
Federal Communications Commission: Strategic Focus Needed to Improve Information Resources Management

Published by the Government Accountability Office on 1990-07-20.


FEDERAL COMMUNICATIONS COMMISSION
Strategic Focus Needed to Improve Information Resources Management



                                                   142297




RESTRICTED -- Not to be released outside the
General Accounting Office unless specifically
approved by the Office of Congressional

RELEASED
United States
General Accounting Office
Washington, D.C. 20548

Information Management and
Technology Division

B-226427

July 20, 1990

The Honorable Robert Wise
Chairman, Subcommittee on Government
  Information, Justice, and Agriculture
Committee on Government Operations
House of Representatives

Dear Mr. Chairman:

In response to your request and as agreed in meetings with your office,
this report discusses the Federal Communications Commission’s (FCC)
information resources management (IRM), concentrating on how the
agency plans and develops information technology to meet its mission.

As you know, FCC is charged with regulating interstate and foreign commerce
through wire and radio communications. Rapid technological change over the
past decade has led to an increasing work load for FCC. FCC is licensing new
communications services, such as low-power television and cellular radio,
and may become more involved in other areas such as cable television.

FCC’s current Chairman and Managing Director believe that increased
information technology support can help the agency accomplish its
increasingly demanding mission. FCC relies on information technology to
help process a million applications for licenses and collect millions of
dollars in licensing fees each year, as well as perform engineering
analyses and other mission-related and administrative functions. The agency
plans to spend about $11 million in fiscal years 1990 through 1993, four
times the money spent over the last 4 years.


Despite the growing importance of information technology to FCC, the
agency has not developed a strategic IRM plan to identify the goals,
direction, and information needed to meet its mission, set priorities, and
guide its information technology budget. Further, some of FCC’s
information systems development policies and practices are not consistent
with federal guidelines for preparing thorough benefit/cost analyses of
alternative systems, or analyses of security risks and needs. Without these
analyses, FCC may not select the best alternatives to effectively and
economically meet users’ needs.




Page 1    GAO/IMTEC-90-52 FCC Information Resources Management




Finally, FCC has not prepared an emergency plan to continue operations
if its computers are disabled. It has an agreement to use another
agency’s facilities to back up its largest computer, but has never tested
whether the facility can handle FCC’s work load. Both the Office of
Management and Budget and FCC require the development, maintenance, and
testing of an emergency plan. Without this plan, FCC risks not being able
to effectively accomplish its licensing or other missions if its computers
are unexpectedly lost for an extended period. FCC has not reported this
risk as a material internal control weakness under the Federal Managers’
Financial Integrity Act.


Strategic IRM Plan Needed to Guide FCC’s Use of Technology

FCC’s mission is becoming increasingly demanding. Applications for new
communication services, such as low-power television (a service in
which signals are broadcast within relatively small areas) and cellular
radio (mobile telephone service) have increased FCC’s licensing work
load. FCC’s former Chairman noted in testimony before the Senate
Committee on Appropriations in May 1989, that FCC has been falling behind
in processing license applications. In the case of land mobile radio
licenses, processing was taking about 175 days, 60 percent longer than
the year before. FCC also anticipates the need for new rules, which may
further increase its work load. For example, the direct broadcasting of
television programs via satellite is a potential new service. FCC may also
apply additional controls over the cable television industry and it may
need to increase its oversight of telephone companies if they are allowed
to offer new services.

FCC’s current Chairman and Managing Director, who began their duties
in August and October 1989, respectively, believe that the increased use
of information technology can help the agency accomplish its mission.
The Managing Director said that he and the Chairman are committed to
supporting a substantial increase in spending for information
technology, even if it means hiring fewer staff for critical vacancies. The
agency plans to spend about $11 million on information technology to
support mission and administrative functions between fiscal years 1990
and 1993, four times the $2.5 million spent from fiscal years 1986
through 1989.

Because of the increasing demands on the agency, and its plans to spend
more on information technology, it is an opportune time for FCC to fulfill
the requirement to develop a strategic IRM plan. In developing this plan,
FCC needs to examine its changing mission, how it will achieve it, and
how information and information technology can be of help.






