United States General Accounting Office GAO Testimony Before the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives For Release on Delivery Expected at 10 a.m. SOCIAL SECURITY Thursday, July 29, 1999 ADMINISTRATION Update on Year 2000 and Other Key Information Technology Initiatives Statement of Joel C. Willemssen Director, Civil Agencies Information Systems Accounting and Information Management Division GAO/T-AIMD-99-259 Mr. Chairman and Members of the Subcommittee: We are pleased to be here today to discuss the Social Security Administration’s (SSA) progress in implementing key information technology initiatives critical to its ability to effectively serve the public. Achieving Year 2000 (Y2K) readiness is SSA’s top information technology priority. Consistent with our prior reports,1 SSA continues to make excellent progress on Y2K and has taken important steps to implement our recommendations for mitigating risks. Further, it has initiated a number of governmentwide best practices to help ensure its preparedness for the change of century. Nonetheless, SSA’s work is not yet complete; certain tasks integral to ensuring its overall readiness for the year 2000 must still be accomplished. Another major focus of SSA’s information technology activities is implementation of its Intelligent Workstation/Local Area Network (IWS/LAN), which SSA expects will provide the agency with the basic automation infrastructure to support redesigned work processes and improve its service delivery. SSA continues to implement IWS/LAN and reports that it has now installed intelligent workstations and LANs in most of the approximately 2,000 SSA and state Disability Determination Service (DDS) sites included in the initiative. However, it has not yet implemented key processes that are essential to measuring the benefits derived from this investment. The third initiative that I will discuss today is SSA’s development of its Reengineered Disability System (RDS). RDS was intended to support SSA’s modernized disability claims process and was to be the first major programmatic software application to operate on IWS/LAN. However, SSA experienced numerous problems and delays in developing this software. Based on a contractor’s recent assessment of the initiative, SSA has now decided to terminate the original RDS strategy after 7 years of effort and about $71 million in reported costs. SSA now plans to proceed with a new strategy to address the needs of its disability determination process. 1 Social Security Administration: Significant Progress Made in Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997); Year 2000 Computing Crisis: Continuing Risks of Disruption to Social Security, Medicare, and Treasury Programs (GAO/T-AIMD-98-161, May 7, 1998); and Year 2000 Computing Crisis: Update on the Readiness of the Social Security Administration (GAO/T-AIMD-99-90, February 24,1999). Leter Page 1 GAO/T-AIMD-99-259 Year 2000: Continuing SSA first recognized the potential impact of the Y2K problem in 1989 and, in so doing, was able to launch an early response to this challenge. SSA Progress, But Critical initiated early awareness activities and made significant progress in Tasks Remain assessing and renovating mission-critical mainframe software that enables it to provide Social Security benefits and other assistance to the public. Because of the knowledge and experience gained through its Y2K efforts, SSA has been a recognized federal leader in addressing this issue. Despite its accomplishments, however, our 1997 report on SSA’s Y2K program identified, and recommended actions for addressing three key risk areas:2 • SSA had not ensured Y2K compliance of mission-critical systems used by the 54 state DDSs that provide vital support in administering SSA’s disability programs. Specifically, SSA had not included these DDS systems in its initial assessment of systems that it considered a priority for correction. Without a complete agencywide assessment that included the DDS systems, SSA could not fully evaluate the extent of its Y2K problem or the level of effort that would be required to correct it. We therefore recommended that SSA strengthen its monitoring and oversight of state DDS Y2K activities, expeditiously complete the assessment of mission-critical systems at DDS offices, and discuss the status of DDS Y2K activities in SSA’s quarterly reports to the Office of Management and Budget (OMB). • SSA had not ensured the compliance of its data exchanges with outside sources, such as other federal agencies, state agencies, and private businesses. Unless SSA can ensure that data received from these organizations are Y2K complaint, program benefits and eligibility computations that are derived from the data provided through these exchanges may be compromised and SSA’s databases corrupted. Accordingly, we recommended that SSA quickly complete its Y2K compliance coordination with all data exchange partners. • SSA lacked contingency plans to ensure business continuity in the event of systems failure. Business continuity and contingency plans are essential to ensuring that agencies will have well-defined responses and sufficient time to develop and test alternatives when unpredicted failures occur. At the time of our October 1997 review, SSA officials acknowledged the importance of contingency planning, but had not 2 GAO/AIMD-98-6, October 22, 