Information Technology: Acquisitions, Contracts and Legacy Systems 1536167649, 9781536167641

Information systems are critical to the health, economy, and security of the nation. To support these systems, the feder


English Pages 270 [252] Year 2020


Table of contents :
Contents
Preface
Chapter 1
Information Technology: Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions
Abbreviations
Why GAO Did This Study
What GAO Recommends
What GAO Found
Background
Agencies Are to Follow Federal Requirements for Acquisitions
Federal Law Establishes Agency IT Management Responsibilities
OMB Established Guidance for Agencies to Implement FITARA
Agencies Identified $14.7 Billion in IT Obligations, but Did Not Identify an Additional $4.5 Billion
Most Agency CIOs Are Not Reviewing and Approving IT Acquisitions in Accordance with OMB’s Requirements
Conclusion
Recommendations for Executive Action
Agency Comments and Our Evaluation
List of Committees
Appendix I: Objectives, Scope, and Methodology
Appendix II: IT-Related Product and Service Codes
Appendix III: Estimated Total Fiscal Year 2016 IT Obligations by Agency
Appendix IV: Agency Acquisition Processes Used to Review and Approve IT Acquisitions
Appendix V: Details on Selected IT Acquisitions
Appendix VI: Comments from the Department of Education
Appendix VII: Comments from the Department of Energy
Appendix VIII: Comments from the Department of Housing and Urban Development
Appendix IX: Comments from the Department of the Interior
Appendix X: Comments from the Department of Labor
Appendix XI: Comment from the Department of State
Appendix XII: Comments from the Department of Veterans Affairs
Appendix XIII: Comments from the Environmental Protection Agency
Appendix XIV: Comments from the National Aeronautics and Space Administration
Appendix XV: Comments from the Nuclear Regulatory Commission
Appendix XVI: Comments from the Office of Personnel Management
Appendix XVII: Comments from the Small Business Administration
Appendix XVIII: Comments from the Social Security Administration
Appendix XIX: Comments from the U.S. Agency for International Development
Chapter 2
Information Technology: Agencies Need Better Information on the Use of Noncompetitive and Bridge Contracts
Abbreviations
Why GAO Did This Study
What GAO Recommends
What GAO Found
Background
Awarding Contracts and Orders Noncompetitively
Bridge Contracts
Agencies Obligated More than $10 Billion Annually for Information Technology on Noncompetitively Awarded Contracts and Orders, but Unreliable Data Obscures Full Picture
IT Contract Obligations Totaled More than $50 Billion Annually
Agencies Reported Obligating More than $15 Billion on Noncompetitive Contracts for IT Annually, but Full Extent of Noncompetitive Dollars Is Not Known Due to Unreliable Data
Agencies Cited That Only One Contractor Could Meet the Need or Small Business Requirements as Most Common Reasons for Awarding Noncompetitive Contracts
An Estimated Eight Percent of Fiscal Year 2016 IT Noncompetitive Contracts and Orders Were Bridges, and Agencies Have Difficulty Managing Them
An Estimated Eight Percent of IT Noncompetitive Contracts and Orders in Fiscal Year 2016 Were Bridge Contracts
Agencies Face Continued Challenges with Oversight of Bridge Contracts
Officials Frequently Cited Acquisition Planning Challenges as Necessitating the Use of a Bridge Contract
In the Absence of Government-wide Guidance, Others Have Taken Steps to Define Bridge Contracts
New Definition Narrows Scope of Legacy IT Noncompetitive Contracts and Orders to About Seven Percent
Conclusion
Recommendations for Executive Action
Agency Comments and Our Evaluation
List of Requesters
Appendix I: Objectives, Scope, and Methodology
Selection Methodology for Generalizable Sample
Appendix II: Comments from the Department of Defense
Appendix III: Comments from the Department of Health and Human Services
Appendix IV: Accessible Data
Data Tables
Chapter 3
Information Technology: Agencies Need to Develop Modernization Plans for Critical Legacy Systems
Abbreviations
Why GAO Did This Study
What GAO Recommends
What GAO Found
Background
GAO Has Reported on the Need to Improve Oversight of Legacy IT
Congress and the Executive Branch Have Made Efforts to Modernize Federal IT
GAO Identified 10 Critical Federal Legacy Systems; Agencies Often Lack Complete Plans for Their Modernization
The Majority of Agencies Lack Complete Plans for Modernizing the Most Critical Legacy Systems
Agencies Reported a Variety of IT Modernization Successes
Conclusion
Recommendations for Executive Action
Agency Comments and Our Evaluation
List of Requesters
Appendix I: Objectives, Scope, and Methodology
Appendix II: The 24 Chief Financial Officers Act Agencies’ Most Critical Legacy Systems in Need of Modernization
Appendix III: Profiles of the 10 Most Critical Legacy Systems in Need of Modernization
System 1
System 2
System 3
System 4
System 5
System 6
System 7
System 8
System 9
System 10
Appendix IV: Comments from the Department of Education
Appendix V: Comments from the Department of Health and Human Services
Appendix VI: Comments from the Department of Homeland Security
Appendix VII: Comments from the Internal Revenue Service
Appendix VIII: Comments from the Office of Personnel Management
Appendix IX: Comments from the Small Business Administration
Appendix X: Comments from the Social Security Administration
Appendix XI: Comments from the Department of Housing and Urban Development
Appendix XII: Comments from the U.S. Agency for International Development
Index

COMPUTER SCIENCE, TECHNOLOGY AND APPLICATIONS

INFORMATION TECHNOLOGY ACQUISITIONS, CONTRACTS AND LEGACY SYSTEMS

No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained herein. This digital document is sold with the clear understanding that the publisher is not engaged in rendering legal, medical or any other professional services.


RICHARD L. XIONG EDITOR

Copyright © 2019 by Nova Science Publishers, Inc. All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic, tape, mechanical photocopying, recording or otherwise without the written permission of the Publisher. We have partnered with Copyright Clearance Center to make it easy for you to obtain permissions to reuse content from this publication. Simply navigate to this publication’s page on Nova’s website and locate the “Get Permission” button below the title description. This button is linked directly to the title’s permission page on copyright.com. Alternatively, you can visit copyright.com and search by title, ISBN, or ISSN. For further questions about using the service on copyright.com, please contact: Copyright Clearance Center Phone: +1-(978) 750-8400 Fax: +1-(978) 750-4470 E-mail: [email protected].

NOTICE TO THE READER The Publisher has taken reasonable care in the preparation of this book, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained in this book. The Publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the readers’ use of, or reliance upon, this material. Any parts of this book based on government reports are so indicated and copyright is claimed for those parts to the extent applicable to compilations of such works. Independent verification should be sought for any data, advice or recommendations contained in this book. In addition, no responsibility is assumed by the Publisher for any injury and/or damage to persons or property arising from any methods, products, instructions, ideas or otherwise contained in this publication. This publication is designed to provide accurate and authoritative information with regard to the subject matter covered herein. It is sold with the clear understanding that the Publisher is not engaged in rendering legal or any other professional services. If legal or any other expert assistance is required, the services of a competent person should be sought. FROM A DECLARATION OF PARTICIPANTS JOINTLY ADOPTED BY A COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A COMMITTEE OF PUBLISHERS. Additional color graphics may be available in the e-book version of this book.

Library of Congress Cataloging-in-Publication Data

Published by Nova Science Publishers, Inc., New York

CONTENTS

Preface

Chapter 1. Information Technology: Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions
United States Government Accountability Office

Chapter 2. Information Technology: Agencies Need Better Information on the Use of Noncompetitive and Bridge Contracts
United States Government Accountability Office

Chapter 3. Information Technology: Agencies Need to Develop Modernization Plans for Critical Legacy Systems
United States Government Accountability Office

Index

Related Nova Publications

PREFACE

Information systems are critical to the health, economy, and security of the nation. To support these systems, the federal government invested more than $90 billion in information technology (IT) in fiscal year 2016. However, prior IT expenditures have too often produced failed projects. The objective of Chapter 1 is to determine the extent to which federal agencies identify IT contracts and how much is invested in them, and federal agency CIOs are reviewing and approving IT acquisitions. The federal government spends tens of billions of dollars each year on IT products and services. Competition is a key component to achieving the best return on investment for taxpayers. Chapter 2 examines the extent that agencies used noncompetitive contracts for IT, the reasons for using noncompetitive contracts for selected IT procurements, the extent to which IT procurements at selected agencies were bridge contracts, and the extent to which IT procurements were in support of legacy systems. The federal government plans to spend over $90 billion in fiscal year 2019 on IT. About 80 percent of this amount is used to operate and maintain existing IT investments, including aging (also called legacy) systems. As they age, legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose. Chapter 3 reviews federal agencies’ legacy systems. This chapter identifies the most critical federal legacy systems in need of modernization and evaluates agency plans for modernizing them, and identifies examples of legacy system modernization initiatives that agencies considered successful.

Chapter 1 - The federal government invested more than $90 billion on IT in fiscal year 2016. However, prior IT expenditures have produced failed projects. Recognizing the severity of issues, in December 2014 Congress enacted IT acquisition reform legislation (referred to as the Federal Information Technology Acquisition Reform Act, or FITARA). Among other things, OMB’s FITARA implementation guidance requires covered agencies’ chief acquisition officers to identify IT contracts for the CIOs to review and approve. GAO’s objectives were to determine the extent to which (1) federal agencies identify IT contracts and how much is invested in them, and (2) federal agency CIOs are reviewing and approving IT acquisitions. To do so, GAO reviewed data on IT contracts from fiscal year 2016 at 22 agencies and compared agency actions to law and OMB guidance.

Chapter 2 - The federal government spends tens of billions of dollars each year on IT products and services. Competition is a key component to achieving the best return on investment for taxpayers. Federal acquisition regulations allow for noncompetitive contracts in certain circumstances. Some noncompetitive contracts act as “bridge contracts”—which can be a useful tool to avoid a lapse in service but can also increase the risk of the government overpaying. There is currently no government-wide definition of bridge contracts. GAO was asked to review the federal government’s use of noncompetitive contracts for IT. This chapter examines (1) the extent that agencies used noncompetitive contracts for IT, (2) the reasons for using noncompetitive contracts for selected IT procurements, (3) the extent to which IT procurements at selected agencies were bridge contracts, and (4) the extent to which IT procurements were in support of legacy systems. GAO analyzed FPDS-NG data from fiscal years 2013 through 2017 (the most recent and complete data available). GAO developed a generalizable sample of 171 fiscal year 2016 noncompetitive IT contracts and orders awarded by DOD, DHS, and HHS—the agencies with the most spending on IT, to determine the reasons for using noncompetitive contracts and orders, and the extent to which these were bridge contracts or supported legacy systems.

Chapter 3 - The federal government plans to spend over $90 billion in fiscal year 2019 on IT. About 80 percent of this amount is used to operate and maintain existing IT investments, including aging (also called legacy) systems. As they age, legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose. GAO was asked to review federal agencies’ legacy systems. This chapter (1) identifies the most critical federal legacy systems in need of modernization and evaluates agency plans for modernizing them, and (2) identifies examples of legacy system modernization initiatives that agencies considered successful. To do so, GAO analyzed a total of 65 legacy systems in need of modernization that 24 agencies had identified. Of these 65, GAO identified the 10 most in need of modernization based on attributes such as age, criticality, and risk. GAO then analyzed agencies’ modernization plans for the 10 selected legacy systems against key IT modernization best practices. The 24 agencies also provided 94 examples of successful IT modernizations from the last 5 years. In addition, GAO identified other examples of modernization successes at these agencies. GAO then selected a total of five examples to highlight a mix of system modernization types and a range of benefits realized. This is a public version of a sensitive report that is being issued concurrently. Information that agencies deemed sensitive has been omitted.

In: Information Technology Editor: Richard L. Xiong

ISBN: 978-1-53616-764-1 © 2019 Nova Science Publishers, Inc.

Chapter 1

INFORMATION TECHNOLOGY: AGENCIES NEED TO INVOLVE CHIEF INFORMATION OFFICERS IN REVIEWING BILLIONS OF DOLLARS IN ACQUISITIONS

United States Government Accountability Office

ABBREVIATIONS

CAO: chief acquisition officer
CIO: chief information officer
Commerce: Department of Commerce
Education: Department of Education
Energy: Department of Energy
EPA: Environmental Protection Agency
FITARA: Federal Information Technology Acquisition Reform Act
GSA: General Services Administration
HHS: Department of Health and Human Services
HUD: Department of Housing and Urban Development
Interior: Department of the Interior
IT: information technology
Justice: Department of Justice
Labor: Department of Labor
NASA: National Aeronautics and Space Administration
NRC: Nuclear Regulatory Commission
NSF: National Science Foundation
OMB: Office of Management and Budget
OPM: Office of Personnel Management
SBA: Small Business Administration
SSA: Social Security Administration
State: Department of State
Transportation: Department of Transportation
Treasury: Department of the Treasury
USAID: U.S. Agency for International Development
USDA: Department of Agriculture
VA: Department of Veterans Affairs

This is an edited, reformatted and augmented version of United States Government Accountability Office; Report to Congressional Committees, Publication No. GAO-18-42, dated January 2018.

WHY GAO DID THIS STUDY

The federal government invested more than $90 billion on IT in fiscal year 2016. However, prior IT expenditures have produced failed projects. Recognizing the severity of issues, in December 2014 Congress enacted IT acquisition reform legislation (referred to as the Federal Information Technology Acquisition Reform Act, or FITARA). Among other things, OMB’s FITARA implementation guidance requires covered agencies’ chief acquisition officers to identify IT contracts for the CIOs to review and approve.

GAO’s objectives were to determine the extent to which (1) federal agencies identify IT contracts and how much is invested in them, and (2) federal agency CIOs are reviewing and approving IT acquisitions. To do so, GAO reviewed data on IT contracts from fiscal year 2016 at 22 agencies and compared agency actions to law and OMB guidance.

WHAT GAO RECOMMENDS

GAO is making 39 recommendations, including that agencies ensure that acquisition offices are involved in identifying IT and issue related guidance; and to ensure IT acquisitions are reviewed according to OMB guidance. OMB and 20 agencies generally agreed with or did not comment on the recommendations. One agency agreed with one recommendation, but disagreed with another. GAO believes this recommendation is warranted. One agency disagreed with two recommendations. GAO subsequently removed one of these, but believes the other recommendation is warranted, as discussed in the report.

WHAT GAO FOUND

Most of the 22 selected agencies did not identify all of their information technology (IT) contracts. The selected agencies identified 78,249 IT-related contracts, to which they obligated $14.7 billion in fiscal year 2016. However, GAO identified 31,493 additional contracts with $4.5 billion obligated, raising the total amount obligated to IT contracts in fiscal year 2016 to at least $19.2 billion (see figure). The percentage of additional IT contract obligations GAO identified varied among the selected agencies. For example, the Department of State did not identify 1 percent of its IT contract obligations. Conversely, 8 agencies did not identify over 40 percent of their IT-related contract obligations.

Source: GAO analysis of agency and USAspending.gov data. | GAO-18-42.
Note: Due to rounding, the totals may not equal the sum of component obligation amounts.
Figure. Agency- and GAO-Identified Approximate Dollars Obligated to Fiscal Year 2016 Information Technology (IT) Contracts at the 22 Selected Agencies.

Many of the selected agencies that did not identify these IT acquisitions did not follow Office of Management and Budget’s (OMB) guidance. Specifically, 14 of the 22 agencies did not involve the acquisition office in their process to identify IT acquisitions for Chief Information Officer (CIO) review, as required by OMB. In addition, 7 agencies did not establish guidance to aid officials in recognizing IT. Until agencies involve the acquisitions office in their IT identification processes and establish supporting guidance, they cannot ensure that they will identify all IT acquisitions. Without proper identification of IT acquisitions, agencies and CIOs cannot effectively provide oversight of these acquisitions.

In addition to not identifying all IT contracts, 14 of the 22 selected agencies did not fully satisfy OMB’s requirement that the CIO review and approve IT acquisition plans or strategies. Further, only 11 of 96 randomly selected IT contracts at 10 agencies that GAO evaluated were CIO-reviewed and approved as required by OMB’s guidance. The 85 IT contracts not reviewed had a total possible value of approximately $23.8 billion. Until agencies ensure that CIOs review and approve IT acquisitions, CIOs will continue to have limited visibility and input into their agencies’ planned IT expenditures and will not be able to use the increased authority that FITARA’s contract approval provision is intended to provide. Further, agencies will likely miss an opportunity to strengthen CIOs’ authority and the oversight of IT acquisitions. As a result, agencies may award IT contracts that are duplicative, wasteful, or poorly conceived.

January 10, 2018

Congressional Committees

Information systems are critical to the health, economy, and security of the nation. To support these systems, the federal government invested more than $90 billion in information technology (IT) in fiscal year 2016. However, prior IT expenditures have too often produced failed projects—that is, projects with multimillion dollar cost overruns and schedule delays measured in years, and with questionable mission-related achievements.

Recognizing the severity of issues related to the government-wide management of IT, in December 2014, Congress enacted IT acquisition reform legislation (commonly referred to as the Federal Information Technology Acquisition Reform Act, or FITARA) as part of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015.[1] FITARA holds promise for improving agencies’ acquisitions of IT and enabling Congress to monitor agencies’ progress, as well as for holding agencies accountable for reducing duplication and achieving cost savings. In addition, with the enactment of FITARA, the federal government has an opportunity to strengthen the authority of chief information officers (CIO) to provide needed direction and oversight of agencies’ IT acquisitions, among other areas.

We recently testified that, while agencies have made progress in implementing the law, its further implementation is critical to improving IT management.[2] We have also noted that continued congressional oversight of agencies’ implementation of FITARA is essential to help ensure that these efforts succeed.

Among other things, FITARA requires CIOs of major civilian agencies to review and approve IT contracts. With this in mind, you asked us to review whether CIOs are approving IT contracts as required by this law. Our objectives were to determine the extent to which (1) federal agencies identify IT contracts and how much is invested in them, and (2) federal agency CIOs are reviewing and approving IT acquisitions.[3]

Our review included the Office of Management and Budget (OMB) and 22 of the 24 agencies covered by the Chief Financial Officers Act.[4] We did not include the Department of Defense because it is excluded from the provision in FITARA requiring CIO approval of IT contracts. We also did not include the Department of Homeland Security because we recently issued a report on the department’s implementation of FITARA.[5]

To determine the extent to which federal agencies identify IT contracts and how much is invested in them, we requested that each of the 22 agencies provide us a list of their IT contract obligations for fiscal year 2016.[6] Separately, we identified IT-related contracts from each of these agencies using fiscal year 2016 data reported on USAspending.gov.[7] We then compared these resulting lists of IT-related contracts to the agency-provided lists of contracts to determine which contracts the agencies had not identified. We also reviewed other agency documentation, such as IT acquisition policies and processes, as well as acquisition plans and strategies. In addition, we interviewed the agencies’ acquisition officials and officials from the Office of the CIO to determine their processes for identifying IT contracts.

To determine the extent to which federal agency CIOs are reviewing and approving IT acquisitions, we randomly selected 10 contracts at 10 agencies[8] (100 total contracts) to review in depth. For each of the 100 selected contracts, we asked the associated agency to confirm that the contract was IT-related and requested evidence of the CIO’s or CIO designee’s review and approval.[9] We compared the resulting documentation to FITARA and OMB guidance[10] to determine whether the IT acquisitions had been appropriately reviewed and approved. We also reviewed agency documentation on IT acquisition processes and procedures and compared it to the requirements in FITARA and OMB guidance. Further, we interviewed the agencies’ officials, including officials in the Office of the CIO, to clarify their respective processes and policies.

[1] Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
[2] GAO, Information Technology: Sustained Management Attention to the Implementation of FITARA Is Needed to Better Manage Acquisitions and Operations, GAO-17-686T (Washington, D.C.: June 13, 2017).
[3] The Federal Acquisition Regulation (FAR) defines “acquisition” as “the acquiring by contract with appropriated funds of supplies or services (including construction) by and for the use of the federal government through purchase or lease, whether the supplies or services are already in existence or must be created, developed, demonstrated, and evaluated. Acquisition begins at the point when agency needs are established and includes the description of requirements to satisfy agency needs, solicitation and selection of sources, award of contracts, contract financing, contract performance, contract administration, and those technical and management functions directly related to the process of fulfilling agency needs by contract.” FAR, 48 C.F.R. 2.101.
[4] The 22 agencies are the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, Justice, Labor, State, the Interior, the Treasury, Transportation, and Veterans Affairs; the Environmental Protection Agency; General Services Administration; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development.
[5] GAO, Homeland Security: Progress Made to Implement IT Reform, but Additional Chief Information Officer Involvement Needed, GAO-17-284 (Washington, D.C.: May 18, 2017).
[6] An obligation is a definite commitment that creates a legal liability of the government for the payment of goods and services ordered or received. Payment may be made immediately or in the future. An agency incurs an obligation, for example, when it places an order, signs a contract, awards a grant, purchases a service, or takes other action that requires the government to make payments to the public or from one government account to another.
[7] USAspending.gov is a publicly accessible website managed by OMB that contains contract data on federal awards and subawards. The contract data on USAspending.gov are imported from the Federal Procurement Data System-Next Generation, which collects information on contract actions. Federal agencies are responsible for ensuring that the information reported to the system is complete and accurate. The system can be accessed at https://www.fpds.gov.
[8] We selected the 10 agencies with the most funding obligated to IT in fiscal year 2016, excluding the Departments of Defense and Homeland Security. They are the Departments of Agriculture, Commerce, Health and Human Services, Justice, State, the Treasury, Transportation, and Veterans Affairs; the National Aeronautics and Space Administration; and the Social Security Administration.
[9] OMB’s FITARA implementation guidance states that, to be included in its definition of IT for purposes of FITARA, IT must be used by an agency directly. Consequently, we decided that two of the selected contracts should not be included because they were for products or services that will be used by an entity other than the agency. Separately, we determined that two other contracts were not IT-related, and thus FITARA was not applicable.
[10] Office of Management and Budget, Management and Oversight of Federal Information Technology, M-15-14 (Washington, D.C.: June 10, 2015).


We found the data from USAspending.gov and contract data provided by the agencies to be sufficiently reliable for the purposes of our reporting objectives and used the data as evidence to support our findings, conclusions, and recommendations. For the USAspending.gov data, we reviewed publicly available documentation related to the database, such as the USAspending.gov data dictionary. For both the USAspending.gov and agency-provided contract data, we tested the datasets to look for duplicate records and missing data in key fields. We also interviewed agency officials to corroborate the data. A full description of our objectives, scope, and methodology can be found in appendix I. We conducted this performance audit from July 2016 to January 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

BACKGROUND While IT investments have the potential to improve lives and organizations, federally funded IT projects can—and, too often, have— become risky, costly, and unproductive mistakes. We have previously reported that the federal government has spent billions of dollars on failed or troubled IT investments, such as 

the Office of Personnel Management’s (OPM) Retirement Systems Modernization program, which was canceled in February 2011, after spending approximately $231 million on the agency’s third

Information Technology









11

9

attempt to automate the processing of federal employee retirement claims;11 the United States Coast Guard’s effort, initiated in 2010, to replace its aging electronic health records system, but which was discontinued in October 2015 after spending nearly $67 million. As a result, the Coast Guard currently has a manual, paper-based health records management process; the tri-agency12 National Polar-orbiting Operational Environmental Satellite System, which was halted in February 2010 by the White House’s Office of Science and Technology Policy after the program spent 16 years and almost $5 billion;13 the Department of Veterans Affairs’ (VA) Scheduling Replacement Project, which was terminated in September 2009 after spending an estimated $127 million over 9 years;14 the Farm Service Agency’s Modernize and Innovate the Delivery of Agricultural Systems program, which was halted in July 2014 after spending $423 million to modernize IT systems over 10 years;15 and

See, for example, GAO, Office of Personnel Management: Retirement Modernization Planning and Management Shortcomings Need to Be Addressed, GAO-09-529 (Washington, D.C.: Apr. 21, 2009) and Office of Personnel Management: Improvements Needed to Ensure Successful Retirement Systems Modernization, GAO-08-345 (Washington, D.C.: Jan. 31, 2008). 12 The weather satellite program was managed by the National Oceanic and Atmospheric Administration, the Department of Defense, and the National Aeronautics and Space Administration. 13 See, for example, GAO, Polar Satellites: Agencies Need to Address Potential Gaps in Weather and Climate Data Coverage, GAO-11-945T (Washington, D.C.: Sept. 23, 2011); PolarOrbiting Environmental Satellites: Agencies Must Act Quickly to Address Risks That Jeopardize the Continuity of Weather and Climate Data, GAO-10-558 (Washington, D.C.: May 27, 2010); Polar-Orbiting Environmental Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, GAO-09-564 (Washington, D.C.: June 17, 2009); and Environmental Satellites: Polar-orbiting Satellite Acquisition Faces Delays; Decisions Needed on Whether and How to Ensure Climate Data Continuity, GAO-08-518 (Washington, D.C.: May 16, 2008). 14 GAO, Information Technology: Management Improvements Are Essential to VA’s Second Effort to Replace Its Outpatient Scheduling System, GAO-10-579 (Washington, D.C.: May 27, 2010). 15 GAO, Farm Program Modernization: Farm Service Agency Needs to Demonstrate the Capacity to Manage IT Initiatives, GAO-15-506 (Washington, D.C.: June 18, 2015).


United States Government Accountability Office 

the Department of Health and Human Services’ (HHS) Healthcare.gov website and its supporting systems, which were to facilitate the establishment of a health insurance marketplace by January 2014, but which encountered significant cost increases, schedule slips, and delayed functionality.16

These failed or troubled projects often suffered from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In many instances, agencies had not consistently applied best practices that are critical to successfully acquiring IT investments. To help address these ongoing challenges, in February 2015, we added improving the management of IT acquisitions and operations to our list of high-risk areas for the federal government.17 This area highlighted several critical IT initiatives in need of additional congressional oversight, including (1) reviews of troubled projects; (2) efforts to increase the use of incremental development; (3) efforts to provide transparency relative to the cost, schedule, and risk levels for major IT investments;18 (4) reviews of agencies’ operational investments; (5) data center consolidation; and (6) efforts to streamline agencies’ portfolios of IT investments. We noted that implementation of these initiatives had been inconsistent and more work remained to demonstrate progress in achieving IT acquisitions and operations outcomes. In our February 2015 high-risk report, we also identified actions that OMB and federal agencies needed to take to make progress in this area.

16 See GAO, Healthcare.gov: CMS Has Taken Steps to Address Problems, but Needs to Further Implement Systems Development Best Practices, GAO-15-238 (Washington, D.C.: Mar. 4, 2015); Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls, GAO-14-730 (Washington, D.C.: Sept. 16, 2014); and Healthcare.gov: Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management, GAO-14-694 (Washington, D.C.: July 30, 2014).
17 GAO, High-Risk Series: An Update, GAO-15-290 (Washington, D.C.: Feb. 11, 2015).
18 According to OMB, a major IT investment is a system or an acquisition requiring special management attention because of its importance to the mission or function of the government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or is defined as major by the agency’s capital planning and investment control process.

Information Technology


These included implementing FITARA and at least 80 percent of our recommendations related to the management of IT acquisitions and operations within 4 years. Specifically, between fiscal years 2010 and 2015, we made 803 recommendations to OMB and federal agencies to address shortcomings in IT acquisitions and operations, including many to improve the implementation of the previously mentioned six critical IT initiatives and other government-wide, cross-cutting efforts. In February 2017, we issued an update to our high-risk series and reported that, while progress had been made in improving the management of IT acquisitions and operations, significant work still remained to be completed.19 For example, as of May 2017, OMB and federal agencies had fully implemented 380 (or about 47 percent) of the 803 recommendations. Nevertheless, in fiscal year 2016, we made 202 new recommendations, thus further reinforcing the need for OMB and agencies to address the shortcomings in IT acquisitions and operations. Also, beyond addressing our prior recommendations, our 2017 high-risk update noted the importance of OMB and federal agencies continuing to expeditiously implement the requirements of FITARA.

19 GAO, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, GAO-17-317 (Washington, D.C.: Feb. 15, 2017).

Agencies Are to Follow Federal Requirements for Acquisitions

The Federal Acquisition Regulation (FAR) is the primary regulation for use by federal executive agencies in their acquisition of supplies and services with appropriated funds. The FAR requires agencies to perform planning for all acquisitions. Acquisition planning begins when an agency need is identified and includes developing requirements and creating written acquisition plans. A detailed acquisition plan must address all of the technical, business, management, and other significant considerations that will control the acquisition. It should include, among other things, a statement of need, cost, a plan of action, and milestones. The FAR is less specific on the requirements for an acquisition strategy, but it states that acquisition planning should include developing the overall strategy for managing the acquisition.

Once a contract is awarded, the awarding agency must enter certain information into the Federal Procurement Data System-Next Generation, the federal government’s database that captures information on contract awards and obligations and is the primary database that serves as the source of other contracting data systems, such as USAspending.gov.20 The system captures information on contract awards and obligations, including the vendor and amount obligated. Further, agencies must select a product and service code that represents the predominant product or service being purchased. Product and service codes are used to describe and identify products, services, and research and development spending within the system.

In an effort to eliminate redundancies and increase efficiencies in federal acquisition, in September 2015, the Category Management Leadership Council21 and OMB developed a government-wide category structure to support category management22 implementation across the federal government. The Council and OMB reviewed the product and service codes and grouped them into 19 individual spend categories, including IT. See appendix II for a list of the 79 IT-related product and service codes.

20 The General Services Administration maintains the Federal Procurement Data System-Next Generation.
21 The Category Management Leadership Council was originally known as the Strategic Sourcing Leadership Council and was formed in December 2012. In December 2014, its charter broadened from just strategic sourcing to category management. The Council is chaired by the Administrator of Federal Procurement Policy and includes representatives from the agencies that comprise the majority of federal procurement spending: the Department of Defense, Energy, Health and Human Services, Homeland Security, Veterans Affairs; the General Services Administration; the National Aeronautics and Space Administration; and the Small Business Administration. The Council seeks to reduce the number of contracts, increase savings, and increase the use of category management.
22 Category management is an approach based on industry leading practices that aims to streamline and manage entire categories of spending more like a single enterprise.


Federal Law Establishes Agency IT Management Responsibilities

Over the last three decades, Congress has enacted several laws to help federal agencies improve the management of IT investments. For example, the Clinger-Cohen Act of 1996 requires agency heads to appoint CIOs and specifies many of their responsibilities with regard to IT management.23 Among other things, CIOs are responsible for implementing and enforcing applicable government-wide and agency IT management principles, standards, and guidelines; assuming responsibility and accountability for IT investments; and monitoring the performance of IT programs and advising the agency head whether to continue, modify, or terminate such programs.24

The Clinger-Cohen Act, as amended, also defines IT as: any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency or a contractor under a contract with the agency.25

As previously mentioned, recognizing the severity of issues related to the government-wide management of IT, Congress enacted FITARA in December 2014. The law includes provisions related to seven areas at covered agencies:26

Agency CIO authority enhancements. CIOs at agencies are required to (1) approve the IT budget requests of their respective agencies, (2) certify that OMB’s incremental development guidance is being adequately implemented for IT investments, (3) approve the appointment of other agency employees with the title of CIO, and (4) review and approve contracts for IT. With regard to the review of IT contracts, FITARA requires that agency CIOs review and approve IT contracts prior to award, unless that contract is associated with a non-major investment.27 When the contract is associated with a non-major investment, the CIO is allowed to delegate the review and approval duties to an official that reports directly to the CIO. Alternatively, the law states that an agency may use its governance processes to approve any IT contract, as long as the agency CIO is a full participant in the governance processes.

Federal data center consolidation initiative. Agencies are required to provide OMB with a data center inventory, a strategy for consolidating and optimizing the data centers (to include planned cost savings), and quarterly updates on progress made. The law also requires OMB to develop a goal for how much is to be saved through this initiative, and provide annual reports on cost savings achieved.

Enhanced transparency and improved risk management. OMB and agencies are to make detailed information on federal IT investments publicly available, and agency CIOs are to categorize their investments by level of risk. In addition, in the case of major IT investments rated as high risk for 4 consecutive quarters, the law requires that the agency CIO and the investment’s program manager conduct a review aimed at identifying and addressing the causes of the risk.

Portfolio review. Agencies are to annually review IT investment portfolios in order to, among other things, increase efficiency and effectiveness and identify potential waste and duplication. In establishing the process associated with such portfolio reviews, the law requires OMB to develop standardized performance metrics, to include cost savings, and to submit quarterly reports to Congress on cost savings.

Expansion of training and use of IT acquisition cadres. Agencies are to update their acquisition human capital plans to address supporting the timely and effective acquisition of IT. In doing so, the law calls for agencies to consider, among other things, establishing IT acquisition cadres or developing agreements with other agencies that have such cadres.

Government-wide software purchasing program. The General Services Administration (GSA) is to develop a strategic sourcing initiative to enhance government-wide acquisition and management of software. In doing so, the law requires that, to the maximum extent practicable, GSA should allow for the purchase of a software license agreement that is available for use by all executive branch agencies as a single user.

Maximizing the benefit of the federal strategic sourcing initiative. FITARA requires that OMB issue regulations for federal agencies that do not use the federal strategic sourcing initiative to purchase services and supplies that are offered by this initiative. The regulations are to include a requirement for agencies to analyze the comparative value between what is to be purchased and what the strategic sourcing initiative offers.

23 40 U.S.C. § 11101, et seq.
24 40 U.S.C. § 11315.
25 40 U.S.C. § 11101(6)(A).
26 For the most part, the provisions apply to the agencies covered by the Chief Financial Officers Act of 1990, 31 U.S.C. § 901(b), except for limited application to the Department of Defense.
27 According to OMB, non-major investments are those that do not meet the criteria of major IT investments.

OMB Established Guidance for Agencies to Implement FITARA

In June 2015, OMB released guidance describing how agencies are to implement FITARA.28 The guidance emphasizes the need for CIOs to have full accountability for IT acquisition and management decisions, and gives agencies considerable flexibility in making those decisions. Among other things, the guidance is intended to:

assist agencies in aligning their IT resources with agency missions, goals, and requirements;

establish government-wide IT management controls that will meet the law’s requirements, while providing agencies with flexibility to adapt to agency processes and mission requirements;

clarify the CIO’s role and strengthen the relationship between department CIOs and bureau or component CIOs; and

strengthen CIO accountability for IT cost, schedule, performance, and security.

28 M-15-14.

With regard to CIOs’ review and approval of IT contracts, OMB’s guidance expands upon FITARA in a number of ways. Specifically, according to the guidance:

CIOs may review and approve IT acquisition strategies and plans, rather than individual IT contracts;29

CIOs can designate other agency officials to act as their representatives, but the CIOs must retain accountability;30

Chief Acquisition Officers (CAO) are responsible for ensuring that all IT contract actions are consistent with CIO-approved acquisition strategies and plans; and

CAOs are to indicate to the CIOs when planned acquisition strategies and acquisition plans include IT.31

29 OMB’s guidance states that CIOs should only review and approve individual IT contract actions if they are not part of an approved acquisition strategy or plan.
30 OMB has interpreted FITARA’s “governance process” provision to permit such delegation. That provision allows covered agencies to use the governance processes of the agency to approve a contract or other agreement for IT if the CIO of the agency is included as a full participant in the governance process.
31 OMB’s FITARA guidance also states that, if the agency has a senior procurement executive separate from the CAO, then the guidance also applies to the senior procurement executive. Of the 22 selected agencies, 7 are not required to have a CAO, by statute: the Department of Justice, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. This report refers to all relevant officers as CAOs when discussing them collectively.


AGENCIES IDENTIFIED $14.7 BILLION IN IT OBLIGATIONS, BUT DID NOT IDENTIFY AN ADDITIONAL $4.5 BILLION

OMB’s FITARA implementation guidance32 requires agencies’ CAOs to indicate to CIOs when planned acquisition strategies and acquisition plans include IT. Given the Category Management Leadership Council and OMB’s categorization of IT product and service codes, CAOs should be identifying the obligations that have IT-related codes.