FCC Has Not Developed a Strategic IRM Plan

Office of Management and Budget (OMB) Circular A-130 requires federal
agencies to establish a multiyear strategic planning process for
acquiring and operating information technology. A December 1988 FCC
directive also requires that a strategic IRM plan be developed that
identifies the long-range goals and direction of the IRM program and guides
its bureaus in developing tactical information technology plans. Despite
these requirements, FCC has not yet developed a strategic IRM plan that
builds on its business strategy by identifying the goals, direction, and
information needed to meet its mission, set priorities, and guide
information technology investment. Typically, strategic IRM planning
includes top management commitment and involvement, updating the plan as
changes occur in mission or program direction, and setting priorities.
The strategic plan should be supported with tactical plans of action for
achieving strategic goals.¹

FCC’s directive charges its IRM Steering Committee, which is made up of
the Chiefs of FCC’s four bureaus and the Office of Engineering and
Technology, with (1) developing and recommending to the Managing Director
long-term goals and directions for the IRM program, and (2) reviewing
the annually prepared strategic plan and recommending priorities for
proposed information technology projects. According to the Chief of
FCC’s IRM Steering Committee, FCC does not have a strategic IRM plan and
the annual 5-year plan is a tactical plan. He said that a strategic plan is
needed, the Committee intends to prepare one, and has started to
discuss what it might include. However, the Committee has not started to
prepare it or set a date for its completion. Also, the preparation of a
strategic IRM plan is not a formal responsibility of Committee members
and may therefore be less of a priority than their other responsibilities.²

In commenting on a draft of this report, the FCC’s Managing Director
stated that he considered the agency’s annual plan to be a strategic plan,
and also noted that FCC prepared the 1980 Blueprint, which provides a
longer range view. He said that the agency’s IRM planning efforts have
been constrained in the past because of austere budgets, but that FCC
intends to substantially increase its efforts in the future. To this end, he
noted that FCC has initiated several studies that he believes will help
strategically guide the FCC’s IRM program for the next decade.

¹ A Five-Year Plan for Meeting the Automated Data Processing Needs of the
Federal Government, Volume 1: Planning Strategies, Office of Management and
Budget, General Services Administration and Department of Commerce,
April 1984.

² In FCC’s Management by Objectives program, formal responsibilities are set
forth in performance contracts with each senior manager.







These studies are intended to address FCC’s need for information
technology support in several areas, including (1) how automation can help
formulate policy, (2) how information is created, used, and transferred
within the agency, and (3) how electronic filing can support the
licensing process. These studies should help determine the usefulness of
information technology support. These studies could also provide
information that would be useful to top management in developing a
strategic IRM plan.

Past FCC Information Technology Goals Identified but Not Achieved

FCC staff recognized a decade ago that information technology could help
the agency accomplish its mission. A 1980 FCC study, commonly called
the Blueprint,³ proposed that FCC make greater use of information
technology to help do its work.

The study fell short of being a strategic IRM plan because it did not set
the agency’s priorities, nor was it approved by FCC’s Chairman, or
supported by tactical plans. The study was noteworthy, however, because
its authors, the Chiefs of FCC’s bureaus, identified how FCC could better
achieve several important mission functions, namely, licensing,
policymaking, and disseminating public information through greater use of
electronic information handling. Although FCC has increased its level of
office automation and its use of automation to support license
processing since 1980, it has not made the other mission-related
improvements identified in this plan.

The Blueprint noted the rapidly growing number of paper documents in
the agency’s public reference rooms and proposed introducing
automation to help the public quickly obtain FCC documents. Quick retrieval
of documents is important because parties generally have short deadlines
to contest an application filed with the FCC, file a competing application,
or respond to proposed rules, tariffs, or other proceedings.

³ The Future of Electronic Information Handling at the FCC-Blueprint for
the 80’s, FCC ADP Steering Committee, October 31, 1980.

Despite this need, FCC did not introduce automation into its reference
rooms. Subsequently, users complained about poor service, and, in
response, the Subcommittee on Government Information, Justice, and
Agriculture, House Committee on Government Operations, held hearings
in 1988. We testified that FCC had problems managing the heavy volume
of documents in its reference rooms, such as not being able to locate
requested documents.⁴ The Committee concluded that FCC was not
providing adequate service to the public and that this occurred because the
reference rooms were not a high management priority.⁵ FCC is now
developing an automated system to improve access to information in its
busiest reference room and considering automating others.

