FEDERAL COMMUNICATIONS COMMISSION

Strategic Focus Needed to Improve Information Resources Management

RESTRICTED--Not to be released outside the General Accounting Office unless specifically approved by the Office of Congressional

RELEASED

United States General Accounting Office
Washington, D.C. 20548

Information Management and Technology Division

B-226427

July 20, 1990

The Honorable Robert Wise
Chairman, Subcommittee on Government Information, Justice, and Agriculture
Committee on Government Operations
House of Representatives

Dear Mr. Chairman:

In response to your request and as agreed in meetings with your office, this report discusses the Federal Communications Commission's (FCC) information resources management (IRM), concentrating on how the agency plans and develops information technology to meet its mission.

As you know, FCC is charged with regulating interstate and foreign commerce through wire and radio communications. Rapid technological change over the past decade has led to an increasing work load for FCC. FCC is licensing new communications services, such as low-power television and cellular radio, and may become more involved in other areas such as cable television.

FCC's current Chairman and Managing Director believe that increased information technology support can help the agency accomplish its increasingly demanding mission. FCC relies on information technology to help process a million applications for licenses and collect millions of dollars in licensing fees each year, as well as perform engineering analyses and other mission-related and administrative functions. The agency plans to spend about $11 million in fiscal years 1990 through 1993, four times the money spent over the last 4 years.
Despite the growing importance of information technology to FCC, the agency has not developed a strategic IRM plan to identify the goals, direction, and information needed to meet its mission, set priorities, and guide its information technology budget. Further, some of FCC's information systems development policies and practices are not consistent with federal guidelines for preparing thorough benefit/cost analyses of alternative systems, or analyses of security risks and needs. Without these analyses, FCC may not select the best alternatives to effectively and economically meet users' needs.

Page 1 GAO/IMTEC-90-52 FCC Information Resources Management

Finally, FCC has not prepared an emergency plan to continue operations if its computers are disabled. It has an agreement to use another agency's facilities to back up its largest computer, but has never tested whether the facility can handle FCC's work load. Both the Office of Management and Budget and FCC require the development, maintenance, and testing of an emergency plan. Without this plan, FCC risks not being able to effectively accomplish its licensing or other missions if its computers are unexpectedly lost for an extended period. FCC has not reported this risk as a material internal control weakness under the Federal Managers' Financial Integrity Act.

Strategic IRM Plan Needed to Guide FCC's Use of Technology

FCC's mission is becoming increasingly demanding. Applications for new communication services, such as low-power television (a service in which signals are broadcast within relatively small areas) and cellular radio (mobile telephone service) have increased FCC's licensing work load. FCC's former Chairman noted in testimony before the Senate Committee on Appropriations in May 1989, that FCC has been falling behind in processing license applications. In the case of land mobile radio licenses, processing was taking about 175 days, 60 percent longer than the year before.
FCC also anticipates the need for new rules, which may further increase its work load. For example, the direct broadcasting of television programs via satellite is a potential new service. FCC may also apply additional controls over the cable television industry and it may need to increase its oversight of telephone companies if they are allowed to offer new services.

FCC's current Chairman and Managing Director, who began their duties in August and October 1989, respectively, believe that the increased use of information technology can help the agency accomplish its mission. The Managing Director said that he and the Chairman are committed to supporting a substantial increase in spending for information technology, even if it means hiring fewer staff for critical vacancies. The agency plans to spend about $11 million on information technology to support mission and administrative functions between fiscal years 1990 and 1993, four times the $2.5 million spent from fiscal years 1986 through 1989.

Because of the increasing demands on the agency, and its plans to spend more on information technology, it is an opportune time for FCC to fulfill the requirement to develop a strategic IRM plan. In developing this plan, FCC needs to examine its changing mission, how it will achieve it, and how information and information technology can be of help.

