CONTROLLED BY U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT, OFFICE OF INSPECTOR GENERAL

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
OFFICE OF INSPECTOR GENERAL
OFFICE OF EVALUATION
INFORMATION TECHNOLOGY EVALUATIONS DIVISION
WASHINGTON, DC

HUD IT Modernization Report (2015-OE-0002)
HUD OIG Evaluation 2015-OE-0002
HUD OIG Office of Evaluation
T: 202-603-8410; E: OE@hudoig.gov

Executive Summary: 2015 Evaluation of the HUD’s IT Modernization Programs

Purpose

The U.S. Department of Housing and Urban Development (HUD) relies heavily on information technology (IT) to deliver and manage services. IT management and senior leadership support is key to successful IT modernization, enterprise architecture (EA), and IT capital planning and investment programs.

Our objective for this evaluation was to review the implementation and maturity of HUD’s capital planning and investment control (CPIC) process and EA program, focusing on how they support HUD’s strategic plan and IT modernization roadmap. To accomplish our objective, we analyzed HUD’s critical processes and policies, operational practices, and program IT budget and project data.

What HUD OIG Found

HUD is preparing to undergo a significant IT contract transition, has had key personnel turnovers over the years, and needs to address program office IT legacy systems. Therefore, it is important for HUD OCIO to develop, improve upon, and implement crucial and strategic IT programs and policies, which were reviewed in this evaluation.

HUD had established initial elements of key IT programs and policies as a basis for effective IT capital planning, EA, and modernization. In our review, we identified several strategic deficiencies within HUD:

• A HUD system development life cycle program had not been fully established: OCIO maintains many IT systems for each program office; however, many mission systems are out of life cycle and require upgrades to both software and hardware. Based on data in the HUD high-level systems report,1 74 of 85 systems, which are operated by one or more components, are at the end of service or support from the vendor (figure 1).

[Figure 1, Status of major HUD systems, as of Feb 2014: total systems reviewed, 85; end of life systems, 74; systems within life, 11]

• An enterprise risk management office had not been established: While some program offices implement and maintain a risk management program, an OCIO-level or department-wide enterprise risk management office had not been established. An independent risk management program at the department level can integrate risk management into the strategic and decision-making processes that cut across the organizational layers and reduce the practice of managing risks within functional silos or program offices.2 At a minimum, it is recommended that the OCIO form a risk management office to establish integration of IT systems across business segments.

• IT projects and project scopes differed between OCIO and program offices: Project lists, scopes, and investments were not synchronized across OCIO departments and program offices. We found a number of lists that were not synchronized, were difficult to cross-reference, and could not be used to determine active or non-active projects and investments. Also, not all projects had been assigned a project manager according to the lists provided. Finally, these lists did not reconcile with the input in the electronic Capital Planning and Investment Control system and IT dashboard.3

• IT policies and procedures were not consistently approved or properly communicated: Many of the HUD policies and procedures were recently updated but had not been approved and signed by the appropriate senior leadership and were not fully implemented or understood across the entire user base. This condition is due in part to a lack of a dissemination process, training, and communication between the program offices and OCIO.

HUD had effectively developed processes to operate and maintain commodity IT services and systems, including the network infrastructure and service desk functions. However, many mission-essential IT systems are legacy and in need of modernization or replacement. Based on U.S. Government Accountability Office reports, interviews, and documentation reviews during this evaluation, HUD mission IT systems were found to be duplicative and inconsistently integrated among program offices and employed antiquated technologies that required expensive maintenance.

Specific program area recommendations have been made in each section of this report, and a consolidated list of recommendations can be found in appendix A.

Recommendations

• Implement a mission-critical system development life cycle program: Develop a coordinated effort to implement an IT life cycle replacement program for mission-critical systems.
• Develop an IT enterprise risk management office: Develop and staff an Office of the Chief Information Officer (OCIO)-level risk management office.
• Standardize communication: Finalize and apply a strategic communication program of IT policy across OCIO & business segments.
• Approve policy & processes: Approve at appropriate levels, implement, and disseminate policy & processes as intended.