FCC also has not implemented the proposal to use electronic filing for
license applications because, as noted by the Chairman of the IRM
Steering Committee, it did not periodically review progress on the
Blueprint’s proposals. FCC’s Bureau Chiefs still believe that electronic
filing may help speed up the processing of some types of licenses. The
Chief of the Common Carrier Bureau said that some regulated firms
favor electronic filing because of the convenience and potential for
reducing costs. FCC is beginning to study the feasibility of electronic
filing.


FCC Needs to Improve Its Systems Development Policies and Practices

Federal guidance recommends that certain analyses be prepared to help
ensure that information systems meet users’ needs effectively and
economically. However, our review of six critical systems development
projects showed that FCC’s systems development policies do not require
thorough benefit/cost analyses or security analyses.

Federal guidelines recommend that agencies prepare a thorough
benefit/cost analysis in the earliest phase of a development project (the
initiation phase) to help management choose which alternative system will
best meet its needs.⁶ Benefit/cost analyses thoroughly examine
quantifiable and nonquantifiable benefits and costs over the estimated
useful life of all alternative systems. However, FCC’s policies only require
that a limited analysis of benefits and costs be prepared, covering 3 to 6
years, for the current system and the preferred alternative. FCC does not
require the analysis to include indirect costs such as training and travel
or nonquantifiable benefits. As shown on the summary in appendix II,
FCC did not develop thorough benefit/cost analyses of alternative
systems over the estimated useful system life for five of the six
development projects. FCC, therefore, risks developing systems that do not
meet its needs effectively and economically.

⁴ The Management and Operation of FCC’s Public Reference Rooms
(GAO/T-RCED-88-25, Mar. 17, 1988).

⁵ The FCC Public Reference Rooms Are A Mess, Committee on Government
Operations, House of Representatives, Report 100-749, July 6, 1988, p. 3.

⁶ Federal Information Resource                           (July 1, 1989 Edition) Part 201-30.009 and
Federal Information Processing                          4, Guidelines for Documentation of Computer
Programs and Automated Data Systems for the Initiation Phase (Aug.
Standards (now called the National Institute of Standards and Technology), Department of
Commerce.

Agency managers should also consider security issues in selecting a
system to meet their needs. Federal guidelines state that agencies are to
determine the basic security needs of a proposed system, potential risks,
and the cost of alternative security measures.⁷ Despite this, FCC does not
require these analyses during any phase of system development. None
of the analyses for the six system development projects we reviewed
addressed security requirements in detail. For example, even though
FCC’s functional requirements study for the Fees Collection System notes
that a security lapse could lose money due the government, the study
does not discuss specific security requirements, risks, alternative
security measures, or costs.


Action Needed to Ensure Continued Information Technology Support After a Disaster

FCC depends heavily on information technology to process about a
million licenses a year, support the collection of millions of dollars a
year in licensing fees, and perform engineering analyses and other
functions. To ensure the continued accomplishment of missions in an
emergency, OMB Circular A-130 requires that federal agencies maintain
continuity of operations plans for all information technology
installations. The plans should be periodically tested for large
installations and ones supporting essential agency functions.

A 1987 FCC directive also discusses the development of and requires
periodic testing of a continuity of operations plan, in accordance with
the OMB circular. If information technology support is unexpectedly lost,
FCC’s ability to serve the public may be impaired. To ensure that the
plan is sufficiently detailed to minimize decision-making immediately
following an emergency, the directive requires

• each FCC bureau and office to prepare a list ranking its critical
  information systems;
• IRM officials to prepare detailed emergency procedures, including
  identifying minimum computer hardware and software requirements needed
  for critical systems, criteria for deciding when to activate the continuity
  plan, and security procedures for emergency operations;
• IRM officials to annually test FCC’s ability to recover and operate critical
  information systems; and
• a management team to annually review the plan, procedures, and test
  results, and record the results of the review for follow-up action.

⁷ Federal Information Processing Standards Publication 64, Guidelines for Documentation of Com-
                                                                     (Aug. 1, 1979) and Federal
                                                                     ity of Applications (June 30,
1980), National Bureau of Standards, Department of Commerce.

FCC has not prepared a continuity of operations plan, identified its
critical information systems, or prepared detailed emergency procedures.
Nor has it tested its ability to recover these critical systems or
performed annual reviews of its procedures and test results. While
acknowledging this, the Chief of FCC’s Information Processing Division
noted that the agency has some important components of a continuity
plan. He noted that FCC has an agreement with another federal agency
for emergency backup of FCC’s mainframe computer. FCC also stores
computer tapes containing licensing data and key computer programs at
an off-site location.