FCC Has Not Developed a Strategic IRM Plan

Office of Management and Budget (OMB) Circular A-130 requires federal agencies to establish a multiyear strategic planning process for acquiring and operating information technology. A December 1988 FCC directive also requires that a strategic IRM plan be developed that identifies the long-range goals and direction of the IRM program and guides its bureaus in developing tactical information technology plans.
Despite these requirements, FCC has not yet developed a strategic IRM plan that builds on its business strategy by identifying the goals, direction, and information needed to meet its mission, set priorities, and guide information technology investment. Typically, strategic IRM planning includes top management commitment and involvement, updating the plan as changes occur in mission or program direction, and setting priorities. The strategic plan should be supported with tactical plans of action for achieving strategic goals.1

FCC's directive charges its IRM Steering Committee, which is made up of the Chiefs of FCC's four bureaus and the Office of Engineering and Technology, with (1) developing and recommending to the Managing Director long-term goals and directions for the IRM program, and (2) reviewing the annually prepared strategic plan and recommending priorities for proposed information technology projects. According to the Chief of FCC's IRM Steering Committee, FCC does not have a strategic IRM plan and the annual 5-year plan is a tactical plan. He said that a strategic plan is needed, the Committee intends to prepare one, and has started to discuss what it might include. However, the Committee has not started to prepare it or set a date for its completion. Also, the preparation of a strategic IRM plan is not a formal responsibility of Committee members and may therefore be less of a priority than their other responsibilities.2

In commenting on a draft of this report, the FCC's Managing Director stated that he considered the agency's annual plan to be a strategic plan, and also noted that FCC prepared the 1980 Blueprint, which provides a longer range view. He said that the agency's IRM planning efforts have been constrained in the past because of austere budgets, but that FCC intends to substantially increase its efforts in the future.
To this end, he noted that FCC has initiated several studies that he believes will help strategically guide the FCC's IRM program for the next decade.

1 A Five-Year Plan for Meeting the Automated Data Processing Needs of the Federal Government, Volume 1: Planning Strategies, Office of Management and Budget, General Services Administration and Department of Commerce, April 1984.

2 In FCC's Management by Objectives program, formal responsibilities are set forth in performance contracts with each senior manager.

These studies are intended to address FCC's need for information technology support in several areas, including (1) how automation can help formulate policy, (2) how information is created, used, and transferred within the agency, and (3) how electronic filing can support the licensing process. These studies should help determine the usefulness of information technology support. These studies could also provide information that would be useful to top management in developing a strategic IRM plan.

Past FCC Information Technology Goals Identified but Not Achieved

FCC staff recognized a decade ago that information technology could help the agency accomplish its mission. A 1980 FCC study, commonly called the Blueprint,3 proposed that FCC make greater use of information technology to help do its work.

The study fell short of being a strategic IRM plan because it did not set the agency's priorities, nor was it approved by FCC's Chairman, or supported by tactical plans. The study was noteworthy, however, because its authors, the Chiefs of FCC's bureaus, identified how FCC could better achieve several important mission functions, namely, licensing, policymaking, and disseminating public information through greater use of electronic information handling.
Although FCC has increased its level of office automation and its use of automation to support license processing since 1980, it has not made the other mission-related improvements identified in this plan.

The Blueprint noted the rapidly growing number of paper documents in the agency's public reference rooms and proposed introducing automation to help the public quickly obtain FCC documents. Quick retrieval of documents is important because parties generally have short deadlines to contest an application filed with the FCC, file a competing application, or respond to proposed rules, tariffs, or other proceedings. Despite this need, FCC did not introduce automation into its reference rooms. Subsequently, users complained about poor service, and, in response, the Subcommittee on Government Information, Justice, and Agriculture, House Committee on Government Operations, held hearings in 1988. We testified that FCC had problems managing the heavy volume of documents in its reference rooms, such as not being able to locate requested documents.4 The Committee concluded that FCC was not providing adequate service to the public and that this occurred because the reference rooms were not a high management priority.5 FCC is now developing an automated system to improve access to information in its busiest reference room and considering automating others.

3 The Future of Electronic Information Handling at the FCC--Blueprint for the 80's, FCC ADP Steering Committee, October 31, 1980.