1 HUD, HUD Enterprise Roadmap, FY2014 – Version 5.0; Exhibit K: HUD High-level Components and Technology report (February 2014)
2 IBM Center for the Business of Government, Managing Risk in Government: An Introduction to Enterprise Risk Management (2010)
3 HUD OIG Evaluation 2015-OE-0003, IT Dashboard Evaluation (January 2015)
CONTENTS

Executive Summary
Background
Methodology and Scope
OCIO Strengths and Weaknesses
IT Modernization Roadmap
State of HUD’s Modernization Roadmap
Roadmap Status
HUD IT Infrastructure Contract Status
Program Office Review (TRACS and CHUMS)
TRACS
CHUMS
Data Governance
HUD IT Modernization Roadmap Recommendations
HUD Enterprise Architecture
HUD EA Project Status
EA Value Measurement
HUD EA Recommendations
HUD Capital Planning and Investment Control
HUD IT Budget
HUD CPIC Process Recommendations
Appendix A: Summary of Recommendations
Appendix B: HUD OCIO Exit Conference Briefing Comments
HUD OIG Comments
Appendix C: HUD OCIO Draft Report Comments
HUD OIG Comments

Background

Information technology (IT) plays a critical role in HUD’s ability to carry out its mission and objectives. We reviewed the adequacy of key IT management and modernization controls within HUD, including strategic planning and performance measurement, enterprise architecture (EA) development and use, and modernization within program offices. These basic IT criteria are critical to creating a successful IT environment in HUD and are mandated by Office of Management and Budget (OMB) memorandums and applicable Federal law.

Capital planning investments must be submitted annually to Congress via Exhibit 53 and Exhibit 300 reports. Further, EA plans and modernization roadmaps must be submitted to OMB, and regular working capital fund department progress updates must be reported to congressional committees annually. In addition, the Federal Chief Information Officer published an IT roadmap for the Federal Government and respective chief information officers to develop, implement, and maintain agency and department EA programs, the capital planning and investment control (CPIC) process, and modernization strategic planning.4 This evaluation report reviews the status of these programs within HUD.

Methodology and Scope

We performed the IT modernization evaluation to determine the effectiveness of the HUD capital planning, EA, and IT modernization processes and programs. To address our objective, we reviewed the following:

• Core HUD Office of the Chief Information Officer (OCIO) functions and documentation, including
  o The CPIC process,
  o The EA program, and
  o The IT modernization roadmap.
• Applicable laws and regulations governing and directing the core functions being reviewed, such as
  o The Clinger-Cohen Act,
  o The E-Government Act,
  o OMB memorandums and circulars, and
  o Other relevant Federal and department policies and guidance such as those of the U.S. Department of Commerce.
• A modernization and investment review of the following sample systems:
  o The Computerized Homes Underwriting Management System (CHUMS) and
  o The Tenant Rental Assistance Certification System (TRACS).
• Interviews with OCIO personnel.
• Previous U.S. Government Accountability Office (GAO) reports referencing HUD’s CPIC, EA, and IT modernization programs.

We completed our fieldwork at HUD headquarters in Washington, DC, and conducted the evaluation in accordance with the Quality Standards for Inspections and Evaluation, issued by the Council of Inspectors General on Integrity and Efficiency. OCIO was briefed on the draft outcome and recommendations on February 26, 2015, and provided comments in appendix B.

4 OCIO; Federal CIO Roadmap

OCIO Strengths and Weaknesses

During the course of the evaluation, we found the following OCIO strengths and weaknesses in relation to the evaluation topics.