The 22 selected agencies identified 78,249 IT-related contracts, to which they obligated approximately $14.7 billion in fiscal year 2016.33 Of that amount, approximately $14 billion was categorized as IT-related, consistent with the Category Management Leadership Council and OMB’s product and service codes, and approximately $626 million was categorized under other, non-IT codes. The $626 million in obligations with non-IT codes could contain embedded IT or be associated with IT programs. For example, the agencies reported IT-related acquisitions categorized under such non-IT codes as IT/telecommunications training, data analysis, and research and development. Three agencies accounted for most of these non-IT obligations: the Department of Veterans Affairs (VA) accounted for $220 million, the Environmental Protection Agency (EPA) accounted for $156 million, and the Department of Labor (Labor) accounted for $105 million.

However, in addition to the obligations that agencies reported to us, we identified 31,493 additional contracts at 21 agencies with IT-related product and service codes.34 The associated agencies obligated approximately $4.5 billion to these contracts, raising the total amount obligated to IT contracts in fiscal year 2016 to at least approximately $19.2 billion.35 Figure 1 reflects the obligations agencies reported to us relative to the obligations we identified.

Figure 1. Agency- and GAO-Identified Approximate Dollars Obligated to Fiscal Year 2016 IT Contracts at the 22 Selected Agencies.
Source: GAO analysis of agency and USAspending.gov data. | GAO-18-42.
Note: Due to rounding, the totals may not equal the sum of component obligation amounts.

The percentage of additional IT contract obligations that we identified varied among the selected agencies. For instance, the Department of State (State) did not identify 1 percent of its IT contract obligations. Conversely, eight agencies—the Departments of the Interior (Interior), Transportation (Transportation), and the Treasury (Treasury), as well as the National Science Foundation (NSF), the U.S. Agency for International Development (USAID), HHS, GSA, and OPM did not identify over 40 percent of their IT contract obligations. Figure 2 reflects the contract obligations that the selected agencies reported to us (both with IT-related codes and those with non-IT codes) relative to the obligations we identified. For additional information about the IT obligations identified by these agencies, see appendix III.

32 M-15-14.
33 One agency stated that it did not include IT contracts under $150,000 (the simplified acquisition threshold), and two agencies stated that they did not include contract modifications. As a result, their total dollar amount was less than it would have been had those categories been included.
34 Two agencies disagreed with the Category Management Leadership Council’s list of IT-related product and service codes, such as the code for “Maintenance, Repair, and Rebuilding of Equipment-Miscellaneous.” These agencies noted that several contracts under that code were for services that they did not consider to be IT-related, including repairs to elevators and air traffic control towers (see discussion after figure 2). In addition, several agencies stated that a portion of these IT contracts were awarded on behalf of another entity. OMB’s FITARA implementation guidance states that to be included in its definition of IT for purposes of FITARA, IT must be used by an agency directly.
35 In comparing the IT contracts the agencies provided to us and those that we identified, we gave the agency credit for identifying the entire IT contract if an agency identified any portion of the contract (e.g., a contract modification). Consequently, the total of obligations that agencies did not identify is likely higher than the totals we were able to report.

Source: GAO analysis of agency and USAspending.gov data. | GAO-18-42. Figure 2. Agency- and GAO-Identified Dollars Obligated to Fiscal Year 2016 IT Contracts by Selected Agencies in Approximate Dollars ($M).

Agencies offered various reasons for why they had not identified the approximately $4.5 billion in IT obligations. For example, officials from OPM and NSF stated that their agencies only identified new IT contracts and did not include contract modifications in their identified IT obligations, making their submissions much smaller.36 NSF also noted that it only identified IT contracts over $150,000. In addition, GSA and Transportation officials stated that at least one of the Category Management Leadership Council’s IT product and service codes should not be considered IT. For instance, an official in GSA’s Vendor Management Office stated that contracts using a product and service code for miscellaneous maintenance, repair, and rebuilding should not be categorized as IT. Likewise, Transportation officials provided examples of contracts that the agency did not consider to be IT-related, even though they were categorized under IT product and service codes for program review or development services. In addition, Transportation and USAID officials stated that they did not use the complete list of IT product and service codes in their identification efforts. A Treasury official in the Office of the CIO stated that the department focused on codes that were the most important.

We agree that the Council’s IT product and service codes could include contracts that are not IT. Further, as previously discussed, IT is included in product and service codes that the Council did not identify as IT. Nonetheless, the Council has provided a valuable service in developing specific categories from which agencies can select in identifying IT. To the extent that agencies have concerns about specific categories, they could raise them to the Council.

In addition, the majority of the selected agencies that did not identify the $4.5 billion in IT obligations also did not follow OMB’s guidance to have the CAO identify all IT acquisitions for CIO review and approval. As those tasked with monitoring their respective agencies’ acquisition activities, the offices of the CAOs are in a unique position to identify prospective IT acquisitions to the CIOs. Of the 21 selected agencies that did not identify the approximately $4.5 billion in IT obligations, 8 involved the acquisition offices in the identification of their IT acquisitions.37 For example, OPM’s process followed OMB’s guidance by directly involving its senior procurement executive in the identification of the acquisitions.38

36 Contract modifications are any written changes in the terms of a contract.
37 Justice was the only agency for which we did not identify additional IT obligations.

Table 1. Responsibility for identifying Information Technology (IT) acquisitions at the 22 selected agencies

Agency

Acquisition office

Other than acquisition office X X X X

Department of Agriculture Department of Commerce Department of Education Department of Energya X Department of Health and Human Services X Department of Housing and Urban Development X Department of Justice X X Department of Labor X X Department of State X Department of the Interior X Department of the Treasury X X Department of Transportation X Department of Veterans Affairs X Environmental Protection Agency X General Services Administration X National Aeronautics and Space Administration X National Science Foundation X X Nuclear Regulatory Commission X Office of Personnel Management X X Small Business Administration X Social Security Administration X X U.S. Agency for International Development X X Totals 8 20

Source: GAO analysis of agency-provided data and interviews. | GAO-18-42.

a The Departments of Energy and the Treasury allowed their component agencies to develop their own processes for identifying IT acquisitions. The above assessments are based on the agencies’ department-level acquisition processes.

38 As previously stated, OMB’s FITARA guidance states that, if the agency has a senior procurement executive separate from the CAO, then the guidance also applies to the senior procurement executive. This is the case at OPM.

Conversely, the other 14 agencies did not follow OMB’s guidance to have a process in which the acquisition offices identified, or helped to identify, IT acquisitions for CIO review. Among these agencies, for example, EPA officials indicated that program office officials are responsible for identifying IT requirements and obtaining the appropriate approvals. EPA’s process does not require acquisition office participation. Instead, the program office officials work with IT officials to determine if the contract is IT-related and subject to the IT acquisition approval policy. In addition, 7 agencies reported that they rely on the requesting program offices to self-identify whether their acquisitions are IT-related. Table 1 summarizes the officials responsible for the identification of IT acquisitions at the selected agencies.

We have previously reported on the importance of developing and issuing policies or supporting guidance in order to successfully implement processes and achieve related objectives.39 In recognition of the importance of establishing guidance to assist agency officials in identifying IT, 14 of the 22 selected agencies issued such guidance. However, 7 agencies did not. Specifically, the Departments of Agriculture (USDA), Energy (Energy), Justice (Justice), Labor, and Transportation; the National Aeronautics and Space Administration (NASA); and the Social Security Administration (SSA) did not establish guidance regarding the identification of IT-related acquisitions. For instance, officials in Justice’s Office of the CIO stated that the agency does not follow a prescribed process to determine which acquisitions are IT-related and does not use guidance or checklists to aid with the identification. One other agency, Interior, had established draft guidance to assist officials when identifying IT; however, the agency did not identify a schedule for finalizing the draft guidance.

Until agencies involve the acquisition office in their IT identification processes, and establish and effectively implement supporting guidance, they will likely not be able to ensure that all IT acquisitions are identified. As a result, agencies risk not having appropriate oversight of IT worth billions of dollars.

39 GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September 2014).

MOST AGENCY CIOS ARE NOT REVIEWING AND APPROVING IT ACQUISITIONS IN ACCORDANCE WITH OMB’S REQUIREMENTS

FITARA and OMB’s associated implementation guidance require major civilian agency CIOs to review and approve acquisitions of IT either directly, or through the agency’s governance processes. In particular, OMB’s guidance40 states that agencies shall not approve any acquisition plan or strategy that includes IT without the agency CIO’s review and approval. OMB’s guidance also allows the CIO to delegate these responsibilities to other agency officials to act as the CIO’s representative;41 however, staff in OMB’s Office of the Federal CIO noted that these assignments need to be approved by OMB.42 Alternatively, FITARA and OMB’s guidance allow agencies to use IT governance processes to conduct these reviews and approvals as long as the CIO is a full participant in the process.

Most of the processes at the 22 selected agencies do not fully satisfy OMB’s requirements that the CIO review and approve IT acquisition plans or strategies (or that the CIO participate in a governance process that reviews and approves IT acquisition plans and strategies).43 Specifically, 8 agencies’ processes fully satisfy OMB’s requirements, while 14 of the agencies’ processes do not fully satisfy the requirements. Of these, 8 agencies partially satisfy the requirements and 6 do not satisfy the requirements. For example,

NSF fully satisfies OMB’s requirement by requiring that the CIO review and approve each IT acquisition plan. Similarly, SBA requires the CIO to review and approve each IT acquisition plan over the FAR’s simplified acquisition threshold.44

HUD partially satisfies OMB’s requirements in that its process only requires the office of the CIO to review a subset of IT acquisitions (those over $500,000). In addition, the HUD CIO has delegated the approval authority to the Deputy CIO and others within the Office of the CIO, but this delegation has not been approved by OMB.

VA does not yet have a process in place that satisfies OMB’s requirements, but officials in VA’s Office of Information and Technology stated that they are currently developing processes and procedures necessary to implement FITARA accountability and responsibilities for IT acquisitions. While the agency did not submit a documented time frame for its plans, VA officials stated that they would like to implement the new process by the second quarter of fiscal year 2018.

40 M-15-14.
41 FITARA allows the CIO of a covered agency to delegate the review and approval of contracts associated with non-major IT investments, but the delegated official must report directly to the agency CIO.
42 According to OMB, they have approved assignment plans from 15 of the 22 selected agencies—USDA, Commerce, Education, HHS, Interior, Justice, Labor, State, Treasury, VA, EPA, GSA, NSF, OPM, and SSA.
43 None of the selected agencies’ CIOs review and approve individual IT contracts as specified in FITARA.

Table 2 summarizes the extent to which the selected agencies’ processes satisfy OMB’s requirements for the CIO to review and approve IT acquisition plans. Appendix IV provides additional details about the agencies’ processes that are used to review and approve IT acquisitions.

Of 96 randomly selected IT contracts at 10 agencies, only 11 acquisitions associated with these contracts had been reviewed and approved as required by OMB. The acquisitions associated with 85 contracts, with a total possible value of approximately $23.8 billion,45 did not receive the appropriate level of review. Further, despite having CIO review and approval processes in place that fully or partially satisfied OMB’s requirements, four agencies (the Department of Commerce (Commerce), HHS, Justice, and SSA) did not consistently ensure that the CIO or a designee reviewed and approved the acquisition plan or strategy.

44 The FAR allows agencies to use simplified procedures for acquisitions under $150,000, with a higher threshold available for certain situations not applicable here.
45 The total possible value is the base contract amount and any options for additional supplies or services that could extend the term of the contract.

Table 2. Degree to which selected agencies’ processes satisfy the Office of Management and Budget’s (OMB) requirements for chief information officer review and approval of information technology acquisitions plans

| Agency | Process satisfies OMB’s requirements |
|---|---|
| Department of Agriculture | 🌓 |
| Department of Commerce | 🌑 |
| Department of Education | 🌓 |
| Department of Energy | 🌕 |
| Department of Health and Human Services | 🌑 |
| Department of Housing and Urban Development | 🌓 |
| Department of Justice | 🌓 |
| Department of Labor | 🌓 |
| Department of State | 🌕 |
| Department of the Interior | 🌓 |
| Department of the Treasury | 🌕 |
| Department of Transportation | 🌓 |
| Department of Veterans Affairs | 🌕 |
| Environmental Protection Agency | 🌑 |
| General Services Administration | 🌑 |
| National Aeronautics and Space Administration | 🌕 |
| National Science Foundation | 🌑 |
| Nuclear Regulatory Commission | 🌑 |
| Office of Personnel Management | 🌓 |
| Small Business Administration | 🌑 |
| Social Security Administration | 🌑 |
| U.S. Agency for International Development | 🌕 |

Legend: 🌑 = Fully satisfies OMB’s requirements. 🌓 = Satisfies certain elements of OMB’s requirements, but not all. 🌕 = Does not satisfy OMB’s requirements.

Source: GAO analysis of agency documentation. | GAO-18-42.

Table 3. Number and total possible value of selected information technology acquisitions approved by agency chief information officers consistent with the Office of Management and Budget’s (OMB) requirements

Agency

Acquisitions reviewed and approved in accord with OMB’s requirements (associated contract value in millions)

Department of Agriculture Department of Commerce Department of Health and Human Services Department of Justice Department of State Department of the Treasury Department of Transportation Department of Veterans Affairs National Aeronautics and Space Administration Social Security Administration Totals

1 ($0.2) 3 ($3.4)

Acquisitions not correctly reviewed and approved (associated contract value in millions) 10 ($30.3) 10 ($487.6) 8 ($48.6) 7 ($26.8) 8 ($4.3) 10 ($163.8) 10 ($28.0) 10 ($22,367.0) 9 ($552.6)

7 ($22.8) 3 ($50.4) 11 ($26.4) 85 ($23,759.4)

Source: GAO analysis of OMB guidance, USAspending.gov data, agency documentation, and interviews. | GAO-18-42.

Table 3 summarizes the number and total possible value of IT contracts that we reviewed for consistency with OMB’s requirements. Appendix V provides more details on the selected IT acquisitions and the CIO approval of them. Four key factors contributed to the acquisitions associated with the 85 contracts not being reviewed and approved by the CIOs in accordance with OMB’s requirements: 

Non-compliant processes. As previously mentioned, agencies’ processes at 7 of the 10 agencies did not fully satisfy OMB’s requirements that the CIO review and approve IT acquisition plans and strategies. Four agencies reported that they were following their own agency processes which we determined do not fully align with requirements. For example, NASA officials responsible for information regarding one of the selected contracts stated that the CIO only provides technical guidance and concurrence on the acquisition plan and does not approve the acquisition plan. This is not consistent with OMB’s requirement that the CIO or designee review and approve IT acquisition plans. In addition, for 16 contracts, the respective agencies stated that there were no acquisition plans associated with the particular acquisitions. For example, a director in USDA’s Forest Service’s acquisition office issued waivers for 2 acquisitions, making them exempt from needing acquisition plans. Thus, the CIO did not review and approve acquisition plans for those contracts. As noted earlier, OMB’s guidance states that if there is not an acquisition plan or strategy, the contract action itself should be reviewed and approved. However, in all 16 cases, the associated agencies’ CIOs did not undertake such reviews.

Improper delegation. We identified 16 instances where agencies allowed CIOs to delegate their review to levels lower than agency policy or OMB allows. For example, Treasury’s CIO delegated contract approval to the component CIOs—one of whom further delegated this approval based on monetary thresholds to a variety of other officials. According to the component’s policy, one of the selected acquisitions, worth over $22 million, should have been approved by the component’s Deputy CIOs, Associate CIOs, or Deputy Associate CIOs. However, this particular acquisition was approved by an IT Project Manager. Further, two agencies allowed their CIOs to delegate IT acquisition approvals to other officials, without having these assignments approved by OMB. For example, three of NASA’s selected acquisitions were reviewed and approved by the component CIOs; however, NASA had not had these assignments approved by OMB.

Approval of other documentation. In 26 instances, CIOs or designees reviewed and approved acquisition documentation other than the required acquisition plan or strategy. For example, CIOs or designees reviewed and approved documents such as a requisition, a procurement request, or a business case analysis. While the CIOs or designees reviewed and approved some form of acquisition documentation prior to the award of these acquisitions, these forms of documentation did not have all the elements typically associated with an acquisition plan. As a result, the CIO (or designee) may not have been adequately equipped to make an informed decision about the acquisition.

Undocumented approvals. We identified 2 instances where the agency reported that the CIO or designee approved the IT acquisition, but did not document the approval. For example, regarding one contract, Commerce officials stated that one of the agency’s selected acquisitions was reviewed and approved by its component CIO for the Bureau of Economic Analysis. However, the agency could not provide evidence to show the CIO’s approval beyond an e-mail after the contract was signed stating that the CIO was aware of and had approved that particular acquisition.

Until agencies fully satisfy FITARA and OMB’s requirements by ensuring that CIOs, or their appropriate designees, review and approve IT acquisitions, CIOs risk continuing to have limited visibility and input into their agencies’ planned IT expenditures and not being able to use the increased authority that FITARA’s contract approval provision is intended to provide. In addition, agencies are missing an opportunity to strengthen CIOs’ authority and to provide needed direction and oversight of their IT acquisitions. As a result, agencies may award IT contracts that are duplicative, wasteful, or poorly conceived.

CONCLUSION

Given the history of failures and amount of money at stake, it is imperative that agencies properly oversee IT acquisitions. While the 22 selected agencies reported $14.7 billion in IT obligations, 21 agencies did not identify $4.5 billion as IT. Further, because the selected agencies did not always identify their IT acquisitions, it is likely that agencies have additional unidentified IT spending. Among other reasons, this shortfall existed because many agencies did not ensure that their acquisition offices were involved in the identification process, or provide clear guidance for ensuring that IT was properly identified. Without proper identification of IT acquisitions, agencies and CIOs cannot effectively provide oversight of them.

In addition, many of the selected agencies covered by FITARA did not ensure the appropriate CIO review and approval of IT acquisitions that were identified. The CIOs’ review and approval presents an opportunity for CIOs to increase visibility into agency IT and recognize opportunities for improvement. However, the review and approval processes at 14 of the selected agencies were not in full compliance with OMB requirements, and only 11 of 96 randomly selected IT acquisitions were appropriately reviewed and approved by the CIO. As a result, agencies awarded IT contracts with a total possible value of $23.8 billion without the required CIO review and approval. Consequently, CIOs had limited visibility and insight into their agencies’ IT, thereby increasing the risk of entering into contracts that were duplicative, wasteful, or poorly conceived.

Recommendations for Executive Action

We are making a total of 39 recommendations to federal agencies.

We are making the following 3 recommendations to USDA:

The Secretary of Agriculture should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 1)
The Secretary of Agriculture should direct the CAO and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 2)
The Secretary of Agriculture should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 3)

We are making the following 2 recommendations to Commerce:

The Secretary of Commerce should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 4)
The Secretary of Commerce should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 5)

We are making the following 2 recommendations to Education: 



The Secretary of Education should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 6)
The Secretary of Education should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 7)

We are making the following 2 recommendations to Energy: 



The Secretary of Energy should direct the CAO and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 8)
The Secretary of Energy should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 9)

We are making the following recommendation to HHS: 

The Secretary of HHS should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 10)


We are making the following 2 recommendations to the Department of Housing and Urban Development: 



The Secretary of Housing and Urban Development should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 11)
The Secretary of Housing and Urban Development should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 12)

We are making the following 3 recommendations to Interior: 





The Secretary of the Interior should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 13)
The Secretary of the Interior should direct the CAO and CIO to finalize and issue guidance on identifying IT acquisitions in order to ensure the CIO review and approval of those acquisitions. (Recommendation 14)
The Secretary of the Interior should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 15)

We are making the following 2 recommendations to Justice: 



The Attorney General should direct the senior procurement executive and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 16)
The Attorney General should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 17)

We are making the following 3 recommendations to Labor:

The Secretary of Labor should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 18)
The Secretary of Labor should direct the CAO and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 19)
The Secretary of Labor should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 20)

We are making the following 2 recommendations to State: 



The Secretary of State should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 21)
The Secretary of State should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 22)

We are making the following recommendation to Treasury: 

The Secretary of the Treasury should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 23)

We are making the following 3 recommendations to Transportation: 

The Secretary of Transportation should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 24)
The Secretary of Transportation should direct the CAO and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 25)
The Secretary of Transportation should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 26)

We are making the following 2 recommendations to VA: 



The Secretary of VA should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 27)
The Secretary of VA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 28)

We are making the following recommendation to EPA: 

The Administrator of EPA should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 29)

We are making the following 3 recommendations to NASA: 





The Administrator of NASA should ensure that the office of the CAO is involved in the process to identify IT acquisitions. (Recommendation 30)
The Administrator of NASA should direct the CAO and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 31)
The Administrator of NASA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 32)

We are making the following recommendation to NRC:

The Chairman of NRC should ensure that the office of the senior procurement executive is involved in the process to identify IT acquisitions. (Recommendation 33)

We are making the following recommendation to OPM: 

The Director of OPM should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 34)

We are making the following recommendation to SBA: 

The Administrator of SBA should ensure that the office of the senior procurement executive is involved in the process to identify IT acquisitions. (Recommendation 35)

We are making the following 3 recommendations to SSA: 





The Commissioner of SSA should ensure that the office of the senior procurement executive is involved in the process to identify IT acquisitions. (Recommendation 36)
The Commissioner of SSA should direct the senior procurement executive and CIO to issue specific guidance to ensure IT-related acquisitions are properly identified. (Recommendation 37)
The Commissioner of SSA should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 38)


We are making the following recommendation to USAID: 

The Administrator of USAID should ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. (Recommendation 39)

AGENCY COMMENTS AND OUR EVALUATION

We provided a draft of this chapter to OMB and the other 22 agencies included in our review. Among the comments received, 16 agencies (Energy, GSA, HHS, HUD, Interior, Justice, Labor, NASA, OPM, SBA, SSA, State, Transportation, USAID, USDA, and VA) agreed with our recommendations; 2 agencies (EPA and OMB) did not agree or disagree with our recommendations; 1 agency (Education) partially agreed with our recommendations; 1 agency (NRC) disagreed with our recommendations; and 2 agencies (Treasury and NSF) had no comments on the recommendations. One other agency (Commerce) did not provide comments on the report. The agencies’ comments that we received, and our evaluations of them, are summarized as follows:



In comments provided via e-mail on December 8, 2017, an OMB GAO liaison did not agree or disagree with our findings. The official stated that improved coordination and collaboration between CIOs, CAOs, and senior procurement executives is critical, but represents a significant cultural shift for most agencies. The official added that OMB’s Office of Federal Procurement Policy and Office of the Federal CIO are working closely with agency CAOs and CIOs through the CIO Council and CAO Council to discuss practices that agencies have found helpful in achieving this cultural change.

In comments provided via e-mail on November 18, 2017, a Senior Advisor from USDA’s Office of the CIO stated that the department concurred with the findings in our report and had no additional comments.

In written comments, Education concurred with one of our recommendations, which called for the department to ensure that the office of the CAO is involved in the process to identify IT acquisitions. However, Education did not concur with a second recommendation to ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. The department stated that the CIO reviews and approves IT acquisition strategies and plans as part of his review and approval of IT investments. Specifically, the department stated that its Departmental Directive OCIO: 3-108, “Information Technology Investment Management” establishes a process for Office of the CIO review of IT acquisitions. Further, the department stated that its Statement of Work Review Process adds increased rigor to the CIO’s review and approval by requiring all acquisitions with IT elements to be submitted for Office of the CIO review. Finally, the department stated that the Federal Student Aid Investment Review Board charter documents the agency CIO as a voting member. The department added the CIO is required to vote on Federal Student Aid IT investments greater than $10 million. For Federal Student Aid investments less than $10 million, the CIO is provided the same level of insight as any other Investment Review Board member, but has delegated the required vote to the Federal Student Aid CIO.

The IT Investment Management Directive, together with the department’s associated Lifecycle Management Framework (referenced in the directive), indicates that the office of the CIO is to review IT acquisition plans. However, the department’s Statement of Work Review Process does not require the review and approval of acquisition plans. Instead, the process states that the office of the CIO may review IT acquisition plans or strategies as one of several possible documents, including statements of work or cost estimates.

We also reviewed the Federal Student Aid Investment Review Board charter and updated our report to reflect the department CIO’s involvement on the Federal Student Aid’s Investment Review Board. Based on this collective information, we updated our assessment of Education’s IT acquisition policy to reflect that the department had partially met OMB’s requirements. Nevertheless, the CIO’s review of the department’s acquisition plans and strategies should be required, rather than optional. Thus, we believe that our recommendation to ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance is still warranted. Education’s comments are reprinted in appendix VI.

In written comments, Energy concurred with our two recommendations directed to the department and stated that it has activities underway to revise the department’s acquisition policy. Energy added that it planned to address the recommendations by December 31, 2017. Energy’s comments are reprinted in appendix VII.

In comments provided via e-mail on December 7, 2017, a Management Analyst in HHS’s Office of the CIO stated that the department agreed with the recommendation and had no comments on the report.

In written comments, HUD stated that it concurred with our two recommendations to the department. HUD’s comments are reprinted in appendix VIII.

In written comments, Interior stated that it concurred with our three recommendations to the department. Interior’s comments are reprinted in appendix IX.

In comments provided via e-mail on November 27, 2017, a Program Analyst from Justice’s Internal Review and Evaluation Office stated that the department concurred with our two recommendations. The department also provided technical comments, which we have incorporated in the report, as appropriate.

In written comments, Labor concurred with our three recommendations that we directed to the department. These recommendations called for the department to (1) ensure that the office of the CAO is involved in the process to identify IT acquisitions, (2) issue specific guidance to ensure IT-related acquisitions are properly identified, and (3) ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. Labor detailed actions recently taken to implement each of the recommendations and submitted documentation to support its assertions. For example, the department submitted its Acquisition Plan Preparation Guide and related acquisition plan templates to show that it had issued guidance on identifying IT and required the CIO review and approval of IT acquisition plans. Implementation of these steps should help ensure appropriate oversight of IT acquisitions. Labor’s comments are reprinted in appendix X.

In written comments, State agreed with both of our recommendations. In particular, regarding our recommendation to ensure that the office of the CAO is involved in the process to identify IT acquisitions, the department stated that senior State officials, including the CAO and CIO, will develop a plan to ensure that the CAO monitors acquisition activities and ensures acquisition decisions are consistent with all applicable laws, such as FITARA. Further, regarding the recommendation to ensure that the department’s IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance, State referenced its capital planning and investment control guide that describes how a group under the direction of the CIO reviews acquisition strategies during the IT portfolio selection process. However, while the guide states that the CIO is to approve the finalized IT portfolio, the guide does not state that the CIO is to review the individual acquisition strategy documents. As a result, our recommendation is still warranted. State’s comments are reprinted in appendix XI.

In comments provided via e-mail on December 7, 2017, an Audit Liaison from Treasury’s Office of the CIO stated that the department had no comments on the report. The department did not say whether it agreed or disagreed with the recommendation, but noted that it had planned corrective actions to work with Treasury stakeholders, to include the Chief Procurement Executive, Bureau CIOs, and Acquisition officials; and OMB officials to develop acquisition plans and strategies according to OMB’s FITARA guidance for IT acquisition.

In comments provided via e-mail on November 27, 2017, the Director of Audit Relations and Program Improvement within the Department of Transportation stated that the department concurred with the findings and recommendations.

In written comments, VA concurred with our two recommendations to the department and stated that it is taking steps to address the recommendations. Specifically, regarding the recommendation to ensure that the office of the CAO is involved in the process to identify IT acquisitions, the department stated that it had addressed this concern by implementing an updated version of the Acquisition and Management of VA IT Resources directive in November 2017. In its discussion of this directive, the department stated that the CIO, in conjunction with the CAO, collaborates on all IT actions to ensure FITARA compliance. While the directive clarifies the scope of VA’s IT resources subject to the oversight authority of the CIO, the directive does not indicate that the office of the CAO is also involved in this process. It will be important for VA to consider this recommendation as it continues to implement FITARA requirements. Further, regarding the recommendation to ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance, the department stated that its Office of Strategic Sourcing is currently developing processes and procedures necessary to implement FITARA accountability and responsibilities for IT acquisitions. The department also stated that the new acquisition review process is scheduled to be implemented in the second quarter of fiscal year 2018. VA’s comments are reprinted in appendix XII.

In written comments, EPA stated it did not take exception to the report’s findings, conclusions, and recommendations. Regarding the recommendation to ensure that the office of the CAO is involved in the process to identify IT acquisitions, the agency stated that the policy which implements interim guidance from the CIO to comply with FITARA requirements is being updated. The agency added that future policy revisions are to include the requirement that the CAO or a designee will address this recommendation. EPA’s comments are reprinted in appendix XIII.

In comments provided via e-mail on November 17, 2017, a program analyst in GSA’s GAO/Office of Inspector General Audit Management Division stated that the agency concurred with the report and had no additional comments.

In written comments, NASA concurred with the three recommendations to the agency and stated that it believes it has already addressed them. Specifically, regarding the recommendation to ensure that the Office of the CAO is involved in the process to identify IT acquisitions, NASA asserted that its CAO is already adequately involved. However, NASA did not provide evidence that it fulfills this requirement. For instance, none of the processes mentioned in NASA’s comments support the assertion that the acquisition office is involved in the identification of individual acquisitions as IT. Further, the discussion of a form used to identify IT acquisitions (NASA Form 1707) confirmed our original conclusion that the officials identifying IT acquisitions are not in the acquisition office. In addition, NASA concurred with our recommendation to issue specific guidance to ensure IT-related acquisitions are properly identified, and stated that the agency currently has several policies that provide such guidance.
However, the policies named by the agency (NASA Policy Directive 1000.5B, NASA Interim Directive 1000.110, NASA FAR Supplement 1804.7301, and NASA FAR Supplement 1807.71) do not contain guidance on how the identifying officials should determine whether an acquisition is IT-related. For example, our review of NASA Form 1707 (required by NASA FAR Supplement 1804.7301) showed that, while this form has instructions on how to fill out its IT section, it does not contain guidance on how to properly identify an acquisition as IT-related. In addition, NASA did not provide an official policy on the role of the Center Functional Review Team in the identification process. Further, NASA concurred with our recommendation to ensure that its IT acquisition plans or strategies are reviewed and approved according to OMB guidance and stated that, on September 27, 2017, the CIO had issued a memo delegating the authority to review and approve all IT acquisitions to the Center CIOs. However, as previously mentioned, these delegations of authority need to be approved by OMB, and NASA’s delegation of IT acquisition authority had not been approved by OMB, as required. In addition, NASA has not demonstrated that the CIO’s review and approval is occurring, as none of the 9 acquisitions we randomly selected were reviewed and approved by the CIO. NASA also stated that the CIO and Assistant Administrator for Procurement review acquisition plans as part of their participation in Acquisition Strategy Meetings. However, as we mention in the report, not all IT contracts have acquisition strategy meetings. NASA’s comments are reprinted in appendix XIV.

In written comments, NRC did not concur with our recommendations and stated that our draft report did not accurately reflect the agency’s process for reviewing and approving IT acquisitions.
With regard to our recommendation to ensure that the office of the senior procurement officer is involved in the process to identify IT acquisitions, the agency provided technical comments which stated that acquisition office officials review acquisitions to ensure that IT is properly identified. However, the agency did not provide supporting documentary evidence to support this assertion. Lacking evidence from the agency that would enable us to verify the implementation of the process described in its comments, we maintain that our recommendation is warranted. In addition, our draft of this chapter included a recommendation for NRC to ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance. NRC disagreed with this recommendation and stated in its technical comments that the agency does not require the development of acquisition plans for acquisitions under $1 million. Thus, the NRC CIO does not review acquisition plans under that threshold. The agency also stated that it has a process for approving contract actions under the $1 million threshold. According to OMB guidance, in the absence of acquisition plans or strategies, CIOs may approve the corresponding contract actions.46 Since NRC has a process for approving contract actions under the $1 million threshold, we revised the report to reflect that NRC has processes in place for the review and approval of acquisition plans in a manner consistent with OMB guidance and removed the associated recommendation. NRC’s comments are reprinted in appendix XV and its technical comments have been incorporated in the report, as appropriate.

46 M-15-14.

In comments provided via e-mail on November 21, 2017, an NSF liaison stated that the agency had no comments.

In written comments, OPM concurred with our recommendation and stated that the agency will review and update its policies and processes as needed, so that they are aligned with OMB’s guidance. OPM’s comments are reprinted in appendix XVI.

In written comments, SBA agreed with our recommendation to ensure that the office of the CAO is involved in the process to identify IT acquisitions. SBA noted that it is not required to have a CAO, but agreed with having its acquisition workforce involved in IT acquisitions. Based on the agency’s comments, we modified the associated recommendation to refer to the agency’s senior procurement executive rather than the CAO. SBA stated that it has already begun to implement the recommendation for fiscal year 2018. SBA’s comments are reprinted in appendix XVII.

In written comments, SSA agreed with the three recommendations that we had directed to the agency, stated that it had taken steps to address the recommendations, and submitted supporting documentation. In particular, SSA agreed with the recommendation to ensure that the office of the CAO is involved in the process to identify IT acquisitions and, in response, provided documentation that is to detail the involvement of its Chief Financial Officer (who is the agency’s senior procurement executive) in identifying and approving IT acquisitions. Implementation of these steps should help ensure appropriate oversight of IT acquisitions. Regarding our recommendation to issue specific guidance to ensure IT-related acquisitions are properly identified, SSA agreed with the recommendation and stated that, according to its IT Acquisition Approval Policy, the Chief Financial Officer notifies the CIO of IT acquisitions by submitting acquisition plans to the CIO for approval. However, while SSA’s policy does support this method of CIO notification, it does not provide guidance to assist in identifying IT. Further, SSA agreed with our recommendation to ensure that IT acquisition plans or strategies are reviewed and approved according to OMB’s guidance and provided its September 2017 policy for acquisition plan approval. After reviewing this policy and SSA’s 2017 capital planning and investment control process, we updated our report to show that SSA’s processes satisfy OMB’s requirements.

44

United States Government Accountability Office



While SSA has made progress in implementing OMB’s FITARA requirements, the agency needs to demonstrate that the CIO’s review and approval are occurring, as 3 of the 10 acquisitions we randomly selected were not reviewed and approved as required by OMB’s guidance. It will be important for SSA to consider this recommendation as it continues to implement FITARA requirements. SSA’s comments are reprinted in appendix XVIII. The agency also provided technical comments, which we have incorporated in the report as appropriate. In written comments, USAID agreed with our recommendation and stated that the CIO and CAO are working together to (1) ensure all IT- related acquisition plans and strategies are reviewed and approved by the CIO and (2) further communicate this requirement to the acquisition planning stakeholders. USAID’s comments are reprinted in appendix XIX. The agency also provided technical comments, which we have incorporated in the report as appropriate.

We are sending copies of this chapter to the appropriate congressional committees, the Secretaries of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, Labor, State, the Interior, the Treasury, Transportation, and Veterans Affairs; the U.S. Attorney General of the Department of Justice; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and the U.S. Agency for International Development; the Commissioner of the Social Security Administration; the Directors of the National Science Foundation and the Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission.

David A. Powner
Director, Information Technology Management Issues

List of Committees

The Honorable Trey Gowdy
Chairman
Committee on Oversight and Government Reform
House of Representatives

The Honorable Elijah Cummings
Ranking Member
Committee on Oversight and Government Reform
House of Representatives

The Honorable Will Hurd
Chairman
Subcommittee on Information Technology
Committee on Oversight and Government Reform
House of Representatives

The Honorable Robin L. Kelly
Ranking Member
Subcommittee on Information Technology
Committee on Oversight and Government Reform
House of Representatives

The Honorable Mark Meadows
Chairman
Subcommittee on Government Operations
Committee on Oversight and Government Reform
House of Representatives

The Honorable Gerald E. Connolly
Ranking Member
Subcommittee on Government Operations
Committee on Oversight and Government Reform
House of Representatives

APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY

Our objectives were to determine the extent to which (1) federal agencies identify information technology (IT) contracts and how much is invested in them, and (2) federal agency Chief Information Officers (CIO) are reviewing and approving IT acquisitions. For both objectives, our review included the Office of Management and Budget (OMB) and 22 agencies of the 24 agencies covered by the Chief Financial Officer Act.47 We did not include the Department of Defense because it is excluded from the relevant provision in the Federal Information Technology Acquisition Reform Act (FITARA) requiring CIO approval of IT contracts. Further, we did not include the Department of Homeland Security because we recently issued a report that reviewed the department’s implementation of FITARA, including the CIO’s approval of IT contracts.48 For specific information on the CIOs’ review of individual IT contracts, we focused on 10 agencies covered by FITARA that obligated the most money to IT contracts in fiscal year 2016 (except the Departments of Defense and Homeland Security).49

To determine the extent to which federal agencies identify IT contracts and how much is invested in them, we requested that each of the 22 selected agencies submit a list of their IT contract obligations for fiscal year 2016. We also requested the associated contract identification number, obligation amount, and product and service code.