FCC also has not implemented the proposal to use electronic filing for license applications because, as noted by the Chairman of the IRM Steering Committee, it did not periodically review progress on the Blueprint's proposals. FCC's Bureau Chiefs still believe that electronic filing may help speed up the processing of some types of licenses.
The Chief of the Common Carrier Bureau said that some regulated firms favor electronic filing because of the convenience and potential for reducing costs. FCC is beginning to study the feasibility of electronic filing.

FCC Needs to Improve Its Systems Development Policies and Practices

Federal guidance recommends that certain analyses be prepared to help ensure that information systems meet users' needs effectively and economically. However, our review of six critical systems development projects showed that FCC's systems development policies do not require thorough benefit/cost analyses or security analyses.

Federal guidelines recommend that agencies prepare a thorough benefit/cost analysis in the earliest phase of a development project (the initiation phase) to help management choose which alternative system will best meet its needs.6 Benefit/cost analyses thoroughly examine quantifiable and nonquantifiable benefits and costs over the estimated useful life of all alternative systems. However, FCC's policies only require that a limited analysis of benefits and costs be prepared, covering 3 to 6 years, for the current system and the preferred alternative. FCC does not require the analysis to include indirect costs such as training and travel or nonquantifiable benefits. As shown on the summary in appendix II, FCC did not develop thorough benefit/cost analyses of alternative systems over the estimated useful system life for five of the six development projects. FCC, therefore, risks developing systems that do not meet its needs effectively and economically.

4 The Management and Operation of FCC's Public Reference Rooms (GAO/T-RCED-88-25, Mar. 17, 1988).

5 The FCC Public Reference Rooms Are A Mess, Committee on Government Operations, House of Representatives, Report 100-749, July 6, 1988, p. 3.

6 Federal Information Resource (July 1, 1989 Edition) Part 201-30.009 and Federal Information Processing Standards Publication 64, Guidelines for Documentation of Computer Programs and Automated Data Systems for the Initiation Phase (Aug. 1, 1979), National Bureau of Standards (now called the National Institute of Standards and Technology), Department of Commerce.

Agency managers should also consider security issues in selecting a system to meet their needs. Federal guidelines state that agencies are to determine the basic security needs of a proposed system, potential risks, and the cost of alternative security measures.7 Despite this, FCC does not require these analyses during any phase of system development. None of the analyses for the six system development projects we reviewed addressed security requirements in detail. For example, even though FCC's functional requirements study for the Fees Collection System notes that a security lapse could lose money due the government, the study does not discuss specific security requirements, risks, alternative security measures, or costs.

Action Needed to Ensure Continued Information Technology Support After a Disaster

FCC depends heavily on information technology to process about a million licenses a year, support the collection of millions of dollars a year in licensing fees, and perform engineering analyses and other functions. To ensure the continued accomplishment of missions in an emergency, OMB Circular A-130 requires that federal agencies maintain continuity of operations plans for all information technology installations. The plans should be periodically tested for large installations and ones supporting essential agency functions.

A 1987 FCC directive also discusses the development of and requires periodic testing of a continuity of operations plan, in accordance with the OMB circular. If information technology support is unexpectedly lost, FCC's ability to serve the public may be impaired.
To ensure that the plan is sufficiently detailed to minimize decision-making immediately following an emergency, the directive requires

• each FCC bureau and office to prepare a list ranking its critical information systems;
• IRM officials to prepare detailed emergency procedures, including identifying minimum computer hardware and software requirements needed for critical systems, criteria for deciding when to activate the continuity plan, and security procedures for emergency operations;
• IRM officials to annually test FCC's ability to recover and operate critical information systems; and
• a management team to annually review the plan, procedures, and test results, and record the results of the review for follow-up action.

7 Federal Information Processing Standards Publication 64, Guidelines for Documentation of Com- (Aug. 1, 1979) and Federal ity of Applications (June 30, 1980), National Bureau of Standards, Department of Commerce.

FCC has not prepared a continuity of operations plan, identified its critical information systems, or prepared detailed emergency procedures. Nor has it tested its ability to recover these critical systems or performed annual reviews of its procedures and test results.