Strengths
• Documented modernization roadmap to improve EA program
• Knowledgeable new EA leadership
• Strong, positive attitude to make necessary changes
• Program office interest in greater coordination with OCIO
• Instances of mature commodity & enterprise services delivery (for example, Enterprise Service Desk)

Weaknesses
• Lack of modernization project measurements
• Lack of policy and procedure approval and understanding across program offices
• Deficient system development life cycle program
• Lack of a coordinated risk management office
• IT investment governance not operating according to policy
• Program offices' lack of knowledge and understanding of development, modernization, and enhancement planning
• Lack of appropriate funding plan to implement roadmap

IT Modernization Roadmap

An effective IT modernization roadmap provides the following:

• Improves the organization’s ability to effectively, efficiently, and economically leverage IT.
• Increases the organization’s capability to collect, process, and make available quality data and information to drive and support agency-wide mission and objectives.
• Identifies government and industry standards and best practices to produce modernized systems that support the agency’s mission, are transparent, and are in alignment with business models and segments.

We found that HUD had many legacy systems and inefficiencies throughout the IT mission-critical system inventory. Further, in the fiscal year (FY) 2014 HUD Enterprise Roadmap, HUD OCIO recognized that the IT environment had the following challenges:5

Current state of HUD IT architecture
1. Program centric, compliance-driven EA
2. Disparate collection of data and information
3. Lack of cohesiveness in IT governance
4. Complex and redundant IT investments
5. Lack of IT standards for deploying systems
6. Architecture not integrated within IT life cycle

The future state environment, as outlined in the FY 2014 HUD Enterprise Roadmap, will result in mission-driven and customer-focused IT architecture, reduction in duplication, increased efficiency, and alignment of IT investments with business needs. To reach the stated efficiencies, HUD must gain senior leadership’s full support and approval of the roadmap, communicate and implement the roadmap, synchronize efforts among the business segments, and improve measurements of the roadmap’s implementation.

State of HUD’s Modernization Roadmap

Roadmap Status

HUD OCIO had conceptually developed an IT enterprise modernization roadmap and transition plan to achieve an efficient IT target environment but must gain support of senior HUD leaders through the IT governance structure and continue implementation. GAO developed and recommended using the modernization roadmap process in the GAO-12-791 report.6 HUD should continue to leverage this process to refine the roadmap and achieve modernization that supports business needs and enhance efficiencies through reduction of duplicative and legacy systems.

5 Exhibit N: HUD EA Self-Assessment, HUD FY 2014 Enterprise Roadmap, v 5.0. (March 28, 2014)
6 GAO, GAO-12-791 Report, Organizational Transformation: Enterprise Architecture Value Needs to Be Measured and Reported, pg. 44-45 (September 2012)

Finally, we determined that HUD should develop a strategic approach to measure the overall modernization effort. HUD had taken steps to define the scope and a strategy to implement modernization projects in alignment with the HUD mission; however, HUD had not developed comprehensive plans and measurements to determine the health and effectiveness of IT projects.
For example, the “HUD Integrated Sequencing Plan, Development, Modernization, and Enhancement (DME) Funded Activities FY2010-2015” showed that the Affirmatively Furthering the Fair Housing Data Mapping Tool project was to have been completed in FY 2013. However, this project appeared in the “FY 2014 IT Expenditure Plan” as an ongoing project. Our findings for EA roadmap implementation are consistent with the recommendations in the GAO-14-283 report.7

HUD IT Infrastructure Contract Status

The transition of HUD IT Services (HITS) to HUD Enterprise Architecture Transformation (HEAT) is a large ongoing contract initiative within the HUD modernization roadmap. The goal of this effort is to recompete the contract and obtain the greatest efficiencies by the service providers. The initial target to begin the transition was FY 2012;8 however, delays have prevented the transition from occurring as of this evaluation. The HITS contract expired in 2013, and HUD is in the second and last year of a sole-source contract extension. The HUD FY 2013 EA policy and FY 2014 Modernization Roadmap include a migration requirement for HITS to HEAT transition, yet HUD had not documented a transition plan.

Program Office Review (TRACS and CHUMS)

The Tenant Rental Assistance Certification System (TRACS) and Computerized Homes Underwriting Management System (CHUMS) were reviewed, and we determined that both were legacy and mission-critical IT systems. We determined that the program offices did not have a clear understanding or vision of the OCIO EA program, the modernization roadmap, or a HUD risk management process. Modernization of these programs had not been completed; therefore, program offices had implemented their own risk management, modernization efforts, and organizational IT components to manage IT system functions. The OCIO modernization roadmap and the program office transformation initiatives need to align and be coordinated to ensure implementation and operations of systems within business segments.