1997. Leter Page 2 GAO/T-AIMD-99-259 developed specific plans to address how the agency would continue to support its core business processes if its Y2K conversion activities experienced unforeseen disruptions. We therefore recommended that SSA develop specific contingency plans that articulate clear strategies for ensuring the continuity of core business functions. SSA agreed with all of our recommendations and efforts to implement them have either been taken or are underway. Regarding state DDSs, SSA enhanced its monitoring and oversight by establishing a full-time project team, designating project managers and coordinators, and requesting biweekly status reports. It also obtained from each DDS a plan identifying the specific milestones, resources, and schedules for completing Y2K conversion tasks. In its most recent (May 1999) quarterly report to OMB, SSA stated that all DDS claims processing software had been renovated, tested, implemented, and certified Y2K compliant by January 31, 1999. To address data exchanges, SSA identified all of its external data exchanges and coordinated with all of its partners on the schedule and format for making exchanges Y2K compliant. As of June 27, 1999, according to the agency, over 99 percent of SSA’s 1,954 reported external data exchanges had been made compliant. Among SSA’s most critical data exchanges are those with the Department of the Treasury’s Financial Management Service (FMS) and the Federal Reserve System for the disbursement of Title II (Old Age, Survivors, and Disability Insurance program) and Title XVI (Supplemental Security Income program) benefits checks and direct deposit payments. SSA began working with FMS in March 1998 to ensure the compliance of these exchanges, and reported earlier this year that the joint testing of check payment files and testing from SSA through FMS and the Federal Reserve for direct deposit payments had been successfully completed. Further, SSA stated, it began generating and issuing Title II and Title XVI benefits payments using the Y2K compliant software at SSA and FMS in October 1998. Regarding its contingency planning, SSA has instituted a number of key elements, in accordance with our business continuity and contingency planning guidance. 3 In addition to developing its overall strategy for Y2K 3 Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, March 1998 [exposure draft], August 1998 [final]). Page 3 GAO/T-AIMD-99-259 business continuity, SSA has completed local contingency plans to support its core business operations and has received contingency plans for all state DDSs. Also included among its plans is SSA’s Benefits Payment Delivery Y2K Contingency Plan, developed in conjunction with Treasury and the Federal Reserve to ensure the continuation of operations supporting Title II and Title XVI benefits payments. Another key element of business continuity and contingency planning, as noted in our guide, is the development of a zero-day or day-one risk reduction strategy, and procedures for the period from late December 1999 through early January 2000. SSA, as a recognized leader in addressing Y2K contingency planning issues, has developed such a strategy. For example, the agency plans for select SSA and DDS sites to process late December 1999 data during the first 2 days of January 2000 as a means of testing the accuracy of the systems prior to the start of business on Monday, January 3. Other features of the strategy include implementation of (1) an integrated control center with responsibility for the internal dissemination of critical data and problem management, (2) a timeline detailing the hours during which certain events will occur (such as when workloads will be placed in the queue and backup generators started) during this rollover period, and (3) a personnel strategy and leave policy that includes commitments from key staff to be available during the rollover period. Such a strategy should help SSA manage the risks associated with the actual rollover and better position it to address any disruptions that occur. SSA has taken other vital steps to help ensure its preparedness for the year 2000. For example, it has used a Y2K test facility to test operating systems, vendor products, and mission-critical systems. SSA’s test and certification procedures included (1) baseline testing to establish current-year data for comparison, (2) forward year testing of applications with business and systems dates set in 2000 and beyond, (3) comparisons of aged baseline results with forward year test results, (4) forward date integration testing of entire business functions (i.e., all interrelated applications), and (5) independent reviews of test outputs to certify Y2K compliance. To ensure the delivery of benefits payments, SSA worked jointly with FMS and the Federal Reserve to test the transfer of approximately 7,500 electronic payments from Treasury to the Richmond, Virginia, Federal Reserve Board through the Automated Clearing House network. SSA reported that it began generating and issuing Title II and Title XVI benefits payments using the compliant software at SSA and FMS in October 1998. Page 4 GAO/T-AIMD-99-259 SSA Implemented a Y2K To further reduce the risk of disruptions, in the fall of 1998 SSA instituted a Change Management Y2K change management process. We previously testified that this effort represented a