While acknowledging this, the Chief of FCC's Information Processing Division noted that the agency has some important components of a continuity plan. He noted that FCC has an agreement with another federal agency for emergency backup of FCC's mainframe computer. FCC also stores computer tapes containing licensing data and key computer programs at an off-site location. The official said FCC would use the other agency's mainframe computer if a disaster disabled FCC's mainframe computer.
However, we found that FCC has not tested its ability to operate critical information systems on the backup computer, or determined whether communications capabilities at the other agency are sufficient to support the 1,400 on-line computer terminals FCC employees use to review and approve licenses.

FCC's Private Radio Bureau Licensing Division relies on the mainframe computer to support the processing of over 800,000 licenses annually. The division chief said that an interruption of this support for just a few days would essentially idle his staff and would quickly create a backlog of applications that would be difficult to process.

In addition, not all FCC licensing and other operations are processed on the mainframe. FCC uses a minicomputer to help it analyze and process about 20,000 broadcasting licenses per year. FCC does not have a continuity of operations plan or an interagency agreement to back up this minicomputer.

The Chief of FCC's Information Processing Division stated that preparing a continuity of operations plan has not been an agency priority. He said if a disaster occurs that disrupts FCC's computer-based licensing, it could try to issue licenses manually until normal computer operations are restored. However, FCC has used computers for about 20 years to process its high volume of licenses, and it does not have standing procedures for issuing licenses manually. Because of this, we believe that resorting to manual licensing would be slow and inefficient.

The speed and efficiency of FCC's licensing process can directly affect the nation's economy.
In 1989 budget hearings, FCC's former Chairman noted that delays in licensing communications services affect not only the applicants, but also have an adverse impact on the economy and reduce tax revenue.8

FCC has not reported its lack of a continuity of operations plan as a material internal control weakness under the Federal Managers' Financial Integrity Act of 1982.9 The act requires agencies to annually report to the President on the status of their internal control systems, including any substantial weaknesses such as inadequate continuity of operations planning.

Conclusions

In the next 4 years, FCC plans to spend $11 million on information technology or about four times the amount spent on technology in the last 4 years. This investment creates a challenge and an opportunity to ensure that these funds for information technology are well spent, and to address past oversights and follow federal guidelines for managing information resources. First, although 10 years ago the agency acknowledged the importance of information technology to its mission, it has not developed a strategic information resource management plan to define goals, priorities, and milestones. Further, it has not always followed guidelines regarding the analyses that need to be prepared in the early stages of system development. Finally, the agency has not developed a continuity of operations plan that supports its current computer environment and that would help it cope if an emergency disables its computers. Addressing these shortcomings will increase the chance that the money it plans to spend on information technology will help it meet its increasingly challenging mission.

Recommendations

To guide FCC's increased level of information technology expenditures, we recommend that the Chairman, FCC, ensure that the agency develops a strategic IRM plan. In addition, to help ensure that FCC selects the best alternatives for developing systems and properly considers security needs, we recommend that FCC revise its system development policies to conform to federal guidelines and standards.

To help ensure a smooth, rapid recovery of automated data processing operations in an emergency, we recommend that FCC prepare and periodically test an automated data processing continuity of operations plan. Until a plan has been developed and tested, we recommend that FCC report the lack of a plan as a material internal control weakness under the Federal Managers' Financial Integrity Act.

8 Statement of Dennis R. Patrick, FCC Chairman, before the Committee on Appropriations, U.S. Senate, May 18, 1989.

9 31 U.S.C. 3512(b) and (c) (1982).

Agency Comments and Our Evaluation

Commenting on a draft of our report, FCC stated that it recognizes the fundamental importance of IRM in accomplishing its mission, and said that it has initiated studies during the last 10 months to help guide the IRM program into the next decade. FCC also stated that it annually publishes a strategic IRM plan and that recent editions of it were approved by OMB and the General Services Administration (GSA) as FCC's strategic plan. It said that it published a Blueprint for its IRM program in 1980, and is now in the process of developing a new one.