TRACS

TRACS legacy components: Six of ten software platform components require modernization.

TRACS satisfies an important role in HUD’s multifamily housing program. TRACS accounts for 78 percent of all of HUD’s housing subsidy processing ($9.8 billion). Of that 78 percent, 50 percent represents voucher payments within the Office of Multifamily Housing Programs, and the other 50 percent is for Section 8 programs. For nearly 7 years, the TRACS program office had requested DME funding through the capital planning process to upgrade critical systems and components. Specifically, a need for $3.5 million had been identified by the program office to modernize critical components. TRACS had been requesting a system upgrade since fiscal year 2013. The program office for TRACS submitted an impact assessment, which stated, “TRACS has no vendor support agreement, therefore, when the old system catastrophically fails, there is no means to manage Housing’s rental assistance programs and/or pay subsidy payments of approximately $9.8 billion annually.” The TRACS program office was scheduled to receive the funding for DME purposes; however, in 2013, the funding was redirected.

7 GAO, GAO-14-283 Report, HUD’s Expenditure Plan Satisfied Statutory Conditions; Sustained Controls and Modernization Approach Needed (February 2014)
8 HUD, Working Capital Fund, Fiscal Year 2012, retrieved at http://portal.hud.gov/hudportal/documents/huddoc?id=WorkingCapFund_2012.pdf

CHUMS

CHUMS legacy components: One of two software platform components requires modernization.

CHUMS, within the Office of Single-Family Housing, is an integral business process in HUD as a loan endorsement system for the Federal Housing Administration. The system is outdated, and security maintenance is impacted by legacy platforms, putting 1.5 million personally identifiable information records at risk. CHUMS modernization was not on the OCIO FY 2014 DME list; however, it is on the OCIO FY 2015 draft spending plan for funding with conditions. According to the FY 2015 draft spending plan, CHUMS will be reviewed for contract and hardware consolidation with other systems. CHUMS does not have an alternative operational solution in the event of an IT component failure. CHUMS program officials fully understand the IT modernization need and estimate the cost to be $25 million.

Our detailed review of two mission-critical applications revealed material risks to HUD. A cursory review of other mission-critical applications revealed similar risks that need to be addressed with proper IT modernization planning, funding of approved modernization projects, and continual IT governance.

Data Governance

Data governance was not directly within scope of this evaluation; however, it does relate to IT modernization efforts and, therefore, was reviewed at a strategic level. Key observations and considerations are discussed below.

Data governance is the overall management of availability, usability, integrity, and security of the data employed in an enterprise.9 Successful implementation of major modernization initiatives such as New Core and HEAT, while maintaining a secure environment, requires a sound data governance program. Systemic data governance issues were revealed during this evaluation. For example, TRACS data are susceptible to quality and integrity issues due to the implementation of four different unsupported database platforms. Data governance within HUD is necessary to achieve a seamless interface between TRACS and New Core, which is HUD’s initiative to replace its aging financial systems.
According to HUD’s EA documentation, the HUD Data Stewards Advisory Group and the EA program officials had conducted studies in 2012-2013 of HUD’s data management practices. The studies identified a number of data governance deficiencies. HUD also recognized that OMB Memorandum M-13-13, Open Data Policy – Managing Information as an Asset, required actions and improvements to data management practices. Improvements in the program will be key to modernization success. The following recommendations can improve the HUD data governance program:

• Support the Data Stewards Advisory Group: The Data Stewards Advisory Group should meet regularly with attendance from HUD and business segment leadership to develop a data management strategy.
• Review and fix data accuracy: OCFO should identify the system data owners and develop a plan to clean and consolidate data before migrations.
• Continue and finalize the master data management and enterprise data modeling projects: OCFO should devote personnel resources to these projects to define data redundancy, quality, and integrity issues before transition of modernization projects (for example, HEAT, TRACS) or other IT migrations.