best practice governmentwide that should be adopted by Process other agencies.4 SSA’s process consists of three key components: (1) a quality assurance process, (2) Y2K system recertifications, and (3) a moratorium on discretionary software modifications. A key feature of SSA’s quality assurance process is its use of a validation tool to assess the quality of its previously renovated mission-critical applications. SSA began piloting the tool in November 1998 and expanded its use full-scale in December. The tool searches application programs to identify any date field or date logic that may fail as a result of any inadvertent modifications. The second key component of SSA’s change management process involves its plans to recertify previously renovated applications where date errors had been identified and Y2K compliant software was then modified. The recertification process includes performing forward date testing of the modified software and reevaluating the software using the quality assurance validation tool. In addition, business function experts perform independent reviews of all test outputs before recertifying the software’s compliance. Also, SSA plans to enforce a moratorium on discretionary software changes from September 1, 1999 through March 31, 2000. This moratorium is intended to help mitigate the risks associated with changing its certified systems by reducing the number of software modifications made. In those instances in which software changes are necessary—such as when compliant software must be modified due to legal or other agency requirements—SSA plans to recertify the software’s compliance. Examples of software that will be modified include applications impacted by Title II benefits rate increases and Title XVI cost-of-living adjustments that are to take effect in November, and certain cyclical software modifications that are to occur after September. 4 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20, 1999). Page 5 GAO/T-AIMD-99-259 SSA Still Needs to Complete While SSA has been a Y2K leader, it must still complete several critical Critical Tasks to Ensure tasks to ensure its readiness for the year 2000. These tasks include Year 2000 Readiness • ensuring the compliance of all external data exchanges, • completing tasks outlined in its contingency plans, • certifying the compliance of one remaining mission-critical system, • completing hardware and software upgrades in the Office of Telecommunications and Systems Operations, and • correcting date field errors identified through the quality assurance process. SSA reported as of mid-July that six of its external data exchanges were still in the process of being made Y2K compliant. In each instance, these include files that have been addressed by SSA but which need further action on the part of SSA’s business partners to achieve Y2K compliance. For example, SSA transmits one file on cost-of-living adjustments to the Department of Veterans Affairs (VA). While SSA has made the file compliant, VA must still complete its testing in order to receive the file in a Y2K compliant format. VA is scheduled to complete its testing in August. In addition, SSA is waiting to verify the successful transmission of three compliant files from Treasury regarding information on tax refund actions. SSA expects to verify the compliance of the Treasury files during the first week of August. SSA also still needs to verify the successful transmission of two Massachusetts death data files. SSA expects to complete this activity by the end of this week. Completing tasks in its contingency plans and coordinating with its own staff and its business partners to ensure the timely functioning of its core business operations is likewise critical. This includes coordinating with its benefit delivery partners on contingency actions for ensuring timely benefits payments. For example, SSA plans to assist Treasury in developing alternative disbursement processes for problematic financial institutions. SSA is also now in the process of testing all of its contingency plans, with expected completion in September. In addition, SSA must implement its day-one strategy, consisting of actions to be executed during the last days of 1999 and the first few days of 2000. SSA also has one remaining mission-critical stand-alone system—the Integrated Image-Based Data Capture System—which must still be certified as Y2K compliant. This system is used to scan and convert W-2 forms to electronic format for entry into the Annual Wage Reporting System. According to officials in SSA’s Office of Systems, the Page 6 GAO/T-AIMD-99-259 SSA-developed application software has been renovated, tested, and implemented into production; however, SSA cannot certify the system’s compliance until it has completed testing of the system’s upgraded commercial off-the-shelf software used for tracking W-2 form data from the point of receipt to image scanning. This testing is not scheduled to conclude until late August. The installation of software and hardware upgrades inSSA’s Office of Telecommunications and Systems Operations must also be completed. For example, SSA must install Internet browser patches for the IWS/LAN software by August. Finally, SSA must correct a number of date-field errors recently identified using its QA tool. SSA reported that as of July 23, 1999, it had assessed 92 percent (283 of 