47 The 22 agencies are the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, Justice, Labor, State, the Interior, the Treasury, Transportation, and Veterans Affairs; the Environmental Protection Agency; General Services Administration; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development.

48 GAO, Homeland Security: Progress Made to Implement IT Reform, but Additional Chief Information Officer Involvement Needed, GAO-17-284 (Washington, D.C.: May 18, 2017).

49 The 10 agencies with the most obligated to IT contracts in 2016 are the Departments of Agriculture, Commerce, Health and Human Services, Justice, State, the Treasury, Transportation, and Veterans Affairs; the National Aeronautics and Space Administration; and Social Security Administration.

In order to determine if the agencies gave us a full accounting of their IT obligations, we used the Category Management Leadership Council’s50 categorizations of federal government spending by product and service codes. In particular, we used the Council’s list of 79 IT-related codes, which is listed in appendix II,51 to identify fiscal year 2016 IT-related contract obligations on USAspending.gov.52 For each funding agency, we downloaded all contracts associated with the IT-related codes, such as purchase orders, blanket purchase agreements, and government-wide acquisition contracts.53 By comparing the resulting list of IT-related contracts on USAspending.gov data to those provided by the agencies, we were able to determine which IT-related contract obligations the agencies had not identified. In doing so, we gave the agency credit for identifying the entire IT contract if an agency identified any portion of the contract (e.g., a contract modification). Consequently, the total of obligations that agencies did not identify is likely higher than the totals we were able to report.

To assess the reliability of the USAspending.gov data, we reviewed publicly available documentation related to the database, such as the USAspending.gov data dictionary. We also reviewed the results of our previous reports on USAspending.gov that had identified deficiencies in the accuracy and reliability of the reported data.54 For both the USAspending.gov and agency-supplied contract data, we tested the datasets to look for duplicate records and missing data in key fields. We also interviewed agency officials to corroborate the data. We found the contract data from USAspending.gov, while sometimes incomplete, were sufficient for our purpose of identifying IT contracts and demonstrating the amount of obligations toward IT contracts. In addition, we found the contract data provided by the agencies to be sufficiently reliable for the purposes of our reporting objectives. We used these data as evidence to support our findings, conclusions, and recommendations.

We also compared the product and service codes in the lists of IT contracts provided by the agencies to the list of IT product and service codes developed by the Category Management Leadership Council. From this comparison, we determined which agency-submitted obligations were associated with IT-related product and service codes and which obligations were associated with non-IT codes.

To determine the cause for any discrepancies between the agency-provided list of obligations and those found on USAspending.gov, we asked each agency to describe and provide evidence of the Chief Acquisition Officer’s (CAO) involvement in the process for identifying IT acquisitions for CIO review.55 We also collected both testimonial evidence and documentation that described the identification process for potential IT acquisitions. We analyzed these data from each agency to determine the involvement of the CAO and officials within the CAO’s acquisition office. We also determined the involvement of officials positioned outside of the acquisition office, such as officials from the office requesting the IT acquisition or from the Office of the CIO. As a result, we were able to establish which officials were responsible for identifying acquisitions for IT review at each agency. We also reviewed the submitted evidence to determine whether the agencies provided guidance that clearly described or defined IT to the identifying officials.

To determine the extent to which federal agency CIOs are reviewing and approving IT acquisitions, we first compiled a composite list of IT-related contracts from fiscal year 2016 for each of the 10 selected agencies by combining:

• contracts associated with IT-related product and service codes from USAspending.gov,
• contracts associated with IT vendors from USAspending.gov,
• contracts linked with major IT investments as listed on OMB’s IT Dashboard, and
• contracts provided by agencies in response to our earlier request for a list of IT contracts.

We then randomly selected 10 IT contracts from each of the 10 agencies on which to perform additional analysis (100 total contracts).56 For each of the 100 selected contracts, we asked the associated agency to confirm that the contract was, in fact, IT-related and requested evidence of CIO or CIO designee review and approval of the contract’s associated acquisition.57

We compared the resulting documentation to FITARA and OMB guidance to determine the extent to which the IT acquisitions had been reviewed and approved. In order to receive full credit, agencies had to provide evidence that the CIO had reviewed and approved the acquisition plans or strategies for those IT acquisitions associated with major IT investments.58 For IT acquisitions associated with non-major IT investments, agencies had to provide evidence that the CIO, or a designee that reports directly to the CIO, reviewed and approved the acquisition plan or strategy. If agencies could not associate the IT acquisition with a particular IT investment, we looked for evidence that the CIO reviewed and approved the acquisition plan or strategy, since FITARA does not state that the review and approval of these IT acquisitions can be delegated.

To determine whether agencies had processes in place to ensure the review and approval of IT acquisitions, we reviewed agency documentation on IT acquisition processes and procedures and compared it to the requirements in FITARA and OMB guidance.59 We also interviewed agency officials to clarify their respective processes and policies. In order to receive full credit, agencies had to provide evidence that they had a process in place that required the agency CIO to review and approve IT acquisition plans or strategies with the exception of those associated with non-major IT investments. Agencies received partial or no credit if their processes had one or more of the following shortfalls:

• approval was not documented,
• delegated IT acquisition review and approval without OMB approval of those delegations,
• did not provide the CIOs or their delegates oversight of all IT acquisitions,
• involved the review of other documentation instead of the required acquisition plans or strategies, or
• did not provide department CIO oversight over IT acquisitions at the component level.

We conducted this performance audit from July 2016 to January 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

50 The Council is chaired by the Administrator of Federal Procurement Policy and includes representatives from the agencies that comprise the majority of federal procurement spending: the Department of Defense, Energy, Health and Human Services, Homeland Security, Veterans Affairs, the General Services Administration, the National Aeronautics and Space Administration, and the Small Business Administration.

51 The Category Management Leadership Council developed its list of 79 IT-related codes by mapping product and service codes to the following categories: IT software, IT hardware, IT consulting, IT security, IT outsourcing, and telecommunications. The full list is available at https://www.acquisition.gov/Category_Management.

52 USAspending.gov is a free, publicly accessible website managed by OMB that contains contract data on federal awards and subawards. The contract data on USAspending.gov are imported from the Federal Procurement Data System-Next Generation, which collects information on contract actions. Federal agencies are responsible for ensuring that the information reported to the system is complete and accurate. The system can be accessed at https://www.fpds.gov.

53 A purchase order is an offer by the government to buy supplies or services upon specified terms and conditions, using simplified acquisition procedures. A blanket purchase agreement is a simple method of filling needs for supplies or services by establishing “charge accounts” with qualified sources of supplies. A government-wide acquisition contract is a task-order or delivery-order contract for IT established by one agency for government-wide use that is operated by an executive agent designated by OMB pursuant to statute or under a delegation of procurement authority issued by the General Services Administration.

54 For example, see GAO, DATA Act: As Reporting Deadline Nears, Challenges Remain That Will Affect Data Quality, GAO-17-496 (Washington, D.C.: Apr. 28, 2017); DATA Act: Office of Inspector General Reports Help Identify Agencies’ Implementation Challenges, GAO-17-460 (Washington, D.C.: Apr. 26, 2017); Data Transparency: Oversight Needed to Address Underreporting and Inconsistencies on Federal Award Website, GAO-14-476 (Washington, D.C.: June 30, 2014); IT Dashboard: Agencies Are Managing Investment Risk, but Related Ratings Need to Be More Accurate and Available, GAO-14-64 (Washington, D.C.: Dec. 12, 2013); and Information Technology Dashboard: Opportunities Exist to Improve Transparency and Oversight of Investment Risk at Select Agencies, GAO-13-98 (Washington, D.C.: Oct. 16, 2012).

55 OMB’s FITARA guidance states that, if the agency has a senior procurement executive separate from the CAO, then the guidance applies to the senior procurement executive rather than the CAO. Of the 22 selected agencies, 7 are not required to have a CAO: the Department of Justice, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. In order to standardize our language, we refer to all CAOs and equivalent senior procurement executives as CAOs in this report.

56 Since OMB’s FITARA guidance was to be implemented by December 31, 2015, we selected fiscal year 2016 contract actions that were signed on January 1, 2016, or later.

57 OMB’s FITARA implementation guidance states that to be included in its definition of IT for purposes of FITARA, IT must be used by an agency directly. Consequently, we determined that two of the selected contracts should not be included because they were for products or services that will be used by an entity other than the agency. Separately, we determined that two other contracts were not IT-related, and thus FITARA was not applicable.

58 The Federal Acquisition Regulation (FAR) is the primary regulation for use by federal executive agencies in their acquisition of supplies and services with appropriated funds. According to the FAR, a detailed acquisition plan must address all the technical, business, management, and other significant considerations that will control the acquisition. It should include, among other things, a statement of need, cost, a plan of action, and milestones. The FAR is less specific on the requirements for an acquisition strategy, but it states that acquisition planning should include developing the overall strategy for managing the acquisition.

59 M-15-14.

APPENDIX II: IT-RELATED PRODUCT AND SERVICE CODES

In September 2015, the Category Management Leadership Council and the Office of Management and Budget (OMB) identified a total of 79 information technology (IT)-related product and service codes, of which 43 are for IT services and 36 are for IT products.60 Table 4 provides details on the IT-related services and product codes.

60 The full list of product and service codes is available at https://www.acquisition.gov/Category_Management.

Table 4. Information Technology (IT)-related product and service codes

Product and service code | Description of product and service code
IT services
D301 | IT and Telecom- Facility Operation and Maintenance
D302 | IT and Telecom- Systems Development
D303 | IT and Telecom- Data Entry
D304 | IT and Telecom- Telecommunications and Transmission Includes: Telephone Service Via Landline, Wireless, or Satellite, Including Cellular, Land Mobile Radio, and VOIP. Excludes: Internet Services (D322)
D305 | IT and Telecom- Teleprocessing, Timeshare, and Cloud Computing. Includes: Software As A Service, Infrastructure As A Service
D306 | IT and Telecom- Systems Analysis
D307 | IT and Telecom- IT Strategy and Architecture
D308 | IT and Telecom- Programming
D309 | IT and Telecom- Information and Data Broadcasting or Data Distribution
D310 | IT and Telecom- Cyber Security and Data Backup. Includes: Information Assurance, Virus Detection, Network Management, Situational Awareness and Incident Response, Secure Web Hosting, Backup and Security Services
D311 | IT and Telecom- Data Conversion
D312 | IT and Telecom- Optical Scanning
D313 | IT and Telecom- Computer Aided Design/Computer Aided Manufacturing
D314 | IT and Telecom- System Acquisition Support. Includes: Preparation of Statement of Work, Benchmarks, Specifications, etc.
D315 | IT and Telecom- Digitizing. Includes: Cartographic and Geographic Information
D316 | IT and Telecom- Telecommunications Network Management. Includes: Network Engineering and Operational Support
D317 | IT and Telecom- Web-Based Subscription. Includes: Subscriptions to Data, Electronic Equivalent of Books, Periodicals, Newspapers, etc.
D318 | IT and Telecom- Integrated Hardware/Software/Services Solutions, Predominantly Services. Includes: Contracts Buying Hardware, Software, and Related Services, Where Services Are the Predominant Portion of the Contract Value
D319 | IT and Telecom- Annual Software Maintenance Service Plans
D320 | IT and Telecom- Annual Hardware Maintenance Service Plans
D321 | IT and Telecom- Help Desk
D322 | IT and Telecom- Internet. Includes: Internet Access Via Wired, Wireless, and Satellite Media, Including Broadband and Dial Up. Excludes: Telecommunications and Transmission Services (D304)
D324 | IT and Telecom- Business Continuity
D325 | IT and Telecom- Data Centers and Storage. Includes: Data Center Consolidation, Modernization, and Transformation; Enterprise Resource Planning; Data Center Design
D399 | IT and Telecom- Other IT and Telecommunications
H170 | Quality Control- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
H970 | Other Quality Control, Testing, and Inspection- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
J058 | Maintenance/Repair/Rebuild of Equipment- Communication, Detection, and Coherent Radiation Equipment
J060 | Maintenance/Repair/Rebuild of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
J070 | Maintenance, Repair, and Rebuilding of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies, and Support Equipment
J099 | Maintenance/Repair/Rebuild of Equipment- Miscellaneous
K060 | Modification of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
K070 | Modification of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies, and Support Equipment
L070 | Technical Representative- Automatic Data Processing Equipment (Including Firmware), Software, Supplies, and Support Equipment
N058 | Installation of Equipment- Communication, Detection, and Coherent Radiation Equipment
N060 | Installation of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
N070 | Installation of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies, and Support Equipment
R409a | Program Review/Development Services
R413 | Support- Professional: Specifications Development
R415 | Support- Professional: Technology Sharing/Utilization
S113b | Telephone and-or Communications Services (Includes Telegraph, Telex, and Cablevision Services)
W058 | Lease Or Rental of Equipment- Communication, Detection, and Coherent Radiation Equipment
W070 | Lease Or Rental of Equipment- Automated Data Processing Equipment/Software/Supplies/Support Equipment
IT products
5805 | Telephone and Telegraph Equipment
5810 | Communications Security Equipment and Components
5811 | Other Cryptologic Equipment and Components
5820 | Radio and Television Communication Equipment, Except Airborne
5821 | Radio and Television Communication Equipment, Airborne
5850 | Visible and Invisible Light Communication Equipment
5895 | Miscellaneous Communication Equipment
6007c | Filters
6008c | Optical Multiplexers/Demultiplexers
6010 | Fiber Optic Conductors
6015 | Fiber Optic Cables
6020 | Fiber Optic Cable Assemblies and Harnesses
6021 | Fiber Optic Switches
6025c | Fiber Optic Transmitters
6030 | Fiber Optic Devices
6031c | Integrated Optical Circuits
6032 | Fiber Optic Light Sources and Photo Detectors
6034c | Fiber Optic Mod/Demodulators
6035 | Fiber Optic Light Transfer and Image Transfer Devices
6040d | Fiber Optic Sensors
6060 | Fiber Optic Interconnectors
6070 | Fiber Optic Accessories and Supplies
6080 | Fiber Optic Kits and Sets
6099 | Miscellaneous Fiber Optic Components
7010 | Information Technology Equipment System Configuration
7020 | Information Technology Central Processing Unit (CPU, Computer), Analog
7021 | Information Technology Central Processing Unit (CPU, Computer), Digital
7022 | Information Technology Central Processing Unit (CPU, Computer), Hybrid
7025 | Information Technology Input / Output and Storage Devices
7030 | Information Technology Software
7035 | Information Technology Support Equipment
7040 | Punched Card Equipment
7042 | Mini and Micro Computer Control Devices
7045 | Information Technology Supplies
7050 | Information Technology Components
7435 | Office Information System Equipment

Source: GAO analysis of Federal Procurement Data System and Category Management Leadership Council’s documentation. | GAO-18-42.
a Code R409 was merged with code R407 (Program Review/Development Services) into a new code R410 (Support- Professional: Program Evaluation/Review/Development).
b Code S113 was merged with code D304 (IT and Telecom- Telecommunications and Transmission).
c Codes 6007, 6008, 6025, 6031, and 6034 were integrated under code 6030 (Fiber Optic Devices).
d Code 6040 was integrated under code 6099 (Miscellaneous Fiber Optic Components).

APPENDIX III: ESTIMATED TOTAL FISCAL YEAR 2016 IT OBLIGATIONS BY AGENCY

The 22 selected agencies identified approximately $14.7 billion in obligations for information technology (IT)-related contracts in fiscal year 2016. Of that amount, approximately $14 billion was categorized as IT-related per the Category Management Leadership Council’s product and service codes, and approximately $626 million was categorized under other, non-IT codes.

Table 5. Estimated total fiscal year 2016 Information Technology (IT) obligations by agency

Agency | Agency-identified obligations associated with non-IT codes ($M) | Agency-identified obligations associated with IT codes ($M) | Additional GAO-identified obligations ($M) | Total identified IT obligations ($M)
Department of Agriculture | - | $814 (91%) | $81 (9%) | $894
Department of Commerce | $13 (1%) | $1,135 (94%) | $62 (5%) | $1,210
Department of Education | - | $261 (98%) | $5 (2%) | $266
Department of Energy | - | $216 (98%) | $5 (2%)a | $221
Department of Health and Human Services | $8 (0%) | $1,105 (50%) | $1,110 (50%) | $2,223
Department of Housing and Urban Development | - | $189 (79%) | $52 (21%) | $240
Department of Justice | - | $1,594 (100%) | - | $1,594
Department of Labor | $105 (22%) | $324 (67%) | $55 (11%) | $485
Department of State | - | $1,704 (99%) | $17 (1%) | $1,720
Department of the Interior | $7 (1%) | $300 (50%) | $292 (49%) | $599
Department of the Treasury | - | $701 (46%) | $839 (54%) | $1,540
Department of Transportation | $1 (0%) | $706 (53%) | $614 (46%) | $1,320
Department of Veterans Affairs | $220 (6%) | $2,422 (70%) | $808 (23%) | $3,450
Environmental Protection Agency | $156 (43%) | $189 (52%) | $17 (5%) | $362
General Services Administration | $53 (8%) | $318 (50%) | $263 (42%)a | $633
National Aeronautics and Space Administration | - | $843 (97%) | $27 (3%) | $870
National Science Foundation | $24 (18%) | $17 (13%) | $94 (70%) | $136
Nuclear Regulatory Commission | $14 (10%) | $115 (87%) | $4 (3%) | $132
Office of Personnel Management | $1 (0%) | $91 (55%) | $75 (45%) | $167
Small Business Administration | - | $79 (98%) | $2 (2%) | $81
Social Security Administration | $24 (3%) | $899 (95%) | $23 (2%) | $946
U.S. Agency for International Development | - | $22 (21%) | $83 (79%)a | $106
Totals | $626 (3%) | $14,042 (73%) | $4,529 (24%) | $19,197

Source: GAO analysis of USAspending.gov and agency data. | GAO-18-42.
Note: Due to rounding, the combined obligation amounts may not equal the totals, and the percentages in each row may not add up to 100 percent.
a The agency stated that a portion of this amount is for IT contracts that the agency funded on behalf of another entity.

In addition to the obligations that agencies reported to us, we identified an additional $4.5 billion in obligations for contracts with IT-related product and service codes, raising the total amount obligated to IT contracts in fiscal year 2016 to at least approximately $19.2 billion. Table 5 provides details on each selected agency’s obligations for IT-related contracts in fiscal year 2016.


APPENDIX IV: AGENCY ACQUISITION PROCESSES USED TO REVIEW AND APPROVE IT ACQUISITIONS

Table 6. Degree to which selected agencies’ processes comply with the Office of Management and Budget’s (OMB) requirements on Chief Information Officers’ (CIO) review and approval of Information Technology (IT) acquisition plans

Agency | Complies with OMB requirements | Description of acquisition processes

Department of Agriculture (USDA) | 🌓 | USDA’s CIO or designee is to review and approve a subset of IT acquisition plans or strategies. Specifically, an Associate CIO is to review and approve acquisition documentation including an acquisition plan, when applicable, for acquisitions of IT-related advisory and assistance services over $500,000. To review and approve other IT acquisitions, the CIO is to use the Acquisition Approval Request Process. As a part of this process, requests for IT acquisitions are to be submitted to the Office of the CIO along with a statement of work, among other items. The request is to be reviewed by the Office of the CIO and then approved by the CIO or a delegate based on acquisition amount. In particular, the CIO is to be responsible for approving IT requests equal to or above $50 million, but can delegate to the Deputy CIO. The Deputy CIO is to be responsible for approving requests valued between $25,000 and $50 million, but can delegate to the Associate CIO. The component CIOs can approve IT requests under $25,000. In addition to these approval processes, the agency’s Integrated Advisory Board (chaired by an Associate CIO) is to take acquisition strategies into consideration when making technical recommendations on IT investments. Further, the Office of the CIO is to regularly review and score IT investments on a number of criteria, including the investment’s associated acquisition strategy and plan. However, neither of these processes currently allow for the approval of a particular acquisition strategy or plan.

Department of Commerce (Commerce) | 🌑 | Commerce’s CIO is to review and approve IT acquisition plans through its Commerce Information Technology Review Board that the CIO chairs. The Board is to review and approve IT acquisitions at or above $10 million. Acquisitions below this threshold are to be delegated to bureau CIOs. In addition, Commerce’s Office of the CIO is to review and approve project artifacts as part of its IT Compliance Checklist for all IT acquisitions, including the acquisition plan or the contract.

Department of Education (Education) | 🌓 | Education’s CIO has delegated the review and approval of IT acquisition plans and strategies. Specifically, the Office of the CIO’s Investment Acquisition Management Team is to review and approve acquisition plans as part of its Lifecycle Management Framework. However, the department’s guidance on the CIO approval process states that the Office of the CIO may review IT acquisition plans or strategies as one of several possible documents. As such, reviewing acquisition plans and strategies is not required. The department CIO is also a voting member of Federal Student Aid’s Investment Review Board. The department CIO is required to vote on IT investments greater than $10 million. The department CIO has delegated the required vote on IT investments less than $10 million to the Federal Student Aid’s CIO.

Department of Energy (Energy) | 🌕 | Energy’s CIO does not review and approve IT acquisition plans or strategies. Instead, Energy’s Office of the CIO is to review and approve acquisition documentation, which may include an acquisition plan, for a subset of IT acquisitions. However, acquisition plans are not required to be submitted. In addition, the agency’s process only covers IT acquisitions that originate in headquarters. Energy’s CIO is also a member of the Energy Systems Acquisition Advisory Board which is to review acquisitions related to capital assets with a total project cost of $100 million or greater.

Department of Health and Human Services (HHS) | 🌑 | HHS’s Office of the CIO is to review and approve IT acquisition strategies that meet certain thresholds and provide a recommendation to the CIO or designee. Specifically, the CIO or designee is to review and approve all IT acquisition strategies at the department level for acquisitions greater than $150,000 through the Information Technology Acquisitions Review process. In addition, the department CIO is to review and approve IT acquisition strategies originating at the components for investments greater than or equal to $20 million annually or $100 million over 5 years. The CIO has delegated the approval of acquisition strategies for investments less than this threshold to the operating division CIOs.

Department of Housing and Urban Development (HUD) | 🌓 | HUD’s Office of the CIO is to review IT acquisition requests that include an acquisition plan or strategy only for acquisitions at or above $500,000. The approval authority has been delegated to the Deputy CIO and Customer Relationship Coordinators within the Office of the CIO. However, HUD’s delegation of contract review and approval has not been approved by OMB. Moreover, HUD’s CIO does not have input in reviewing and approving IT acquisition requests of one of its components, the Government National Mortgage Association.

Department of Justice (Justice) | 🌓 | Justice’s CIO is to review and approve acquisition plans through Justice’s CIO Acquisition Review Board. In particular, all IT acquisitions are to be submitted to the CIO board, and the CIO is to be specifically involved in those acquisitions over $2.5 million. Component CIOs are authorized to approve procurement actions equal to or less than $500,000, but still are required to inform the CIO board of the acquisition. However, the CIO board is not yet chartered. Two components—the Federal Bureau of Investigation and the Federal Bureau of Prisons—are exempt from going through the CIO board because they are to use a CIO-approved Alternative IT Acquisition Review Program, of which a representative of the department Office of the CIO is a member.

Agency

Complies with OMB requirements

Description of acquisition processes

Department of Labor (Labor)

🌓

Department of State (State)

🌕

Department of the Interior (Interior)

🌓

Department of the Treasury (Treasury)

🌕

Labor’s CIO is to review and approve a subset of IT acquisition plans. Specifically, Labor’s policy requires that IT acquisition plans associated with major investments be reviewed and approved by the CIO or the Office of the CIO; however, acquisitions not associated with a major investment are not to receive this level of review. In addition, the CIO is to review and approve other acquisition documentation, such as a statement of work, as part of Labor’s IT Acquisition Review Board. The CIO also is to review IT acquisition spend plan information through the annual IT Spend Plan process. All acquisitions are to go through the IT Spend Plan process. However, only IT acquisitions over $150,000 that were not preapproved through the Spend Plan process are to go through the IT Acquisition Review Board review and approval process. While State’s CIO does not review and approve IT acquisition plans/strategies, the CIO is to review and approve other acquisition documentation (e.g., a statement of work or cost/benefit analysis) for acquisition requests $10 million or more per fiscal year. State is updating its procedures and policies to fulfill FITARA requirements and plans to complete this effort during the fourth quarter of fiscal year 2017. Interior’s CIO is to review and approve acquisition strategies valued at $50 million or more through his/her membership on the Acquisition Procurement Advisory Committee. However, the CIO’s membership on the committee has not yet been documented. In addition, acquisitions valued below $50 million are to be approved by IT request reviewers that do not report directly to the CIO. The agency plans to create a reporting chain from the reviewer to associate CIOs or the CIO, possibly in 2018. Treasury’s CIO does not review and approve IT acquisition plans/strategies. 
The department CIO has delegated approval authority of IT acquisitions to the associate and component CIOs, who are required to approve IT acquisitions’ related business cases, not

Information Technology Agency

Complies with OMB requirements

Department of Transportation (Transportation)

🌓

Department of Veterans Affairs (VA)

🌕

Environmental Protection Agency (EPA)

🌑

61

Description of acquisition processes IT acquisition plans or strategies. Each component CIO may use a different IT review and approval process as the department does not mandate standardization among its components. Treasury’s main IT governance process for acquisitions is the Major Acquisition Program review process. The key component of this process is a briefing that is attended by stakeholders such as the relevant component CIO and the contracting officer. The Treasury CIO may also attend, but participation is not mandatory. These briefings provide insight into acquisitions and acquisition strategies for major acquisitions only. This process is not used to approve acquisition requests. Transportation’s Deputy CIO, through the department’s Acquisition Strategy Review Board, is to approve acquisition plans for acquisitions over $20 million or over $10 million if high risk. The component CIOs are to review the acquisition plans, as applicable, for the acquisitions that do not meet this threshold. These delegations, however, have not been approved by OMB. In addition, the CIO is to approve IT acquisitions through the annual Spend Plan process. Spend plans submitted through this process provide a high-level overview of proposed IT purchases. However, the Transportation CIO does not have approval authority over the Federal Aviation Administration’s acquisition requests. VA’s CIO does not review IT acquisition plans or strategies. The agency acknowledges that its processes are not in compliance with FITARA. Officials from VA’s Office of Information and Technology stated that they are currently developing processes and procedures necessary to implement FITARA accountability and responsibilities for IT acquisitions. While the agency did not submit any documented timelines for their plans, VA officials stated that they would like to implement the new process by the second quarter of fiscal year 2018. 
EPA’s CIO is to review and approve IT acquisition strategy documentation, including a work statement, a description of the acquisition, and a cost estimate, for IT hosting requests and requests for IT services greater than $1 million a year. The CIO has

62

United States Government Accountability Office Table 6. (Continued)

Agency

Complies with OMB requirements

General Services Administration (GSA)

🌑

National Aeronautics and Space Administration (NASA)

🌕

National Science Foundation (NSF)

🌑

Description of acquisition processes delegated approval for the acquisition of IT hardware, IT software, and IT services (less than $1 million a year) to other officials. GSA’s CIO has delegated IT acquisition plan review and approval to the Associate CIOs. In addition, the Office of the CIO’s Vendor Management Office is to be notified of all IT acquisition requests over $150,000 and is to specifically review acquisition documentation (including acquisition plans) related to requests valued at more than $700,000. NASA’s CIO does not review and approve IT acquisition plans or strategies. Instead, requesters are to submit a form with every procurement request that requires the requester to self-identify whether the request includes IT and has been coordinated with the component CIO. NASA has a process for the CIO review of IT acquisitions over $50 million; however, this process does not allow for the CIO approval of these IT acquisitions. Generally, procurements under $50 million follow each particular component’s IT procurement policies. NASA officials noted that IT expenditures under functional areas other than the Office of the CIO are not always reviewed by the CIO. Further, NASA’s FITARA implementation plan states that the CIO approves IT contracts greater than $20 million, but it does not specify what exactly is being reviewed and approved. According to agency officials, the CIO reviews and approves IT requirements documentation, which can include the CIO’s participation in an Acquisition Strategy Meeting or a Procurement Strategy Meeting (the agency defines this meeting as an “acquisition plan in a meeting”). However, not all IT contracts are subject to these meetings. IT acquisitions below $20 million have been delegated to the component CIOs. However, NASA’s delegation of IT contract review and approval has not been approved by OMB. 
NSF’s CIO is to review and approve each IT acquisition plan over $150,000 (the simplified acquisition threshold where regulation allows agencies to use simplified acquisition procedures).

Information Technology

63

Agency

Complies with OMB requirements

Description of acquisition processes

Nuclear Regulatory Commission (NRC)

🌑

Office of Personnel Management (OPM)

🌓

Small Business Administration (SBA)

🌑

NRC’s CIO is to review and approve IT acquisition plans over $1 million as a member of the Strategic Sourcing Group. The group’s approval is required before any action can be taken on an acquisition over $1 million. According to the agency, NRC does not require the development of acquisition plans for acquisitions under $1 million. In the absence of acquisition plans or strategies, NRC has a process for approving contract actions under the $1 million threshold. In addition, NRC’s CIO is to review and approve high level information on every IT procurement request, such as the purpose, description, and committed amount, prior to contract award. OPM’s CIO does not review and approve IT acquisition plans or strategies. Instead, a member of the Office of the CIO is to review and approve IT acquisition plans for acquisitions over $150,000. In addition, as a member of the Capital Investment Committee, the CIO is to review and approve acquisition requests over $250,000, including documentation such as cost information and an alternatives analysis. In addition, the CIO co-chairs the agency’s IT Investment Review Board which is to review all major IT investments. Following the approval of the Capital Investment Committee and/or the Investment Review Board, the CIO is to review and approve submitted IT Acquisition Checklists with documentation such as a statement of work or cost estimate for investments over $250,000. According to the agency, the Deputy CIO has been performing this approval. However, OMB has not approved the agency’s delegation of IT acquisition review and approval to the Office of the CIO or the Deputy CIO. SBA’s CIO is to review and approve IT acquisition plans over $150,000 (the simplified acquisition threshold where regulation allows agencies to use simplified acquisition procedures). 
In addition, SBA CIO is a member of two governance boards that may review and approve IT contracts or acquisition plans, the Business Technology Investment Council, and the Contract Review Board.

64

United States Government Accountability Office Table 6. (Continued)

Agency

Complies with OMB requirements

Description of acquisition processes

Social Security Administration (SSA)

🌑

U.S. Agency for International Development (USAID)

🌕

SSA’s CIO is to review and approve all IT acquisition plans with a value over $5 million. The review and approval of acquisition plans for IT acquisitions between $1 million and $5 million has been delegated to the Assistant Deputy Commissioner of Systems. Acquisitions under $1 million are to be reviewed and approved by a designated division director, who is a member of the CIO staff. USAID’s processes do not require the CIO to review and approve IT acquisition plans or strategies. Specifically, USAID’s Office of the CIO is to review IT acquisitions and the CIO or designee is to provide final approval as part of the Information Technology Acquisition Assessment and Authorization process. As a part of this process, the acquisition planner is to ensure that the acquisition plan contains sufficient information on the IT requirements and the Office of the CIO approvals, but there are no formal requirements that the acquisition plan be submitted to the Office of the CIO or that the CIO approves the acquisition plan.

Legend: 🌑 = Fully satisfies OMB’s requirements. 🌓 = Satisfies certain elements of OMB’s requirements, but not all. 🌕 = Does not satisfy OMB’s requirements. Source: GAO analysis of agency documentation | GAO-18-42.

The Federal Information Technology Acquisition Reform Act (FITARA) and the Office of Management and Budget’s (OMB) associated implementation guidance require major civilian agency chief information officers (CIO) to review and approve acquisitions of information technology (IT) either directly, or as full participants in the agency’s governance processes. In particular, OMB’s guidance[61] states that agencies shall not approve an acquisition plan or strategy that includes IT without the agency CIO’s review and approval.[62] OMB’s guidance also allows the CIO to delegate these responsibilities to other agency officials to act as the CIO’s representative; however, staff in OMB’s Office of the Federal CIO noted that these assignments need to be approved by OMB.[63] Alternatively, FITARA and OMB’s guidance allow agencies to use IT governance processes to conduct these reviews and approvals, as long as the CIO is a full participant in the process. Table 6 provides details on the selected agencies’ acquisition processes and the degree to which the processes comply with OMB’s requirements.

[61] M-15-14.

[62] FITARA allows the CIO of a covered agency to delegate the review and approval of contracts associated with non-major IT investments, but the delegated official must report directly to the agency CIO.

[63] According to OMB, they have approved assignment plans from 15 of the 22 selected agencies—USDA, Commerce, Education, HHS, Interior, Justice, Labor, State, Treasury, VA, EPA, GSA, NSF, OPM, and SSA.

APPENDIX V: DETAILS ON SELECTED IT ACQUISITIONS

Of 96 randomly selected information technology (IT) contracts at 10 agencies, 9 acquisitions associated with these contracts had been reviewed and approved as required by the Office of Management and Budget (OMB). The acquisitions associated with the remaining 87 contracts did not receive the appropriate levels of Chief Information Officer (CIO) review and approval in accordance with OMB requirements.[64] Table 7 provides details on the selected IT acquisitions and the CIO review and approval of them.

[64] Our initial sample consisted of 100 contracts. OMB’s FITARA implementation guidance states that to be included in its definition of IT for purposes of FITARA, IT must be used by an agency directly. Consequently, we determined that two of the selected contracts should not be included because they were for products or services that will be used by an entity other than the agency. Separately, we determined that two other contracts were not IT-related, and thus FITARA was not applicable. See appendix I for more information on our methodology.