The official said FCC would use the other agency’s mainframe computer
if a disaster disabled FCC’s mainframe computer. However, we found
that FCC has not tested its ability to operate critical information systems
on the backup computer, or determined whether communications
capabilities at the other agency are sufficient to support the 1,400 on-line
computer terminals FCC employees use to review and approve licenses.

FCC’s Private Radio Bureau Licensing Division relies on the mainframe
computer to support the processing of over 800,000 licenses annually.
The division chief said that an interruption of this support for just a few
days would essentially idle his staff and would quickly create a backlog
of applications that would be difficult to process.

In addition, not all FCC licensing and other operations are processed on
the mainframe. FCC uses a minicomputer to help it analyze and process
about 20,000 broadcasting licenses per year. FCC does not have a
continuity of operations plan or an interagency agreement to back up this
minicomputer.

The Chief of FCC’s Information Processing Division stated that preparing
a continuity of operations plan has not been an agency priority. He said
if a disaster occurs that disrupts FCC’s computer-based licensing, it could
try to issue licenses manually until normal computer operations are
restored. However, FCC has used computers for about 20 years to
process its high volume of licenses, and it does not have standing
procedures for issuing licenses manually. Because of this, we believe that
resorting to manual licensing would be slow and inefficient. The speed
and efficiency of FCC’s licensing process can directly affect the nation’s
economy. In 1989 budget hearings, FCC’s former Chairman noted that
delays in licensing communications services affect not only the
applicants, but also have an adverse impact on the economy and reduce tax
revenue.⁸

FCC has not reported its lack of a continuity of operations plan as a
material internal control weakness under the Federal Managers’
Financial Integrity Act of 1982.⁹ The act requires agencies to annually
report to the President on the status of their internal control systems,
including any substantial weaknesses such as inadequate continuity of
operations planning.


Conclusions

In the next 4 years, FCC plans to spend $11 million on information
technology or about four times the amount spent on technology in the last 4
years. This investment creates a challenge and an opportunity to ensure
that these funds for information technology are well spent, and to
address past oversights and follow federal guidelines for managing
information resources. First, although 10 years ago the agency
acknowledged the importance of information technology to its mission, it
has not developed a strategic information resource management plan to
define goals, priorities, and milestones. Further, it has not always followed
guidelines regarding the analyses that need to be prepared in the early
stages of system development. Finally, the agency has not developed a
continuity of operations plan that supports its current computer
environment and that would help it cope if an emergency disables its
computers. Addressing these shortcomings will increase the chance that the
money it plans to spend on information technology will help it meet its
increasingly challenging mission.


⁸ Statement of Dennis R. Patrick, FCC Chairman, before the Committee on
Appropriations, U.S. Senate, May 18, 1989.

⁹ 31 U.S.C. 3512(b) and (c) (1982).

Recommendations

To guide FCC’s increased level of information technology expenditures,
we recommend that the Chairman, FCC, ensure that the agency develops
a strategic IRM plan. In addition, to help ensure that FCC selects the best
alternatives for developing systems and properly considers security
needs, we recommend that FCC revise its system development policies to
conform to federal guidelines and standards.

To help ensure a smooth, rapid recovery of automated data processing
operations in an emergency, we recommend that FCC prepare and
periodically test an automated data processing continuity of operations
plan. Until a plan has been developed and tested, we recommend that FCC
report the lack of a plan as a material internal control weakness under
the Federal Managers’ Financial Integrity Act.


Agency Comments and Our Evaluation

Commenting on a draft of our report, FCC stated that it recognizes the
fundamental importance of IRM in accomplishing its mission, and said
that it has initiated studies during the last 10 months to help guide the
IRM program into the next decade. FCC also stated that it annually
publishes a strategic IRM plan and that recent editions of it were approved
by OMB and the General Services Administration (GSA) as FCC’s strategic
plan. It said that it published a Blueprint for its IRM program in 1980,
and is now in the process of developing a new one.

Our report acknowledges that FCC sees the importance of IRM and that
FCC has initiated studies which could help it develop a strategic IRM plan.
We disagree, however, that FCC’s annual plan is a strategic IRM plan, or
that OMB and GSA approved it as a strategic plan. The annual plan does
not identify the agency’s strategic priorities or goals, or the information
needed to meet these goals. Further, the annual plan itself does not
claim to be the agency’s strategic plan. Rather, it states that the
agency’s strategic IRM direction was articulated in the 1980 Blueprint. In
addition, OMB and GSA officials stated that they do not approve agencies’
strategic IRM plans, and have not approved FCC’s annual plan, or any
document, as FCC’s strategic IRM plan. After we received FCC’s comments,
the Managing Director acknowledged that OMB and GSA did not approve
FCC’s annual plans.