308) of its mission-critical applications (having a total of about 40 million lines of code),5 and that it had identified 1,565 date field errors. SSA is in the process of correcting these identified date problems. As of mid-July, it reported that 44 of the 283 applications had been corrected, recertified, and returned to production. SSA plans to correct, recertify, and implement all of its remaining applications by November, when it is scheduled to modify some mission-critical applications to reflect Title II benefit rate increases and Title XVI cost-of-living adjustments. IWS/LAN: Installations The second major information technology initiative that I will discuss today is SSA’s IWS/LAN modernization effort. SSA expects IWS/LAN to play a Continue But critical role by providing the basic automation infrastructure to support Contributions to redesigned work processes and to improve the availability and timeliness of information. Under this initiative, SSA planned to replace approximately Improved Mission 40,000 “dumb” terminals6 and other computer equipment used at about Performance Remain 2,000 SSA and state DDS sites with an infrastructure consisting of networks Unclear of intelligent workstations connected to each other and toSSA’s mainframe computers. 5 Thirteen applications were not tested because they are no longer in use (e.g., obsolete, retired, replaced), 10 because they were incompatible with the QA tool, and 1 because it was no longer part of SSA’s inventory. One application remained to be tested. 6 SSA’s “dumb” terminals are connected to its mainframe computers through its data network and are controlled by software executed on the mainframes. Page 7 GAO/T-AIMD-99-259 The resources that SSA plans to invest in acquiring IWS/LAN are enormous. The first phase of the planned project that started in 1996, was to be a 7-year, approximately $1 billion effort to acquire, install, and maintain 56,500 intelligent workstations and 1,742 local area networks, 2,567 notebook computers, systems furniture, and other peripheral devices.7 The basic intelligent workstation that SSA planned to procure included a 100-megahertz Pentium personal computer with 32 megabytes of random access memory and a 1.2-gigabyte hard (fixed) disk drive. We reported in 1998,8 however, that the IWS/LAN contractor—Unisys Corporation—had raised concerns about the availability of the intelligent workstations being acquired, noting that the 100-megahertz workstations specified in the contract were increasingly difficult to obtain. At that time, SSA’s Deputy Commissioner for Systems did not believe it was necessary to upgrade to a faster processor because the 100-megahertz workstation met the agency’s needs. Over the past year, SSA has continued its aggressive implementation of IWS/LAN. The agency reported, as of mid-July 1999, that it had completed the installation of 70,518 workstations and 1,742 LANs at 1,565 SSA sites and 177 DDS sites. As the agency has proceeded with the initiative, however, it has revised its requirements several times based on the need for additional workstations. Specifically, from June 1998 through April 1999, SSA modified its contract with the Unisys Corporation three times to purchase additional workstations and related hardware. These modifications increased from 56,500 to 70,624, the total number of intelligent workstations acquired under the Unisys contract.9 In addition, because Unisys faced difficulty in obtaining the 100-megahertz workstations specified in the initial contract, the additional workstations acquired through the modifications were configured with processor speeds ranging from 266 megahertz to 350 megahertz. 7 The national IWS/LAN initiative consisted of two phases. During phase I, SSA planned to acquire workstations, LANs, notebook computers, systems furniture, and other peripheral devices as the basic, standardized infrastructure to which additional applications and functionality can later be added. Phase II was intended to build upon the IWS/LAN infrastructure provided through the phase I effort. 8 Social Security Administration: Technical and Performance Challenges Threaten Progress of Modernization (GAO/AIMD-98-136, June 19, 1998). 9 SSA also used another procurement vehicle to procure 1,767 additional workstations that are also part of the IWS/LAN architecture. Page 8 GAO/T-AIMD-99-259 According to SSA officials overseeing the initiative, SSA’s initial estimates of its IWS/LAN requirements had not fully considered the needs of all SSA and state DDS sites. As a result, additional workstations were necessary to (1) ensure Y2K hardware compliance at all DDS sites, (2) complete installations in some of SSA’s larger sites, and (3) support training needs. SSA reported that the contract modifications cost about $32 million and that it had completed the installations of all but 106 workstations acquired via the modifications by July 11, 1999.10 Beyond these modifications, however, SSA has continued to increase its requirements and is currently in the process of acquiring additional workstations to support the national IWS/LAN initiative. In particular, SSA’s Office of Systems concluded during fiscal year 1999 that the workstations acquired via the Unisys contract and its subsequent modifications were not sufficient to fulfill the IWS/LAN requirements of all SSA and DDS sites. As a result, the