Table 7. Extent to which selected Information Technology (IT) acquisitions were reviewed and approved by the Chief Information Officer (CIO) in accordance with the Office of Management and Budget’s (OMB) requirements

| Agency | Procurement ID | Associated investment type | Amount obligated for contract action ($M) | Total possible contract amount ($M) | Did CIO approve acquisition plan or strategy per OMB requirements? |
|---|---|---|---|---|---|
| Department of Agriculture | AG3144K160255 | Non-major | $0.284 | $0.284 | No, incorrect designee approved other documentation. |
| Department of Agriculture | AG3198K160050 | Major | $0.798 | $0.798 | No |
| Department of Agriculture | AG7604K160018 | Non-major | $0.549 | $0.549 | No |
| Department of Agriculture | AG3198D160088 | Non-major | $0.413 | $0.413 | No, incorrect designee approved other documentation |
| Department of Agriculture | AG32SBD160085 | Non-major | $0.162 | $0.162 | No |
| Department of Agriculture | AG32SBK160043 | Non-major | $0.0 | $0.353 | No, correct designee, but approved other documentation |
| Department of Agriculture | AG3144D160117 | Major | $0.080 | $0.398 | No, CIO approved other documentation |
| Department of Agriculture | AG7604K160006 | Major | $1.289 | $2.616 | No, correct designee, but approved other documentation |
| Department of Agriculture | AG3198B160007 | Major | $0.0 | $24.5 | No, correct designee, but approved other documentation |
| Department of Agriculture | AG3151K160024 | Non-major | $0.182 | $0.182 | No |
| Department of Commerce | DOC46PAPT1600373 | Major | $4.507 | $4.507 | No, correct designee, but approved other documentation |
| Department of Commerce | DOC45PAPT1600332 | Non-major | $0.439 | $0.439 | No |
| Department of Commerce | DOC16372 [a] | Not associated | $0.274 | $0.337 | No |
| Department of Commerce | DOCSA130116NC0025 | Non-major | $0.640 | $0.640 | No |
| Department of Commerce | DOC16061 [a] | Not associated | $0.180 | $0.180 | No |
| Department of Commerce | DOCAB133E16CT0021 | Major | $0.242 | $0.242 | No |
| Department of Commerce | DOCAB133016CT0040 | Major | $0.224 | $0.224 | No |
| Department of Commerce | DOCWC133016NC0248 | Major | $0.160 | $0.800 | No, incorrect designee approved other documentation |
| Department of Commerce | DOCYA132116NC0341 | Not associated | $0.216 | $0.216 | No |
| Department of Commerce | DOC50PAPT1600023 | Major | $0 | $480 | No, approved by incorrect designee |
| Department of Health and Human Services | HHSH250201600070W | Major | $0.172 | $0.172 | Yes. Approved by correct designee |
| Department of Health and Human Services | HHSN27600009 | Non-major | $0.167 | $1.2 | No |
| Department of Health and Human Services | HHSF223201610359G | Not associated | $0.148 | $0.228 | No |
| Department of Health and Human Services | HHSF223201610007B | Non-major | $0 | $44 | No, correct designee, but approved other documentation |
| Department of Health and Human Services | HHSN275201600308U | Non-major | $0.268 | $0.268 | No, approved by incorrect designee |
| Department of Health and Human Services | HHSN272201600080U | Non-major | $0.181 | $0.181 | No, approved by incorrect designee |
| Department of Health and Human Services | HHSN269201600181U | Non-major | $0.193 | $0.193 | No, approved by incorrect designee |
| Department of Health and Human Services | HHSD2002016F89486 | Major | $0.144 | $0.793 | No, approved by incorrect designee |
| Department of Health and Human Services | HHSD2002010372030018 | Non-major | $0.371 | $1.760 | No, incorrect designee approved other documentation |
| Department of Health and Human Services | HHSN316201600006W | n/a | n/a | n/a | Determined to be not applicable to FITARA as it was an IT contract for another agency’s use |
| Department of Justice | DJBP0700NASR9M10193 | Non-major | $0.713 | $0.713 | No |
| Department of Justice | DJJ16G29OSS586021 | Major | $0.426 | $0.426 | Yes. Approved by CIO via participation in agency process |
| Department of Justice | DJA16AHDQG0554 | Non-major | $0.347 | $0.347 | No, correct designee, but approved other documentation |
| Department of Justice | DJD16HQE0319 | Major | $2.341 | $2.341 | Yes. Approved by CIO via participation in agency process |
| Department of Justice | DJF161200P0006490 | Major | $0.252 | $0.252 | No |
| Department of Justice | DJF161200D0002600 | Non-major | $4.975 | $24.875 | No, approved by governance process; not documented |
| Department of Justice | DJJ25000021 | Non-major | $0.678 | $0.678 | Yes. Approved by correct designee |
| Department of Justice | DJF161200E0008280 | Major | $0.232 | $0.232 | No |
| Department of Justice | DJM16A41G0494 | Non-major | $0.159 | $0.159 | No |
| Department of Justice | DJF161200G0003779 | Major | $0.269 | $0.269 | No, not documented |
| Department of State | SAQMMA16F5319 | Non-major | $0.550 | $0.869 | No |
| Department of State | SAQMMA16F4122 | Major | $0.249 | $0.249 | No |
| Department of State | SAQMMA16M0638 | Major | $0.251 | $0.251 | No |
| Department of State | SWHARC16M0003 | Not associated | $0.439 | $0.439 | No |
| Department of State | SAQMMA16C0291 | Non-major | $0.488 | $1.158 | No |
| Department of State | SAQMMA16F3988 | Non-major | $0.790 | $0.790 | No |
| Department of State | SINLEC16F0091 | n/a | n/a | n/a | Determined to be not applicable to FITARA as it was an IT contract for another country’s use |
| Department of State | SAQMMA16F1545 | Non-major | $0.263 | $0.263 | No |
| Department of State | SAQMMA16L0220 | Major | $0.255 | $0.255 | No, correct designee, but approved other documentation |
| Department of State | SAQMMA16F4255 | n/a | n/a | n/a | Determined to be not applicable to FITARA as it was not IT-related |
| Department of the Treasury | TEPS1634706 | Not associated | $0.499 | $0.499 | No |
| Department of the Treasury | TIRNO12Z000210064 | Both major and non-major | $1.662 | $1.662 | No, correct designee, but approved other documentation |
| Department of the Treasury | TIRNO12Z000210039 | Major | $0.751 | $0.751 | No, correct designee, but approved other documentation |
| Department of the Treasury | TIRNO16K00156 | Major | $5.671 | $5.671 | No, correct designee, but approved other documentation |
| Department of the Treasury | TIRNO16K00327 | Major | $22.250 | $22.255 | No, correct designee, but approved other documentation |
| Department of the Treasury | TIRNO16C00060 | Major | $0.566 | $0.566 | No |
| Department of the Treasury | TIRNO12Z000210062 | Non-major | $0.839 | $0.839 | No, correct designee, but approved other documentation |
| Department of the Treasury | TMHQ16C0011 | Major | $0.628 | $2.308 | No, correct designee, but approved other documentation |
| Department of the Treasury | TDOXOFR16F0023 | Non-major | $1.538 | $3.611 | No, correct designee, but approved other documentation |
| Department of the Treasury | TIRNO11D000220015 | Major | $6.950 | $125.656 | No, correct designee, but approved other documentation |
| Department of Transportation | DTFAWA16F00022 | Not associated | $0.591 | $0.591 | No, governance process without CIO approved other documentation. OMB did not approve delegation. |
| Department of Transportation | DTFAWA11D00004CAL L1053 | Not associated | $0.911 | $0.911 | No, governance process without CIO approved other documentation. OMB did not approve delegation. |
| Department of Transportation | DTPH5616F00069 | Not associated | $0.124 | $0.258 | No, incorrect designee approved other documentation. OMB did not approve delegation. |
| Department of Transportation | DTFAWA16C00021 | Major | $23.000 | $23.000 | No, approved by governance process without CIO. OMB did not approve delegation. |
| Department of Transportation | DTRT5716F50064 | Not associated | $0.027 | $0.682 | No, approved by incorrect designee. OMB did not approve delegation. |
| Department of Transportation | DTFH6116F00021 | Non-major | $0.201 | $0.201 | No |
| Department of Transportation | DTNH2216F00053 | Non-major | $0.237 | $0.237 | No, incorrect designee approved other documentation. OMB did not approve delegation. |
| Department of Transportation | DTFAAC16D00044CALL 0001 | Non-major | $0.648 | $0.648 | No, approved by governance process without CIO. OMB did not approve delegation. |
| Department of Transportation | DTFACT11D00009CALL 0377 | Not associated | $0.304 | $0.304 | No, governance process without CIO approved other documentation. OMB did not approve delegation. |
| Department of Transportation | DTFAWA04C00045CAL L0006 | Major | $1.187 | $1.187 | No, approved by governance process without CIO. OMB did not approve delegation |
| Department of Veterans Affairs | VA11816C0924 | Not associated | $5.000 | $5.000 | No |
| Department of Veterans Affairs | VA11816F1415 | Not associated | $1.133 | $1.133 | No |
| Department of Veterans Affairs | VA11816F1577 | Not associated | $0.212 | $0.212 | No |
| Department of Veterans Affairs | VA11816F10060006 | Not associated | $0.251 | $0.251 | No |
| Department of Veterans Affairs | VA11816F1095 | Not associated | $0.168 | $0.168 | No |
| Department of Veterans Affairs | VA11816D1027 | Not associated | $0.000 | $22,300.000 | No, CIO approved other documentation |
| Department of Veterans Affairs | VA11810150042 | Not associated | $14.020 | $55.847 | No |
| Department of Veterans Affairs | VA25016F2191 | Not associated | $0.869 | $0.869 | No |
| Department of Veterans Affairs | VA11816F1248 | Not associated | $0.650 | $0.888 | No |
| Department of Veterans Affairs | VA11816F1585 | Not associated | $2.646 | $2.646 | No, approved by governance process without CIO |
| National Aeronautics and Space Administration | NNS16AA25T | Non-major | $0.560 | $43.890 | No, approved by incorrect designee; OMB did not approve designation |
| National Aeronautics and Space Administration | NNX16ME22D | Non-major | $0.236 | $0.236 | No |
| National Aeronautics and Space Administration | NNJ16JB17D | Non-major | $0.220 | $0.220 | No |
| National Aeronautics and Space Administration | NNG16VU01C | Non-major | $2.000 | $206.000 | No, approved by incorrect designee; OMB did not approve designation |
| National Aeronautics and Space Administration | NNL16AB33T | Non-major | $0.469 | $0.847 | No |
| National Aeronautics and Space Administration | NNX16ME92D | Non-major | $0.602 | $0.602 | No |
| National Aeronautics and Space Administration | NNJ16JA52B | Non-major | $3.200 | $300.177 | No, approved by incorrect designee; OMB did not approve designation |
| National Aeronautics and Space Administration | NNG16LK59D | Not associated | $0.157 | $0.157 | No |
| National Aeronautics and Space Administration | NNH16CI04D | n/a | n/a | n/a | Determined to be not applicable to FITARA as it was not IT-related |
| National Aeronautics and Space Administration | NNH16CW00P | Not associated | $0.425 | $0.425 | No |
| Social Security Administration | SS001650247 | Major | $0.233 | $0.233 | Yes. Approved by correct designee |
| Social Security Administration | SS001640009 | Major | $0 | $50.000 | No |
| Social Security Administration | SS001630168 | Major | $4.796 | $4.796 | Yes. Approved by CIO |
| Social Security Administration | SS001660018 | Major | $0.174 | $0.174 | Yes. Approved by correct designee |
| Social Security Administration | SS001630476 | Major | $6.580 | $6.880 | Yes. Approved by CIO |
| Social Security Administration | SS001630703 | Major | $1.245 | $2.491 | Yes. Approved by correct designee |
| Social Security Administration | SS001630375 | Major | $0.861 | $0.861 | Yes. Approved by correct designee |
| Social Security Administration | SS001630714 | Major | $0.252 | $0.252 | No |
| Social Security Administration | SS6103000018 | Major | $7.378 | $7.378 | Yes. Approved by CIO |
| Social Security Administration | SS001630195 | Major | $0.191 | $0.191 | No |

Source: GAO analysis of OMB guidance, USAspending.gov data, and agency documentation. | GAO-18-42.

[a] Agency officials stated that this contract was related to research and development and, therefore, not considered IT. The definition of IT in OMB’s guidance does not make it clear whether research and development is to be included.

APPENDIX VI: COMMENTS FROM THE DEPARTMENT OF EDUCATION

APPENDIX VII: COMMENTS FROM THE DEPARTMENT OF ENERGY

APPENDIX VIII: COMMENTS FROM THE DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

APPENDIX IX: COMMENTS FROM THE DEPARTMENT OF THE INTERIOR

APPENDIX X: COMMENTS FROM THE DEPARTMENT OF LABOR

APPENDIX XI: COMMENT FROM THE DEPARTMENT OF STATE

APPENDIX XII: COMMENTS FROM THE DEPARTMENT OF VETERANS AFFAIRS

APPENDIX XIII: COMMENTS FROM THE ENVIRONMENTAL PROTECTION AGENCY

APPENDIX XIV: COMMENTS FROM THE NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

APPENDIX XV: COMMENTS FROM THE NUCLEAR REGULATORY COMMISSION

APPENDIX XVI: COMMENTS FROM THE OFFICE OF PERSONNEL MANAGEMENT

APPENDIX XVII: COMMENTS FROM THE SMALL BUSINESS ADMINISTRATION

APPENDIX XVIII: COMMENTS FROM THE SOCIAL SECURITY ADMINISTRATION

APPENDIX XIX: COMMENTS FROM THE U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT

In: Information Technology Editor: Richard L. Xiong

ISBN: 978-1-53616-764-1 © 2019 Nova Science Publishers, Inc.

Chapter 2

INFORMATION TECHNOLOGY: AGENCIES NEED BETTER INFORMATION ON THE USE OF NONCOMPETITIVE AND BRIDGE CONTRACTS

United States Government Accountability Office

This is an edited, reformatted and augmented version of United States Government Accountability Office; Report to Congressional Requesters, Accessible Version, Publication No. GAO-19-63, dated December 2018.

ABBREVIATIONS

CBP: Customs and Border Protection
DOD: Department of Defense
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DLA: Defense Logistics Agency
FAR: Federal Acquisition Regulation
FDA: Food and Drug Administration
FPDS-NG: Federal Procurement Data System-Next Generation
FSS: Federal Supply Schedule
GSA: General Services Administration
HHS: Department of Health and Human Services
IDIQ: Indefinite Delivery / Indefinite Quantity
IT: Information Technology
J&A: Justification and Approval
JETS: J6 Enterprise Technology Services
MGT: Modernizing Government Technology Act
OFPP: Office of Federal Procurement Policy
OMB: Office of Management and Budget
SBA: Small Business Administration
SOCOM: U.S. Special Operations Command

WHY GAO DID THIS STUDY

The federal government spends tens of billions of dollars each year on IT products and services. Competition is a key component to achieving the best return on investment for taxpayers. Federal acquisition regulations allow for noncompetitive contracts in certain circumstances. Some noncompetitive contracts act as “bridge contracts”—which can be a useful tool to avoid a lapse in service but can also increase the risk of the government overpaying. There is currently no government-wide definition of bridge contracts.

GAO was asked to review the federal government’s use of noncompetitive contracts for IT. This chapter examines (1) the extent that agencies used noncompetitive contracts for IT, (2) the reasons for using noncompetitive contracts for selected IT procurements, (3) the extent to which IT procurements at selected agencies were bridge contracts, and (4) the extent to which IT procurements were in support of legacy systems. GAO analyzed FPDS-NG data from fiscal years 2013 through 2017 (the most recent and complete data available). GAO developed a generalizable sample of 171 fiscal year 2016 noncompetitive IT contracts and orders awarded by DOD, DHS, and HHS—the agencies with the most spending on IT, to determine the reasons for using noncompetitive contracts and orders, and the extent to which these were bridge contracts or supported legacy systems.

WHAT GAO RECOMMENDS

GAO recommended DOD and HHS identify the reasons why competition data for certain orders in FPDS-NG were misreported and take corrective action. DOD and HHS concurred.

WHAT GAO FOUND

From fiscal years 2013 through 2017, federal agencies reported obligating more than $15 billion per year, or about 30 percent, of information technology (IT) contract spending on a noncompetitive basis (see Figure).

Figure: Reported Competition on Information Technology Contract Obligations, Fiscal Years 2013-2017 (fiscal year 2017 dollars).

Source: GAO analysis of Federal Procurement Data System-Next Generation data. | GAO-19-63.

GAO found, however, that Departments of Defense (DOD), Homeland Security (DHS), and Health and Human Services (HHS) contracting officials misreported competition data in the Federal Procurement Data System-Next Generation (FPDS-NG) for 22 of the 41 orders GAO reviewed. GAO’s findings call into question competition data associated with nearly $3 billion in annual obligations for IT-related orders. DHS identified underlying issues resulting in the errors for its orders and took corrective action. DOD and HHS, however, had limited insight into why the errors occurred. Without identifying the issues contributing to the errors, DOD and HHS are unable to take action to ensure that competition data are accurately recorded in the future, and are at risk of using inaccurate information to assess whether they are achieving their competition objectives.

GAO found that DOD, DHS, and HHS primarily cited two reasons for awarding a noncompetitive contract or order: (1) only one source could meet the need (for example, the contractor owned proprietary technical or data rights) or (2) the agency awarded the contract to a small business to help meet agency goals.

GAO estimates that about 8 percent of 2016 noncompetitive IT contracts and orders at DOD, DHS, and HHS were bridge contracts, awarded in part because of acquisition planning challenges. GAO previously recommended that the Office of Federal Procurement Policy define bridge contracts and provide guidance on their use, but it has not yet done so. GAO believes that addressing this recommendation will help agencies better manage their use of bridge contracts.

Additionally, GAO estimates that about 7 percent of noncompetitive IT contracts and orders were used to support outdated or obsolete legacy IT systems. Officials from the agencies GAO reviewed stated these systems are needed for their mission or that they are in the process of modernizing the legacy systems or buying new systems.

December 11, 2018

Congressional Requesters

The federal government obligates tens of billions of dollars for products and services related to information technology (IT) each year. Meeting the federal government’s IT needs is critical to the health, economy, and security of the nation. Competition for these IT products and services is a key component to fostering IT innovation and achieving the best return on investment for taxpayers. Federal agencies are generally required to award contracts competitively but are permitted to award noncompetitive contracts under certain circumstances, such as when only one contractor can meet the need or to eligible small businesses in order to meet agencies’ small business goals.

In some cases, noncompetitive contracts act as “bridge contracts.” While there is no government-wide definition for bridge contracts, GAO has defined it as an extension to an existing contract beyond the period of performance (including base and option years), or a new, short-term contract awarded on a sole-source basis to an incumbent contractor to avoid a lapse in service caused by a delay in awarding a follow-on contract.[1] Bridge contracts can be a useful tool to avoid a gap in services and are typically envisioned as short-term. However, in October 2015, we found that some bridge contracts spanned multiple years, potentially undetected by approving officials. When noncompetitive bridge contracts are used frequently or for prolonged periods, the government is at risk of paying more than it should for products and services.

In addition, our past work found that agencies are investing most of their IT dollars on maintaining legacy IT systems, which are becoming increasingly obsolete. For example, in May 2016, we found that many systems use outdated software languages and hardware parts that are no longer supported by their vendors. The government, in these instances, runs the risk of maintaining systems that have outlived their effectiveness.[2]

[1] GAO, Sole-source Contracting: Defining and Tracking Bridge Contracts Would Help Agencies Manage Their Use, GAO-16-15 (Washington, D.C.: Oct. 14, 2015).

[2] GAO, Information Technology: Federal Agencies Need To Address Aging Legacy Systems, GAO-16-696T (Washington, D.C.: May 25, 2016).

You asked us to review the federal government’s use of noncompetitive contracts for IT, including the use of bridge contracts. This chapter examines (1) the extent to which agencies used noncompetitive contracts to procure IT products and services for fiscal years 2013 through 2017; (2) the reasons for using noncompetitive contracts for selected IT procurements; (3) the extent to which IT procurements at selected agencies were bridge contracts; and (4) the extent to which noncompetitive IT procurements at selected agencies were in support of legacy systems. For the last objective, you requested that we ascertain the extent to which our generalizable sample of contracts and orders were in support of legacy systems as defined by the Modernizing Government Technology Act (MGT), which was enacted in December 2017, after our work was underway.[3]

To examine the extent to which agencies used noncompetitive contracts and orders to procure IT products and services, we analyzed government-wide Federal Procurement Data System-Next Generation (FPDS-NG) data on IT obligations from fiscal years 2013 through 2017 (the most recent and complete data available).[4] To define IT, we used the Office of Management and Budget’s (OMB) Category Management Leadership Council list of IT product and service codes to identify IT-related products and services.[5] To assess the reliability of the FPDS-NG data, we electronically tested for missing data, outliers, and inconsistent coding, and compared data on selected noncompetitive contracts to contract documentation we obtained. Based on these steps, we determined that FPDS-NG data were sufficiently reliable for describing general trends in government-wide and IT contract obligations data for fiscal years 2013 through 2017. We determined, however, that a subset of noncompetitive

[3] The MGT Act was enacted as part of the Fiscal Year 2018 National Defense Authorization Act on December 12, 2017. National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, div. A. title X, subtitle G, 131 Stat. 1283, 1586-94 (Dec. 12, 2017).

[4] For the purposes of our report, we are considering noncompetitive contracts and orders to be those that use the exceptions to full and open competition listed in Federal Acquisition Regulation (FAR) § 6.302, orders awarded in accordance with FAR § 8.405-6 and FAR § 13.106-1, contracts and orders awarded on a sole-source basis in accordance with FAR subpart 19.8 under the 8(a) small business program, and orders awarded under multiple award contracts that use the exceptions to fair opportunity listed in FAR § 16.505.

[5] OMB’s category management leadership council identified 79 related codes for IT services and products. Under IT, there are six subcategories—consulting, hardware, software, outsourcing, telecommunications, and security.

Information Technology

101

obligations were inaccurately coded as noncompetitive and thus not reliable. We explore this issue further in the body of this chapter. To determine the reasons for using noncompetitive contracts and orders for selected IT procurements, we selected the three agencies with the highest reported obligations on IT noncompetitive contracts for fiscal years 2012 through 2016 (the most recent year of data available at the time we began our review)—the Departments of Defense (DOD), Homeland Security (DHS), and Health and Human Services (HHS). These three agencies collectively accounted for 70 percent of all noncompetitively awarded contracts for IT during this period. From these agencies, we selected a generalizable stratified random sample of 171 fiscal year 2016 noncompetitive contracts and orders for IT above the simplified acquisition threshold of $150,000 to determine the reasons for using noncompetitive contracts and orders.6 The sample was proportionate to the amount of noncompetitive contracts and orders for IT at each agency. For each of the contracts and orders in our generalizable sample, we analyzed selected contract documentation, such as justification and approval documents (J&A), exception to fair opportunity documents, and small business coordination records. Based on our review of documentation, we excluded 29 contracts and orders because they were awarded competitively, but had been miscoded as noncompetitive or as having an exception to fair opportunity. As a result, our sample consisted of 142 contracts and orders. See Table 1 for a breakdown by agency.

6

For the purposes of this report, contracts include definitive contracts, purchase orders, and blanket purchase agreements; single-award contracts include an indefinite-delivery vehicle or blanket purchase agreement to one vendor; multiple-award contracts include indefinitedelivery vehicles or blanket purchase agreements to two or more vendors. Orders refer to task or delivery orders as defined in FAR 2.101. Since all our contracts and orders were awarded in fiscal year (FY) 2016, the prior simplified acquisition threshold of $150,000 applies to our generalizable sample. In 2016, the simplified acquisition threshold was generally $150,000. See 80 FR 38293 (Oct. 1, 2015). In December 2017, the simplified acquisition threshold increased to $250,000. See 41 U.S.C. § 134 (2018). Although DOD and DHS issued class deviations implementing this increase, and the Civilian Agency Advisory Council issued guidance permitting civilian agencies to issue class deviations to implement the increased threshold, this change has not yet been implemented in the FAR. FAR Case 2018-004, Increased Micro-Purchase and Simplified Acquisition Thresholds (open as of Nov. 26, 2018).

Table 1. Number of Noncompetitively Awarded Contracts and Orders GAO Reviewed

| Agency | Number of contracts | Number of orders on single award contracts | Number of orders on multiple award contracts | Total number of contracts and orders initially reviewed | Excluded due to miscoding in the Federal Procurement Data System | Revised total |
|---|---|---|---|---|---|---|
| Department of Defense | 36 | 54 | 21 | 111 | 16 | 95 |
| Department of Homeland Security | 10 | 10 | 10 | 30 | 6 | 24 |
| Department of Health and Human Services | 10 | 10 | 10 | 30 | 7 | 23 |
| Total | 56 | 74 | 41 | 171 | 29 | 142 |

Source: GAO analysis of Federal Procurement Data System-Next Generation data and agency documentation. | GAO-19-63.
Note: Contracts include definitive contracts, purchase orders, and blanket purchase agreements; noncompetitive orders refer to task and delivery orders as defined in FAR § 2.101 and orders off of blanket purchase agreements. Single award describes indefinite-delivery vehicles or blanket purchase agreements awarded to one vendor and those awarded to more than one vendor are referred to as multiple award.

To determine the extent to which IT procurements at selected agencies were bridge contracts or in support of legacy systems, we leveraged the generalizable sample described above to estimate the percentage of bridge contracts and legacy IT systems at DOD, DHS, and HHS. Agencies provided information as to whether the contracts and orders within the generalizable sample met GAO’s definition of a bridge contract and whether the systems they supported met the definition of legacy IT systems in OMB’s draft IT Modernization Initiative or the definition provided under the Modernizing Government Technology Act (MGT).7

7 Pub. L. No. 115-91, div. A. title X, subtitle G.

OMB’s draft IT Modernization Initiative defined legacy systems as spending dedicated to maintaining the existing IT portfolio excluding provisioned services such as cloud, while the MGT Act defined them as an outdated or obsolete IT system.8 We verified the agencies’ determinations of bridge contracts by reviewing documentation for the contracts and orders in our generalizable sample.

8 OMB’s definition of legacy system was in place at the time we began our review. In December 2017, the MGT was enacted and we requested that each agency reassess how they would characterize the nature of the IT systems using the revised definition provided under the MGT Act.

To obtain additional insights into the bridge contracts and legacy systems, we selected a nonprobability sample of 26 contracts and orders from our generalizable sample of 142 contracts and orders for in-depth review. Our selection was based on factors such as obtaining a mix of bridge contracts and contracts used in support of legacy IT systems. For our in-depth review, we collected and analyzed contract file documentation for the selected contracts and orders. In cases where we selected a potential bridge contract, we also reviewed the contract preceding it, additional bridge contracts (if any), and, if awarded at the time of our review, the follow-on contract. We interviewed contracting and program officials to gain insights into the facts and circumstances surrounding the awards of IT noncompetitive contracts and orders. For bridge contracts and orders, we asked about the reasons why bridge contracts were needed and status of follow-on contracts; for legacy contracts, we asked about the nature of the requirement and plans to move to newer technologies or systems. For more information on our scope and methodology, see Appendix I.

We conducted this performance audit from April 2017 to December 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

BACKGROUND

The federal government obligates tens of billions annually on IT. Prior IT expenditures, however, have too often produced failed projects—that is, projects with multimillion dollar cost overruns and schedule delays and with questionable mission-related achievements.9 In our 2017 high risk series update, we reported that improving the management of IT acquisitions and operations remains a high risk area because the federal government has spent billions of dollars on failed IT investments.10

9 GAO, Information Technology: Agencies Need to Involve Chief Information Officers in Reviewing Billions of Dollars in Acquisitions, GAO-18-42 (Washington, D.C.: Jan. 10, 2018).
10 GAO, High Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, GAO-17-317 (Washington, D.C.: Feb. 15, 2017).

Awarding Contracts and Orders Noncompetitively

Agencies are generally required to use full and open competition—meaning all responsible sources are permitted to compete—when awarding contracts.11 However, the Competition in Contracting Act of 1984 recognizes that full and open competition is not feasible in all circumstances and authorizes contracting without full and open competition under certain conditions.12 In addition, there are competition-related requirements for other types of contract vehicles, including multiple award indefinite-delivery/indefinite-quantity (IDIQ) contracts and the General Services Administration’s (GSA) Federal Supply Schedule (FSS).13 The rules regarding exceptions to full and open competition and other competition-related requirements are outlined in various parts of the Federal Acquisition Regulation (FAR). For example:

• Contracting officers may award a contract without providing for full and open competition if one of seven exceptions listed in FAR Subpart 6.3 applies. Examples of allowable exceptions include circumstances when products or services required by the agency are available from only one source, when disclosure of the agency’s need would compromise national security, or when the need for products and services is of such an unusual and compelling urgency that the federal government faces the risk of serious financial or other injury.14 Generally, exceptions to full and open competition under FAR subpart 6.3 must be supported by written justifications that contain sufficient facts and rationale to justify use of the specific exception.15 Depending on the proposed value of the contract, the justifications require review and approval at successively higher approval levels within the agency.16

• Contracting officers are also authorized to issue orders under multiple award IDIQ contracts noncompetitively. Generally contracting officers must provide each IDIQ contract holder with a fair opportunity to be considered for each order unless exceptions apply.17 Contracting officers who issue orders over certain thresholds under an exception to fair opportunity are required to provide written justification for doing so.18 In April 2017 we found that government-wide, more than 85 percent of all order obligations under multiple-award IDIQ contracts were competed from fiscal years 2011 through 2015.19

• Orders placed under GSA’s FSS program are also exempt from FAR part 6 requirements.20 However, ordering procedures require certain FSS orders exceeding the simplified acquisition threshold to be placed on a “competitive basis,” which includes requesting proposals from as many schedule contractors as practicable.21 If a contracting officer decides not to provide opportunity to all contract holders when placing an FSS order over the simplified acquisition threshold, that decision must be documented and approved.22 The FAR allows for orders to be placed under these circumstances based on the following justifications: when an urgent and compelling need exists; when only one source is capable of providing the supplies or services because they are unique or highly specialized; when in the interest of economy and efficiency, the new work is a logical follow-on to an original FSS order that was placed on a “competitive basis;” and when an item is “peculiar to one manufacturer.”23

• Agencies may also award contracts on a sole-source basis in coordination with the Small Business Administration (SBA) to eligible 8(a) program participants.24 While agencies are generally not required to justify these sole-source awards, contracts that exceed a total value of $22 million require a written justification in accordance with FAR Subpart 6.3.25

11 See FAR § 2.101; FAR subpart 6.1.
12 See Deficit Reduction Act of 1984, Pub. L. No. 98-369, div. B, title VII (“Competition in Contracting Act of 1984”) (July 18, 1984); 10 U.S.C. § 2304, et seq.; 41 U.S.C. § 3301, et seq. See also FAR part 6 (“Competition Requirements”).
13 An IDIQ contract provides for an indefinite quantity, within stated limits, of supplies or services during a fixed period. The government places orders for individual requirements. FAR § 16.504(a). If multiple awards are made, awardees are generally given a fair opportunity to be considered for each order. See FAR §§ 16.504(a), 16.505(b). The FSS program managed by GSA provides agencies a simplified method of purchasing commercial products and services at prices associated with volume buying. A schedule is a set of contracts awarded to multiple vendors that provide similar products and services. Certain FSS orders may require competitive procedures under FAR § 8.405.
14 See FAR § 6.302. The other four exceptions to the requirement for full and open competition in FAR subpart 6.3 may be based on the following circumstances, as detailed in the FAR: (1) industrial mobilization; engineering, developmental or research capability; or expert services; (2) international agreement; (3) authorized or required by statute; and (4) public interest.
15 See FAR §§ 6.302, 6.303.
16 See FAR § 6.304. Under the FAR, generally for a proposed contract not exceeding $700,000, the contracting officers’ certification is sufficient, and no higher level review is needed.
17 See FAR § 16.505(b)(2).
18 See FAR § 16.505(b)(2)(ii). Orders over $3,500 but less than the simplified acquisition threshold require the contracting officer to document the basis for using the exception in accordance with FAR § 16.505(b)(2)(ii)(A). Orders in excess of the simplified acquisition threshold require additional information in accordance with FAR § 16.505(b)(2)(ii)(B), and are approved in accordance with FAR § 16.505(b)(2)(ii)(C). Generally, under the FAR, for proposed orders exceeding the simplified acquisition threshold, but not exceeding $700,000, the contracting officer’s certification will serve as the approval with no additional higher level review necessary.
19 GAO, Federal Contracts: Agencies Widely Used Indefinite Contracts to Provide Flexibility to Meet Mission Needs, GAO-17-329 (Washington, D.C.: Apr. 13, 2017).
20 See FAR § 8.405-6; FAR § 6.102(d)(3) (“Use of multiple award schedules issued under the procedures established by the Administrator of General Services consistent with the requirement of 41 U.S.C. 152(3)(A) for the multiple award schedule program of the General Services Administration is a competitive procedure.”).
21 FAR §§ 8.405-1(d), 8.405-2(c)(3).
22 See FAR § 8.405-6(a)(1)(ii), (c).
23 FAR § 8.405-6(c)(2)(iv) (referring to FAR § 8.405-6(a)(1)(i) and (b)(1)).
24 As GAO previously reported, the 8(a) program was designed to assist small, disadvantaged businesses in competing in the American economy through business development. Over the course of the program, qualified small, disadvantaged businesses can receive business development support from SBA. One of the key areas of support is eligibility for set-aside competitive and sole-source federal contracts for 8(a) businesses, which can be an important factor in their financial development. See GAO, Alaska Native Corporations: Oversight Weaknesses Continue to Limit SBA’s Ability to Monitor Compliance with 8(a) Program Requirements, GAO-16-113 (Washington, D.C.: Mar. 21, 2016).
25 See FAR §§ 19.805-1(b) and 19.808-1(a).

Bridge Contracts

In certain situations, it may become evident that services could lapse before a subsequent contract can be awarded. In these cases, because of time constraints, contracting officers generally use one of two options: (1) extend the existing contract or (2) award a short-term stand-alone contract to the incumbent contractor on a sole-source basis to avoid a lapse in services.26 While no government-wide definition of bridge contracts exists, we developed the following definitions related to bridge contracts that we used for our October 2015 report:

• Bridge contract. An extension to an existing contract beyond the period of performance (including base and option years), or a new, short-term contract awarded on a sole-source basis to an incumbent contractor to avoid a lapse in service caused by a delay in awarding a follow-on contract.

• Predecessor contract. The contract in place prior to the award of a bridge contract.

• Follow-on contract. A longer-term contract that follows a bridge contract for the same or similar services. This contract can be competitively awarded or awarded on a sole-source basis.27

26 See FAR § 52.217-8; FAR subpart 6.3.
27 GAO-16-15.

Contracts, orders, and extensions (both competitive and noncompetitive) are included in our definition of a “bridge contract” because the focus of the definition is on the intent of the contract, order, or extension.28 DOD and some of its components, including the Navy, the Defense Logistics Agency (DLA), and the Defense Information Systems Agency (DISA), have established their own bridge contract definitions and policies. Congress enacted legislation in 2017 that established a definition of “bridge contracts” for DOD and its components.29 For the purposes of this chapter, we use the same definition as we used in our October 2015 report to define bridge contracts, unless otherwise specified. We acknowledge that in the absence of a government-wide definition, agencies may have differing views of what constitutes a bridge contract. We discuss these views further in the body of this chapter.

28 GAO’s definition includes all types of contract extensions, both those that may be considered “competitive”, e.g., the use of FAR 52.217-8 when it was evaluated at award, and those that are “noncompetitive”, e.g., those that are used to extend the period of performance beyond that of the original contract and require a J&A, when the intention is to bridge a gap in services. When collectively referring to all of these subsets, we refer to them as “bridge contracts”; when we are describing specific examples, we specifically use “bridge contract”, “bridge order”, or “extensions”.
29 See Pub. L. No. 115-91, § 851.

In our October 2015 report on bridge contracts, we found that the agencies included in our review—DOD, HHS, and the Department of Justice—had limited or no insight into their use of bridge contracts. In addition, we found that while bridge contracts are typically envisioned as short term, some bridge contracts included in our review involved one or more bridges that spanned multiple years—potentially undetected by approving officials. The fact that the full length of a bridge contract, or multiple bridge contracts for the same requirement, is not readily apparent from documents that may require review and approval, such as an individual J&A, presents a challenge for those agency officials responsible for approving the use of bridge contracts. Approving officials signing off on individual J&As may not have insight into the total number of bridge contracts that may be put in place by looking at individual J&As alone.

In October 2015, we recommended that the Administrator of the Office of Federal Procurement Policy (OFPP) take the following two actions: (1) take appropriate steps to develop a standard definition for bridge contracts and incorporate it as appropriate into relevant FAR sections; and (2) as an interim measure until the FAR is amended, provide guidance to agencies on:

• a definition of bridge contracts, with consideration of contract extensions as well as stand-alone bridge contracts; and

• suggestions for agencies to track and manage their use of these contracts, such as identifying a contract as a bridge in a J&A when it meets the definition, and listing the history of previous extensions and stand-alone bridge contracts.

OFPP concurred with our recommendation to provide guidance to agencies on bridge contracts, and stated its intention is to work with members of the FAR Council to explore the value of incorporating a definition of bridge contracts in the FAR. As of November 2018, OFPP had not yet implemented our recommendations but has taken steps to develop guidance on bridge contracts. Specifically, OFPP staff told us they have drafted management guidance, which includes a definition of bridge contracts, and provided it to agencies’ Chief Acquisition Officers and Senior Procurement Executives for review. OFPP staff told us they received many comments on the draft guidance and were in the process of addressing those comments.

AGENCIES OBLIGATED MORE THAN $10 BILLION ANNUALLY FOR INFORMATION TECHNOLOGY ON NONCOMPETITIVELY AWARDED CONTRACTS AND ORDERS, BUT UNRELIABLE DATA OBSCURES FULL PICTURE

Federal agencies reported annually obligating between $53 billion in fiscal year 2013 and $59 billion in fiscal year 2017 on IT-related products and services. Of that amount, agencies reported that more than $15 billion each year—or about 30 percent of all obligations for IT products and services—were awarded noncompetitively. However, in a generalizable sample of contracts and orders, we found significant errors in certain types of orders, which call into question the reliability of competition data associated with roughly $3 billion per year in obligations. As a result, the actual amount agencies obligated on noncompetitive contract awards for IT products and services is unknown.

IT Contract Obligations Totaled More than $50 Billion Annually

Source: GAO analysis of Federal Procurement Data System – Next Generation data. | GAO-19-63.
Note: Obligation amounts obtained from Federal Procurement Data System-Next Generation were adjusted for inflation using the fiscal year 2017 Gross Domestic Product Index.
Figure 1. Government-wide Information Technology (IT) Contract Obligations in Comparison with Total Contract Obligations, Fiscal Years 2013-2017 (fiscal year 2017 dollars).