FCC’s 1980 Blueprint also fell short of being a strategic IRM plan because
it did not set the agency’s priorities, nor was it approved by FCC’s
Chairman, or supported by a tactical plan. According to FCC’s IRM
Steering Committee Chairman, a strategic IRM plan is needed and the
Committee intends to prepare one, but no date has been set for
completing it.








    Regarding its system development efforts, FCC states that it has per-
    formed benefit/cost analyses of alternatives. Although it acknowledges
    it could have been more thorough and better documented its work, FCC
    believes its efforts have been reasonable and adequate given the
    agency’s limited resources,

    The system development policies of FCC do not conform to federal gui-
    dance because they do not require adequate benefit/cost analyses (such
    as analyzing several alternative approaches) or require security anal-
    yses at all. Our review of six critical systems development projects
    revealed inadequate benefit/cost analyses and security analyses. FCC
    therefore risks not selecting the best alternative or properly considering
    security needs.

    FCC stated that it has an emergency plan to continue operations if its
    computers are disabled, and also said that it reported the inadequacy of
    its plan as a material weakness in its Federal Managers’ Financial
    Integrity Act report.

    We disagree with this assessment. FCC's plan is incomplete and out of
    date, and the backup of the mainframe has not been adequately tested.
    Because FCC does not have an emergency plan that could be quickly
    implemented if a disaster occurs, its license processing and other
    mission-related functions are at risk.

    Regarding FCC's comment that it has reported emergency planning as a
    weakness, FCC’s Associate Managing Director for Information
    Management explained that the report does not actually state it is a weakness,
    but he believes it is implied by FCC's disclosure in the report that
    computer security is inadequate. Computer security is a very broad topic
    covering a wide range of security controls. Given FCC's heavy reliance on
    information technology, emergency planning is a specific weakness that
    should be reported until it is corrected.

    FCC stated that, to the degree there are shortcomings in its IRM planning
    and other activities, it will implement corrective actions. It did not,
    however, specify what actions it intends to take on our recommendations, so
    it is unclear whether FCC's actions will adequately address our concerns.


    As arranged with your office, unless you publicly announce the contents
    of this report earlier, we plan no further distribution of this report until
    30 days from the date of this letter. We will then send copies to the
    Chairman and Managing Director of FCC and other interested parties.
    This report was prepared under the direction of JayEtta Hecker,
    Director, Resources, Community, and Economic Development
    Information Systems, who can be reached at (202) 275-9675. Other major
    contributors are listed in appendix IV.

Sincerely yours,



Ralph V. Carlone
Assistant Comptroller General




Contents

Letter
Appendix I: Objectives, Scope, and Methodology
Appendix II: Summary of Analyses for Six Major FCC Information Systems
Appendix III: Comments From the Federal Communications Commission
    GAO Comments
Appendix IV: Major Contributors to This Report




                        Abbreviations

                        FCC       Federal Communications Commission
                        GAO       General Accounting Office
                        GSA       General Services Administration
                        IMTEC     Information Management and Technology Division
                        IRM       information resources management
                        OMB       Office of Management and Budget






Appendix I

Objectives, Scope, and Methodology


              The objective of our review, as agreed with the requesting
              Subcommittee, was to evaluate information resources management activities at
              the FCC, concentrating on how it plans and manages its information
              resources. We conducted our work from August 1989 through March
              1990 at FCC headquarters in Washington, D.C., and the FCC Private Radio
              Bureau’s Licensing Division in Gettysburg, Pennsylvania.

              To determine how FCC plans and manages its information resources, we
              interviewed the agency’s Managing Director, Associate Managing
              Director for Information Management, and senior program officials,
              including bureau chiefs. To help evaluate FCC's planning and
              management of information resources, we contracted with an IRM consultant.
              We also reviewed FCC policy, planning, budget, and system justification
              documents and relevant reports.

              To determine FCC’s methodology for developing information systems, we
              selected six FCC information systems that FCC identified as critical to its
              missions, and which covered different program areas. We reviewed
              federal guidance on systems development methodology and continuity of
              operations planning, and compared these to FCC's policies and practices.