Our report acknowledges that FCC sees the importance of IRM and that FCC has initiated studies which could help it develop a strategic IRM plan. We disagree, however, that FCC's annual plan is a strategic IRM plan, or that OMB and GSA approved it as a strategic plan. The annual plan does not identify the agency's strategic priorities or goals, or the information needed to meet these goals. Further, the annual plan itself does not claim to be the agency's strategic plan. Rather, it states that the agency's strategic IRM direction was articulated in the 1980 Blueprint.
In addition, OMB and GSA officials stated that they do not approve agencies' strategic IRM plans, and have not approved FCC's annual plan, or any document, as FCC's strategic IRM plan. After we received FCC's comments, the Managing Director acknowledged that OMB and GSA did not approve FCC's annual plans.

FCC's 1980 Blueprint also fell short of being a strategic IRM plan because it did not set the agency's priorities, nor was it approved by FCC's Chairman, or supported by a tactical plan. According to FCC's IRM Steering Committee Chairman, a strategic IRM plan is needed and the Committee intends to prepare one, but no date has been set for completing it.

Regarding its system development efforts, FCC states that it has performed benefit/cost analyses of alternatives. Although it acknowledges it could have been more thorough and better documented its work, FCC believes its efforts have been reasonable and adequate given the agency's limited resources.

The system development policies of FCC do not conform to federal guidance because they do not require adequate benefit/cost analyses (such as analyzing several alternative approaches) or require security analyses at all. Our review of six critical systems development projects revealed inadequate benefit/cost analyses and security analyses. FCC therefore risks not selecting the best alternative or properly considering security needs.

FCC stated that it has an emergency plan to continue operations if its computers are disabled, and also said that it reported the inadequacy of its plan as a material weakness in its Federal Managers' Financial Integrity Act report.

We disagree with this assessment. FCC's plan is incomplete and out of date, and the backup of the mainframe has not been adequately tested.
Because FCC does not have an emergency plan that could be quickly implemented if a disaster occurs, its license processing and other mission-related functions are at risk.

Regarding FCC's comment that it has reported emergency planning as a weakness, FCC's Associate Managing Director for Information Management explained that the report does not actually state it is a weakness, but he believes it is implied by FCC's disclosure in the report that computer security is inadequate. Computer security is a very broad topic covering a wide range of security controls. Given FCC's heavy reliance on information technology, emergency planning is a specific weakness that should be reported until it is corrected.

FCC stated that, to the degree there are shortcomings in its IRM planning and other activities, it will implement corrective actions. It did not, however, specify what actions it intends to take on our recommendations, so it is unclear whether FCC's actions will adequately address our concerns.

As arranged with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution of this report until 30 days from the date of this letter. We will then send copies to the Chairman and Managing Director of FCC and other interested parties.

This report was prepared under the direction of JayEtta Hecker, Director, Resources, Community, and Economic Development Information Systems, who can be reached at (202) 275-9675. Other major contributors are listed in appendix IV.

Sincerely yours,

Ralph V. Carlone
Assistant Comptroller General

Contents

Letter
Appendix I: Objectives, Scope, and Methodology
Appendix II: Summary of Analyses for Six Major FCC Information Systems
Appendix III: Comments From the Federal Communications Commission
    GAO Comments
Appendix IV: Major Contributors to This Report

Abbreviations

FCC    Federal Communications Commission
GAO    General Accounting Office
GSA    General Services Administration
IMTEC  Information Management and Technology Division
IRM    information resources management
OMB    Office of Management and Budget

Appendix I
Objectives, Scope, and Methodology

The objective of our review, as agreed with the requesting Subcommittee, was to evaluate information resources management activities at the FCC, concentrating on how it plans and manages its information resources. We conducted our work from August 1989 through March 1990 at FCC headquarters in Washington, D.C., and the FCC Private Radio Bureau's Licensing Division in Gettysburg, Pennsylvania.

To determine how FCC plans and manages its information resources, we interviewed the agency's Managing Director, Associate Managing Director for Information Management, and senior program officials, including bureau chiefs. To help evaluate FCC's planning and management of information resources, we contracted with an IRM consultant. We also reviewed FCC policy, planning, budget, and system justification documents and relevant reports.

To determine FCC's methodology for developing information systems, we selected six FCC information systems that FCC identified as critical to its missions, and which covered different program areas.
We reviewed federal guidance on systems development methodology and continuity of operations planning, and compared these to FCC's policies and practices.