From fiscal years 2013 through 2017, we found that total IT obligations reported by federal agencies ranged from nearly $53 billion in fiscal year 2013 to $59 billion in fiscal year 2017. The amount obligated on IT products and services generally accounted for about one-tenth of total federal contract spending (see Figure 1).

For fiscal years 2013 through 2017, the three agencies we reviewed in more depth—DOD, DHS and HHS––collectively accounted for about two-thirds of federal IT spending (see Figure 2).

Source: GAO analysis of Federal Procurement Data System – Next Generation data. | GAO-19-63.
Note: Obligation amounts obtained from Federal Procurement Data System-Next Generation were adjusted for inflation using the fiscal year 2017 Gross Domestic Product Index.
Figure 2. Comparison of Information Technology Contract Obligations by Agency, Fiscal Years 2013 through 2017 (fiscal year 2017 dollars).

Agencies Reported Obligating More than $15 Billion on Noncompetitive Contracts for IT Annually, but Full Extent of Noncompetitive Dollars Is Not Known Due to Unreliable Data

From fiscal years 2013 through 2017, agencies reported in FPDS-NG obligating more than $15 billion—about 30 percent of all annual IT obligations—each year on noncompetitively awarded contracts and orders.

Source: GAO analysis of Federal Procurement Data System – Next Generation data. | GAO-19-63.
Note: Obligation data obtained from Federal Procurement Data System-Next Generation were adjusted for inflation using the fiscal year 2017 Gross Domestic Product Index. These data include about $3 billion in annual obligations on certain multiple award orders for which we determined the reported competition data were unreliable. Between $10 million and $148 million annually did not include a code for competition. Therefore, these dollars are excluded from the figure.
Figure 3. Reported Competition on Information Technology Contract Obligations, Fiscal Years 2013-2017 (fiscal year 2017 dollars).

We determined, however, that the agencies’ reporting of certain competition data was unreliable (see Figure 3). Specifically, we found that contracting officers miscoded 22 out of 41 orders in our sample, of which 21 cited “follow-on action following competitive initial action” or “other statutory authority” as the legal authority for using an exception to fair opportunity.30 DOD contracting officers had miscoded 11 of the 21 orders, while DHS and HHS contracting officers had miscoded 4 and 6 orders, respectively. This miscoding occurred at such a high rate that it put into question the reliability of the competition data on orders totaling roughly $3 billion per year in annual obligations. In each of these cases, contracting officers identified these orders as being noncompetitively awarded when they were, in fact, competitively awarded. As an assessment of the extent to which contracts and orders that were identified as being competitively awarded were properly coded was outside the scope of our review, we are not in a position to assess the overall reliability of competition information of IT-related contracts.

30 The remaining miscoded order was awarded by DHS and was coded as “only one source.”

For these 21 orders, we found that DHS was aware of issues surrounding most of their miscodings and had taken actions to fix the problems, while DOD and HHS generally had limited insights as to why these errors occurred. DHS miscoded 4 orders, 3 of which were orders awarded under single award contracts. DHS officials told us that orders issued from single award contracts should inherit the competition characteristics of the parent contract.31 However, as FPDS-NG currently operates, contracting officers have the ability to input a different competition code for these orders. In this case, each of the single award contracts was competitively awarded and therefore all the subsequent orders issued from these contracts should be considered competitively awarded, as there are no additional opportunities for competition. DHS has taken actions to address this issue. DHS officials stated that in conjunction with DOD they have asked GSA, which manages the FPDS-NG data system, to modify FPDS-NG to automatically prefill competition codes for orders awarded under single award contracts. DHS officials noted that GSA expects to correct the issue in the first quarter of fiscal year 2019, which should mitigate the risks of agencies miscoding orders issued under single award contracts in the future. DHS officials have also provided training to their contracting personnel that single award orders must inherit the characteristics of the parent contract.

31 Single award describes indefinite-delivery vehicles or blanket purchase agreements awarded to one vendor and those awarded to more than one vendor are referred to as multiple award.

DOD and HHS officials, on the other hand, had limited insights as to why their orders were miscoded. For example, DOD miscoded a total of 11 orders (5 orders awarded under single award contracts and 6 awarded under multiple award contracts). For 8 of these orders, contracting officers did not provide the reasons as to why these errors occurred. For the remaining 3 orders awarded—each of which were issued under single award contracts—contracting officials told us that they had used the “follow-on action following competitive initial action” because the underlying contract had been competed. Similarly, at HHS, which miscoded a total of 6 orders (4 awarded under single award contracts and 2 awarded under multiple award contracts), component officials told us that these errors were accidental and could not provide any additional insight as to why these errors were made.

While GSA’s changes in the FPDS-NG system, when implemented, may help address the issue of miscoding competition data on orders issued from single award contracts, it will not address errors in coding for multiple award orders that cited exceptions to competition even when they were competed. The FAR notes that FPDS-NG data are used in a variety of ways, including assessing the effects of policies and management initiatives, yet we have previously reported on the shortcomings of the FPDS-NG system, including issues with the accuracy of the data.32

32 GAO, Federal Contracting: Improvements Needed in How Some Agencies Report Personal Services Contracts, GAO-17-610 (Washington, D.C.: July 27, 2017); and GAO, Improvements Needed to the Federal Procurement Data System-Next Generation, GAO-05-960R (Washington, D.C.: Sept. 27, 2005); FAR subpart 4.6.


Miscoding of competition requirements may hinder the accomplishment of certain statutory, policy, and regulatory requirements. For example,

• The FAR requires agency competition advocates, among other duties and responsibilities, to prepare and submit an annual report to their agencies’ senior procurement executive and chief acquisition officer on actions taken to achieve full and open competition in the agency and recommend goals and plans for increasing competition.33

• OMB required agencies to reduce their reliance on noncompetitive contracts, which it categorized as high-risk, because, absent competition, agencies must negotiate contracts without a direct market mechanism to help determine price.34

Federal internal control standards state that management should use quality information to achieve an entity’s objectives. Without identifying the reasons why contracting officers are miscoding these orders in FPDS-NG, DOD and HHS are unable to take action to ensure that competition data are accurately recorded, and are at risk of using inaccurate information to assess whether they are achieving their competition objectives.

After excluding the $3 billion in annual obligations we determined was not sufficiently reliable, we found that from fiscal years 2013 through 2017 about 90 percent of noncompetitive IT obligations reported in FPDS-NG were used to buy services, hardware, and software (see Figure 4).35 Services include the maintenance and repair of IT equipment as well as professional technology support. Hardware includes products such as fiber optic cables and computers, and software includes items such as information technology software and maintenance service plans.

33 FAR § 6.502(b).
34 OMB, Memorandum for the Head of Departments and Agencies: Improving Government Acquisition, M-09-25 (July 29, 2009).
35 For the purposes of this report, we are referring to the category management leadership council’s outsourcing category as services, as this category is predominantly for services.


Source: GAO analysis of Federal Procurement Data System – Next Generation data GAO-19-63.
Note: Obligation amounts obtained from FPDS-NG were adjusted for inflation, using the fiscal year 2017 Gross Domestic Product Index, and exclude about $3 billion in multiple award orders that cited “follow-on action following competitive initial action” and “other statutory authority” as exceptions to fair opportunity, which we determined were unreliable.
Figure 4. Fiscal Year 2017 Information Technology Noncompetitive Obligations by Spending Category.

AGENCIES CITED THAT ONLY ONE CONTRACTOR COULD MEET THE NEED OR SMALL BUSINESS REQUIREMENTS AS MOST COMMON REASONS FOR AWARDING NONCOMPETITIVE CONTRACTS

The documentation for the contracts and orders at the three agencies we reviewed generally cited either that only one source could meet their needs or that they were awarding the contract sole-source to an 8(a) small business participant when noncompetitively awarding IT contracts or orders.36 Specifically, based on our generalizable sample, we estimate that nearly 60 percent of fiscal year 2016 noncompetitive contracts and orders at DOD, DHS, and HHS were awarded noncompetitively because agencies cited that only one contractor could meet the need, and approximately 26 percent of contracts and orders were awarded sole-source to an 8(a) small business participant.37 We estimate that agencies cited a variety of other reasons for not competing approximately 16 percent of noncompetitive contracts and orders, such as unusual and compelling urgency, international agreement, and national security.38 Within our sample of 142 contracts and orders, we analyzed J&As or similar documents to obtain additional detail as to why the contracts and orders were awarded noncompetitively. See Table 2 for a breakdown of the overall reasons cited for awarding contracts noncompetitively within our sample.

Table 2. Reasons Cited for Awarding 142 Noncompetitive Contracts and Orders We Reviewed

| Reasons cited | Number of times cited |
| --- | --- |
| Only one source could meet the need | 79 |
| Sole-source to 8(a) small business participants | 42 |
| Other reasons [a] | 23 |
| Total | 144 [b] |

Source: GAO analysis of contract documentation. | GAO-19-63.
[a] Other reasons include international agreement, authorized by statute, and national security.
[b] Although our sample included 142 contracts, 2 contracts we reviewed cited more than one reason for award in their contract documentation.

36 Generally, documentation accompanying noncompetitive contracts and orders cited only one source could meet the agency’s need pursuant to FAR § 6.302-1, FAR § 16.505 or FAR § 8.405-6. Noncompetitive contracts and orders awarded to a small business participant in the 8(a) program were awarded pursuant to FAR subpart 19.8 and FAR § 6.302-5(b)(4).
37 Estimates are based on the results of our generalizable stratified random sample of contracts and orders. All percentage estimates in this report have a margin of error of plus or minus 9 percentage points or fewer, unless otherwise noted. See appendix I for more details.
38 Estimated percentages do not add to 100 because a contract or order could have more than one reason for not competing. The noncompetitive contracts and orders cited other reasons such as unusual and compelling urgency, international agreement, authorized or required by statute, or national security. See FAR §§ 6.302-2, 6.302-4, 6.302-5, or 6.302-6.


For 79 of the 142 contracts and orders we reviewed, agencies cited that only one source could meet the need. We found that this exception was the most commonly cited reason for a sole-source IT contract or order at DOD and DHS, but not at HHS. At HHS, the most common reason was that the contract or order was awarded on a sole source basis to an 8(a), which we discuss in more detail later. Agencies justified use of the “only one source” exception on the basis that the contractor owned the proprietary technical or data rights; the contractor had unique qualifications or experience; compatibility issues; or that a brand-name product was needed (see Figure 5).

Source: GAO analysis of Federal Procurement Data System – Next Generation data GAO-19-63.
Note: In some cases, contract and order documentation, such as the justification and approval document, cited more than one reason as to why only one contractor could meet the agency’s need. Therefore, the number of reasons exceeds the 79 contracts and orders reviewed by GAO.
Figure 5. Reasons Cited by Departments of Defense, Homeland Security, and Health and Human Services as to Why Only One Contractor Could Meet Their Needs.

The following examples illustrate the reasons cited by the agencies as to why only one contractor could meet their needs: 

Proprietary data rights issues and compatibility issues. The Navy issued a 9-month, approximately $350,000 order under an IDIQ contract for two data terminal sets. The terminal sets, according to Navy officials, have been used by the Navy since the 1990s to exchange radar tracking and other information among airborne, land-based, and ship-board tactical data systems and with certain allies. The Navy’s J&A document noted that the contractor owned the proprietary data rights to the transmitting equipment and software, and the Navy required the equipment to be compatible and interchangeable with systems currently fielded throughout the Navy. Furthermore, the document noted that seeking competition through the development of a new source would result in additional costs that would far exceed any possible cost savings that another source could provide and would cause unacceptable schedule delays.

This example illustrates that decisions the program officials make during the acquisition process to acquire or not acquire certain rights to technical data can have far-reaching implications for DOD’s ability to sustain and competitively procure parts and services for those systems, as we have previously reported.39 In our May 2014 report on competition in defense contracting, we found that 7 of 14 justifications we reviewed explained that the awards could not be competed due to a lack of technical data. All 7 of these justifications or supporting documents described situations, ranging from 3 to 30 years in duration, where DOD was unable to conduct a competition because data rights were not purchased with the initial award.40 We recommended in May 2014 that DOD ensure that existing acquisition planning guidance promotes early vendor engagement and allows both the government and vendors adequate time to prepare for competition. DOD concurred with our recommendation. In April 2015, DOD updated its acquisition guidance to incorporate new guidelines for creating and maintaining a competitive environment. These guidelines emphasize acquisition planning steps including involvement with industry in obtaining feedback on draft solicitations, market research, and requirements development.41

Unique qualifications and experience. DHS placed four separate orders under an IDIQ contract for data center support totaling approximately $7 million. The requirement was to maintain mission critical services during a data center support pilot, prototype, and transition period starting in fiscal year 2015. Among other things, DHS’s J&A noted that no other contractors had sufficient experience with DHS’s infrastructure and requirements necessary to maintain services at the required level during the transition period.

HHS awarded an approximately $4 million contract to buy support services for an IT center for a 12-month ordering period, including options. HHS’s J&A noted that only the incumbent contractor had the requisite knowledge and experience to operate and maintain the mission and business systems in the IT center during the transition of operations from one location to another. The justification further stated that HHS had no efforts underway to increase competition in the future as this requirement is not anticipated to be a recurring requirement. Program officials stated that they are migrating from legacy IT systems to a new commercial off-the-shelf system.

Brand-name products. DOD awarded a 5-month, approximately $500,000 contract for brand name equipment and installation that supported various video-teleconference systems. The J&A stated that this particular brand name product was the only product that would be compatible with current configurations installed in one of its complexes. To increase competition in the future, the J&A stated that technical personnel will continue to evaluate the marketplace for commercially available supplies and installation that can meet DOD’s requirements.

39 GAO, Defense Acquisitions: DOD Should Clarify Requirements for Assessing and Documenting Technical Data Needs, GAO-11-469 (Washington, D.C.: May 11, 2011).
40 GAO, Defense Contracting: Early Attention in the Acquisition Process Needed to Enhance Competition, GAO-14-395 (Washington, D.C.: May 5, 2014).
41 See Defense Federal Acquisition Regulation Supplement (DFARS) Procedures, Guidance, and Information (PGI) 206—Competition Requirements (added Apr. 20, 2015).


For 42 of the 142 contracts and orders we reviewed, we found that agencies awarded a sole-source contract or order to 8(a) small business participants.42 HHS awarded 13 of its 23 sole-source contracts and orders we reviewed to 8(a) small business participants, DOD awarded 25 of 95, and DHS 4 of 24. We found that all contracts and orders in our review that were awarded on a sole-source basis to 8(a) small business participants were below the applicable competitive thresholds or otherwise below the FAR thresholds that require a written justification.43

As previously discussed, agencies may award contracts on a sole-source basis to eligible 8(a) participants, either in coordination with SBA or when they are below the competitive threshold.44 While agencies are generally not required to justify these smaller dollar value sole-source 8(a) awards, contracts that exceed a total value of $22 million require a written justification.45 Since none of the 8(a) sole source contracts and orders in our review required written justifications, the contract files generally did not provide the rationale behind the sole-source award.

Policy and contracting officials from all three agencies we reviewed stated they made sole-source awards to 8(a) small business participants to help meet the agency’s small business contracting goals and save time. HHS officials further stated that they consider their awards to 8(a) small business participants a success because they are supporting small businesses. Officials stated that once a requirement is awarded through the 8(a) program, the FAR requires that requirement be set aside for an 8(a) contractor unless the requirement has changed or that an 8(a) contractor is not capable or available to complete the work.46

42 See FAR subpart 19.8.
43 See FAR § 19.805-1.
44 GAO has conducted prior work on the 8(a) program, for example: GAO, DOD Small Business Contracting: Use of Sole Source 8(a) Contracts Over $20 Million Continues to Decline, GAO-16-557 (Washington, D.C.: June 8, 2016); and GAO, Federal Contracting: Slow Start to Implementation of Justifications for 8(a) Sole-Source Contracts, GAO-13-118 (Washington, D.C.: Dec. 12, 2012); FAR § 19.805-1.
45 FAR § 19.808-1.
46 Specifically, the FAR says: “Once a requirement has been accepted by SBA into the 8(a) program, any follow-on requirements shall remain in the 8(a) program unless there is a mandatory source (see 8.002 or .003) or SBA agrees to release the requirement from the 8(a) program in accordance with 13 C.F.R. 124.504(d).” FAR § 19.815(a).

For 23 of the 142 contracts and orders we reviewed, we found that agencies cited other reasons for awarding contracts and orders noncompetitively. For example:





Urgent and compelling need. DHS’s Coast Guard awarded an approximately 10-month, $6.5 million order (encompassing all options) for critical payroll services in its human resources management system under a GSA federal supply schedule contract. The Coast Guard justified the award based on an urgent and compelling need.47 A Coast Guard official explained that the efforts to competitively award a follow-on contract had been delayed as the Coast Guard had not developed a defined statement of work in a timely manner, and that the agency had received a larger number of proposals than initially anticipated. Therefore, the evaluation process took longer than expected. In addition, the Coast Guard’s competitive follow-on contract, which was awarded in June 2018, was protested. In October 2018, GAO denied the protest and the Coast Guard is currently planning to transition to the newly awarded contract.48

International agreement. The Army placed an approximately 8-month, $1 million order under an IDIQ contract for radio systems and cited international agreement as the reason for a noncompetitive award.49 This order was part of a foreign military sales contract with the Government of Denmark.

Authorized or required by statute. The Defense Logistics Agency (DLA) cited “authorized or required by statute” when it placed an approximately $1.5 million, 12-month order under an IDIQ contract for sustainment support services for an application that is used for planning and initiating contracting requirements in contingency environments.50 DLA noted that this model was contracted under the Small Business Innovation Research Program, which supports scientific and technological innovation through the investment of federal research funds into various research projects.51

National security. The U.S. Special Operations Command (SOCOM) placed an approximately 8-month, $1 million order for radio spare parts and cited national security as the reason for a noncompetitive award.52

47 FAR § 8.405-6.
48 This contract award was protested to GAO. GAO provides an objective, independent, and impartial forum for the resolution of disputes concerning the awards of federal contracts. GAO’s role in resolving a bid protest is an adjudicative process handled by GAO’s Office of General Counsel.
49 Contracting officers may award a contract without providing for full and open competition when precluded by the terms of an international agreement or treaty between the United States and a foreign government or international organization or the written directions of a foreign government reimbursing the agency for the cost of the acquisition of the supplies or services for such government. FAR § 6.302-4(a)(2).

AN ESTIMATED EIGHT PERCENT OF FISCAL YEAR 2016 IT NONCOMPETITIVE CONTRACTS AND ORDERS WERE BRIDGES, AND AGENCIES HAVE DIFFICULTY MANAGING THEM

We estimate that about 8 percent of contracts and orders above $150,000 in fiscal year 2016 at DOD, DHS, and HHS were bridge contracts.53 Consistent with our October 2015 findings, agencies we reviewed face continued challenges with oversight of bridge contracts, based on 15 contracts and orders we reviewed in-depth.54 For example, we found that in 9 of the 15 cases, bridge contracts were associated with additional bridges not apparent in the documentation related to the contract and order we reviewed, such as a J&A, and corresponded with longer periods of performance and higher contract values than initially apparent. Agency officials cited a variety of reasons for needing bridge contracts, including acquisition planning challenges, source selection challenges, and bid protests.

50 Contracting officers may award a contract without providing for full and open competition when (i) a statute expressly authorizes or requires that the acquisition be made through another agency or from a specified source; or (ii) the agency’s need is for a brand name commercial item for authorized resale. FAR § 6.302-5(a)(2).
51 Small Business Innovation Research Program projects are managed through a three-phase program structure. Phase 1 projects are competitively selected based on scientific and technical merit; Phase 2 expands on efforts for phase 1 projects focusing on technology efforts to prototype; Phase 3 known as commercialization transitions a technology into commercial product or process for sale to government or private-sector customers. For GAO’s prior work on the Small Business Innovation Research Program, see GAO, Small Business Research Programs: Agencies Have Improved Compliance with Spending and Reporting Requirements, but Challenges Remain, GAO-16-492 (Washington, D.C.: May 26, 2016).
52 Contracting officers may award a contract without providing for full and open competition when the disclosure of the agency’s needs would compromise national security. FAR § 6.302-6(a)(2).
53 The 95 percent confidence interval for this estimate ranges from 3.9 percent to 13.4 percent.

An Estimated Eight Percent of IT Noncompetitive Contracts and Orders in Fiscal Year 2016 Were Bridge Contracts

Based on our generalizable sample, we estimate that about 8 percent of contracts and orders above $150,000 in fiscal year 2016 at DOD, DHS, and HHS were bridge contracts.55 We verified, using our definition of bridge contracts as criteria, that 13 of 142 contracts and orders in our generalizable sample were bridge contracts based on reviews of J&As, limited source justifications, or exceptions to fair opportunity, among other documents.56 In addition, we found two additional bridge contracts related to our generalizable sample while conducting our in-depth review, bringing the total number of bridge contracts we identified during this review to 15.

Agencies Face Continued Challenges with Oversight of Bridge Contracts

We found that the bridge contracts we reviewed were often longer than initially apparent from our review of related documentation, such as a J&A, and sometimes spanned multiple years.

54 GAO-16-15.
55 The 95 percent confidence interval for this estimate ranges from 3.9 to 13.4 percent.
56 Three bridge contracts identified did not fully meet our definition of a bridge contract because they were not awarded to the incumbent contractor. In addition, we also identified one bridge contract that was not “short-term.” For the purposes of our report, we considered these awards to be bridge contracts, as they were intended to bridge a gap in service due to a delay in the award of a follow-on contract.


Table 3. Periods of Performance and Associated Contract Values for 15 Bridge Contracts for Information Technology (IT) GAO Reviewed

| Department | Component | Requirement | Total estimated dollar value of bridge contracts (in millions) | Total estimated period of performance of bridge contracts (in months) |
| --- | --- | --- | --- | --- |
| Department of Defense (DOD) | Air Force | Enterprise-based logistics services and support | 1.9 | 9 |
| DOD | Army | Operations and maintenance of the Army Training Requirements Resource System | 0.4 | 5 |
| DOD | Defense Information Systems Agency (DISA) [a] | IT systems and support services | 2.5 | 12 |
| DOD | DISA/Air Force [b] | Installation and operational support of IT hardware and systems | 0.2 | 12 |
| DOD | Defense Logistics Agency | IT infrastructure support services | 7.8 | 29 [c] |
| DOD | Navy | IT supplies | 0.4 | n/a [d] |
| DOD | Air Force | High speed data acquisition system and ground support equipment for testing | 6.9 | 5 |
| DOD | U.S. Special Operations Command | Radio supplies and services | 7.0 | 12 |
| Department of Homeland Security (DHS) | Customs and Border Protection | IT engineering and operations services | 23.6 | 25 |
| DHS | Coast Guard | Data monitoring and maintenance support services | 0.9 | 9 |
| DHS | Coast Guard | Direct access support services | 19.2 | 32 |
| Department of Health and Human Services (HHS) | Assistant Secretary for Administration | IT support services | 6.9 | 20 |
| HHS | Food and Drug Administration | Database and application server support | 0.3 | 12 |
| HHS | National Institutes of Health | Text mining software subscription and maintenance services | 1.7 | 77 |
| HHS | Indian Health Service | Project management and support services for the resource and patient management system | 4.7 | 18 |

Source: GAO analysis of agency contract documentation. | GAO-19-63.
Note: Although some organizations included in this table, such as DISA and DLA, have a bridge contract policy and definition, other entities, such as DHS and HHS, do not. For consistency, we applied GAO’s definition of bridge contracts in GAO-16-15 to our analysis of all the bridge contracts included in our review. In some instances, we included bridge contracts that were not awarded to the incumbent contractor.
[a] The bridge contract consolidates requirements and includes extensions to three separate predecessor contracts.
[b] DISA was the contracting office for this bridge contract, but it supports an Air Force requirement.
[c] DLA contracting officials told us that from their perspective, only 3 of the 29 months were bridge contracts. DLA did not consider 26 of the 29 months to be bridges since they were in the 8(a) program and sole-sourced, and the follow-on task order was sole-sourced within the 8(a) program. We included these contracts in our analyses since our understanding of the intent of those 8(a) contracts was to bridge a gap in services until they could consolidate requirements and award a follow-on indefinite-delivery indefinite-quantity contract to meet their needs. We acknowledge that in the absence of a governmentwide definition, agencies may have differing views of what constitutes a bridge contract.
[d] This bridge contained delivery dates rather than a period of performance.

Bridge contracts can be a useful tool in certain circumstances to avoid a gap in providing products and services, but they are typically envisioned to be used for short periods of time. When we conducted an in-depth review of the bridge contracts, such as by reviewing the contract files for the predecessor, bridge, and follow-on contracts, we found that in most cases, these involved one or more bridges that spanned longer periods and corresponded with higher contract values than initially apparent. Specifically, we found that 9 of the 15 bridge contracts had additional bridges related to the same requirement that were not initially apparent from documents requiring varying levels of approval by agency officials, such as the J&As. Collectively, agencies awarded bridge contracts associated with these 15 contracts and orders with estimated contract values of about $84 million (see Table 3). The following examples illustrate contracts we reviewed in which the periods of performance were longer than initially apparent:

HHS’s Indian Health Service (IHS) awarded a 4-month, approximately $1.6 million bridge order for project management and support services for IHS’s resource and patient management system. We found, however, that the predecessor contract had already been extended by 6 months before the award of the bridge order due to acquisition planning challenges associated with delays in developing the acquisition package for the follow-on contract. Subsequently, the 4-month bridge order was extended for an additional 6 months, in part because the follow-on award—which had been awarded to a new contractor—was protested by the incumbent contractor due to concerns over proposal evaluation criteria. Ultimately, the protest was dismissed. Following the resolution of the bid protest, officials awarded an additional 2-month bridge order for transition activities. In total, the bridge orders and extensions spanned 18 months and had an estimated value of about $4.7 million. Figure 6 depicts the bridge orders and extensions and indicates the 4-month bridge and 6-month extension we had initially identified.


Source: GAO analysis of Federal Procurement Data System – Next Generation data GAO-19-63.
Figure 6. Timeline for the Indian Health Service’s Project Management and Support Services Bridge.



The Air Force awarded a 3-month, approximately $630,000 bridge contract to support a logistics system used to monitor weapon system availability and readiness. We found, however, that the Air Force had previously awarded a 3-month bridge contract due to delays resulting from a recent reorganization, which, according to Air Force officials, made it unclear which contracting office would assume responsibility for the requirement. The Air Force subsequently awarded an additional 3-month bridge contract due to acquisition planning challenges, such as planning for the award of the follow-on sole-source contract. The total period of performance for the bridges was 9 months with an estimated value of about $1.9 million (see Figure 7).

As of August 2018, 13 of the 15 bridge contracts had follow-ons in place—5 were awarded competitively and 8 were awarded noncompetitively. Two bridge contracts do not currently have follow-on contracts in place for various reasons. For example, in one instance, the Coast Guard’s requirement for human resources and payroll support services has continued to operate under a bridge contract because the Coast Guard’s planned follow-on contract—a strategic sourcing IDIQ—was awarded in June 2018, and subsequently protested, among other delays.57

57 As we noted earlier in the report, in October 2018, GAO denied the protest and the Coast Guard is currently planning to transition to the newly awarded IDIQ contract.


Source: GAO analysis of Federal Procurement Data System – Next Generation data GAO-19-63.
Figure 7. Timeline for Air Force’s Enterprise-Based Logistics Services and Support Bridge.

Officials Frequently Cited Acquisition Planning Challenges as Necessitating the Use of a Bridge Contract

Based on our reviews of contract documentation and information provided by agency officials, we found that acquisition planning challenges were the principal cause for needing to use a bridge contract across the 15 bridge contracts we reviewed. In particular, acquisition packages prepared by program offices to begin developing a solicitation were often not prepared in a timely fashion. Acquisition packages include statements of work and independent government cost estimates, among other documents, and are generally prepared by the program office, with the assistance of the contracting office.58 In addition to acquisition planning challenges, officials cited delays in source selection and bid protests, among others, as additional reasons justifying the need to use a bridge contract (see Figure 8). The following examples illustrate reasons officials cited for needing a bridge contract:

58 For our past work on acquisition planning challenges, see GAO, Acquisition Planning: Opportunities to Build Strong Foundations for Better Service Contracts, GAO-11-672 (Washington, D.C.: Aug. 9, 2011).






DOD’s DISA awarded a bridge contract for IT support services due to acquisition planning challenges, and specifically, the late submission of acquisition packages. According to contracting officials, the bridge contract was originally intended to consolidate 3 of the previous contracts associated with this requirement, but a fourth was added much later in the process. DISA contracting officials said that the program office did not submit acquisition package documentation in a timely manner, and, once submitted, the documentation required numerous revisions. These officials added that they had to award an additional bridge contract to avoid a lapse in service once they received a completed package from the program office because there was not enough time to do a competitive source selection and analysis.

DOD’s SOCOM extended an IDIQ contract for radio supplies and services due to source selection delays and acquisition workforce challenges. For example, contracting officials said they extended the IDIQ for 12 months because the contracting office was working on a source selection for the follow-on contract for modernized radios and simply did not have the manpower to award a new sustainment contract for the existing radios at the same time.

DHS’s Customs and Border Protection (CBP) awarded an approximately 16-month bridge contract in June 2016 for engineering and operations support of CBP’s Oracle products and services due to bid protests associated with March 2016 orders for this requirement. We found the protests were filed on the basis that CBP had issued the task order on a sole-source basis, which precluded other contractors from competing for the award. GAO dismissed the protest in May 2016 as a result of CBP’s stated intent to terminate the task order and compete the requirement as part of its corrective action plan.

According to CBP contracting officials, they awarded the approximately 16-month bridge contract to the incumbent contractor to continue services until GAO issued a decision and the services could be transitioned to the awardee. In September 2017, CBP officials awarded the competitive follow-on contract to a new vendor, but this award was also protested due to alleged organizational conflicts of interest, improperly evaluated technical proposals, and an unreasonable best-value tradeoff determination. As a result, CBP officials issued a stop-work order effective October 2017. To continue services during the protest, CBP officials extended the existing bridge contract by 3 months and then again by another 6 months. In January 2018, GAO dismissed the protest in its entirety and the stop-work order was lifted. According to a CBP contracting official, CBP did not exercise the final 3 months of options of the 6-month extension.

Source: GAO analysis of Federal Procurement Data System – Next Generation data GAO-19-63.
Note: In some cases, more than one reason was cited for using a bridge contract. Therefore, the number of reasons exceeds the 15 bridge contracts included in this analysis. “Other delays” includes requirement consolidation and proprietary issues, among others. We identified each of these reasons in, at most, 2 contracts reviewed.
Figure 8. Reasons for Delays Found in In-Depth Review of 15 Bridge Contracts.

In 2015, we found that the full length of a bridge contract, or multiple bridge contracts, is not always readily apparent from review of an individual J&A, which presents challenges for approving officials, as they may not have insight into the total number of bridges put into place by
looking at individual J&As alone.59 We found a similar situation in our current review. For example, the J&As for the 8 bridge contracts with J&As did not include complete information on the periods of performance or estimated values of all related bridge contracts.60

In the Absence of Government-wide Guidance, Others Have Taken Steps to Define Bridge Contracts

OFPP has not yet taken action to address the challenges related to the use of bridge contracts that we found in October 2015. At that time, we recommended that OFPP take appropriate steps to develop a standard definition of bridge contracts and incorporate it as appropriate into relevant FAR sections, and to provide guidance to federal agencies in the interim. We further recommended that the guidance include (1) a definition of bridge contracts, with consideration of contract extensions as well as standalone bridge contracts, and (2) suggestions for agencies to track and manage their use of these contracts, such as identifying a contract as a bridge in a J&A when it meets the definition, and listing the history of previous extensions and stand-alone bridge contracts back to the predecessor contract in the J&A. However, as of November 2018, OFPP had not yet done so. As a result, agencies continue to face similar challenges with regard to the use of bridge contracts that we identified in 2015 and there is a lack of government-wide guidance that could help to address them.

In the absence of a federal government-wide definition, others have taken steps to establish a bridge contracts definition. For example, Congress has established a statutory definition of bridge contracts that is

59 GAO-16-15.
60 Of the remaining 7 bridge contracts in our in-depth review, 4 were awarded to 8(a) program participants and written justifications were not required, and 2 did not include written justifications because they were orders placed under existing IDIQ contracts that were extended or had expired. In one instance, the J&A for a bridge contract did include information on periods of performance and estimated value; however, the J&A did not include approval signatures.


applicable to DOD and its components. Specifically, Section 851 of the National Defense Authorization Act for Fiscal Year 2018 defined a bridge contract as (1) an extension to an existing contract beyond the period of performance to avoid a lapse in service caused by a delay in awarding a subsequent contract; or (2) a new short-term contract awarded on a sole-source basis to avoid a lapse in service caused by a delay in awarding a subsequent contract.61 Section 851 requires that, by October 1, 2018, the Secretary of Defense is to ensure that DOD program officials plan appropriately to avoid the use of a bridge contract for services. In instances where bridge contracts were awarded due to poor acquisition planning, the legislation outlines notification requirements with associated monetary thresholds for bridge contracts.62 Acting on this requirement and in response to our prior bridge contracts report, DOD established a bridge contracts policy memorandum in January 2018. The policy defines bridge contracts as modifications to existing contracts to extend the period of performance, increase the contract ceiling or value or both, or a new, interim sole-source contract awarded to the same or a new contractor to cover the timeframe between the end of the existing contract and the award of a follow-on contract.63 The DOD policy excludes extensions awarded using the option to extend services clause as bridge contracts unless the extension exceeds 6 months.64

61 Pub. L. No. 115-91, § 851(a)(1).
62 See 10 U.S.C. § 2329(e) (outlining the monetary thresholds for each notification requirement).
63 Prior to the implementation of DOD’s bridge contract policy, the Navy, DISA and DLA established bridge contract policies that include definitions of bridge contracts, but are slightly different and not entirely consistent with DOD’s definition. For example, the Navy defines bridge contracts as a noncompetitive contract to bridge the time between the end of one contract action and the beginning of another related contract. DISA defines a bridge contract as a short-term, sole-source contract awarded generally to the incumbent contractor to continue critical services when a follow-on competitive action could not be competed in a timely manner. DISA’s guidance states bridge contracts include noncompetitive contract modifications required to bridge performance between an existing contract and the award of a subsequent contract. DLA defines bridge contracts as a noncompetitive contract/order, or contract/order with an existing contractor to bridge the time between the original end of that contractor’s contract/order (following exercise of all options or extension provisions meeting the requirements of FAR § 17.207) and the competitive follow-on contract or order.
64 See FAR § 52.217-8.


In addition, DOD’s bridge contract policy directs the military departments and DOD components to develop a plan to reduce bridge contracts and to report their results annually to the Office of the Under Secretary of Defense for Acquisition and Sustainment. As of August 2018, DHS and HHS did not have component- or department-level policies that define or provide guidance on the use of bridge contracts. Differing definitions of bridge contracts can lead to varying perspectives as to what constitutes a bridge contract. For example: 

Differing views on whether a contract within the 8(a) program can be a bridge. In one instance, we reviewed a 3-month, approximately $1.9 million bridge contract that DLA awarded to the incumbent contractor for a variety of IT contractor support services for DLA’s Information Operations (J6). This bridge contract was awarded to continue services until DLA could award a 12-month, roughly $2.9 million sole-source contract (including all options) to an 8(a) small business participant to consolidate tasks from 20 contracts as part of a reorganization effort within J6. After that contract expired, DLA awarded a second 12-month, about $3 million contract (including all options) to the same 8(a) small business participant to continue these task consolidation efforts. DLA subsequently awarded a 2-month $122,000 contract extension to continue services until it could award a follow-on order under DLA’s J6 Enterprise Technology Services (JETS) multiple award IDIQ contract, the award of which had also been delayed. Although the 8(a) contracts were not awarded to the incumbent of the initial 3-month bridge, we believe that these contracts could be considered bridge contracts as they were meant to bridge a gap in services until the reorganization efforts were complete and the JETS contract was awarded. DLA contracting officials, however, told us they do not consider the 8(a) contracts to be bridge contracts as these two contracts and the follow-on task order under JETS were awarded sole-source to 8(a) small business participants. DLA officials added that they plan to keep the requirement in the 8(a) program.