              Our work was performed in accordance with generally accepted
              government auditing standards. The FCC provided written comments on a draft
              of this report. These comments are presented and evaluated in
              appendix III.




Appendix II

Summary of Analyses for Six Major FCC
Information Systems


                                                       Was the system    Was a benefit/cost    Were alternative         Were security risks and
System                                                 life estimated?   analysis prepared?    approaches described?    requirements described?
Automated Land Mobile Application Processing System    No                No                    Yes                      No
Automated Reporting Management Information System      No                No                    No                       No
Common Carrier Land Mobile System                      No                Yes                   Yes                      No
Automated Marine Application Processing System         No                No                    No                       No
Fees Collection System                                 No                No(a)                 Yes                      No
Antenna Clearance System                               No                No                    No                       No

(a) Benefits were summarized in narrative form, but not quantified or analyzed.




Appendix III

Comments From the Federal
Communications Commission

supplementing those in the
report text appear at the
end of this appendix.

                                                        FEDERAL COMMUNICATIONS COMMISSION
                                                                Washington, D. C. 20554

                                                                      MAY 24 1990
                             OFFICE OF
                             MANAGING DIRECTOR




                                  Mr. Ralph V. Carlone
                                  Assistant Comptroller General
                                  Information  Management and Technology Division
                                  United States General Accounting Office
                                  Washington, D. C. 20548
                                  Dear Mr. Carlone:
See comment 1                     I appreciate the opportunity to respond to the draft report concerning
                                  “Strategic Focus Needed to Improve Information Resources Management”.
                                  First, let me state that Chairman Sikes is personally committed to
                                  excellence in the IRM area. The Chairman and I both recognize the
                                  fundamental importance of IRM to the FCC in accomplishing its mission to
                                  regulate non-government interstate and international communications
                                  services and to foster the introduction of new and innovative
                                  telecommunications technology.
                                  To provide the strategic focus needed to direct the Information
                                  Resources Management Program, the Chairman has initiated a number of
                                  agency-wide studies to help determine the demands and opportunities
                                  that the future will bring to the FCC. This programmatic vision will,
                                  in turn, strategically guide the direction of the FCC IRM Program for
                                  the next decade. During the first 10 months of Chairman Sikes’ tenure
                                  we have taken the first steps on this path by:
                                         - Initiating a census of all data interchange between the
                                           FCC and the public.
                                         - Beginning a requirements analysis of all FCC information
                                           resources with an end goal of completely modernizing our
                                           processes and resources.
                                         - Initiating a study of the impact of future technology on
                                           the role and mission of the FCC.
                                  While looking to future opportunities for IRM at the FCC, we recognize
                                  that stringent budget constraints and staff shortages have been the
                                  norm for the FCC in general and the agency’s IRM program in particular
                                  in the recent past. These funding constraints have provided numerous
                                  obstacles to earlier IRM efforts. In the interest of building a
                                  complete and accurate record, we must note some areas of disagreement
                                  with the findings and conclusions contained in your draft report,
                                  specifically:
See comment 2         - FCC has had a strategic plan, published yearly, for
                        well over a decade in accordance with regulations. New
                        versions of the plan are regularly submitted to OMB and
                        GSA, and recent editions have been approved as our
                        strategic plan by both agencies. In addition to its
                        yearly plan, FCC published a blueprint for its IRM
                        program in 1980, and we are now in the process of
                        developing a new one. While we may differ with your
                        finding, we endorse your premise of the fundamental
                        importance of strategic IRM planning for the FCC. In
                        the past, austere budgets constrained the FCC’s IRM
                        planning efforts. We intend to renew and substantially
                        increase our efforts in this area in the future.
See comment 3         - FCC has performed benefit/cost analyses of alternatives
                        in its systems development efforts. While we concede
                        that our efforts could have been more thorough and
                        better documented, we view our efforts in this area to
                        be “reasonable and adequate” in accordance with the
                        controlling regulations. Past lack of resources at the
                        FCC has severely limited alternatives and, as so often
                        is the case when resources are short, documentation of
                        the decision process was somewhat limited.
See comment 4         - FCC has prepared an emergency plan to continue
                        operations if computers are disabled. We have selected
                        and tested an alternate site computer, stored all
                        relevant data and programs off site, and put in place a
                        methodology for determining criticality of systems on a
                        real time basis depending on the type and duration of
                        the disaster. We made a documented management decision
                        in October 1989 to defer updating this plan until we had
                        put in place an FCC IRM Security Plan. Because our
                        existing plan is out of date and does not address our
                        new on-line systems and our microcomputer based systems,
                        the FCC has reported the inadequacy of its emergency
                        plan as part of the agency submission pursuant to the
                        requirements of the Computer Security Act and
                        subsequently, as a material weakness under the Federal
                        Managers’ Financial Integrity Act.
See comment 5   To the degree that there are shortcomings in the FCC’s IRM planning
                processes and past practices, we will be diligent in implementing
                corrective actions. Indeed, as indicated in the above comments,
                appropriate actions have already been initiated and new starts are
                planned or underway to improve the Commission’s overall IRM capabilities
                and effectiveness.