Our work was performed in accordance with generally accepted government auditing standards. The FCC provided written comments on a draft of this report. These comments are presented and evaluated in appendix III.

Appendix II
Summary of Analyses for Six Major FCC Information Systems

| System | Was the system life estimated? | Was a benefit/cost analysis prepared? | Were alternative approaches described? | Were security risks and requirements described? |
| Automated Land Mobile Application Processing System | No | No | Yes | No |
| Automated Reporting Management Information System | No | No | No | No |
| Common Carrier Land Mobile System | No | Yes | Yes | No |
| Automated Marine Application Processing System | No | No | No | No |
| Fees Collection System | No | No(a) | Yes | No |
| Antenna Clearance System | No | No | No | No |

(a) Benefits were summarized in narrative form, but not quantified or analyzed.

Appendix III
Comments From the Federal Communications Commission

Note: GAO comments supplementing those in the report text appear at the end of this appendix.

FEDERAL COMMUNICATIONS COMMISSION
Washington, D.C. 20554

MAY 24 1990

OFFICE OF MANAGING DIRECTOR

Mr. Ralph V. Carlone
Assistant Comptroller General
Information Management and Technology Division
United States General Accounting Office
Washington, D.C. 20548

Dear Mr. Carlone:

See comment 1.

I appreciate the opportunity to respond to the draft report concerning "Strategic Focus Needed to Improve Information Resources Management". First, let me state that Chairman Sikes is personally committed to excellence in the IRM area.
The Chairman and I both recognize the fundamental importance of IRM to the FCC in accomplishing its mission to regulate non-government interstate and international communications services and to foster the introduction of new and innovative telecommunications technology.

To provide the strategic focus needed to direct the Information Resources Management Program, the Chairman has initiated a number of agency-wide studies to help determine the demands and opportunities that the future will bring to the FCC. This programmatic vision will, in turn, strategically guide the direction of the FCC IRM Program for the next decade. During the first 10 months of Chairman Sikes' tenure we have taken the first steps on this path by:

- Initiating a census of all data interchange between the FCC and the public.
- Beginning a requirements analysis of all FCC information resources with an end goal of completely modernizing our processes and resources.
- Initiating a study of the impact of future technology on the role and mission of the FCC.

While looking to future opportunities for IRM at the FCC, we recognize that stringent budget constraints and staff shortages have been the norm for the FCC in general and the agency's IRM program in particular in the recent past. These funding constraints have provided numerous obstacles to earlier IRM efforts. In the interest of building a complete and accurate record, we must note some areas of disagreement with the findings and conclusions contained in your draft report, specifically:

See comment 2.

- FCC has had a strategic plan, published yearly, for well over a decade in accordance with regulations. New versions of the plan are regularly submitted to OMB and GSA, and recent editions have been approved as our strategic plan by both agencies.
In addition to its yearly plan, FCC published a blueprint for its IRM program in 1980, and we are now in the process of developing a new one. While we may differ with your finding, we endorse your premise of the fundamental importance of strategic IRM planning for the FCC. In the past, austere budgets constrained the FCC's IRM planning efforts. We intend to renew and substantially increase our efforts in this area in the future.

See comment 3.

- FCC has performed benefit/cost analyses of alternatives in its systems development efforts. While we concede that our efforts could have been more thorough and better documented, we view our efforts in this area to be "reasonable and adequate" in accordance with the controlling regulations. Past lack of resources at the FCC has severely limited alternatives and, as so often is the case when resources are short, documentation of the decision process was somewhat limited.

See comment 4.

- FCC has prepared an emergency plan to continue operations if computers are disabled. We have selected and tested an alternate site computer, stored all relevant data and programs off site, and put in place a methodology for determining criticality of systems on a real time basis depending on the type and duration of the disaster. We made a documented management decision in October 1989 to defer updating this plan until we had put in place an FCC IRM Security Plan. Because our existing plan is out of date and does not address our new on-line systems and our microcomputer based systems, the FCC has reported the inadequacy of its emergency plan as part of the agency submission pursuant to the requirements of the Computer Security Act and subsequently, as a material weakness under the Federal Managers' Financial Integrity Act.