9 TechTarget definition of “data governance”

HUD IT Modernization Roadmap Recommendations

1. Formalize and fully implement segment governance: As noted in the EA documentation, segment governance had not been formally established.10 This condition limits the ability for senior departmental and segment leadership to make consistent decisions across segments to create financial, business, and IT efficiencies.

2. Develop and finalize the IT infrastructure services contract migration plan: OCIO is working to finalize the HEAT migration plan but should include the program offices and segments in the development of the plan. In addition, the HUD EA document should be updated to align with the adopted HEAT plan.

3. Implement project health assessments to measure the effectiveness of IT project planning and execution: HUD had developed project scope, implementation strategy, schedule, and related goals in the modernization roadmap and FY 2014 IT Expenditure Plan. However, measurements need to be developed to define the health and status of the modernization projects. This is consistent with recommendations from the GAO-14-283 report. This recommendation also applies to the CPIC process.

10 HUD, HUD Enterprise Roadmap, FY2014 – Version 5.0 (March 28, 2014)

HUD Enterprise Architecture

Enterprise architecture adds value to business: The value of employing an EA program and outcome measurements are realized cost savings through consolidation and reuse of shared services and elimination of antiquated and redundant mission operations, enhancing information sharing through data standardization and system integration, and optimizing service delivery through streamlining and normalizing business processes and mission operations.

We found that the HUD EA program was gradually progressing, and a critical lead EA position was filled in 2014. HUD had drafted both an EA policy and EA roadmap as recommended by GAO in 2012,11 and had made improvements in the EA program since GAO began citing issues starting in 2009. Based on the HUD EA Division’s self-assessment and our evaluation, we agree that the EA program, using the GAO EA Maturity Model Framework, is at stage (level) 2 as shown in figure 2.

[Figure 2. HUD EA Maturity Model Assessment Level]

Although HUD was improving the overall EA program and continuing to make progress, HUD OCIO needs to continue implementing the EA strategies and projects set forth in the HUD EA roadmap.12 In addition, the HUD FY 2013 target EA policy from November 2012 requires an update and review, incorporating the latest OCIO goals and objectives, project updates, and formatting corrections.

HUD EA Project Status

The HUD EA program tracks all DME of systems and major IT projects. To assist with managing IT projects and IT modernization efforts, HUD OCIO employs an enterprise Project Management Office (ePMO). The ePMO is in the process of implementing a project health assessment to identify underperforming projects in the IT portfolio. However, at the time of this evaluation, neither initiative had been fully implemented or documented, resulting in ad hoc project management across the program offices and hindering HUD’s ability to identify underperforming projects. The following processes are required by HUD OCIO to fully implement and mature the ePMO.13

• Define and institutionalize the right technical tools to perform ePMO functions
• Provide employee training
• Develop, finalize, and communicate the ePMO processes & procedures (in coordination with the CPIC process, EA program & roadmap)
• Define and fill ePMO positions
• Develop and execute a strategic communications plan to gain leadership and program office or segment buy-in

We found a number of active IT investment and project lists in HUD OCIO that were inconsistent or did not reflect the data in the EA roadmap. Figure 3 shows a partial example of two lists with differing data for two active investments. Two organizational components within OCIO (ePMO and the Information Technology Investment Management office) maintain IT project lists for major IT investments; however, they did not agree.

11 GAO, GAO-12-791 Report, Organizational Transformation: EA Value Needs to Be Measured and Reported, pg. 10 (September 2012)
12 When properly managed, EA can help optimize the relationships among an organization’s business operations and the IT infrastructure and applications supporting them.
13 HUD OCIO, Executive Status Briefing Enterprise Program Management Division: ePMO (November 2014)

We recommend that these lists be reconciled into one authoritative list and approved in accordance with the HUD IT governance framework.14 We identified a third list, Exhibit E, HUD Project Information Report, from the FY 2014 HUD Enterprise Roadmap as the most comprehensive project list. The Exhibit E list assessed the compatibility for the project to follow the HUD enterprise roadmap and support the business strategy. Adopting this list for all OCIO entities as the authoritative project list would ensure consistency and be a beneficial step in coordinating projects across the agency.