Chief Information Officer (CIO), in November 1998, approved a request for a $45 million, 5-year follow-on contract to acquire, install, and maintain at least 6,900 additional workstations and about 275 additional LANs. According to a Systems official, the intelligent workstation that SSA has specified for the follow-on contract is, at a minimum, a 333-megahertz Pentium II processor with 64 megabytes of random access memory and a 4-gigabyte hard (fixed) disk drive. SSA is currently evaluating vendors’ proposals and expects to award the contract by the end of July. Although the CIO approved the Unisys contract modifications and the follow-on contract, SSA’s Deputy Commissioner for Finance, Assessment and Management had previously expressed concerns about SSA’s need for the additional workstations and their expected benefits. In particular, in letters to the CIO in November 1998 and April 1999, the Deputy Commissioner recommended that the CIO approve the additional workstations from Unisys and the follow-on contract award on the condition that SSA would, respectively, (1) reassess the total number of work year savings for IWS/LAN and (2) reconcile the number of workstations against staffing levels. The CIO agreed to these conditions and requested that relevant agency components determine the reasons for the additional workstations and identify the benefits expected to be 10 According to SSA, the remaining workstations are to be installed by October 1999. Page 9 GAO/T-AIMD-99-259 achieved from them. Although this effort has been ongoing for about 8 months, as of July 22, the study had not been finalized. IWS/LAN’s Actual Last June, we expressed concern that SSA lacked target goals and a defined Contribution to Improved process for measuring IWS/LAN performance—essential to determining whether its investment in IWS/LAN was yielding expected improvements in Productivity and Mission service to the public.11 According to the Clinger-Cohen Act and OMB Performance Remains guidance, effective technology investment decision-making requires that Unclear processes be implemented and data collected to ensure that (1) project proposals are funded on the basis of management evaluations of costs, risks, and expected benefits to mission performance and (2) once funded, projects are controlled by examining costs, the development schedule, and actual versus expected results. We therefore recommended that SSA establish a formal oversight process for measuring the actual performance of IWS/LAN, including identifying the impact that each phase of this initiative has on mission performance and conducting postimplementation reviews of the project. Although SSA agreed with the need for performance goals and measures, its Information Technology Systems Review Staff had neither completed nor established plans for performing in-process reviews of IWS/LAN to (1) compare the estimated cost levels to actual cost data, (2) compare the estimated and actual schedules, (3) compare expected and actual benefits realized, and (4) assess risks. In addition, while the Clinger-Cohen Act and OMB guidelines call for postimplementation evaluations to determine the actual project cost, benefits, risks, and returns, SSA has not scheduled a postimplementation review to validate the IWS/LAN phase I projected savings and to apply lessons learned to make other information technology investment decisions. According to the Director of the Information Technology Systems Review Staff, the agency has no plans to perform either in-process or postimplementation reviews unless problems are identified that warrant such an effort. As expressed in our earlier report, it is essential that SSA conduct in-process and postimplementation reviews for the IWS/LAN initiative. Since 1994, we have expressed concerns regarding SSA’s need to measure 11 GAO/AIMD-98-136, June 19, 1998. Page 10 GAO/T-AIMD-99-259 the actual benefits achieved from its implementation.12 Moreover, as the agency continues to expand IWS/LAN via its follow-on workstation acquisitions, it is critical for the agency to know how well it has achieved the savings projected in its initial assessments supporting this initiative. Without such reviews, the agency will be unable to make informed decisions concerning (1) whether it should continue, modify, or terminate its investment in a particular initiative or (2) how it can improve and refine its information technology investment decision-making process. SSA Will Need to Continue Our 1998 report also noted concerns among state DDSs about the loss of to Address DDS Network network management and control over IWS/LAN operations in their offices and dissatisfaction with the service and technical support received from Management Concerns the IWS/LAN contractor.13 Accordingly, we recommended that SSA work closely with the DDSs to identify and resolve the network management concerns. SSA has worked with the DDSs to address these issues. For example, it is providing additional servers to give the DDSs certain administrative rights capabilities, such as access to specific login scripts and full control over DDS applications. SSA has also worked with the DDSs to streamline the maintenance process and establish agreements that would allow the DDSs to perform their own IWS/LAN maintenance. Under such agreements, according to SSA, states could rely on their in-house technical