See comment 5.

To the degree that there are shortcomings in the FCC's IRM planning processes and past practices, we will be diligent in implementing corrective actions.
Indeed, as indicated in the above comments, appropriate actions have already been initiated and new starts are planned or underway to improve the Commission’s overall IRM capabilities and effectiveness.

Despite the essential commitment by the Chairman and his management team to rejuvenating strategic IRM planning at FCC, a key to continuing progress in this area will be an adequate level of funding in fiscal year 1992 and beyond. Adequate funding is essential if we are to achieve our goals of IRM providing critical support to the FCC in the accomplishment of its mission.

Sincerely,

Andrew S. Fishel
Managing Director

Appendix III: Comments From the Federal Communications Commission

The following are GAO comments on the Federal Communications Commission’s letter dated May 24, 1990.

GAO Comments

1. The FCC stated that it recognizes the fundamental importance of IRM to help it accomplish its mission of regulating communications services and fostering new technologies. It said that to provide the strategic focus needed to direct the IRM program, the Chairman has begun a number of studies to help determine the demands and opportunities that FCC will face in the future. This vision will guide the direction for FCC’s IRM program for the next decade.

Our report notes top management’s recognition that the increased use of information technology can help the agency accomplish its mission. We note that the December 1988 IRM Steering Committee charter makes it responsible for defining the long-term goals and direction of the IRM program and aiding the bureaus in developing tactical information technology plans. We also acknowledge that FCC has started a number of studies and that these could be useful to top management in developing a strategic IRM plan.
2. FCC stated that it has annually published a strategic plan for well over a decade and that recent editions were approved by OMB and GSA as FCC’s strategic plan. FCC said that it published a Blueprint for its IRM program in 1980, and is now in the process of developing a new one. It also said it intends to substantially increase its planning efforts in the future.

We disagree that FCC’s annual plan is a strategic plan, or that OMB and GSA approved recent editions as FCC’s strategic plan. The annual plan that FCC refers to does not identify the agency’s strategic goals, information needed to meet strategic goals, or strategic priorities. Further, the annual plan itself does not claim to be the agency’s strategic plan. Rather, it states the current strategic direction was articulated in the 1980 Blueprint. The Chairman of the IRM Steering Committee, responsible for preparing strategic IRM plans at FCC, stated that he considers the annually prepared plans to be more tactical than strategic.

Regarding FCC’s comment that recent editions of its annual IRM plan were approved by OMB and GSA as a strategic plan, officials from both agencies stated that they do not approve agencies’ strategic IRM plans, and that they have not approved FCC’s plan as a strategic IRM plan. A project manager in the GSA’s Office of Software Development and Information Technology told us that, at FCC’s request, she reviewed and commented on the 1990 annual plan. This did not, however, constitute GSA approval of FCC’s plan. Following the receipt of agency comments, FCC’s Managing Director stated that, in fact, OMB and GSA did not approve FCC’s annual plans.
Our report discusses FCC’s 1980 Blueprint, noting that the Blueprint fell short of being a strategic IRM plan because it did not set the agency’s priorities, and was not approved by the FCC’s Chairman, or supported by tactical plans. FCC did not make some of the mission-related improvements identified in the Blueprint. It did not introduce automation into its reference rooms before service problems occurred or examine the feasibility of using electronic filing to speed up some licensing processes. According to FCC’s IRM Steering Committee Chairman, a strategic IRM plan is needed and the Committee intends to prepare one. As noted in this report, no date has been set for completing the plan.

3. FCC stated that it has performed benefit/cost analyses of alternatives in its systems development efforts. Although it admits it could have been more thorough and better documented its work, FCC said its efforts have been reasonable and adequate given the agency’s past lack of resources. It added that scarce resources have limited the alternatives it could consider, and have caused it to somewhat limit the documentation of its decision process.