[Figure 3. Example HUD Investment Lists]

EA Value Measurement

OMB provides guidance through the Federal Enterprise Architecture program for developing EA value measurement programs. Agencies are required to measure enterprise architecture strategic mission value (outcomes and benefits) by means of an EA value measurement plan. This plan is intended to establish enterprise outcomes and a documented method of metrics that are measurable, meaningful, repeatable, actionable, and aligned with HUD’s enterprise architecture strategic goals. In addition, the measurements should periodically measure and report the enterprise architecture and roadmap outcomes and benefits.

According to GAO, HUD had completed this report for FY 2011 but had not established goals for reducing redundancy or updating legacy systems.15 HUD submitted to OMB an FY 2013 EA value measurement report, but we found that a number of measurements were incomplete, reducing HUD’s ability to make strategic decisions and implement the IT target environment. The agency is required to establish and determine a way to measure the agency EA program through self-assessments and EA value measurement reports.

14 Found in HUD OCIO, Information Technology Management Framework and Governance Concept of Operations, v 2.0. (June 2011)
15 GAO, GAO-12-791 Report, Organizational Transformation: Enterprise Architecture Value Needs to Be Measured and Reported, pg. 44-45 (September 2012)

HUD EA Recommendations

1. Validate the accuracy of IT investment lists by segment and the associated projects and ensure alignment with EA strategy: Leveraging the IT governance structure,16 OCIO should develop a consolidated project list by IT investment that is aligned to the EA and enterprise roadmap strategy.

2. Define and assess measurements in a yearly EA value measurement report in accordance with OMB EA framework guidance:17 These measures provide input to senior leadership on the status of efficiencies that EA has created for the agency. Value measurement reports should be part of the yearly agency enterprise roadmap submission to OMB. The HUD EA value measurement report should include targets for the following measurements:

Category | Inventory-outcome | Area of measurement | Measurement indicator
Spending | System inventories | Completeness | % of IT investments going through the investment review board that have been reviewed by the EA team
Spending | System inventories | Accuracy | % of IT investments approved by the investment review board aligned to the target architecture
Spending | Outcomes | Cost savings-avoidance | # of duplicative or overlapping investments
Systems | Outcomes | Cost savings-avoidance | # of dollars saved or how the EA program contributes in cost savings through system consolidation
Services | System inventories | Accuracy | % of agency services that are up to date and accurate
Services | Outcomes | Reduction of duplication | # of duplicate services EA helped identify
Security | Outcome | Reduction of duplication | # of duplicate security implementations EA helped identify

16 The HUD IT governance structure is a structure that “empowers business areas to influence IT strategic priorities and ensure that all portfolio & project activities align with mission area needs.” It can be found in the FY 2013 EA document and the Information Technology Management Framework and Governance Concept of Operations.
17 Value measurement reports should be included as part of yearly enterprise roadmap submissions to OMB according to OMB memorandum, Increasing Shared Approaches to Information Technology Services, dated May 2, 2012; the OMB Common Approach to Federal Enterprise Architecture; and GAO report GAO-12-791.

HUD Capital Planning and Investment Control

We found that HUD had a documented CPIC process that generally included elements of an effective IT investment management process. However, HUD lacked measurements and automated methods for tracking the IT portfolio (IT investments and projects). HUD was unable to identify underperforming projects or whether the investments had created cost-saving or operational efficiencies. HUD is in the process of implementing Project Health Assessments (PHA) through the enterprise project management office to address the identification of underperforming projects. However, as of this report, OIG has not seen evidence of the PHA implementation.