staff—rather than the services of the IWS/LAN contractor, Unisys Corporation—to address maintenance problems. At the conclusion of our review, SSA had entered into a maintenance agreement with one state DDS—Wisconsin— and was considering the requests of four other DDSs. Other issues also continue to concern the DDSs. For example, representatives of the National Council of Disability Determination Directors, which represents the state DDSs, stated that they remain concerned about SSA’s attempts to implement a standard print solution. In addition, they stated that SSA has not ensured that the workstations implemented adhere to a standard configuration that provides all DDS system administrators with the same rights. SSA has acknowledged these issues and plans to work with the states to address them. 12 Social Security Administration: Risks Associated With Information Technology Investment Continue (GAO/AIMD-94-143, September 19, 1994). 13 GAO/AIMD-98-136, June 19, 1998. Page 11 GAO/T-AIMD-99-259 RDS: Development SSA’s work toward developing RDS has been ongoing for many years. The initiative began in 1992 as the Modernized Disability System and was Problems Have Led redesignated as RDS in 1994 to coincide with the agency’s efforts to SSA to Discontinue the reengineer the disability claims process. As shown in figure 1, SSA had planned to implement the RDS software starting November 1996 and to Initiative complete the national rollout by May 2001. Figure 1: Planned RDS Rollout Schedule Implement Release 4 and complete national rollout Implement Release 3 Implement Release 2 Implement Release 1.1 Implement Release 1 1996 1997 1998 1999 2000 2001 2002 Source: SSA. When completed, RDS was to be the first major programmatic software application to operate on SSA’s IWS/LAN infrastructure and be part of the enabling platform for SSA’s modernized disability claims process. Specifically, RDS was to automate the Title II and Title XVI disability claims processes—from the initial claims-taking in the field office to the gathering and evaluation of medical evidence in the state DDSs, to payment execution in the field office or processing center, and include the handling of appeals in hearing offices. SSA anticipated that this automation would contribute to increased productivity, decreased disability claims processing times, and more consistent and uniform disability decisions. However, Page 12 GAO/T-AIMD-99-259 after approximately 7 years and more than $71 million14 reportedly spent on the initiative, SSA has not succeeded in developing RDS and no longer plans to continue the effort. As figure 2 shows, from 1993 through 1999, SSA took various steps toward developing the RDS software. Figure 2: Actual RDS Rollout Schedule Further RDS rollout suspended Reintroduced Release 1 Pilot Began defining Release 2 Piloted, enhanced, and converted Release 1 to NT Platform Developed Release 1 for OS/2 Platform 1993 1994 1995 1996 1997 1998 1999 Source: SSA. However, even in its earliest stages, this effort proved problematic and was plagued with delays. For example, in September 1996, we reported that software development problems had delayed the scheduled implementation of RDS by more than 2 years.15 An assessment of the development effort revealed a number of factors as having contributed to that delay, including (1) using programmers with insufficient experience, (2) using software development tools that did not perform effectively, and 14 The reported costs were for RDS software design and development, pilot tests, and contractor support. 15 Social Security Administration: Effective Leadership Needed to Meet Daunting Challenges (GAO/HEHS-96-196, September 12, 1996). Page 13 GAO/T-AIMD-99-259 (3) establishing initial software development schedules that were too optimistic. SSA proceeded with the initiative nonetheless and, in August 1997, began pilot testing the first release of the RDS software in its Alexandria, Virginia, field office and the federal DDS16 for the specific purposes of (1) assessing the performance, cost, and benefits of the software and (2) determining IWS/LAN phase II equipment requirements. However, as we previously reported, SSA encountered performance problems during the pilot tests.17 For example, Systems officials stated that, using RDS, the reported productivity of claims representatives in the SSA field office dropped due to the system’s slow response time. Specifically, the officials stated that before the installation of RDS, each field office claims representative processed approximately five case interviews per day. After RDS was installed, each claims representative could process only about three cases per day. In response to the RDS performance problems, SSA delayed its plans for expanding the pilot to other offices and, in March 1998, contracted with Booz-Allen and Hamilton to independently evaluate and recommend options for proceeding with the initiative. According to the statement of work, Booz-Allen and Hamilton was tasked to provide SSA with a comparative cost, benefit, risk, and schedule assessment for RDS, and to propose alternative strategies for achieving its underlying objectives. The contractor was originally scheduled to deliver its report to SSA in September 1998, at which time SSA planned to select an option for proceeding to achieve objectives intended for the initiative. However, SSA