85R, May 9, 1996).
Financial Audit: Federal Family Education Loan Program’s Financial Statements for Fiscal Years 1994 and 1993 (GAO/AIMD-96-22, Feb. 26, 1996).
Department of Energy: Procedures Lacking To Protect Computerized Data (GAO/AIMD-95-118, June 5, 1995).
Information Superhighway: An Overview of Technology Challenges (GAO/AIMD-95-23, Jan. 23, 1995).
Financial Audit: Examination of Customs’ Fiscal Year 1993 Financial Statements (GAO/AIMD-94-119, June 15, 1994).
HUD Information Resources: Strategic Focus and Improved Management Controls Needed (GAO/AIMD-94-34, April 14, 1994).
IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information (GAO/AIMD-93-34, Sept. 22, 1993).

1997 High-Risk Series

An Overview (GAO/HR-97-1)
Quick Reference Guide (GAO/HR-97-2)
Defense Financial Management (GAO/HR-97-3)
Defense Contract Management (GAO/HR-97-4)
Defense Inventory Management (GAO/HR-97-5)
Defense Weapon Systems Acquisition (GAO/HR-97-6)
Defense Infrastructure (GAO/HR-97-7)
IRS Management (GAO/HR-97-8)
Information Management and Technology (GAO/HR-97-9)
Medicare (GAO/HR-97-10)
Student Financial Aid (GAO/HR-97-11)
Department of Housing and Urban Development (GAO/HR-97-12)
Department of Energy Contract Management (GAO/HR-97-13)
Superfund Program Management (GAO/HR-97-14)

The entire series of 14 high-risk reports can be ordered using the order number GAO/HR-97-20SET.
High-Risk Series: Information Management and Technology
Published by the Government Accountability Office on 1997-02-01.