In the 2015 appropriations bill, the committee requested that HUD provide “details regarding HUD’s portfolio of IT investments and the status of the Department’s efforts in applying IT management controls.”18 The bill also “strongly urges HUD establish a true working capital fund” with a cost-accounting structure to appropriately allocate charges to offices for services consumed.
Our findings were consistent with the issues identified in the GAO report, GAO-15-56.19 The following adjustments would improve HUD’s CPIC processes: Establish a process to assess IT projects and identify underperformance; Establish criteria for determining large and small IT investments; Conduct meetings in accordance with the IT governance policy, such as the Executive Investment Board; Align investment decisions with business segments and a departmental strategy; and Transition to HUDPlus from manual spreadsheets for tracking IT projects. HUD IT Budget HUD’s primary IT funding consisted of direct appropriations HUD IT funding for IT as well as program office sources. HUD had not $461 established a working capital fund as recommended by the appropriations committee in the 2015 appropriations bill. $350 HUD IT budget In Millions $353 $294 Since 2012, the majority of the IT budget had been dedicated $265 $270 $277 $256 HUD DME to operations and maintenance and not committed to DME budget and modernization. HUD’s IT budget had decreased over the $66.3 HUD O&M budget last 3 fiscal years, and the IT DME budget had decreased in $0.2 $24.2 $15.9 FY 2015 (figure 4). The overall IT budget across the Federal FY 2012 FY 2013 FY 2014 FY 2015 Government had decreased 0.23 percent (excluding the Figure 4, HUD IT & IT DME budget 18 House of Representatives, Report 113: Departments of Transportation, and Housing and Urban Development, and Related Agencies Appropriations Bill, 2015 19 GAO, GAO-15-56 Report, HUD Can Take Additional Actions to Improve Its Governance (December 2014) HUD IT Modernization Report (2015-OE-0002) | 16 Department of Defense), HUD’s future IT budget will require ongoing operations and maintenance funding for IT while HUD’s IT budget systems, while likely needing an increase in budget to modernize the legacy systems in the HUD infrastructure. had decreased 2.97 percent from FY 2014 to FY 2015, according to the 20 FY 2015 IT Federal budget. 
However, 15 major Federal agencies saw an increase in their IT budgets for FY 2015. Furthermore, HUD’s IT budget decreased an overall 12.8 percent from FY 2012 to FY 2014 while decreasing a staggering 36 percent from FY 2013 to FY 2014 alone. HUD’s future IT budget will require ongoing operations and maintenance funding for IT systems, while likely needing an increased budget to modernize a large number of legacy systems in the HUD infrastructure.

For HUD to fully implement the OCIO modernization roadmap, improve efficiencies, and realize cost reductions, it must have a viable enterprise strategic approach, be properly budgeted, develop attainable EA measurements, further develop data governance, and disseminate CPIC process guidance to program offices.

20 OMB, President’s Fiscal Year 2015 IT Budget of the U.S. Government (2015)

HUD CPIC Process Recommendations

1. Fully develop, approve at appropriate levels, and disseminate current CPIC process policies and procedures: CPIC process policies and procedures had not been approved or disseminated to program offices.
2. Ensure that the Executive Investment Board meets in accordance with IT governance policy (related to recommendation from GAO-15-56): OCIO should ensure that the Executive Investment Board meets as outlined in its charter and the HUD IT governance policy and distributes its decisions to appropriate stakeholders.
3. Implement HUDPlus: OCIO should finalize the implementation of HUDPlus to automate, track, and analyze the IT investment submissions and requirements.
4. Provide CPIC training to all stakeholders to ensure program consistency and effectiveness across all program offices: OCIO should conduct training for all intended users before and upon implementation of the latest CPIC guidance.