Differing views as to whether contract extensions are bridges. DOD’s policy generally does not include contract extensions using the “option to extend services” clause as bridges, unless the option is extended beyond the 6 months allowed by the clause. Navy policy, however, states that using the option to extend services clause is considered a bridge if the option was not priced at contract award. Similarly, HHS officials stated that the department does not consider contract extensions using the “option to extend services” clause to be bridge contract actions if the total amount of the services covered are evaluated in the initial award, and if the length does not extend beyond the allowable 6 months. The differences among agencies’ views and policies may be due to the extent to which the extensions are considered “competitive”.65 For the purposes of our definition, if the extension—whether it was competed or not—was used to bridge a gap in service until a follow-on contract could be awarded, then it would be considered a bridge.

Without agreement as to what constitutes a bridge contract, agencies’ efforts to improve oversight of and to identify challenges associated with the use of bridge contracts will be hindered. While we are not making any new recommendations in this area, we continue to believe that our October 2015 recommendation to OFPP to establish a government-wide definition and provide guidance to agencies on their use remains valid.

65 For example, before an option can be exercised, a contracting officer must determine, among other things, that the exercise of the option meets the competition requirements delineated in FAR Part 6. FAR § 17.207(f). An option that was evaluated as part of the initial competition and exercisable at an amount specified in or reasonably determinable from the terms of the basic contract would generally satisfy the requirements of Part 6.


NEW DEFINITION NARROWS SCOPE OF LEGACY IT NONCOMPETITIVE CONTRACTS AND ORDERS TO ABOUT SEVEN PERCENT

An estimated 7 percent of IT noncompetitive contracts and orders at selected agencies in fiscal year 2016 were in support of legacy IT systems as newly defined in statute, which is considerably fewer than we found when using the previous definition of legacy IT.66 At the time our review began, OMB’s draft definition for legacy IT systems stated that legacy IT spending was spending dedicated to maintaining the existing IT portfolio, excluding provisioned services such as cloud. Using this definition, and based on our generalizable sample, we estimated that about 80 percent of IT noncompetitive contracts and orders over $150,000 in fiscal year 2016 at DOD, DHS, and HHS were awarded in support of legacy IT systems.

In December 2017, however, Congress enacted the Modernizing Government Technology Act (MGT) as part of the National Defense Authorization Act for Fiscal Year 2018. This act defined a legacy IT system as an “outdated or obsolete system of information technology.”67 Using this new statutory definition of a legacy IT system, we requested that each agency reassess how it would characterize the nature of the IT system using the revised definition provided under the MGT Act.

For the 142 contracts and orders we reviewed, we found that when using the new definition, agencies significantly reduced the number of contracts and orders identified as supporting legacy IT systems. For example, using the OMB draft definition agencies identified that 118 out of 142 contracts and orders were supporting legacy IT systems. However, when using the more recent MGT Act definition, agencies identified only 10 out of 137 contracts and orders as supporting legacy IT systems (see Figure 9).68

66 The 95 percent confidence interval for this estimate ranges from 3.3 to 13.0 percent.
67 See Pub. L. No. 115-91, §§ 1076-1078.
68 We received the requested information on how agencies would characterize the nature of the IT system, using the revised definition provided under the MGT Act for 137 of the 142 contracts and orders in our generalizable sample; however, HHS was unable to provide us with the requested information for 5 of its contracts and orders.


Figure 9. Number of Contracts and Orders GAO Reviewed That Supported Legacy Information Technology (IT) Systems Under Two Different Definitions.
Source: GAO analysis of agency contract documentation and information provided by agency officials | GAO-19-63.
Note: We assessed whether 142 contracts and orders supported legacy IT systems using the OMB definition, i.e., spending dedicated to maintaining the existing IT portfolio but excluding provisioned services such as cloud. We assessed whether 137 of the contracts and orders in our review supported legacy IT systems using the MGT definition, i.e., outdated or obsolete IT systems. For those contracts and orders that were undetermined, the Department of Health and Human Services was unable to provide us with the requested information as to whether 5 contracts and orders were in support of legacy IT using the MGT definition.

Consequently, using the definition provided under the MGT Act, we estimate that about 7 percent of IT noncompetitive contracts and orders
over $150,000 in fiscal year 2016 at DOD, DHS, and HHS were awarded in support of outdated or obsolete legacy IT systems.69 Agencies’ program officials said that they are still supporting outdated or obsolete legacy IT systems (as defined by the MGT Act) because they are needed for the mission, or they are in the process of buying new updated systems or modernizing current ones. For example: 





Army officials awarded a 5-year, roughly $1.2 million contract to install, configure, troubleshoot, and replace Land Mobile Radio equipment at Ft. Sill, Oklahoma. An Army official noted that all equipment is older than 12 years and is nearing its end of life. The radio equipment, however, is required to support first responder and emergency service personnel critical communications. An Army official did not indicate any plans to modernize, but noted that the impact of this system not being supported would significantly affect all of Fort Sill’s land mobile radio communications.

The Air Force awarded a $218,000 order to buy repair services for the C-130H aircraft’s radar display unit and electronic flight instrument. An Air Force official noted that legacy hardware that was bought through the order is part of critical systems that are required to safely fly the aircraft. The system, however, is obsolete and the associated hardware is no longer supported by the vendor. The official told us that there is currently a re-engineering effort to modernize the systems that use this hardware.

HHS issued a 12-month, nearly $2.5 million order to buy operations and maintenance support for a Food and Drug Administration (FDA) system used to review and approve prescription drug applications. According to an FDA program official, efforts are underway to retire the system by gradually transferring current business processes to a commercial-off-the-shelf solution that can better meet government needs. This official, however, told us that the system currently remains in use because FDA’s Office of New Drugs is still heavily reliant on the system.

69 The 95 percent confidence interval for this estimate ranges from 3.3 to 13.0 percent.

CONCLUSION

Competition is a cornerstone of the federal acquisition system and a critical tool for achieving the best possible return on investment for taxpayers. In the case of information technology, federal agencies awarded slightly under a third of their contract dollars under some form of noncompetitive contract. Further, our current work was able to quantify that about a tenth of all information technology-related contracts and orders were made under some form of a noncompetitively awarded bridge contract, which provides new context for the issues associated with their use. The challenges themselves, however, remain much the same since we first reported on the issue in 2015. OFPP has yet to issue guidance or promulgate revised regulations to help agencies identify and manage their use of bridge contracts, and our current work finds that the full scope of bridge contracts or the underlying acquisition issues that necessitated their use in the first place may not be readily apparent to agency officials who are approving their use. We continue to believe that our 2015 recommendation would improve the use of bridge contracts, and we encourage OFPP to complete its ongoing efforts in a timely fashion.

The frequency of the errors in reporting and their concentration within a specific type of contract action signals the need for more management attention and corrective action. These errors resulted in the potential misreporting of billions of dollars awarded under orders as being noncompetitively awarded when, in fact, they were competed. One agency included in our review—DHS—has taken steps to address the problems that underlie the errors in coding and provided additional training to its staff. DOD and HHS could benefit from additional insight as to the reasons behind the high rates of miscoding to improve the accuracy of this information.


RECOMMENDATIONS FOR EXECUTIVE ACTION

We are making a total of two recommendations, one to DOD and one to HHS.

The Secretary of Defense should direct the Under Secretary of Defense for Acquisition and Sustainment to identify the reasons behind the high rate of miscoding for orders awarded under multiple award contracts and use this information to identify and take action to improve the reliability of the competition data entered into FPDS-NG (Recommendation 1).

The Secretary of Health and Human Services should direct the Associate Deputy Assistant Secretary for Acquisition to identify the reasons behind the high rate of miscoding for orders awarded under multiple award contracts and use this information to identify and take action to improve the reliability of the competition data entered into FPDS-NG (Recommendation 2).

AGENCY COMMENTS AND OUR EVALUATION

We provided a draft of this chapter to DOD, DHS, HHS, and OMB for review and comment. DOD and HHS provided written comments and concurred with the recommendation we made to each department.

In its written response, reproduced in appendix II, DOD stated it will analyze FPDS-NG data in an effort to identify why the miscoding of orders on multiple award contracts occurs, and use the information to advise the contracting community of actions to improve the reliability of competition data.

In its written response, reproduced in appendix III, HHS stated that the Division of Acquisition within HHS’s Office of Grants and Acquisition Policy and Accountability uses a data quality management platform to ensure data accuracy. HHS is currently in the process of performing the annual data validation and verification of the acquisition community’s contract data for fiscal year 2018. Once this process is complete the Division of Acquisition will contact contracting offices that produced records that were flagged as containing errors and provide recommendations that should help improve the fiscal year 2019 accuracy rating. HHS added that it will closely monitor those checks and all others to ensure contract data are accurate. However, in its letter, HHS did not specify how its annual data validation and verification process would specifically address the fact that we found a high rate of miscoding of competition data for certain orders.

OMB staff informed us that they had no comments on this chapter. DHS, HHS and the Air Force provided technical comments, which we incorporated as appropriate.

We are sending copies of this chapter to the appropriate congressional committees, the Secretary of Defense, the Secretary of Homeland Security, the Secretary of Health and Human Services, and the Director of the Office of Management and Budget.

Timothy J. DiNapoli
Director, Contracting and National Security Acquisitions

List of Requesters

The Honorable Ron Johnson
Chairman
The Honorable Claire McCaskill
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Trey Gowdy
Chairman
The Honorable Elijah E. Cummings
Ranking Member
Committee on Oversight and Government Reform
House of Representatives

The Honorable Mark Meadows
Chairman
The Honorable Gerald E. Connolly
Ranking Member
Subcommittee on Government Operations
Committee on Oversight and Government Reform
House of Representatives

APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY

Our report examines (1) the extent to which agencies used noncompetitive contracts to procure Information Technology (IT) products and services for fiscal years 2013 through 2017; (2) the reasons for using noncompetitive contracts for selected IT procurements; (3) the extent to which IT procurements at selected agencies were bridge contracts; and (4) the extent to which noncompetitive IT procurements at selected agencies were in support of legacy systems.

To examine the extent to which agencies used noncompetitive contracts and orders to procure IT products and services, we analyzed government-wide Federal Procurement Data System-Next Generation (FPDS-NG) data on IT obligations from fiscal years 2013 through 2017.70 To define IT, we used the Office of Management and Budget’s (OMB)

70 For the purposes of our report, we are considering noncompetitive contracts and orders to be those that use the exceptions to full and open competition listed in FAR § 6.302, orders awarded in accordance with FAR § 8.405-6 and FAR § 13.106-1, contracts and orders awarded on a sole-source basis in accordance with FAR subpart 19.8 under the 8(a) small business program, and orders awarded under multiple award contracts that use the exceptions to fair opportunity listed in FAR § 16.505.

Category Management Leadership Council list of IT products and service codes, which identified a total of 79 IT-related codes for IT services and products. Data were adjusted for inflation to fiscal year 2017 dollars, using the Fiscal Year Gross Domestic Product Price Index.

To assess the reliability of the FPDS-NG data, we electronically tested for missing data, outliers, and inconsistent coding. Based on these steps, we determined that FPDS-NG data were sufficiently reliable for describing general trends in government-wide and IT contract obligations data for fiscal years 2013 through 2017. In addition, as we later describe, we compared data for a generalizable sample of 171 noncompetitive contracts and orders to contract documentation, and we determined that 29 of these had been inaccurately coded in FPDS-NG as noncompetitive. As such, we determined that the data were not reliable for the purposes of reporting the actual amount agencies obligated on noncompetitive contracts and orders for IT products and services. Specifically, we determined that data for IT noncompetitive obligations awarded under multiple award contracts that cited “follow-on action following competitive initial action” or “other statutory authority” as the legal authority for using an exception to fair opportunity for the Departments of Defense (DOD), Homeland Security (DHS), and Health and Human Services (HHS) in fiscal year 2016 were not reliable.71 Evidence from our review of this sample suggests there was a high rate of miscoding for these orders; thus, we applied these findings to the remaining agencies and fiscal years because we do not have confidence that the data were more reliable than what we had found.

To determine the reasons for using noncompetitive contracts for selected IT procurements, we selected the three agencies with the highest reported obligations on IT noncompetitive contracts for fiscal years 2012 through 2016 (the most recent year of data available at the time we began our review)—DOD, DHS and HHS. These three agencies collectively accounted for about 70 percent of all noncompetitively awarded contracts

71 For the purposes of this report, contracts include definitive contracts, purchase orders, and blanket purchase agreements; single-award contracts include an indefinite-delivery vehicle or blanket purchase agreement to one vendor; multiple-award contracts include those that have been awarded under an indefinite-delivery vehicle or blanket purchase agreement to two or more vendors. Orders refer to task orders as defined in FAR 2.101.


for IT during this period. From these agencies, we selected a generalizable stratified random sample of 171 fiscal year 2016 noncompetitive contracts and orders for IT above the simplified acquisition threshold of $150,000.72 The sample was proportionate to the amount of noncompetitive contracts and orders for IT at each agency.

Table 4. Number of Noncompetitively Awarded Contracts and Orders GAO Reviewed

| Agency | Number of contracts | Number of orders on single award contracts | Number of orders on multiple award contracts | Total number of contracts and orders initially reviewed | Excluded due to miscoding in the Federal Procurement Data System | Revised total |
|---|---|---|---|---|---|---|
| Department of Defense | 36 | 54 | 21 | 111 | 16 | 95 |
| Department of Homeland Security | 10 | 10 | 10 | 30 | 6 | 24 |
| Department of Health and Human Services | 10 | 10 | 10 | 30 | 7 | 23 |
| Total | 56 | 74 | 41 | 171 | 29 | 142 |

Source: GAO analysis of Federal Procurement Data System-Next Generation data and agency documentation | GAO-19-63.
Note: Contracts include definitive contracts, purchase orders, and blanket purchase agreements; noncompetitive orders refer to task and delivery orders as defined in FAR § 2.101 and orders off of blanket purchase agreements. Single award describes indefinite-delivery vehicles or blanket purchase agreements awarded to one vendor and those awarded to more than one vendor are referred to as multiple award.

Based on our review of documentation collected for the generalizable sample, we excluded 29 contracts and orders because they were awarded

72 Since all our contracts and orders were awarded in fiscal year 2016, the prior simplified acquisition threshold of $150,000 applies to our generalizable sample. In 2016, the simplified acquisition threshold was generally $150,000. See 80 FR 38293 (Oct. 1, 2015). In December 2017, the simplified acquisition threshold increased to $250,000. See 41 U.S.C. § 134 (2018). Although DOD and DHS issued class deviations implementing this increase, and the Civilian Agency Advisory Council (CAAC) issued guidance permitting civilian agencies to issue class deviations to implement the increased threshold, this change has not yet been implemented in the FAR. FAR Case 2018-004, Increased Micro-Purchase and Simplified Acquisition Thresholds (open as of Nov. 26, 2018).


competitively, but had been miscoded as noncompetitive or as having an exception to fair opportunity. As a result, our sample consisted of 142 contracts and orders. See Table 4 for a breakdown by agency. To determine the extent to which IT procurements at selected agencies were bridge contracts or in support of legacy systems, agencies provided information as to whether the contracts and orders met GAO’s definition of a bridge contract—which we defined as an extension to an existing contract beyond the period of performance (including base and option years) or a new, short-term contract awarded on a sole-source basis to an incumbent contractor to avoid a lapse in service caused by a delay in awarding a follow-on contract—and whether they met the definitions of legacy IT systems in OMB’s draft IT Modernization Initiative and the Modernizing Government Technology Act (MGT).73 OMB’s draft IT Modernization Initiative defined legacy systems as spending dedicated to maintaining the existing IT portfolio but excluding provisioned services, such as cloud, while the MGT Act defines them as outdated or obsolete.74 We verified the agencies’ determinations of whether a contract or order was a bridge by reviewing documentation, such as justification and approval and exception to fair opportunity documents, for the contracts and orders in our generalizable sample, and conducting follow-up with agency officials as needed. We verified agencies’ determination of whether or not a contract or order was in support of a legacy system, as defined in OMB’s draft IT Modernization Initiative by reviewing the agencies’ determination and comparing these determinations to additional documentation, such as the statement of work, and conducting follow-up with program officials about the nature of the requirement where needed. 
We verified agencies’ determination of whether a contract or order was in support of a legacy system as defined in the MGT Act by reviewing agencies’ rationale for these determinations and following up with agency officials where we

73 The MGT Act was enacted as part of the Fiscal Year 2018 National Defense Authorization Act on December 12, 2017. National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, div. A. title X, subtitle G, 131 Stat. 1283, 1586-94 (Dec. 12, 2017).
74 OMB’s definition of legacy system was in place at the time we began our review. In December 2017, the MGT was enacted and we requested that each agency reassess how it would characterize the nature of the IT systems using the revised definition provided under the MGT Act.


identified discrepancies between the determination and rationale. To obtain additional insights into bridge contracts and legacy systems, we selected a nonprobability sample of 26 contracts and orders from our generalizable sample of 142 contracts and orders for in-depth review. We selected these contracts based on factors such as obtaining a mix of bridge contracts and other contracts used in support of legacy IT systems and location of the contract files. For our in-depth review of contracts and orders, we collected and analyzed contract file documentation for the selected contracts and orders and interviewed contracting and program officials to gain insights into the facts and circumstances surrounding the awards of IT noncompetitive contracts and orders. In cases where we selected a potential bridge contract, we also reviewed the predecessor contract, additional bridge contracts (if any), and, follow-on contract, if awarded at the time of our review. For bridge contracts and orders, we asked about the reasons why bridges were needed and the status of follow-on contracts. We verified, using the definition of bridge contracts that we developed for our October 2015 report as criteria, that 13 of 142 contracts and orders in our generalizable sample were bridge contracts based on reviews of justification and approval documents, limited source justifications, or exceptions to fair opportunity, among other documents.75 We acknowledge, however, that in the absence of a government-wide definition, agencies may have differing views of what constitutes a bridge contract. In addition, we found 2 additional bridge contracts not included in our generalizable sample while conducting our in-depth review. For example, we selected three noncompetitive orders from our generalizable sample for in-depth review that were used to buy accessories and maintenance for the U.S. Special Operations Command (SOCOM) PRC-152 and 117G radios. 
We found that although the three orders were not bridge contracts, the underlying indefinite delivery/indefinite quantity (IDIQ) contract—which outlines the terms and conditions, including

75 Three bridge contracts identified did not fully meet our definition of a bridge contract because they were not awarded to the incumbent contractor. In addition, we also identified one bridge contract that was not “short-term.” For the purposes of our report, we considered these awards to be bridge contracts, as they were intended to bridge a gap in service due to a delay in the award of a follow-on contract.


pricing for the orders—had been extended 12 months to continue services until the follow-on IDIQ could be awarded. We also selected an Air Force order for equipment for the Joint Strike Fighter instrumentation pallet for in-depth review. Further analysis revealed that the underlying IDIQ was extended for 5 additional months to continue services until officials could award a follow-on contract for this requirement. Including these 2 additional bridge contracts brings the total number of bridge contracts we identified during this review to 15. For legacy contracts and orders we asked about the nature of the requirement and plan to move to newer technologies or systems. The selection process for the generalizable sample is described in detail below.

Selection Methodology for Generalizable Sample

We selected a generalizable stratified random sample of 171 contracts and orders from a sample frame of 3,671 fiscal year 2016 IT noncompetitive contracts and orders, including orders under multiple award indefinite delivery/indefinite quantity contracts over $150,000 to generate percentage estimates to the population. We excluded contracts and orders with estimated values below the simplified acquisition threshold of $150,000 as these contracts have streamlined acquisition procedures. We stratified the sample frame into nine mutually exclusive strata by agency and type of award, i.e., contract, order, and multiple award order for each of the three agencies. We computed the minimum sample size needed for a proportion estimate to achieve an overall precision of at least plus or minus 10 percentage points or fewer at the 95 percent confidence level. We increased the computed sample size to account for about 10 percent of the population to be out of scope, such as competitive or non-IT contracts or orders. We then proportionally allocated the sample size across the defined strata and increased sample sizes where necessary so that each stratum would contain at least 10 sampled contracts or orders. The stratified sample frame and sizes are described in Table 5 below.

Table 5. Fiscal Year 2016 Noncompetitive Contracts and Orders for Information Technology over $150,000 at the Departments of Defense (DOD), Homeland Security (DHS) and Health and Human Services (HHS)

| Stratum | Agency | Type | Population size | Sample size |
|---|---|---|---|---|
| 1 | DOD | Contracts | 901 | 36 |
| 2 | DOD | Orders on Single Award Contracts | 1,378 | 54 |
| 2.5 | DOD | Orders on Multiple Award Contracts | 728 | 21 |
| 3 | HHS | Contracts | 79 | 10 |
| 4 | HHS | Orders on Single Award Contracts | 42 | 10 |
| 4.5 | HHS | Orders on Multiple Award Contracts | 134 | 10 |
| 5 | DHS | Contracts | 64 | 10 |
| 6 | DHS | Orders on Single Award Contracts | 155 | 10 |
| 6.5 | DHS | Orders on Multiple Award Contracts | 190 | 10 |
| Total | n/a | n/a | 3,671 | 171 |

Source: GAO analysis of Federal Procurement Data System-Next Generation data and agency documentation | GAO-19-63.

Note: Noncompetitive contracts and orders were awarded in accordance with FAR §§ 6.302, 8.405-6, 13.106-1, 16.505, and those awarded on a sole-source basis in accordance with FAR subpart 19.8. Contracts include definitive contracts, purchase orders, and blanket purchase agreements; noncompetitive orders refer to task and delivery orders as defined in FAR § 2.101. Single award describes indefinite-delivery vehicles or blanket purchase agreements awarded to one vendor and those awarded to more than one vendor are referred to as multiple award.

We selected contracts and orders from the following components:

- DOD: Air Force, Army, Navy, Defense Information Systems Agency, Defense Logistics Agency, Defense Security Service, Defense Threat Reduction Agency, U.S. Special Operations Command, and Washington Headquarter Services;
- HHS: Centers for Disease Control, Centers for Medicare and Medicaid Services, Food and Drug Administration, Indian Health Service, National Institutes of Health, and the Office of the Assistant Secretary for Administration;
- DHS: Federal Emergency Management Agency, Office of Procurement Operations, U.S. Citizenship and Immigration Services, U.S. Coast Guard, U.S. Customs and Border Protection, and the U.S. Secret Service.

We excluded 29 contracts and orders as we determined they had been miscoded as noncompetitive or as not having an exception to fair opportunity. Based on these exclusions, we estimate the number of noncompetitive contracts and orders in this population was about 3,000 (+/- 6.7 percent). All estimates in this chapter have a margin of error, at the 95 percent confidence level, of plus or minus 9 percentage points or fewer. We conducted this performance audit from April 2017 to December 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX II: COMMENTS FROM THE DEPARTMENT OF DEFENSE


APPENDIX III: COMMENTS FROM THE DEPARTMENT OF HEALTH AND HUMAN SERVICES


APPENDIX IV: ACCESSIBLE DATA

Data Tables

Accessible Data for Reported Competition on Information Technology Contract Obligations, Fiscal Years 2013-2017 (fiscal year 2017 dollars)

| Fiscal year | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Competed | 36.8 | 38.2 | 38.29 | 41.59 | 43.34 |
| Coded as noncompetitive but undetermined due to unreliable data | 2.75 | 2.96 | 3.37 | 2.98 | 2.56 |
| Noncompeted | 12.81 | 12.7 | 12.65 | 12.68 | 12.8 |


Accessible Data for Figure 1: Government-wide Information Technology (IT) Contract Obligations in Comparison with Total Contract Obligations, Fiscal Years 2013-2017 (fiscal year 2017 dollars)

| Fiscal year | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Government-wide obligations | 490.1 | 463.7 | 450.5 | 481.3 | 507.7 |
| IT obligations | 53.5 | 53.9 | 54.4 | 57.3 | 58.7 |

Accessible Data for Figure 2: Comparison of Information Technology Contract Obligations by Agency, Fiscal Years 2013 through 2017 (fiscal year 2017 dollars)

| Fiscal year | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Other | 17.97 | 19.73 | 20.42 | 20.98 | 21.79 |
| HHS | 3.59 | 4.31 | 4.7 | 4.86 | 5.23 |
| DHS | 3.48 | 3.59 | 3.89 | 4.05 | 4.06 |
| DOD | 27.46 | 26.27 | 25.34 | 27.39 | 27.64 |

Accessible Data for Figure 3: Reported Competition on Information Technology Contract Obligations, Fiscal Years 2013-2017 (fiscal year 2017 dollars)

| Fiscal year | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Competed | 36.8 | 38.2 | 38.29 | 41.59 | 43.34 |
| Coded as noncompetitive but undetermined due to unreliable data | 2.75 | 2.96 | 3.37 | 2.98 | 2.56 |
| Noncompeted | 12.81 | 12.7 | 12.65 | 12.68 | 12.8 |

Accessible Data for Figure 4: Fiscal Year 2017 Information Technology Noncompetitive Obligations by Spending Category

| Spending category | Noncompetitive obligations |
|---|---|
| Consulting | 0.3 |
| Security | 0.5 |
| Telecommunications | 0.5 |
| Software | 2.3 |
| Hardware | 3.1 |
| Services | 6.1 |


Accessible Data for Figure 5: Reasons Cited by Departments of Defense, Homeland Security, and Health and Human Services as to Why Only One Contractor Could Meet Their Needs

| Category | Number of contracts and orders |
|---|---|
| Brand-name product | 5 |
| Compatibility issues | 50 |
| Unique qualifications experience or expertise | 50 |
| Proprietary data rights | 65 |

Accessible Data for Figure 8: Reasons for Delays Found in In-Depth Review of 15 Bridge Contracts

| Reasons for delay | Number of delays |
|---|---|
| Acquisition planning challenges | 13 |
| Other delays | 10 |
| Source selection delays | 5 |
| Bid protest | 3 |
| Acquisition workforce challenges | 3 |

Accessible Data for Figure 9: Number of Contracts and Orders GAO Reviewed That Supported Legacy Information Technology (IT) Systems Under Two Different Definitions

| Category | Identified as supporting legacy IT systems | Identified as not supporting legacy IT systems | Undetermined |
|---|---|---|---|
| Legacy IT (Office of Management and Budget definition) | 118 | 24 | 0 |
| Legacy IT (Modernizing Government Technology Act definition) | 10 | 127 | 5 |

In: Information Technology Editor: Richard L. Xiong

ISBN: 978-1-53616-764-1 © 2019 Nova Science Publishers, Inc.

Chapter 3

INFORMATION TECHNOLOGY: AGENCIES NEED TO DEVELOP MODERNIZATION PLANS FOR CRITICAL LEGACY SYSTEMS

United States Government Accountability Office

ABBREVIATIONS

CIO: Chief Information Officer
COBOL: Common Business Oriented Language
DHS: Department of Homeland Security
DOD: Department of Defense
Education: Department of Education
Energy: Department of Energy
FAA: Federal Aviation Administration
GSA: General Services Administration
HHS: Department of Health and Human Services
HUD: Department of Housing and Urban Development
ICS: Industrial Control System
IRS: Internal Revenue Service
IT: information technology
Interior: Department of the Interior
Justice: Department of Justice
LOUO: limited official use only
MGT: Modernizing Government Technology
NRC: Nuclear Regulatory Commission
OIG: Office of Inspector General
OMB: Office of Management and Budget
OPM: Office of Personnel Management
SCADA: Supervisory Control and Data Acquisition
SBA: Small Business Administration
SSA: Social Security Administration
State: Department of State
Transportation: Department of Transportation
Treasury: Department of the Treasury
VA: Department of Veterans Affairs

This is an edited, reformatted and augmented version of United States Government Accountability Office; Report to Congressional Requesters, Accessible Version, Publication No. GAO-19-471, dated June 11, 2019.

WHY GAO DID THIS STUDY

The federal government plans to spend over $90 billion in fiscal year 2019 on IT. About 80 percent of this amount is used to operate and maintain existing IT investments, including aging (also called legacy) systems. As they age, legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose. GAO was asked to review federal agencies’ legacy systems. This chapter (1) identifies the most critical federal legacy systems in need of modernization and evaluates agency plans for modernizing them, and (2) identifies examples of legacy system modernization initiatives that agencies considered successful.


To do so, GAO analyzed a total of 65 legacy systems in need of modernization that 24 agencies had identified. Of these 65, GAO identified the 10 most in need of modernization based on attributes such as age, criticality, and risk. GAO then analyzed agencies’ modernization plans for the 10 selected legacy systems against key IT modernization best practices. The 24 agencies also provided 94 examples of successful IT modernizations from the last 5 years. In addition, GAO identified other examples of modernization successes at these agencies. GAO then selected a total of five examples to highlight a mix of system modernization types and a range of benefits realized. This is a public version of a sensitive report that is being issued concurrently. Information that agencies deemed sensitive has been omitted.

WHAT GAO RECOMMENDS

In the sensitive report, GAO is making a total of eight recommendations—one to each of eight agencies—to ensure that they document modernization plans for the selected legacy systems. The eight agencies agreed with GAO’s findings and recommendations, and seven of the agencies described plans to address the recommendations.

WHAT GAO FOUND

Among the 10 most critical legacy systems that GAO identified as in need of modernization (see Table 1), several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities. For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language (COBOL)—a programming language that has a dwindling number of people available with the skills needed to support it. In addition, the Department of the Interior’s system contains obsolete hardware that is not supported by the manufacturers. Regarding cybersecurity, the Department of Homeland Security’s system had a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018.

Table 1. The 10 Most Critical Federal Legacy Systems in Need of Modernization

| Agency | System name (a) | Age of system, in years | Age of oldest hardware, in years | System criticality (according to agency) | Security risk (according to agency) |
|---|---|---|---|---|---|
| Department of Defense | System 1 | 14 | 3 | Moderately high | Moderate |
| Department of Education | System 2 | 46 | 3 | High | High |
| Department of Health and Human Services | System 3 | 50 | Unknown (b) | High | High |
| Department of Homeland Security | System 4 | 8 – 11 (c) | 11 | High | High |
| Department of the Interior | System 5 | 18 | 18 | High | Moderately high |
| Department of the Treasury | System 6 | 51 | 4 | High | Moderately low |
| Department of Transportation | System 7 | 35 | 7 | High | Moderately high |
| Office of Personnel Management | System 8 | 34 | 14 | High | Moderately low |
| Small Business Administration | System 9 | 17 | 10 | High | Moderately high |
| Social Security Administration | System 10 | 45 | 5 | High | Moderate |

Source: GAO analysis of agency data. | GAO-19-471.

(a) Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.
(b) The agency stated that the system’s hardware had various refresh dates and was not able to identify the oldest hardware.
(c) The agency stated that the majority of the network’s hardware was purchased between 2008 and 2011.

Of the 10 agencies responsible for these legacy systems, seven agencies (the Departments of Defense, Homeland Security, the Interior, the Treasury; as well as the Office of Personnel Management; Small Business Administration; and Social Security Administration) had documented plans for modernizing the systems (see Table 2).

Table 2. Extent to Which Agencies’ Legacy System Documented Modernization Plans Included Key Elements

| Agency | System name (a) | Includes milestones to complete the modernization | Describes work necessary to modernize system | Summarizes planned disposition of legacy system |
|---|---|---|---|---|
| Department of Defense | System 1 | Yes | Yes | Yes |
| Department of Education | System 2 | No modernization plan | No modernization plan | No modernization plan |
| Department of Health and Human Services | System 3 | No modernization plan | No modernization plan | No modernization plan |
| Department of Homeland Security | System 4 | No | Yes | No |
| Department of the Interior | System 5 | Yes | Yes | Yes |
| Department of the Treasury | System 6 | Partial | Yes | No |
| Department of Transportation | System 7 | No modernization plan | No modernization plan | No modernization plan |
| Office of Personnel Management | System 8 | Partial | Partial | No |
| Small Business Administration | System 9 | Yes | No | Yes |
| Social Security Administration | System 10 | Partial | Partial | No |

Source: GAO analysis of agency data. | GAO-19-471.

Agencies received a “partial” if the element was completed for a portion of the modernization.

(a) Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.

The Departments of Education, Health and Human Services, and Transportation did not have documented modernization plans. Of the seven agencies with plans, only the Departments of the Interior and Defense’s modernization plans included the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure.

The five examples that GAO selected of successful information technology (IT) modernization initiatives included transforming legacy code into a more modern programming language and moving legacy software to the cloud. Doing so allowed the agencies to reportedly leverage IT to successfully address their missions and achieve a wide range of benefits, including cost savings.

June 11, 2019

Congressional Requesters

According to the President’s Budget, the federal government plans to spend over $90 billion in fiscal year 2019 on information technology (IT).1 Of this amount, the government plans to spend about 80 percent on the operations and maintenance of existing IT investments, including aging (also called legacy) systems.2

However, federal legacy systems are becoming increasingly obsolete. In May 2016, we reported that many of the government’s IT investments used outdated software languages and hardware parts that were unsupported.3 We also reported instances where agencies were using systems that had components that were at least 50 years old or the vendors were no longer providing support for hardware or software. As they age, legacy systems can become more expensive to maintain, more exposed to cybersecurity risks, and less effective in accomplishing their intended purpose.

1 Office of Management and Budget, Analytical Perspectives, Budget of the United States Government, Fiscal Year 2019 (Washington, D.C.: 2018) and Department of Defense, Information Technology and Cyberspace Activities Budget Overview, Fiscal Year 2019 President’s Budget Request, (March 2018).
2 The Modernizing Government Technology (MGT) Act defines a legacy IT system as a system that is outdated or obsolete. National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, Div. A, Title X, Subtitle G (2017).
3 GAO, Information Technology: Federal Agencies Need to Address Aging Legacy Systems, GAO-16-468 (Washington, D.C.: May 25, 2016).


Accordingly, you asked us to review federal agencies’ legacy systems. Our specific objectives were to (1) identify the most critical federal legacy systems in need of modernization and evaluate plans for modernizing them, and (2) identify examples of legacy system modernization initiatives in the last 5 years that agencies considered successful.

This chapter presents a public version of a “limited official use only” (LOUO) report that we are also issuing today.4 The Department of Homeland Security (DHS) and the Department of the Interior (Interior) determined that certain information in our original report should be protected from public disclosure. Therefore, we will not release the LOUO report to the general public because of the sensitive information it contains. The LOUO report includes eight recommendations that we made to eight agencies to identify and document modernization plans for particular legacy systems, including milestones, a description of the work necessary, and details on the disposition of the legacy system.5 In this public version of the report, we have omitted sensitive information regarding particular legacy systems, including the systems’ names and other information that would identify the systems.

Although the information provided in this chapter is more limited, this chapter addresses the same objectives as the LOUO report and is based on the same audit methodology. We provided a draft of this chapter to agency officials to obtain their review and comments on the sensitivity of the information contained herein. We confirmed with the agency officials that this chapter can be made available to the public without jeopardizing the security of federal agencies’ legacy systems.

To identify the most critical legacy systems in need of modernization, we followed up with each of the 24 federal agencies covered by the Chief Financial Officers Act of 1990 regarding their legacy systems that they had identified in 2017 as most in need of modernization.6 All 24 agencies either confirmed or updated their lists of these systems most in need of modernization. This resulted in a collective list of 65 systems. We then reviewed available technical literature7 and consulted with system development experts within GAO to develop a set of attributes for determining system obsolescence and their need for modernization. These attributes included a system’s age, hardware age, operating and labor costs, vendor warranty and support status, and security risk.8 We assigned point values to each system based on the systems’ agency-reported attributes. We totaled each system’s assigned point values and used the results to rank the 65 legacy systems. We then designated the 10 systems with the highest scores as those legacy systems most in need of modernization.9 However, due to sensitivity concerns, in this chapter we substituted a numeric identifier for the system names and are not providing detailed descriptions.

To evaluate agencies’ plans for modernizing the 10 federal legacy systems most in need of modernization, we requested that the relevant agencies provide us with their documented plans for modernizing the selected systems. We reviewed government and industry best practices related to the modernization of legacy systems.10 Based on our reviews of these documents, we determined that agencies’ documented plans for system modernization should include, at a minimum, (1) milestones to complete the modernization, (2) a description of the work necessary to modernize the system, and (3) details regarding the disposition of the legacy system. We then analyzed agencies’ documented modernization plans for the selected legacy systems to determine whether the plans included these elements. We supplemented our work with interviews of officials in the agencies’ offices of the Chief Information Officer (CIO) and program offices for the selected legacy systems.