    Despite the essential commitment by the Chairman and his management
    team to rejuvenating strategic IRM planning at FCC, a key to continuing
    progress in this area will be an adequate level of funding in fiscal
    year 1992 and beyond. Adequate funding is essential if we are to
    achieve our goals of IRM providing critical support to the FCC in the
    accomplishment of its mission.
                                           Sincerely,

                                           Andrew S. Fishel
                                           Managing Director








               The following are GAO comments on the Federal Communications
               Commission’s letter dated May 24, 1990.


GAO Comments

               1. The FCC stated that it recognizes the fundamental importance of IRM to
               help it accomplish its mission of regulating communications services and
               fostering new technologies. It said that to provide the strategic focus
               needed to direct the IRM program, the Chairman has begun a number of
               studies to help determine the demands and opportunities that FCC will
               face in the future. This vision will guide the direction for FCC's IRM
               program for the next decade. Our report notes top management’s
               recognition that the increased use of information technology can help the
               agency accomplish its mission. We note that the December 1988 IRM
               Steering Committee charter makes it responsible for defining the
               long-term goals and direction of the IRM program and aiding the bureaus in
               developing tactical information technology plans. We also acknowledge
               that FCC has started a number of studies and that these could be useful
               to top management in developing a strategic IRM plan.

               2. FCC stated that it has annually published a strategic plan for well over
               a decade and that recent editions were approved by OMB and GSA as FCC's
               strategic plan. FCC said that it published a Blueprint for its IRM program
               in 1980, and is now in the process of developing a new one. It also said it
               intends to substantially increase its planning efforts in the future.

               We disagree that FCC's annual plan is a strategic plan, or that OMB and
               GSA approved recent editions as FCC's strategic plan. The annual plan
               that FCC refers to does not identify the agency’s strategic goals,
               information needed to meet strategic goals, or strategic priorities. Further, the
               annual plan itself does not claim to be the agency’s strategic plan.
               Rather, it states the current strategic direction was articulated in the
               1980 Blueprint. The Chairman of the IRM Steering Committee,
               responsible for preparing strategic IRM plans at FCC, stated that he considers
               the annually prepared plans to be more tactical than strategic.

               Regarding FCC's comment that recent editions of its annual IRM plan were
               approved by OMB and GSA as a strategic plan, officials from both agencies
               stated that they do not approve agencies' strategic IRM plans, and that
               they have not approved FCC’s plan as a strategic IRM plan. A project
               manager in the GSA's Office of Software Development and Information
               Technology told us that, at FCC’s request, she reviewed and commented
               on the 1990 annual plan. This did not, however, constitute GSA approval
               of FCC's plan. Following the receipt of agency comments, FCC's Managing
               Director stated that, in fact, OMB and GSA did not approve FCC’s annual
               plans.

Our report discusses FCC's 1980 Blueprint, noting that the Blueprint fell
short of being a strategic IRM plan because it did not set the agency’s
priorities, and was not approved by the FCC's Chairman, or supported by
tactical plans. FCC did not make some of the mission-related
improvements identified in the Blueprint. It did not introduce automation into its
reference rooms before service problems occurred or examine the
feasibility of using electronic filing to speed up some licensing processes.
According to FCC's IRM Steering Committee Chairman, a strategic IRM
plan is needed and the Committee intends to prepare one. As noted in
this report, no date has been set for completing the plan.

3. FCC stated that it has performed benefit/cost analyses of alternatives
in its systems development efforts. Although it admits it could have
been more thorough and better documented its work, FCC said its efforts
have been reasonable and adequate given the agency’s past lack of
resources. It added that scarce resources have limited the alternatives it
could consider, and have caused it to somewhat limit the documentation
of its decision process.