Appendix A: Summary of Recommendations

Report Number | Recommendation | Status

Overall IT modernization recommendations
IT Modernization 2015-OE-0002 | 1. Develop a coordinated mission-critical system development life cycle replacement program for mission-critical systems. |
IT Modernization 2015-OE-0002 | 2. Develop and staff a risk management office at the OCIO level to manage department-wide information system risk management. |
IT Modernization 2015-OE-0002 | 3. Finalize, apply, and strategically communicate all standard IT policy across OCIO and the program offices to ensure that there is a common understanding of the modernization, EA, and CPIC policies. |
IT Modernization 2015-OE-0002 | 4. Approve at appropriate levels, implement, and disseminate policy & processes as intended. |

IT modernization roadmap recommendation
IT Modernization 2015-OE-0002 | 5. Formalize and fully implement segment governance. |
IT Modernization 2015-OE-0002 | 6. Develop and finalize the IT infrastructure services contract migration plan. |
Related to GAO-14-283 Report | 7. Implement project health assessments to measure the effectiveness of IT project planning and execution. |

Enterprise architecture recommendation
IT Modernization 2015-OE-0002 | 8. Validate the accuracy of IT investment lists by segment and the associated projects and ensure alignment with EA strategy. |
IT Modernization 2015-OE-0002 | 9. Define and assess measurements in a yearly EA value measurement report in accordance with OMB EA framework guidance. |

IT capital planning and investment control process recommendations
IT Modernization 2015-OE-0002 | 10. Fully develop, approve at appropriate levels, and disseminate current CPIC process policies and procedures. |
Related to GAO-15-56 Report | 11. Ensure that the Executive Investment Board meets in accordance with IT governance policy (related to recommendation from GAO-15-56). |
IT Modernization 2015-OE-0002 | 12. Implement HUDPlus to automate, track, and analyze the IT investment submissions and requirements. |
IT Modernization 2015-OE-0002 | 13. Provide CPIC training to all stakeholders to ensure program consistency and effectiveness across all program offices. |

Appendix B: HUD OCIO Exit Conference Briefing Comments

Note: HUD OIG comments supplementing HUD OCIO’s responses appear at the end of this appendix.

See HUD OIG comment 1.
See HUD OIG comment 2.

HUD OIG Comments

The following are HUD OIG’s responses to HUD OCIO’s comments, dated March 27, 2015.

1. We recognize that OCIO EA is improving and making progress in developing a consolidated and consistent IT modernization plan. In addition, OCIO recently filled a key EA vacancy with a qualified and experienced individual. Work will need to continue, specifically in developing a strategic plan to communicate OCIO initiatives across all business segments and to gain senior leadership support of the modernization plan and required funding to pay for a simplified and scalable architecture. Regarding HUD OCIO’s comment requesting more understanding of the measurement, stating “% of Agency services that are up to date and accurate,” we are looking for a measure that displays program office applications or services in need of modernization due to a lack of vendor or contract support in hardware, software, or other technical deficiencies. As programs or services are modernized, this measure would show the benefits of a sufficiently funded EA modernization roadmap.
2. We revised our report to reflect this comment. See the HUD EA Project Status section.

Appendix C: HUD OCIO Draft Report Comments

Note: HUD OIG comments supplementing HUD OCIO’s responses appear at the end of this appendix.

See HUD OIG comment 1.
See HUD OIG comment 2.
See HUD OIG comment 3.

HUD OIG Comments

The following are HUD OIG’s responses to HUD OCIO’s comments, provided September 25, 2015.

1. We recognize that OCIO is continually improving and developing plans for IT modernization initiatives. For example, OCIO developed a new HUD 2015 Enterprise Roadmap between this report and receiving OCIO comments in addition to the initiatives documented in these provided comments. Continued effort, senior leadership support, and resources will be essential to implement and maintain the initiatives laid out by the OCIO in the provided comments.
2. Although this comment explains the practicing Executive Investment Board (EIB) process, it does not reflect the documented policy, which is the reason for the recommendation. The intended outcomes identified in the IT governance policy may be met, but there was no evidence of those EIB outcomes, such as meeting notes or minutes. Further, per the IT Governance policy, investment recommendations are submitted to the EIB from subcommittees, in particular the Customer Care Committee (CCC). It may be challenging to make collective strategic decisions on the IT investment portfolio if the EIB does not meet on a regular or on an as-needed basis.
3. We revised our report to reflect this comment and provided artifact. See the HUD EA section.
HUD Information Technology (IT) Modernization Report
Published by the Department of Housing and Urban Development, Office of Inspector General on 2015-09-30.