To identify legacy system modernization initiatives that agencies indicated were successful, we asked each of the 24 agencies to provide us with examples of those modernization initiatives that they completed between 2014 and 2018 and deemed to be successful. In addition, we identified other examples of modernization successes at these agencies. We also coordinated with the selected agencies’ Offices of Inspector General (OIG) to determine whether those offices had any past or current audit work that would contradict the agencies’ determination that the initiatives were successful. We then selected initiatives that reflected a mix of different agencies, types of system modernizations undertaken, and types of benefits realized from the initiatives. A full description of our objectives, scope, and methodology can be found in appendix I.

We conducted this performance audit from January 2018 to June 2019 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

4 GAO, Information Technology: Agencies Need to Develop Modernization Plans for Critical Legacy Systems, GAO-19-351SU (Washington, D.C.: June 11, 2019).
5 We made recommendations to the Departments of Education, Health and Human Services, Homeland Security, Transportation, the Treasury; the Office of Personnel Management; Small Business Administration; and Social Security Administration.
6 The 24 major federal agencies covered by the Chief Financial Officers Act of 1990 are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; Environmental Protection Agency; General Services Administration; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development. 31 U.S.C. §901(b).
7 Our review of literature included General Services Administration, Unified Shared Services Management, Modernization and Migration Management (M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug. 3, 2016); American Technology Council, Report to the President on Federal IT Modernization (Dec. 13, 2017); Office of Management and Budget, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016); American Council for Technology-Industry Advisory Council, Legacy System Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016); and Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).
8 A legacy system may run on updated hardware, and thus, the system’s age and hardware age may not be the same.
9 The 10 agencies with the most critical legacy systems in need of modernization are the Departments of Defense, Education, Health and Human Services, Homeland Security, the Interior, the Treasury, and Transportation; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration.
10 General Services Administration, Unified Shared Services Management, Modernization and Migration Management (M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug. 3, 2016); American Technology Council, Report to the President on Federal IT Modernization (Dec. 13, 2017); Office of Management and Budget, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016); American Council for Technology-Industry Advisory Council, Legacy System Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016); and Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).

BACKGROUND

Historically, the federal government has had difficulties acquiring, developing, and managing IT investments.11 Further, federal agencies have struggled with appropriately planning and budgeting for modernizing legacy systems; upgrading underlying infrastructure; and investing in high quality, lower cost service delivery technology. The consequences of not updating legacy systems have contributed to, among other things, security risks, unmet mission needs, staffing issues, and increased costs.

- Security risks. Legacy systems may operate with known security vulnerabilities that are either technically difficult or prohibitively expensive to address. In some cases, vendors no longer provide support for hardware or software, creating security vulnerabilities and additional costs. For example, in November 2017, the Department of Education’s (Education) Inspector General identified security weaknesses that included the department’s use of unsupported operating systems, databases, and applications.12 By using unsupported software, the department put its sensitive information at risk, including the personal records and financial information of millions of federal student aid applicants.13
- Unmet mission needs. Legacy systems may not be able to reliably meet mission needs because they are outdated or obsolete. For instance, in 2016, the Department of State’s (State) Inspector General reported on the unreliability of the Bureau of Consular Affairs’ legacy systems.14 Specifically, during the summers of 2014 and 2015, outages in the legacy systems slowed and, at times, stopped the processing of routine consular services such as visa processing. For example, in June 2015, system outages caused by a hardware failure halted visa processing for 13 days, creating a backlog of 650,000 visas.
- Staffing issues. In order to operate and maintain legacy systems, staff may need experience with older technology and programming languages, such as the Common Business Oriented Language (COBOL).15 Agencies have had difficulty finding employees with such knowledge and may have to pay a premium to hire specialized staff or contractors. For example, we reported in May 2016 that the Social Security Administration (SSA) had to rehire retired employees to maintain its COBOL systems.16 Further, having a shortage of expert personnel available to maintain a critical system creates significant risk to an agency’s mission. For instance, we reported in June 2018 that the Internal Revenue Service (IRS) was experiencing shortages of staff with the skills to support key tax processing systems that used legacy programming languages.17 These staff shortages not only posed risks to the operation of the key tax processing systems, but they also hindered the agency’s efforts to modernize its core tax processing system.
- Increased costs. The cost of operating and maintaining legacy systems increases over time. The issue of cost is linked to the three previously described consequences—either because the other issues directly raise costs or, as in the case of not meeting mission needs, the agency is not receiving a favorable return on investment. Further, in an era of constrained budgets, the high costs of maintaining legacy systems could limit agencies’ ability to modernize and develop new or replacement systems.

11 As a result of the many issues the federal government has experienced, we identified “Improving the Management of IT Acquisitions and Operations” as a high-risk area in February 2015. GAO, High-Risk Series: An Update, GAO-15-290 (Washington, D.C.: Feb. 11, 2015).
12 Department of Education, Office of Inspector General, FY 2018 Management Challenges, (Washington, D.C.: November 2017).
13 According to Education’s Office of General Counsel, Education has developed corrective action plans to address the Inspector General’s recommendation.
14 U.S. Department of State, Office of Inspector General, Inspection of the Bureau of Consular Affairs, Office of Consular Systems and Technology, ISP-I-17-04, (Arlington, VA: December 2016).
15 COBOL, which was introduced in 1959, became the first widely used, high-level programming language for business applications. The Gartner Group, a leading IT research and advisory company, has reported that organizations using COBOL should consider replacing the language, as procurement and operating costs are expected to steadily rise, and because there is a decrease in people available with the proper skill sets to support the language.
16 GAO-16-468.
17 GAO, Information Technology: IRS Needs to Take Additional Actions to Address Significant Risks to Tax Processing, GAO-18-298 (Washington, D.C.: June 28, 2018).

During the course of our review, agencies reported that they consider several factors prior to deciding whether to modernize a legacy system. In particular, agencies evaluate factors, such as the inherent risks, the criticality of the system, the associated costs, and the system’s operational performance.

- Risks. Agencies consider the risks associated with maintaining the legacy system as well as modernizing the legacy system. For instance, agencies may prioritize the modernization of legacy systems that have security vulnerabilities or software that is unsupported by the vendor.18 However, limited system accessibility may also reduce the need to modernize a legacy system. For example, air-gapped systems, which are systems that are isolated from the internet, may mitigate a legacy system’s cybersecurity risk by preventing remote hackers from having system access.19 Conversely, we have also reported that air-gapped systems are not necessarily secure: they could potentially be accessed by other means than the internet, such as through Universal Serial Bus devices.20 Even so, removing the threat of remote access is a mitigation technique used by agencies such as the Nuclear Regulatory Commission (NRC). According to NRC, the agency reduced the riskiness of using computers with unsupported operating systems by putting these computers on isolated networks or by disconnecting them from networks entirely.
- Criticality. Agencies consider how critical the system is to the agency’s mission. Several agencies stated that they would consider how essential a legacy system is to their agencies’ missions before deciding to modernize it. For example, the Department of Health and Human Services (HHS) stated that, when deciding to modernize a legacy system, it considers the degree to which core mission functions of the agency or other agencies are dependent on the system. Similarly, Department of Energy (Energy) officials noted that the department is required to maintain several legacy systems associated with the storage of its nuclear waste.
- Costs. Agencies consider the costs of maintaining a legacy system and modernizing the system. For example, according to the Department of Veterans Affairs (VA), there are systems for which a life-cycle cost analysis of the legacy system may show that the cost to modernize exceeds the projected costs to maintain the system. Similarly, the Department of Defense (DOD) noted that, before deciding on a modernization solution, it is important to assess the costs of the transition to a new or replacement solution. An agency also may decide to modernize a system when there is potential for cost savings to be realized with a modernization effort. For example, HHS stated that it may pursue the modernization of a legacy system if the department anticipates reductions in operations and maintenance costs due to efficiencies gained through the modernization.
- Performance. Before making the decision to modernize, agencies consider the legacy system’s operational performance. Specifically, if the legacy system is performing poorly, the agency may decide to modernize it. For example, the Department of Transportation (Transportation) stated that, if a legacy system is no longer functioning properly, it should be modernized. In addition, HHS noted that the ability to improve the functionality of the legacy system could be a reason to modernize it.

18 When computer systems or software are no longer supported, the vendor of the product ceases to provide patches, security fixes, or updates, leaving system vulnerabilities open to exploitation.
19 Michael DePhillips and Susan Pepper, “Computer Security – Indirect Vulnerabilities and Threat Vectors (Air-Gap In-depth)” (paper presented at the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities, Vienna, Austria: November 2017).
20 GAO, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities, GAO-19-128 (Washington, D.C.: Oct. 9, 2018).

GAO Has Reported on the Need to Improve Oversight of Legacy IT

As previously mentioned, in May 2016, we reported that federal legacy IT investments were becoming increasingly obsolete.21 In this regard, agencies had reported operating systems that used outdated languages and old parts, which were difficult to replace. Further, we noted that each of the 12 selected agencies had reported using unsupported operating systems and components, which could create security vulnerabilities and additional costs.22 At the time, five of the selected agencies reported using 1980s and 1990s Microsoft operating systems that stopped being supported by the vendor more than a decade ago.

We concluded that agencies were, in part, maintaining obsolete investments because they were not required to identify, evaluate, and prioritize investments to determine whether the investments should be kept as-is, modernized, replaced, or retired. We pointed out that the Office of Management and Budget (OMB) had created draft guidance that would require agencies to do so, but OMB had not committed to a firm time frame for when the guidance would be issued.

As such, we made 16 recommendations to OMB and the selected federal agencies to better manage legacy systems and investments. Most agencies agreed with the recommendations or had no comment. However, as of May 2019, 13 recommendations had not been implemented. In particular, OMB has not finalized and issued its draft guidance on legacy systems. Until this guidance is finalized and issued, the federal government will continue to run the risk of maintaining investments that have outlived their effectiveness and are increasingly difficult to protect from cybersecurity vulnerabilities.

21 GAO-16-468.

22 The agencies in our 2016 review were the 12 that reported the highest planned IT spending for fiscal year 2015. These agencies were the Departments of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, Justice, State, Transportation, the Treasury, and Veterans Affairs; and the Social Security Administration.

Congress and the Executive Branch Have Made Efforts to Modernize Federal IT

Congress and the executive branch have initiated several efforts to modernize federal IT, including:

Identification of High Value Assets. In a December 2016 memorandum, OMB observed that continued increases in computing power combined with declining computing and storage costs and increased network connectivity had expanded the government’s capacity to store and process data.23 However, OMB noted that this rise in technology and interconnectivity also meant that the federal government’s critical networks, systems, and data were more exposed to cyber risks. As a result, OMB issued guidance to assist federal agencies covered by the Chief Financial Officers Act in managing the risks to these assets, which it designated as High Value Assets.24

Subsequently, in December 2018, OMB issued a memorandum that provided further guidance regarding the establishment and enhancement of the High Value Asset program.25 It stated that the program is to be operated by DHS in coordination with OMB. Further, the new guidance expanded the program to apply to all agencies (i.e., agencies covered by the Chief Financial Officers Act, as well as those not covered by the act) and expanded the definition of High Value Assets.26 The guidance required agencies to identify and report these assets (which may include legacy systems), assess them for security risks, and remediate any weaknesses identified, including those associated with obsolete or unsupported technology.

23 OMB, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016).

24 OMB’s December 2016 memorandum defined High Value Assets as those assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant impact to the United States’ national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. This definition replaced a previous definition from OMB Memorandum M-16-04.

25 OMB, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, M-19-03 (Washington, D.C.: Dec. 10, 2018). This memorandum rescinded the previous guidance on High Value Assets, M-16-04 and M-17-09.

26 According to OMB’s December 2018 guidance, an agency may designate federal information or an information system as a High Value Asset when one or more of these categories apply to it: (1) the information or information system that processes, stores, or transmits the information is of high value to the federal government or its adversaries; (2) the agency that owns the information or information system cannot accomplish its primary mission essential functions within expected timelines without the information or information system; and (3) the information or information system serves a critical function in maintaining the security and resilience of the federal civilian enterprise.

Assessment of federal IT modernization. On May 11, 2017, the President signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.27 This executive order outlined actions to enhance cybersecurity across federal agencies and critical infrastructure to improve the nation’s cyber posture and capabilities against cybersecurity threats. Among other things, the order tasked the Director of the American Technology Council to coordinate a report to the President from the Secretary of DHS, the Director of OMB, and the Administrator of the General Services Administration (GSA), in consultation with the Secretary of Commerce, regarding modernizing federal IT.28

As a result, the Report to the President on Federal IT Modernization was issued on December 13, 2017, and outlined the current and envisioned state of federal IT.29 The report focused on modernization efforts to improve the security posture of federal IT and recognized that agencies have attempted to modernize systems but have been stymied by a variety of factors, including resource prioritization, ability to procure services quickly, and technical issues. The report provided multiple recommendations intended to address these issues through the modernization and consolidation of networks and the use of shared services. In particular, the report recommended that the federal government prioritize the modernization of legacy IT by focusing on enhancing security and privacy controls for those assets that are essential for agencies to serve the American people and whose security posture is most vulnerable (i.e., High Value Assets).

27 Exec. Order No. 13800, 82 Fed Reg. 22391 (2017).

28 The American Technology Council was established in May 2017, and has the goal of helping to transform and modernize federal agency IT and how the federal government uses and delivers digital services. The President is the chairman of this council, and the Federal CIO and the United States Digital Service Administrator are among the members.

29 American Technology Council, Report to the President on Federal IT Modernization, (Washington, D.C.: Dec. 13, 2017).

Enactment of the Modernizing Government Technology (MGT) Act. To help further agencies’ efforts to modernize IT, in December 2017, Congress and the President enacted a law to authorize the availability of funding mechanisms to improve, retire, or replace existing IT systems to enhance cybersecurity and to improve efficiency and effectiveness. The law, known as the MGT Act, authorizes agencies to establish working capital funds for use in transitioning from legacy systems, as well as for addressing evolving threats to information security.30 The law also created the Technology Modernization Fund, within the Department of the Treasury (Treasury), from which agencies can “borrow” money to retire and replace legacy systems, as well as acquire or develop systems.

Subsequently, in February 2018, OMB issued guidance for agencies to implement the MGT Act.31 The guidance was intended to provide agencies additional information regarding the Technology Modernization Fund, and the administration and funding of the related IT working capital funds.32 Specifically, the guidance allowed agencies to begin submitting initial project proposals for modernization on February 27, 2018. In addition, in accordance with the MGT Act, the guidance provides details regarding a Technology Modernization Board, which is to consist of (1) the Federal CIO; (2) a senior official with IT technical expertise from GSA; (3) a member of DHS’s National Protection and Program Directorate;33 and (4) four federal employees with technical expertise in IT development, financial management, cybersecurity and privacy, and acquisition, appointed by the Director of OMB.34 As of February 2019, the Technology Management Fund Board had approved funds for seven IT modernization projects across five agencies: the Department of Agriculture, Energy, the Department of Housing and Urban Development (HUD), the Department of Labor, and GSA. For example, the board approved $20 million for HUD to modernize a mainframe and five COBOL-based applications that are expensive to maintain. According to the board’s website, without these funds, HUD would not have been able to pursue this project for several years.

30 National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, Div. A, Title X, Subtitle G (2017).

31 OMB, Implementation of the Modernizing Government Technology Act, M-18-12 (Washington, D.C.: Feb. 27, 2018).

32 OMB staff stated that, while the MGT Act authorizes agencies to establish working capital funds, the Act does not confer the transfer authority necessary to operate an IT working capital fund.

33 The National Protection and Program Directorate was the DHS component responsible for addressing physical and cyber infrastructure protection. The Cybersecurity and Infrastructure Security Agency Act of 2018 renamed the National Protection and Program Directorate to be the Cybersecurity and Infrastructure Security Agency and established a director and responsibilities for the agency.

34 As of February 2019, these four employees were the Acting Administrator of OMB’s U.S. Digital Service, the Small Business Administration’s CIO, SSA’s CIO, and VA’s Chief Technology Officer.

Issuance of the President’s Management Agenda. In March 2018, the Administration issued the President’s Management Agenda, which lays out a long-term vision for modernizing the federal government.35 The agenda identifies three related drivers of transformation—IT modernization; data, accountability, and transparency; and the workforce of the future—that are intended to push change across the federal government. The President’s Management Agenda identifies 14 related Cross-Agency Priority goals, many of which have elements that involve IT.36 In particular, the Cross-Agency Priority goal on IT modernization states that modern technology must function as the backbone of how government serves the public in the digital age. Further, the goal on IT modernization provides three priorities that are to guide the Administration’s efforts to modernize federal IT: (1) enhancing mission effectiveness by improving the quality and efficiency of critical services, including the increased utilization of cloud-based solutions;37 (2) reducing cybersecurity risks to the federal mission by leveraging current commercial capabilities and implementing cutting edge cybersecurity capabilities; and (3) building a modern IT workforce by recruiting, reskilling, and retaining professionals able to help drive modernization with up-to-date technology.

35 President’s Management Council and Executive Office of the President, President’s Management Agenda (Washington, D.C.: Mar. 20, 2018).

36 Cross-Agency Priority goals were established in response to the GPRA Modernization Act of 2010, Pub. L. No. 111-352, Sec. 5 (Jan. 4, 2011); 124 Stat. 3866, 3873; 31 U.S.C. § 1120(a)(1)(B).

37 Cloud computing is a means for delivering computing services via IT networks. When executed effectively, cloud-based solutions can allow agencies to pay for only the IT services used, thus paying less for more services.

GAO IDENTIFIED 10 CRITICAL FEDERAL LEGACY SYSTEMS; AGENCIES OFTEN LACK COMPLETE PLANS FOR THEIR MODERNIZATION

As determined by our review of 65 critical federal legacy systems (see appendix II), the 10 most critical legacy systems in need of modernization are maintained by 10 different federal agencies whose missions are essential to government operations, such as emergency management, health care, and wartime readiness.38 These legacy systems provide vital support to the agencies’ missions. According to the agencies, these legacy systems range from about 8 to 51 years old and, collectively, cost approximately $337 million annually to operate and maintain.39 Several of the systems use older languages, such as COBOL and assembly language code.40 However, as we reported in June 2018, reliance on assembly language code and COBOL has risks, such as a rise in procurement and operating costs, and a decrease in the availability of individuals with the proper skill sets.41 Further, several of these legacy systems are also operating with known security vulnerabilities and unsupported hardware and software. For example, DHS’s Federal Emergency Management Agency performed a security assessment on its selected legacy system in September 2018. This review found 249 reported vulnerabilities, of which 168 were considered high or critical risk to the network. With regard to unsupported hardware and software, Interior’s system contains obsolete hardware that is not supported by the manufacturers. Moreover, the system’s original hardware and software installation did not include any long-term vendor support. Thus, any original components that remain operational may have had long-term exposure to security and performance weaknesses.

38 To identify the 10 most critical legacy systems in need of modernization, we collected information on 65 of the most critical federal legacy systems and assigned point values based on system attributes, including a system’s age, hardware’s age, system criticality, and security risk (see appendix II for the full list of 65 systems). We then selected the 10 systems with the highest scores as the most critical legacy systems in need of modernization.

39 SSA was unable to isolate the costs for just System 10 and, as a result, this number includes the cost of operating some of SSA’s other mainframe systems.

40 As we reported in May 2016, assembly language code is a low-level computer language initially used in the 1950s. Programs written in assembly language are conservative of machine resources and quite fast; however, they are much more difficult to write and maintain than other languages. Programs written in assembly language may only run on the type of computer for which they were originally developed.

41 GAO, Information Technology: IRS Needs to Take Additional Actions to Address Significant Risks to Tax Processing, GAO-18-298 (Washington, D.C.: June 28, 2018).

Table 1. The 10 most critical federal legacy systems in need of modernization

| Agency | System name [a] | System description [a] | Age of system, in years | Age of oldest hardware, in years | System criticality (according to agency) | Security risk (according to agency) |
|---|---|---|---|---|---|---|
| Department of Defense | System 1 | A maintenance system that supports wartime readiness, among other things | 14 | 3 | Moderately high | Moderate |
| Department of Education | System 2 | A system that contains student information | 46 | 3 | High | High |
| Department of Health and Human Services | System 3 | An information system that supports clinical and patient administrative activities | 50 | Unknown [b] | High | High |
| Department of Homeland Security | System 4 | A network that consists of routers, switches, and other network appliances | Between 8 and 11 [c] | 11 | High | High |
| Department of the Interior | System 5 | A system that supports the operation of certain dams and power plants | 18 | 18 | High | Moderately high |
| Department of the Treasury | System 6 | A system that contains taxpayer information | 51 | 4 | High | Moderately low |
| Department of Transportation | System 7 | A system that contains information on aircraft | 35 | 7 | High | Moderately high |
| Office of Personnel Management | System 8 | Hardware, software, and service components that support information technology applications and services | 34 | 14 | High | Moderately low |
| Small Business Administration | System 9 | A system that controls access to applications | 17 | 10 | High | Moderately high |
| Social Security Administration | System 10 | A group of systems that contain information on Social Security beneficiaries | 45 | 5 | High | Moderate |

Key: Agencies reported the system criticality and security risk on a scale of 1 to 5 (with 5 being the most critical and the highest risk).
Low-1: According to the agency, system has low security risk or criticality.
Moderately low-2: According to the agency, system has moderately low security risk or criticality.
Moderate-3: According to the agency, system has moderate security risk or criticality.
Moderately high-4: According to the agency, system has moderately high security risk or criticality.
High-5: According to the agency, system has high security risk or criticality.

Source: GAO analysis of agency data. | GAO-19-471

a Due to sensitivity concerns, we substituted a numeric identifier for the system names and only provided general details.
b The agency stated that the system’s hardware had various refresh dates and that it was not able to identify the oldest hardware.
c The agency stated that the majority of the network’s hardware was purchased between 2008 and 2011.

Table 1 provides a generalized list of each of the 10 most critical legacy systems that we identified, as well as agency-reported system attributes, including the system’s age, hardware’s age, system criticality, and security risk. (Due to sensitivity concerns, we substituted a numeric identifier for the system names and are not providing detailed descriptions). Appendix III provides additional generalized agency-reported details on each of these 10 legacy systems.

The Majority of Agencies Lack Complete Plans for Modernizing the Most Critical Legacy Systems

Given the age of the hardware and software in legacy systems, the systems’ criticality to agency missions, and the security risks posed by operating aging systems, it is imperative that agencies carefully plan for their successful modernization. Documenting modernization plans in sufficient detail increases the likelihood that modernization initiatives will succeed. According to our review of government and industry best practices for the modernization of federal IT,42 agencies should have documented modernization plans for legacy systems that, at a minimum, include three key elements: (1) milestones to complete the modernization, (2) a description of the work necessary to modernize the legacy system, and (3) details regarding the disposition of the legacy system.

42 GSA, Unified Shared Services Management, Modernization and Migration Management (M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug. 3, 2016); American Technology Council, Report to the President on Federal IT Modernization (Dec. 13, 2017); OMB, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016); American Council for Technology-Industry Advisory Council, Legacy System Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016); and Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).

Of the 10 identified agencies with critical systems most in need of modernization, seven (DOD, DHS, Interior, Treasury, the Office of Personnel Management (OPM), the Small Business Administration (SBA), and SSA) had documented modernization plans for their respective critical legacy systems and three did not have documented plans. The three agencies that did not have documented modernization plans for their critical legacy systems were: (1) Education, (2) HHS, and (3) Transportation.

Of the seven agencies with documented plans, DOD and Interior had modernization plans that addressed each of the three key elements. For example, Interior submitted documentation of both completed and forthcoming milestones leading to the deployment of the modernized system. The department also provided a list of the mandatory requirements for the updated system, as well as the work that needed to be performed at each stage of the project, including the disposition of the legacy system. Likewise, DOD provided documentation of the milestones and the work needed to complete the modernization of its legacy system. In addition, the documentation discussed the department’s plans for the disposition of the legacy system.

While the other five agencies—Treasury, DHS, OPM, SBA, and SSA— had developed modernization plans for their respective legacy systems, their plans did not fully address one or more of the three key elements. For instance, DHS’s Federal Emergency Management Agency’s modernization plan for its selected legacy system described the work that the department needed to accomplish, but did not include the associated milestones or the disposition of the legacy system. Similarly, SBA included milestones and a plan for the disposition of the legacy system, but did not include a description of the work necessary to accomplish the modernization. Treasury, OPM, and SSA partially included one or more of the key elements in their modernization plans. For instance, OPM’s and SSA’s plans included upcoming milestones for one part of the initiative, but not the entire effort. Similarly, OPM’s modernization plans only described a portion of the work necessary to complete each modernization initiative.
Further, none of these four agencies’ modernization plans included considerations for the disposition of legacy system components following the completion of the modernization initiatives. While agencies may be using development practices that minimize initial planning, such as agile,43 agencies should have high-level information on cost, scope, and timing.44

Table 2. Extent to which agencies’ legacy system documented modernization plans included key elements

| Agency | System name [a] | Includes milestones to complete the modernization | Describes work necessary to modernize system | Summarizes planned disposition of legacy system |
|---|---|---|---|---|
| Department of Defense | System 1 | Yes | Yes | Yes |
| Department of Homeland Security | System 4 | No | Yes | No |
| Department of the Interior | System 5 | Yes | Yes | Yes |
| Department of the Treasury | System 6 | Partial | Yes | No |
| Office of Personnel Management | System 8 | Partial | Partial | No |
| Small Business Administration | System 9 | Yes | No | Yes |
| Social Security Administration | System 10 | Partial | Partial | No |

Legend:
Yes – Agency included element in modernization plan.
Partial – Agency partially included the element in the modernization plan (e.g., the element was completed for only a portion of the modernization, rather than the entire modernization).
No – Agency did not include element in modernization plan.

Source: GAO analysis of agency modernization plans. | GAO-19-471.

a Due to sensitivity concerns, we have substituted the systems’ names with a numeric identifier.

43 Agile development is a type of incremental development, which calls for the rapid delivery of software in small, short increments. Many organizations, especially in the federal government, are accustomed to using a waterfall software development model, which consists of long, sequential phases.

44 GAO, FEMA Grants Modernization: Improvements Needed to Strengthen Program Management and Cybersecurity, GAO-19-164 (Washington, D.C.: Apr. 9, 2019).

Table 2 identifies the seven agencies with documented modernization plans for their critical systems, as well as the extent to which the plans were sufficiently detailed to include the three key elements (Due to sensitivity concerns, we substituted a numeric identifier for the system names).

The agencies provided a variety of explanations for the missing modernization plans. For example, according to the three agencies without documented modernization plans:

• Education’s modernization plans were pending the results of a comprehensive IT visualization and engineering project that would determine which IT systems and services could be feasibly modernized, consolidated, or eliminated;
• HHS had entered into a contract to begin a modernization initiative but had not yet completed its plans; and
• Transportation had solicited information from industry to determine whether the agency’s ideas for modernization were feasible.

Of the five agencies which had plans that lacked key elements, officials within SSA’s office of the CIO stated that the agency has yet to complete its modernization planning, even though modernization efforts are currently underway. The officials said that they will update the planning documentation and make further decisions as the modernization effort progresses. Officials within DHS’s Federal Emergency Management Agency’s Office of the CIO stated that its plans for modernizing the system we reviewed (System 4) are contingent on receiving funding and being able to allocate staffing resources to planning activities. According to the officials, the agency is also integrating its plans for modernizing System 4 with the management of the rest of the agency’s systems. Similarly, Treasury officials stated that IRS’s efforts to complete planning for the remaining modernization activities have been delayed due to budget constraints. In addition, officials within OPM’s Office of the CIO stated that its modernization plan did not extend to fiscal year 2019 because there were changes in leadership during the creation of the plan, and because of uncertainty in funding amounts.


While we recognize that system modernizations are dependent on funding, it is important for agencies to prioritize funding for the modernization of these critical legacy systems. In addition, Congress provided increased authority for agencies to fund such modernization efforts through the MGT Act’s Technology Modernization Fund and the related IT working capital funds. Until the agencies establish complete legacy system modernization plans that include milestones, describe the work necessary to modernize the system, and detail the disposition of the legacy system, the agencies’ modernization initiatives will have an increased likelihood of cost overruns, schedule delays, and overall project failure. Project failure would be particularly detrimental in these 10 cases, not only because of wasted resources, but also because it would prolong the lifespan of increasingly vulnerable and obsolete systems, exposing the agency and system clients to security threats and potentially significant performance issues. Further, agencies may not be effectively planning for the modernization of legacy systems, in part, because they are not required to. As we reported in May 2016, agencies are not required to identify, evaluate, and prioritize existing IT investments to determine whether they should be kept as-is, modernized, replaced, or retired.45 We recommended that OMB direct agencies to identify legacy systems needing to be replaced or modernized. As of April 2019, OMB had not implemented this recommendation. OMB staff stated that agencies were directed to manage the risk to High Value Assets associated with legacy systems in OMB’s December 2018 guidance.46 While OMB’s guidance does direct agencies to identify, report, assess, and remediate issues associated with High Value Assets, it does not require agencies to do so for all legacy systems. 
Until OMB requires agencies to do so, the federal government will continue to run the risk of continuing to maintain investments that have outlived their effectiveness.

45 GAO-16-468.

46 OMB, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, M-19-03 (Washington, D.C.: Dec. 10, 2018).


Agencies Reported a Variety of IT Modernization Successes

The 24 Chief Financial Officers Act agencies in our review identified a total of 94 examples of successful modernizations of legacy systems undertaken in the last 5 years. The initiatives were of several types, including those aimed at transforming legacy code into a more modern programming language, migrating legacy services (e.g., email) to the cloud, and re-designing a legacy mainframe to a cloud-based application. Among these examples, the five that we selected reflect a mix of different agencies, types of system modernization initiatives, and types of benefits realized from the initiatives. Table 3 provides details on the five examples of successful IT modernization initiatives, as reported by their respective agencies, as well as the reported benefits related to those initiatives.

The five agencies attributed the success of their modernization initiatives to various factors, including:

• using automated technologies to examine programming code and perform testing (DOD and Treasury);
• testing the system thoroughly (SSA and Treasury);
• actively engaging the end users and stakeholders throughout the modernization process (SSA and Treasury);
• cultivating a partnership between industry and government (DOD);
• following management practices on change and life cycle management (Education);
• developing and implementing an enterprise-wide cost collection and data analysis process for commodity IT to track and measure progress against consolidation, optimization, and savings targets (DHS);
• creating an interface that was consistent across systems (SSA);
• having strong executive leadership and support (Treasury); and
• using agile principles to facilitate the team’s ownership of the project (Treasury).

Table 3. Agency-reported examples of successful Information Technology (IT) modernization initiatives in the last 5 years and associated benefits

Agency: Department of Defense (DOD)
Initiative description: Standard Base Supply System and Enterprise Solution Supply. In April 2015, the Air Force, a component of DOD, began an initiative to modernize its Standard Base Supply System and Enterprise Solution-Supply (legacy systems responsible for the management of supplies and equipment for warfighting missions). To do so, among other things, the component transformed millions of lines of Common Business Oriented Language (COBOL) code to Java code. In February 2018, the Air Force completed the migration to the modernized version of the Integrated Logistics Systems-Supply system.
Benefits reported by agencies:
- Avoided spending $11 million on costs associated with hosting the system due to decommissioning the legacy system earlier than anticipated
- Avoided spending $25 million annually on hosting costs
- Minimized the use of legacy code, which can be costly and difficult to maintain

Agency: Department of Education (Education)
Initiative description: Direct Loan Consolidation System. In 2012, Education began its initiative to modernize the Direct Loan Consolidation System, its system that allows students to apply for, receive, and consolidate federal education loans. Among other things, this modernization allowed loans to be assigned to multiple servicers, corrected information security findings, and provided better customer service. In June 2016, Education decommissioned the legacy system. Functions that were performed by the legacy system are now performed by another existing system, which has an application process in place for borrowers and a real-time interface to help prepopulate the application.
Benefits reported by agencies:
- Improved customer experience through website consolidation
- Consolidated customer call centers
- Reduced applicant data entry errors by prepopulating data from another system
- Reduced the amount of oversight required by lowering the number of contractors and systems
- Closed multiple critical security vulnerabilities
- Improved customer service

Agency: Department of Homeland Security (DHS)
Initiative description: Employing Shared Services/Cloud. In August 2012, DHS initiated the modernization of multiple IT infrastructure systems. This included an agencywide transition to a DHS private cloud email system and migrating legacy services to 13 DHS private cloud offerings.(a) In particular, all eight of DHS’s operational components migrated applicable legacy services to 13 DHS private cloud offerings by the end of fiscal year 2016. As a result, DHS components were able to retire legacy systems and replace legacy software application procurement requirements. For example, U.S. Citizenship and Immigration Services migrated several legacy services to the cloud, including email, which ultimately saved the agency $42,000.
Benefits reported by agencies:
- Realized cumulative $1.6 billion in cost savings
- Streamlined the supply chain for IT services
- Reduced the amount of labor needed to maintain legacy systems and software
- Enhanced security

Agency: Department of the Treasury (Treasury)
Initiative description: Treasury Offset Program. Treasury began the modernization initiative for this system in July 2011 using Agile development principles.(b) In November 2014, Treasury migrated its legacy COBOL- and Java-based Treasury Offset Program system to its new Java-based Treasury Offset Program Next Generation. The new system easily supported adding new debt collections from federal and state agencies, along with new payment streams.
Benefits reported by agencies:
- Enhanced revenue by $759 million by collecting delinquent debts
- Increased efficiency of the system
- Reduced time spent on manual interventions to keep the system from failing
- Automated testing and deployment pipeline, reducing risk and cost

Agency: Social Security Administration (SSA)
Initiative description: Representative Payee System. SSA began the modernization initiative in December 2011. The agency needed to have the ability to continually add new representative payee records and expand the number of records stored in the database. In April 2016, SSA completed its redesign of the system, changing it from a mainframe based system that used Assembler Language Code and COBOL to a web-based application, and decommissioned the legacy system.
Benefits reported by agencies:
- Improved users’ ability to find data related to criminal history and fraud
- Increased security by becoming compliant with current agency standards and federal guidelines
- Improved business processes, such as search capability
- Improved ability to identify criminal and fraudulent data
- Improved system performance and incorporated user requested features

Source: GAO analysis of agency data. | GAO-19-471.
(a) A private cloud is set up specifically for one organization, although there may be multiple customers within that organization and the cloud may exist on or off the customer’s premises.
(b) Agile development is an incremental approach that delivers software functionality in short increments before the system is fully deployed.


These factors are largely consistent with government and industry best practices. For example, we reported in 2011 on critical success factors associated with major acquisitions, including engaging stakeholders and having the support of senior executives.47 Similarly, OMB’s guidance on High Value Assets calls for agencies’ plans to address change management and life cycle management.48 Likewise, the Software Engineering Institute’s Capability Maturity Model® Integration for Development recommends that organizations engage stakeholders, practice effective change and life cycle management, and thoroughly test systems, among other practices.49 Further, our Information Technology Investment Management framework recommends involving end users, implementing change and life cycle management processes, and obtaining the support of executive leadership.50 Agencies that follow such practices are better positioned to modernize their legacy systems. Doing so will also allow the agencies to leverage IT to successfully address their missions.

47 GAO, Information Technology: Critical Factors Underlying Successful Major Acquisitions, GAO-12-7 (Washington, D.C.: Oct. 21, 2011).
48 OMB, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, M-19-03 (Washington, D.C.: Dec. 10, 2018).
49 Carnegie Mellon University’s Software Engineering Institute, Capability Maturity Model® Integration for Development, Version 1.3 (CMMI-Dev V1.3) (Pittsburgh, PA: Nov. 2010).
50 GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March 2004).

CONCLUSION

The 10 most critical federal legacy systems in need of modernization are becoming increasingly obsolete. Several agencies are using outdated computer languages, which can be difficult to maintain and increase costs. Further, several of these legacy systems are also operating with unsupported hardware and software and known security vulnerabilities. Most agencies did not have complete plans to modernize these legacy systems. Due to the criticality and possible cybersecurity risks posed by operating aging systems, having a plan that includes how and when the agency plans to modernize is vital. In the absence of such plans, the agencies increase the likelihood of cost overruns, schedule delays, and overall project failure. Such outcomes would be particularly detrimental because of the importance of these systems to agency missions. Successfully modernizing legacy systems is possible, as demonstrated by the five highlighted examples. Agencies attributed the success of their modernization initiatives to a variety of management and technical factors that were consistent with best practices.