As discussed in this report, FCC's system development policies do not
conform to federal guidance because they do not require thorough
benefit/cost analyses or require security analyses at all. FCC did not
thoroughly analyze the benefits and costs of alternative systems over the
estimated useful life for five of the six critical systems development
projects we reviewed. In addition, FCC's analyses did not discuss security
requirements for any of the six projects. Our recommendation is
intended to help FCC ensure that it selects the best alternatives for
developing systems and properly considers security needs.

4. FCC stated that it has prepared an emergency plan to continue
operations if its computers are disabled. In addition, FCC states that it
reported the inadequacy of its emergency plan as a material weakness in
its Federal Managers’ Financial Integrity Act report.

We do not agree that FCC has an emergency plan. As discussed in this
report, the official responsible for emergency planning told us that while
FCC has some of the components of a plan, such as obtaining a
mainframe backup agreement, FCC has not prepared a plan, identified critical
information systems, or developed detailed emergency procedures. Nor
has FCC tested its ability to recover and operate critical information
systems at the current backup facility, or had a management team annually
review the plan, procedures and test results and record the results for
follow-up action.

FCC officials told us they consider the directive on emergency planning
to be the agency’s plan. We note, however, that the stated purpose of the
directive is to “provide guidance for establishing policies, plans, and
procedures for contingency operations.”

In its comments, FCC states that the plan is out of date because it does
not address the FCC's new on-line and microcomputer-based systems. For
these reasons we believe that FCC does not have an emergency plan that
could be quickly implemented if a disaster occurs. As a result, its license
processing and other mission-related functions are at risk.

FCC states that it selected and tested an alternate site computer, and
stored all relevant data and programs off site. These are important
measures. However, FCC has not adequately tested the backup mainframe
computer. According to the Chief of FCC’s Information Processing
Division, FCC checked that the other agency’s backup computer is basically
compatible with its own, but it has not tried to run any of its licensing or
other systems using this computer.

FCC also commented that it has put in place a methodology for
determining the criticality of its systems on a real-time basis. The Associate
Managing Director for Information Management explained that, after a
disaster occurs, the FCC's Contingency Crisis Committee, composed of
representatives from each of FCC's bureaus and offices, would meet,
decide what the most critical information systems are and make
arrangements for running these systems. This approach would be
time-consuming and ineffective unless there is adequate pre-disaster
planning, such as preparing, as FCC’s directive requires, lists of each bureau’s
critical systems. Such lists have not been prepared. In addition, the
Contingency Crisis Committee may not be well prepared to cope with a
disaster because it has not met since 1982.

With regard to FCC's comment that it has reported emergency planning
as a weakness in its 1989 Federal Managers’ Financial Integrity Act
report, we noted that this weakness is not stated in the FCC's report.
Also, the official responsible for FCC’s contingency planning, the Chief of
the Information Processing Division, said it was not reported as a
weakness. However, FCC’s Associate Managing Director for Information
Management explained that, while the report does not actually state
emergency plans are inadequate, he believes it is implied by FCC’s
disclosure in the report that computer security is inadequate. However, this
implication is not obvious because computer security is a very broad
topic. For instance, a recent GAO report on security lists 18 types of
computer security controls, ranging from the need for adequate personnel
selection and screening processes to the need to control modifications to
computer programs.¹ Given the FCC’s heavy reliance on information
technology to support licensing and other mission-related functions, we
continue to believe that emergency planning is a specific weakness and
should be reported until the weakness is corrected.

5. FCC stated that to the degree that there are shortcomings in its IRM
planning and its past practices, it will diligently implement corrective
actions. It added that it believes it has already initiated appropriate
actions and plans others to improve its IRM capabilities and
effectiveness.

Our recommendations were intended to help facilitate IRM
improvements. Although FCC said it will take corrective actions, it did not
specify what actions it intends to take on our recommendations.
Therefore, at this point, it is unclear whether FCC’s actions will adequately
address our concerns.




¹Computer Security: Governmentwide Planning Process Had Limited Impact (GAO/IMTEC-90-48,
May 10, 1990).




Appendix IV

Major Contributors to This Report


Information Management and Technology Division, Washington, D.C.

David G. Gill, Assistant Director
James Houtz, Evaluator-in-Charge
Karlin Richardson, Technical Adviser
Alice Morris, Evaluator




(610449)