later extended this milestone, with the draft report being delivered in February 1999. Systems officials subsequently required the contractor to address additional comments and concerns put forth by SSA and the DDSs, resulting in additional delays. SSA provided the report to us on July 26. According to the Booz-Allen and Hamilton report, the RDS software had defects that would diminish the current case-processing rate at DDS sites. In addition, SSA had not been timely in addressing the software defects. For example, 90 software problems identified by SSA staff remained unresolved after more than 120 days. As a result, the Booz-Allen and 16 The federal DDS provides backup services to state DDSs when the state offices cannot process their workloads and serves as a model office for testing new technologies and work processes. 17 GAO/AIMD-98-136, June 19, 1998. Page 14 GAO/T-AIMD-99-259 Hamilton report recommended that SSA discontinue the RDS initiative and focus on an alternative solution involving the use of an electronic folder to replace the paper-based case folder in the disability determination process. Further, to reduce development risks, the contractor recommended that the electronic folder project be segmented into manageable sections. SSA Plans to Launch a New Based on the assessment it received from Booz-Allen and Hamilton, SSA Initiative has discontinued the development of RDS and has begun to pursue a new strategy for addressing the needs of its disability determination process. According to the RDS project manager, the strategy that SSA is now considering will be multifaceted, incorporating three components: (1) an electronic disability intake process—which will include a subset of the existing RDS software, (2) the existing DDS claims process, and (3) a new system for the Office of Hearings and Appeals. In addition, we were told that the strategy will rely on the use of an electronic folder to transmit data from one processing location to another. The electronic folder is to be a data repository, storing documents that are keyed in, scanned, or faxed, and will essentially replace the current process of moving a paper folder from one location to another and entering data into a separate system. SSA began pilot testing its new strategy on July 26. However, as SSA is beginning to move forward with this new initiative, it needs to take advantage of opportunities to apply improved software development processes. In January 1998, we reported that SSA had begun taking steps to improve its software development capability.18 Significant actions that SSA initiated include (1) launching a formal software process improvement program, (2) acquiring assistance from a nationally recognized research and development center in assessing its strengths and weaknesses and in assisting with improvements,19 and (3) establishing management groups to oversee software process improvement activities. SSA has developed and is currently applying the improved software development processes to 11 projects. Given the failure of RDS, it is imperative that any future software initiatives adhere to the improved processes and methods. Without such linkage, SSA again risks spending millions on a project that will not succeed. On July 27, 18 Social Security Administration: Software Development Process Improvements Started But Work Remains (GAO/AIMD-98-39, January 28, 1998). 19 The Software Engineering Institute at Carnegie Mellon University, in Pittsburgh, Pennsylvania. Page 15 GAO/T-AIMD-99-259 SSA officials told us that the new post-RDS initiative will be linked to the agency’s software development improvement efforts. In summary, SSA has encountered mixed success in implementing its key information technology initiatives. The agency has clearly been a leader on Y2K and has demonstrated a commitment to addressing the challenges of the century date change. Further, the agency has worked aggressively to implement IWS/LAN as its basic automation infrastructure. However, the benefits of the IWS/LAN investment remain uncertain because SSA has not yet assessed its actual contribution to improved mission performance. In addition, after years of problems, SSA terminated RDS, which will delay expected improvements in the processing of disability claims. To avoid repeating past mistakes on its future information technology efforts, SSA will need to, at a minimum, apply disciplined information technology investment management practices and adhere to improved software development processes. Mr. Chairman, this concludes my statement. I would be happy to respond to any questions that you or other members of the Subcommittee may have at this time. Contact and For information about this testimony, please contact Joel Willemssen at (202) 512-6253. Individuals making key contributions to this testimony Acknowledgements included Michael A. Alexander, Yvette R. Banks, Nabajyoti Barkakati, Kenneth A. Johnson, Valerie C. Melvin, and Sonal Vashi. (511770) Leter Page 16 GAO/T-AIMD-99-259 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Mail General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Social Security Administration: Update on Year 2000 and Other Key Information Technology Initiatives
Published by the Government Accountability Office on 1999-07-29.
Below is a raw (and likely hideous) rendition of the original report. (PDF)