As discussed in this report, FCC’s system development policies do not conform to federal guidance because they do not require thorough benefit/cost analyses or require security analyses at all. FCC did not thoroughly analyze the benefits and costs of alternative systems over the estimated useful life for five of the six critical systems development projects we reviewed. In addition, FCC’s analyses did not discuss security requirements for any of the six projects. Our recommendation is intended to help FCC ensure that it selects the best alternatives for developing systems and properly considers security needs.

4. FCC stated that it has prepared an emergency plan to continue operations if its computers are disabled.
In addition, FCC states that it reported the inadequacy of its emergency plan as a material weakness in its Federal Managers’ Financial Integrity Act report.

We do not agree that FCC has an emergency plan. As discussed in this report, the official responsible for emergency planning told us that while FCC has some of the components of a plan, such as obtaining a mainframe backup agreement, FCC has not prepared a plan, identified critical information systems, or developed detailed emergency procedures. Nor has FCC tested its ability to recover and operate critical information systems at the current backup facility, or had a management team annually review the plan, procedures and test results and record the results for follow-up action.

FCC officials told us they consider the directive on emergency planning to be the agency’s plan. We note, however, that the stated purpose of the directive is to “provide guidance for establishing policies, plans, and procedures for contingency operations.” In its comments, FCC states that the plan is out of date because it does not address the FCC’s new on-line and microcomputer-based systems. For these reasons we believe that FCC does not have an emergency plan that could be quickly implemented if a disaster occurs. As a result, its license processing and other mission-related functions are at risk.

FCC states that it selected and tested an alternate site computer, and stored all relevant data and programs off site. These are important measures. However, FCC has not adequately tested the backup mainframe computer. According to the Chief of FCC’s Information Processing Division, FCC checked that the other agency’s backup computer is basically compatible with its own, but it has not tried to run any of its licensing or other systems using this computer.
FCC also commented that it has put in place a methodology for determining the criticality of its systems on a real-time basis. The Associate Managing Director for Information Management explained that, after a disaster occurs, the FCC’s Contingency Crisis Committee, composed of representatives from each of FCC’s bureaus and offices, would meet, decide what the most critical information systems are and make arrangements for running these systems. This approach would be time-consuming and ineffective unless there is adequate pre-disaster planning, such as preparing, as FCC’s directive requires, lists of each bureau’s critical systems. Such lists have not been prepared. In addition, the Contingency Crisis Committee may not be well prepared to cope with a disaster because it has not met since 1982.

With regard to FCC’s comment that it has reported emergency planning as a weakness in its 1989 Federal Managers’ Financial Integrity Act report, we noted that this weakness is not stated in the FCC’s report. Also, the official responsible for FCC’s contingency planning, the Chief of the Information Processing Division, said it was not reported as a weakness. However, FCC’s Associate Managing Director for Information Management explained that, while the report does not actually state emergency plans are inadequate, he believes it is implied by FCC’s disclosure in the report that computer security is inadequate. However, this implication is not obvious because computer security is a very broad topic.
For instance, a recent GAO report on security lists 18 types of computer security controls, ranging from the need for adequate personnel selection and screening processes to the need to control modifications to computer programs.¹ Given the FCC’s heavy reliance on information technology to support licensing and other mission-related functions, we continue to believe that emergency planning is a specific weakness and should be reported until the weakness is corrected.

5. FCC stated that to the degree that there are shortcomings in its IRM planning and its past practices, it will diligently implement corrective actions. It added that it believes it has already initiated appropriate actions and plans others to improve its IRM capabilities and effectiveness.

Our recommendations were intended to help facilitate IRM improvements. Although FCC said it will take corrective actions, it did not specify what actions it intends to take on our recommendations. Therefore, at this point, it is unclear whether FCC’s actions will adequately address our concerns.

¹ Computer Security: Governmentwide Planning Process Had Limited Impact (GAO/IMTEC-90-48, May 10, 1990).

Appendix IV: Major Contributors to This Report

Information Management and Technology Division, Washington, D.C.

David G. Gill, Assistant Director
James Houtz, Evaluator-in-Charge
Karlin Richardson, Technical Adviser
Alice Morris, Evaluator

(610449)
Federal Communications Commission: Strategic Focus Needed to Improve Information Resources Management
Published by the Government Accountability Office on 1990-07-20.