RECOMMENDATIONS FOR EXECUTIVE ACTION

In the LOUO report that we are issuing concurrently with this chapter, we are making a total of eight recommendations to eight federal agencies to identify and document modernization plans for their respective legacy systems, including milestones, a description of the work necessary, and details on the disposition of the legacy system.

AGENCY COMMENTS AND OUR EVALUATION

We requested comments on a draft of this chapter from OMB and the 24 agencies included in our review. The eight agencies to which we made recommendations in the LOUO report agreed with our findings and recommendations. In addition, OMB and the 16 agencies to which we did not make recommendations either agreed with our findings, did not agree or disagree with the findings, or stated that they had no comments. Further, multiple agencies provided technical comments, which we have incorporated, as appropriate.

The following eight agencies agreed with our recommendations:

- In written comments from Education, the agency stated that it concurred with the recommendation and indicated its intent to address it. Education’s comments are reprinted in appendix IV.
- In written comments from HHS on the LOUO version of this chapter, the agency stated that it concurred with the recommendation and intends to evaluate ways to provide its modernization plan, including milestones and a description of the work necessary to modernize the system. HHS also provided technical comments that we incorporated, as appropriate. HHS deemed some of the information in its original agency comment letter pertaining to particular legacy systems to be sensitive, which must be protected from public disclosure. Therefore, we have omitted the sensitive information from the version of the agency comment letter that is reprinted in appendix V of this chapter.
- In written comments, DHS stated that it concurred with our recommendation. DHS’s comments are reprinted in appendix VI.
- In comments received via email from Transportation’s Director of Audit Relations and Program Improvement on May 9, 2019, the agency stated that it agreed with our recommendation.
- In comments from Treasury’s Supervisory IT Specialist/Performance and Governance Analyst, received via email on May 17, 2019, the department stated that it agreed with our recommendation. In addition, Treasury’s component agency, IRS, provided written comments which stated that it agreed with the recommendation. The agency said it intends to develop a multiyear retirement strategy for its system to address the recommendation. In its written comments, IRS also stated that our draft report did not accurately convey that the legacy system replacement project is intended to only replace core components of its selected legacy system. The agency said that, even when the entire replacement project is completed, it will only address a portion of the work required to retire the legacy system. In response, we modified our discussion of this project in the report. IRS’s comments are reprinted in appendix VII.
- In written comments from OPM on the LOUO version of this chapter, the agency stated that it concurred with the recommendation and indicated its plans to address the recommendation. OPM also provided technical comments that we incorporated, as appropriate. OPM deemed some of the information in its original agency comment letter pertaining to particular legacy systems to be sensitive, which must be protected from public disclosure. Therefore, we have omitted the sensitive information in the version of the agency comment letter that is reprinted in appendix VIII.
- In written comments, SBA concurred with our recommendation and stated that it intends to include a description of the work necessary to modernize the legacy system in the initiative’s project plan. The agency estimated that it will address the recommendation by July 31, 2019. SBA deemed some of the information in its original agency comment letter pertaining to particular legacy systems to be sensitive, which must be protected from public disclosure. Therefore, we have omitted the sensitive information from the version of the agency comment letter that is reprinted in appendix IX.
- In written comments from SSA, the agency stated that it agreed with our recommendation. The agency added that it is modernizing its legacy system using agile software methods and a multiyear roadmap of development activities. The agency further stated that, as it completes its modernization work, it expects to retire most of the legacy software associated with System 10. SSA also provided technical comments that we incorporated, as appropriate. SSA’s comments are reprinted in appendix X.


In addition, we received responses via email from 14 agencies to which we did not make recommendations. Of these agencies, three agreed with our findings and 11 stated that they did not have comments on the report. Two other agencies—HUD and the U.S. Agency for International Development—provided written comments in which they expressed appreciation for the opportunity to review the report, but did not state whether they agreed or disagreed with our findings. These agencies’ comments are reprinted in appendixes XI and XII, respectively. Further, in an email from OMB staff on May 22, 2019, the agency did not state whether it agreed or disagreed with our findings, but provided technical comments that we incorporated, as appropriate.

We are sending copies of this chapter to the appropriate congressional committees; the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Labor, State, the Interior, the Treasury, Transportation, and Veterans Affairs; the U.S. Attorney General (Department of Justice); the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and the U.S. Agency for International Development; the Commissioner of the Social Security Administration; the Directors of the National Science Foundation and the Office of Personnel Management; and the Chairman of the Nuclear Regulatory Commission; and other interested parties.

Carol C. Harris
Director
Information Technology Management Issues

List of Requesters

The Honorable Elijah E. Cummings
Chairman
The Honorable Jim Jordan
Ranking Member
Committee on Oversight and Reform
House of Representatives

The Honorable Gerald E. Connolly
Chairman
The Honorable Mark Meadows
Ranking Member
Subcommittee on Government Operations
Committee on Oversight and Reform
House of Representatives

The Honorable Will Hurd
House of Representatives

The Honorable Robin L. Kelly
House of Representatives

APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY

Our objectives were to (1) identify the most critical federal legacy systems in need of modernization and evaluate plans for modernizing them, and (2) identify examples of information technology (IT) legacy system modernization initiatives in the last 5 years that agencies considered successful. The scope of our review included the 24 agencies covered by the Chief Financial Officers Act of 1990.51

51 The 24 major federal agencies covered by the Chief Financial Officers Act of 1990 are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; Environmental Protection Agency; General Services Administration; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; and U.S. Agency for International Development.

This chapter presents a public version of a “limited official use only” (LOUO) report that we are also issuing today.52 The Department of Homeland Security and the Department of the Interior determined that certain information in our original report should be protected from public disclosure. Therefore, we will not release the LOUO report to the general public because of the sensitive information it contains. The LOUO report includes eight recommendations that we made to eight agencies to document modernization plans for particular legacy systems, including milestones, a description of the work necessary, and details on the disposition of the legacy system.53 In this public version of the report, we have omitted sensitive information regarding particular legacy systems. Specifically, we have deleted systems’ names and other information that would identify the particular system, such as specific descriptions of the systems’ purposes and vulnerabilities. Although the information provided in this chapter is more limited, the report addresses the same objectives as the LOUO report and is based on the same audit methodology. We provided a draft of this chapter to agency officials to obtain their review and comments on the sensitivity of the information contained herein. We confirmed with the agency officials that this chapter can be made available to the public without jeopardizing the security of federal agencies’ legacy systems.

52 GAO, Information Technology: Agencies Need to Develop Modernization Plans for Critical Legacy Systems, GAO-19-351SU (Washington, D.C.: June 11, 2019).
53 We made recommendations to the Departments of Education, Health and Human Services, Homeland Security, Transportation, the Treasury; the Office of Personnel Management; Small Business Administration; and Social Security Administration.

To identify the most critical legacy systems in need of modernization, we first reviewed the agencies’ 2017 responses to congressional committees’ requests for information that identified the agencies’ top three legacy systems in need of modernization. We then asked the agencies to either confirm that those systems were still considered their top systems in need of modernization or update their lists to include the three systems most in need of modernization. All 24 agencies either confirmed or updated their lists of legacy systems most in need of modernization. This resulted in a collective list of 65 systems.54 However, due to sensitivity concerns, we are not disclosing the names of the systems in this chapter. Appendix II provides a generalized list of the systems.

To develop a set of attributes for determining systems’ obsolescence and their need for modernization, we reviewed available technical literature, such as:



- General Services Administration’s Unified Shared Services Management’s55 Modernization and Migration Management (M3) Playbook and M3 Playbook Guidance,56
- American Technology Council’s57 Report to the President on Federal IT Modernization,58
- Office of Management and Budget’s Management of Federal High Value Assets Memorandum,59
- IBM Center for The Business of Government’s A Roadmap for IT Modernization in Government,60 and
- American Council for Technology-Industry Advisory Council’s Legacy System Modernization: Addressing Challenges on the Path to Success.61

54 Most agencies provided a list of three legacy systems in need of modernization. However, the Department of Education reported four legacy systems, the Department of Commerce reported two legacy systems, and the Departments of Agriculture and Energy each reported one legacy system. The U.S. Agency for International Development stated that it did not have any legacy systems.
55 The Unified Shared Services Management office resides within the General Services Administration and is to provide the strategy and leadership to make mission-enabling services better, faster, and more affordable.
56 General Services Administration, Unified Shared Services Management, Modernization and Migration Management (M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug. 3, 2016).
57 The American Technology Council was established in May 2017, and has the goal of helping to transform and modernize federal agency IT and how the federal government uses and delivers digital services. The President is the chairman of this council, and the Federal CIO and the United States Digital Service Administrator are among the members.
58 American Technology Council, Report to the President on Federal IT Modernization (Dec. 13, 2017).
59 Office of Management and Budget, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016). This was the memorandum that was in place at the time of our analysis. It has since been rescinded and replaced by M-19-03.
60 Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).

We also consulted with system development experts within GAO and reviewed our prior report on federal legacy systems.62 Using these sources, we developed a set of 14 total attributes for determining systems’ obsolescence and their need for modernization. We then asked the agencies in our review to provide the associated details for the selected systems.

We considered these details to rank the systems against the attributes that we compiled. We assigned point values to each system based on the systems’ agency-reported attributes. Table 4 details the nine attributes and associated point values and ranges we used to initially rank the legacy systems.

We then totaled the assigned points for each legacy system and ranked the results from highest to lowest number of assigned points. While we had planned to select the top 20 systems with the most points for more detailed analysis, three systems were ranked in nineteenth place. As a result, we selected 21 systems for our review.

We collected additional information on the 21 selected systems and performed a second round of analysis, scoring, and ranking. Based on the second set of scores, we identified the 10 systems with the highest scores as being the most critical legacy systems in need of modernization. We also supplemented our review with interviews of officials in the agencies’ offices of the Chief Information Officer and program offices for the selected legacy systems. Table 5 details the five attributes and associated point values and ranges we used to rank the legacy systems in the subsequent round of analysis. Table 6 lists these 10 selected systems according to their designated identifiers. However, due to sensitivity concerns, we substituted a numeric identifier for the name of each system.

61 American Council for Technology-Industry Advisory Council, Legacy System Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016).
62 GAO, Information Technology: Federal Agencies Need to Address Aging Legacy Systems, GAO-16-468 (Washington, D.C.: May 25, 2016).

Table 4. Attributes and associated point values used to rank legacy systems

System attribute: Initial year of implementation
Point values:
- 0 points if the system had been implemented in the 2010s
- 2 points if the system had been implemented in the 2000s
- 4 points if the system had been implemented in the 1990s
- 6 points if the system had been implemented in the 1980s
- 8 points if the system had been implemented in the 1970s
- 10 points if the system had been implemented before 1970

System attribute: High Value Asset(a) status
Point values:
- 10 points if system had been a High Value Asset; 0 points if not

System attribute: Date of oldest hardware
Point values:
- 0 points if the oldest hardware had been installed in the 2010s
- 1 point if the oldest hardware had been installed in the 2000s
- 2 points if the oldest hardware had been installed in the 1990s
- 3 points if the oldest hardware had been installed in the 1980s
- 4 points if the oldest hardware had been installed in the 1970s
- 5 points if the oldest hardware had been installed before 1970

System attribute: Hardware warranty status
Point values:
- 5 points if the system’s hardware was no longer under warranty; 0 points if the hardware was under warranty

System attribute: Operating system support status
Point values:
- 5 points if the system’s operating system was no longer supported by the vendor; 0 points if the operating system was supported

System attribute: Software support status
Point values:
- 5 points if the system’s software was no longer supported by the vendor; 0 points if the software was supported

System attribute: Use of legacy programming language
Point values:
- 5 points if the system used a programming language that the agency identified as a legacy language; 0 points if the system did not use legacy programming languages

System attribute: System criticality (on a scale of 1 to 5, 5 being most critical)
Point values:
- 1 – 5 points, as assessed by the agency

System attribute: Security risk (on a scale of 1 to 5, 5 having the most risk)
Point values:
- 1 – 5 points, as assessed by the agency

Source: GAO analysis. | GAO-19-471.
(a) At the time of our analysis, the Office of Management and Budget’s memorandum M-17-09 was in place and defined High Value Assets as those assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant impact to the United States’ national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people. This memorandum and definition has since been rescinded and replaced by M-19-03.


Table 5. Attributes and associated point values used to rank legacy systems in the subsequent round of analysis

System attribute: Status of modernization plans
Point values:
- 5 points if the agency did not have plans to modernize the system; 0 points if the agency had plans to modernize the system

System attribute: Number of users
Point values:
- 0 points if the system had under 100 users
- 1 point if the system had 100 to 5,000 users
- 2 points if the system had 5,000 to 25,000 users
- 3 points if the system had 25,000 to 100,000 users
- 4 points if the system had 100,000 to 500,000 users
- 5 points if the system had more than 500,000 users

System attribute: Potential annual cost savings of system modernization
Point values:
- 0 points if the modernization of the system could potentially result in cost savings of less than $100,000
- 1 point if the modernization of the system could potentially result in cost savings of $100,000 to $500,000
- 2 points if the modernization of the system could potentially result in cost savings of $500,000 to $2 million
- 3 points if the modernization of the system could potentially result in cost savings of $2 million to $10 million
- 4 points if the modernization of the system could potentially result in cost savings of $10 million to $20 million
- 5 points if the modernization of the system could potentially result in cost savings of more than $20 million

System attribute: Annual operating costs
Point values:
- 0 points if the system’s annual operating costs were under $100,000
- 1 point if the system’s annual operating costs were between $100,000 and $500,000
- 2 points if the system’s annual operating costs were between $500,000 and $2 million
- 3 points if the system’s annual operating costs were between $2 million and $10 million
- 4 points if the system’s annual operating costs were between $10 million and $20 million
- 5 points if the system’s annual operating costs were more than $20 million

System attribute: Annual labor costs
Point values:
- 0 points if the system’s annual labor costs were under $100,000
- 1 point if the system’s annual labor costs were between $100,000 and $500,000
- 2 points if the system’s annual labor costs were between $500,000 and $2 million
- 3 points if the system’s annual labor costs were between $2 million and $10 million
- 4 points if the system’s annual labor costs were between $10 million and $20 million
- 5 points if the system’s annual labor costs were more than $20 million

Source: GAO analysis. | GAO-19-471.


Table 6. The 10 selected most critical legacy systems in need of modernization

Agency | System name
Department of Defense | System 1
Department of Education | System 2
Department of Health and Human Services | System 3
Department of Homeland Security | System 4
Department of the Interior | System 5
Department of the Treasury | System 6
Department of Transportation | System 7
Office of Personnel Management | System 8
Small Business Administration | System 9
Social Security Administration | System 10

Source: GAO analysis of agency documentation. | GAO-19-471.

To evaluate agencies’ plans for modernizing the 10 federal legacy systems most in need of modernization, we requested that agencies provide us with the relevant plans. These modernization plans could have been contained within several types of documentation, since a system modernization could be a new system development, a system acquisition, or a renovation of the legacy system. For example, if an agency was acquiring a new system from a vendor, the plans for modernization could have been contained within an acquisition plan or a statement of work in a contract. Likewise, if an agency was developing a new system on its own, the modernization plans could have been within a project plan or design document. We reviewed government and industry best practice documentation on the identification and modernization of legacy systems, including:

- General Services Administration’s Unified Shared Services Management’s63 Modernization and Migration Management (M3) Playbook and M3 Playbook Guidance,64
- American Technology Council’s65 Report to the President on Federal IT Modernization,66
- Office of Management and Budget’s Management of Federal High Value Assets memorandum,67
- IBM Center for The Business of Government’s A Roadmap for IT Modernization in Government,68 and
- American Council for Technology-Industry Advisory Council’s Legacy System Modernization: Addressing Challenges on the Path to Success.69

Based on our reviews of these sources, we determined that agencies’ documented plans for system modernization should include, at a minimum, (1) milestones to complete the modernization, (2) a description of the work necessary to modernize the system, and (3) details regarding the disposition of the legacy system.

63 The Unified Shared Services Management office resides within the General Services Administration and is to provide the strategy and leadership to make mission-enabling services better, faster, and more affordable.
64 General Services Administration, Unified Shared Services Management, Modernization and Migration Management (M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug. 3, 2016).
65 The American Technology Council was established in May 2017, and has the goal of helping to transform and modernize federal agency IT and how the federal government uses and delivers digital services. The President is the chairman of this council, and the Federal CIO and the United States Digital Service Administrator are among the members.
66 American Technology Council, Report to the President on Federal IT Modernization (Dec. 13, 2017).
67 Office of Management and Budget, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016). This was the memorandum that was in place at the time of our analysis. It has since been rescinded and replaced by M-19-03.
68 Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).
69 American Council for Technology-Industry Advisory Council, Legacy System Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016).


We then analyzed agencies’ documented modernization plans for the selected systems to determine whether the plans included these elements. If an agency’s plans included milestones for only a portion of the initiative or only described a portion of the work necessary to complete the modernization, we assigned the agency a partial rating. Appendix III provides details on each of the selected systems and the agencies’ plans for modernizing them.

To identify examples of successful IT legacy system modernization initiatives, we first asked each of the 24 agencies to provide us with examples of their successful modernization initiatives completed between 2014 and 2018. The agencies reported 94 examples of successful modernization initiatives. We also reviewed the agencies’ responses to congressional committees’ requests for information to determine other possible successful modernization initiatives at these agencies. Using the examples discovered in this process and the agency-provided examples, we then collected and reviewed documentation describing the modernization initiatives, such as case studies and the agencies’ written responses to our questions about the initiatives. We used our professional judgment to select examples that reflected a mix of different agencies, types of system modernization initiatives, and types of benefits realized from the initiatives. We ultimately included in our review those modernization initiatives that two or more members of our audit team selected as examples that reflected a mix of different agencies, types of system modernization initiatives, and types of benefits realized from the initiatives. We also coordinated with the selected agencies’ Offices of Inspector General to determine whether those offices had any past or current audit work that would contradict the agencies’ determination that the selected initiatives were successful.

We conducted this performance audit from January 2018 to June 2019 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX II: THE 24 CHIEF FINANCIAL OFFICERS ACT AGENCIES’ MOST CRITICAL LEGACY SYSTEMS IN NEED OF MODERNIZATION

Each of the 24 Chief Financial Officers Act agencies identified their agency’s most critical legacy systems in need of modernization. The agencies identified a total of 65 such systems.70 The agencies also identified various attributes of the legacy systems, including the systems’ age, hardware age,71 system criticality, and security risk. Table 7 provides a generalized list of the most critical legacy systems in need of modernization, as identified by the agencies, as well as selected factors related to each system’s age and criticality. (Due to sensitivity concerns, we substituted alphanumeric identifiers for the names of the agencies’ systems. Specifically, we assigned a number to identify each of the 10 most critical legacy systems in need of modernization that we discuss in this chapter and we assigned a letter or letters to identify the remaining 55 systems).

70 Most agencies provided a list of three legacy systems in need of modernization. However, the Department of Education reported four legacy systems, the Department of Commerce reported two legacy systems, and the Departments of Agriculture and Energy each reported one legacy system. The U.S. Agency for International Development stated that it did not have any legacy systems.
71 A legacy system may run on updated hardware, and, thus, the system’s age and hardware age may not be the same.

Table 7. Combined List of Agencies’ Most Critical Legacy Systems in Need of Modernization

| Agency | System name[a] | Age of system, in years | Age of oldest hardware installed, in years | System criticality (as determined by agency) | Security risk (as determined by agency) |
|---|---|---|---|---|---|
| Department of Agriculture | System A | 8 | Unknown[b] | High | Moderately low |
| Department of Commerce | System B | 16 | 5 | High | High |
| Department of Commerce | System C | 25 | 7 | High | Low |
| Department of Defense | System 1 | 14 | 3 | Moderately high | Moderate |
| Department of Defense | System D | 55 | 5 | High | Low |
| Department of Defense | System E | 33 | 12 | High | Moderately low |
| Department of Education | System 2 | 46 | 3 | High | High |
| Department of Education | System F | 13 | 12 | High | Moderately high |
| Department of Education | System G | 25 | 5 | High | High |
| Department of Education | System H | 24 | 17 | Moderate | High |
| Department of Energy | System I | 32 | 2 | High | Low |
| Department of Health and Human Services | System 3 | 50 | Various[c] | High | High |
| Department of Health and Human Services | System J | 21 | Unknown[b] | High | Moderate |
| Department of Health and Human Services | System K | 7 | 8 | High | Moderate |
| Department of Homeland Security | System 4 | 11 | 11 | High | High |
| Department of Homeland Security | System L | 9 | 2 | High | Moderately low |
| Department of Homeland Security | System M | 6 | 1 | High | Low |
| Department of Housing and Urban Development | System N | 42 | 2 | High | Moderate |
| Department of Housing and Urban Development | System O | 44 | 2 | High | Moderate |
| Department of Housing and Urban Development | System P | 44 | 2 | High | Moderate |
| Department of Justice | System Q | 21 | 10 | High | High |
| Department of Justice | System R | 38 | 7 | High | Moderately low |
| Department of Justice | System S | 49 | 6 | Moderately high | Low |
| Department of Labor | System T | 14 | 9 | High | Low |
| Department of Labor | System U | 21 | 10 | High | Low |
| Department of Labor | System V | 15 | 3 | High | Moderate |
| Department of State | System W | 24 | 5 | High | Moderate |
| Department of State | System X | 21 | 5 | Moderately high | Moderate |
| Department of State | System Y | 20 | 3 | Moderately high | Moderate |
| Department of the Interior | System 5 | 18 | 18 | High | Moderately high |
| Department of the Interior | System Z | 29 | 9 | High | High |
| Department of the Interior | System AA | 23 | 23 | Moderately high | Low |
| Department of the Treasury | System 6 | 51 | 4 | High | Moderately low |
| Department of the Treasury | System AB | 13 | 10 | Moderate | Moderate |
| Department of the Treasury | System AC | 10 | 8 | High | Moderately low |
| Department of Transportation | System 7 | 35 | 7 | High | Moderately high |
| Department of Transportation | System AD | 17 | 4 | High | Moderately high |
| Department of Transportation | System AE | 19 | n/a[b] | High | High |
| Department of Veterans Affairs | System AF | 31 | 3 | High | Low |
| Department of Veterans Affairs | System AG | 49 | 2 | High | Moderately low |
| Department of Veterans Affairs | System AH | 31 | 4 | High | Moderate |
| Environmental Protection Agency | System AI | 24 | 1 | High | Low |
| Environmental Protection Agency | System AJ | 17 | 1 | High | Low |
| Environmental Protection Agency | System AK | 14 | 1 | High | Low |
| General Services Administration | System AL | 39 | 2 | High | Low |
| General Services Administration | System AM | 5 | 10 | High | Moderate |
| General Services Administration | System AN | 8 | Unknown[b] | High | Moderate |
| National Aeronautics and Space Administration | System AO | 10 | 13 | High | High |
| National Aeronautics and Space Administration | System AP | About 19 | 31 | Moderately high | Moderately low |
| National Aeronautics and Space Administration | System AQ | 6 | 6 | High | Low |
| Nuclear Regulatory Commission | System AR[d] | 11 | 7 | Moderately high | Moderate |
| Nuclear Regulatory Commission | System AS[d] | 20 | 2 | Moderately high | Moderate |
| Nuclear Regulatory Commission | System AT | 15 | 9 | Moderately high | Moderately low |
| National Science Foundation | System AU | 18 | 2 | High | Moderately low |
| National Science Foundation | System AV | 18 | 2 | Moderate | Moderately low |
| National Science Foundation | System AW | 22 | 2 | Moderate | Moderate |
| Office of Personnel Management | System 8 | 34 | 6 | High | Moderately low |
| Office of Personnel Management | System AX | 29 | 6 | High | Moderately high |
| Office of Personnel Management | System AY | 21 | 6 | High | Moderately low |
| Small Business Administration | System 9 | 17 | 10 | High | Moderately high |
| Small Business Administration | System AZ | 13 | 10 | Moderately high | Moderately high |
| Small Business Administration | System BA | 15 | 3 | High | Moderately high |
| Social Security Administration | System 10 | 45 | 5 | High | Moderate |
| Social Security Administration | System BB | 34 | 5 | High | Moderate |
| Social Security Administration | System BC | 38 | 4 | High | Moderate |
| U.S. Agency for International Development | n/a – Agency stated that it does not have any legacy systems. | | | | |

Source: GAO analysis of agency documentation. | GAO-19-471.
[a] Due to sensitivity concerns, we substituted an alphanumeric identifier for the system names.
[b] The agency procures services from a vendor or another agency and was not able to get the information from the vendor.
[c] The agency stated that the system’s hardware had various refresh dates and was not able to identify the oldest hardware.
[d] This system has been decommissioned since the agency reported it to us.


APPENDIX III: PROFILES OF THE 10 MOST CRITICAL LEGACY SYSTEMS IN NEED OF MODERNIZATION

This appendix describes the 10 most critical legacy systems in need of modernization, as identified during our review. The profiles of each system describe (1) the system’s purpose, (2) the reason that the system needs to be modernized, (3) the agency’s plans for modernization, and (4) possible benefits to be realized once the system is modernized.

System 1

The Department of Defense (DOD)—U.S. Air Force’s System 1 provides configuration control and management to support wartime readiness and operational support of aircraft, among other things. See Figure 1 for a photograph of airmen maintaining an aircraft.

Source: Photo U.S. Air Force, Airman 1st Class Joshua Green. | GAO-19-471.
Figure 1. Airmen Maintaining an Air Force Aircraft.


Department of Defense—U.S. Air Force
Reported number of users: Approximately 242,672
Initial year of implementation: 2005
System hardware under warranty? Agency did not know
Software vendor supported? No
Operating system(s) supported? Yes
Legacy programming language(s) used? Yes
System criticality (as determined by agency): Moderately high
System security risk (as determined by agency): Moderate
Reported annual operating costs: $21.8 million
Reported annual labor costs: $3.6 million
Reported cost of modernization: $12 million
Potential cost savings: $34 million annually
Other benefits: Increased functionality, increased aircraft touch time and availability
Status of modernization plans: Agency has documented modernization plans that include milestones to complete the modernization, descriptions of the work necessary to modernize the legacy system, and plans for the disposition of the legacy system
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

According to Air Force documentation, the cost to maintain and sustain the system has been steadily increasing due to several factors, including (1) costs associated with maintaining and operating the system’s infrastructure and the manpower to maintain the legacy code; and (2) the difficulty and cost of experienced Common Business Oriented Language (COBOL)72 programmers, poor legacy documentation, and an aging infrastructure and code. In addition, the system runs on a mainframe that is hosted by another agency. As a result of these issues, Air Force officials expect annual costs to rise from $21.8 million in 2018 to approximately $35 million beginning in 2020.

In September 2018, the Air Force awarded a contract to modernize and migrate the system to a cloud environment by September 2019. DOD contractors developed a project plan for the modernization that contains goals and outlines how the contractor plans to move through the modernization process, listing out sequential tasks leading to project completion. In addition, it outlines milestones from the starting point through implementation, and provides for the disposition of the legacy system. After the migration, as funding allows, the Air Force plans to incrementally transform the system’s COBOL code to a more modern language.

Air Force program office officials stated that the modernized system will save the agency over $34 million a year, resulting in $356 million saved over a 10-year period. Officials also noted that, given the savings, the modernization would pay for itself in only 5 months. The Air Force also expects increased functionality with this modernization leading to increased aircraft touch time73 and aircraft availability by enabling adoption of new technologies.

72 COBOL, which was introduced in 1959, became the first widely used, high-level programming language for business applications. The Gartner Group, a leading information technology research and advisory company, has reported that organizations using COBOL should consider replacing the language, as procurement and operating costs are expected to steadily rise, and because there is a decrease in people available with the proper skill sets to support the language.

System 2

The Department of Education’s (Education) System 2 processes and stores student information and supports the processing of federal student aid applications.

Department of Education—Federal Student Aid
Reported number of users: Over 20 million student applications annually and thousands of other users
Initial year of implementation: 1973
System hardware under warranty? Yes
Software vendor supported? Yes
Operating system(s) supported? Yes
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): High
Reported annual operating costs: $43.9 million
Reported annual labor costs: $2.0 million
Reported cost of modernization: Agency has not determined costs
Potential cost savings: Agency has not calculated
Other benefits: Integration across the enterprise, improved cybersecurity and data protection, reduced system complexity, and increased efficiency
Status of modernization plans: Agency does not have a modernization plan
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

73 Aircraft touch time is the time spent performing aircraft maintenance tasks.


Education first implemented System 2 in 1973.74 Agency officials stated that the system runs approximately 1 million lines of Common Business Oriented Language (COBOL)75 on an IBM mainframe. COBOL is a legacy language that can be costly to maintain. The department noted that 18 contractors are employed to maintain the COBOL programming language for this and another system.

Education officials stated that the agency would like to modernize System 2 to eliminate reliance on COBOL, simplify user interactions, improve integration with other applications, respond to changing business requirements more quickly, and decrease development and operational costs.

Education officials stated that the agency intends to modernize System 2 as part of its Next Generation Financial Services Environment initiative. This initiative is to modernize Federal Student Aid’s technical and operational architecture and improve the customer experience. The agency expects to consolidate all customer-facing websites and implement a new loan servicing platform to benefit federal student loans.

Education has not developed a plan for the modernization of System 2. According to agency officials, these plans are pending the results of a comprehensive information technology (IT) visualization and engineering project that will determine which IT systems and services could be feasibly modernized, consolidated, or eliminated.

While Education has not calculated the specific cost savings associated with modernizing System 2, the department anticipates potential cost savings, including decreased hardware and software licensing costs and decreased costs associated with changes to business rules. According to the agency, other potential benefits of modernizing this system include integration across the enterprise, improved cybersecurity and data protection, reduced system complexity, and improved system efficiency.

74 At the time, Education was part of the Department of Health, Education, and Welfare.
75 COBOL, which was introduced in 1959, became the first widely used, high-level programming language for business applications. The Gartner Group, a leading information technology research and advisory company, has reported that organizations using COBOL should consider replacing the language, as procurement and operating costs are expected to steadily rise, and because there is a decrease in people available with the proper skill sets to support the language.


System 3

The Department of Health and Human Services’ (HHS) System 3 is a clinical and patient administrative information system. HHS’s component, the Indian Health Service (IHS), uses the system to gather, store, and display clinical, administrative, and financial information on patients seen in a clinic, hospital, or remotely through the use of telehealth and home visit practices.

Department of Health and Human Services—Indian Health Service
Reported number of users: Approximately 20,000
Initial year of implementation: 1969
System hardware under warranty? Yes
Software vendor supported? Yes
Operating system(s) supported? Yes
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): High
Reported annual operating costs: $79.1 million
Reported annual labor costs: $26.7 million
Reported cost of modernization: Agency has not calculated
Potential cost savings: Agency has not calculated
Other benefits: Improves interoperability with other healthcare partners and enhances patient care
Status of modernization plans: Agency does not have a modernization plan
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

HHS officials stated that the modernization of System 3 is imperative. Specifically, the agency noted that the system’s technical architecture and infrastructure were outdated. This has resulted in challenges in developing new capabilities in response to business and regulatory requirements. Further, System 3 is coded in C++ and MUMPS. MUMPS is a programming language that HHS considers to be a legacy language.76 The agency noted that it has become increasingly difficult to find programmers proficient in writing code for MUMPS. Lastly, the system’s more than 50 modules were added over time to address new business requirements. The software is installed on hundreds of separate computers, which has led to variations in the configurations at each site. According to IHS, this type of add-on development becomes detrimental over time and eventually requires a complete redesign to improve database design efficiency, process efficiency, workflow integration, and graphical user interfaces.

While the agency does not yet have modernization plans, in September 2018, HHS awarded a contract to conduct research for modernizing IHS’s health information technology (IT) infrastructure, applications, and capabilities. According to the department, the research will be conducted in several stages over the next year, and a substantial part of the research will be an evaluation of the current state of health IT across IHS’s health facilities. Once the research is conducted, in consultation with IHS and its stakeholders, the contractor will use the findings and recommendations to propose a prioritized roadmap for modernization. According to HHS, the agency will be completing the modernization initiative over the next 5 years, but anticipated that it may be able to begin to execute an implementation plan as early as 2020.

With regards to potential cost savings, HHS noted that the modernization will take significant capital investment to complete and it is unknown whether the modernization will lead to cost savings. HHS officials stated that this modernization could improve interoperability with its health care partners, the Department of Veterans Affairs and the Department of Defense, and significantly enhance direct patient care.

76 MUMPS was originally known as the Massachusetts General Hospital Utility MultiProgramming System. It is a programming language developed originally for building medical systems. In January 2018, we reported that there is a dwindling supply of qualified software developers for MUMPS.

System 4

The Department of Homeland Security—Federal Emergency Management Agency’s (FEMA) System 4 consists of routers, switches, firewalls, and other network appliances (all referred to as devices) to support the connectivity of FEMA sites.

According to the agency, System 4 needs to be modernized because there are significant cyber and network vulnerability risks associated with its end of life (i.e., no longer supported or manufactured by the vendor) devices. In particular, the system’s devices typically require replacement every 3 to 5 years from the date of purchase. Despite this, the majority of the hardware was purchased between 8 and 11 years ago. As of December 2018, about 545 of these devices were at the end of life. In a security assessment report performed in September 2018, System 4 received 249 security findings, of which 168 were high or critical risk to the system.

Further compounding this issue, the agency is not certain exactly how many devices make up the system. In particular, FEMA officials stated that the vendor completed an inventory of devices in May 2018, but that inventory did not align with other inventory counts. As a result, the agency plans to develop an inventory reconciliation strategy and process to address this issue.

Department of Homeland Security—Federal Emergency Management Agency
Reported number of users: On average 30,000; more during a disaster
Initial year of implementation: Between 2008 and 2011
System hardware under warranty? No
Software vendor supported? No
Operating system(s) supported? No
Legacy programming language(s) used? No
System criticality (as determined by agency): High
System security risk (as determined by agency): High
Reported annual operating costs: $1.9 million
Reported annual labor costs: $0
Reported cost of modernization: Agency has not calculated
Potential cost savings: Agency has not calculated
Other benefits: Ability to meet mission requirements, reduction of network downtime, and increased network availability
Status of modernization plans: Agency has documented modernization plans that describe the work necessary to modernize the system; however, they do not contain milestones to complete the modernization or plans for the disposition of legacy system components following system modernization
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

FEMA intends to replace System 4’s devices in two phases. The first phase will target the agency’s smaller facilities, while the second phase is to address the larger facilities, which may require more complex installations. FEMA’s Office of the Chief Information Officer is conducting site surveys to better define requirements and cost estimates.


While the agency has yet to develop finalized modernization plans for this initiative with milestones, DHS officials and contract information technology staff developed a list of future recommended activities that would help modernize the system as part of their November 2018 quarterly business review. Despite the lack of finalized plans, FEMA intends to replace 240 of the 545 devices that are at the end of support, if funds are available. The agency also intends to upgrade the remaining 305 devices in the future, if funds are available.

The agency has not calculated the exact amount of cost savings. Once the system is completely updated and a lifecycle replacement operations and maintenance support plan is in place and funded, FEMA and DHS expect to realize cost savings based on new technology and increased throughput.77 Further, the agency stated that with new equipment, it would be able to meet mission requirements and take advantage of new technologies. In addition, replacing these unsupported devices would significantly reduce downtime and increase network availability.

System 5

The Department of the Interior’s (Interior) System 5 is an Industrial Control System (ICS) Supervisory Control and Data Acquisition (SCADA) System that supports the general operation of dams and power plants on a particular river and its tributaries. The system serves its customers by, among other things, starting and stopping the generators, adjusting the output of electricity to assure electric grid stability, and monitoring the operating conditions of dam and power plant equipment. Figure 2 shows an example of an Interior dam.

77 Throughput refers to the performance of tasks by a computing service or device over a specific period. It measures the amount of completed work against time consumed and may be used to measure the performance of a process, memory, and/or network communications.


Source: U.S. Department of the Interior’s Bureau of Reclamation; Creative Commons ShareAlike 2.0 Generic (https://creativecommons.org/licenses/by-sa/2.0/legalcode). | GAO-19-471.
Figure 2. Photograph of a Dam.

Department of the Interior—Bureau of Reclamation
Reported number of users: 49
Initial year of implementation: 2001
System hardware under warranty? No
Software vendor supported? No
Operating system(s) supported? No
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): Moderately high
Reported annual operating costs: $427,000
Reported annual labor costs: $448,000
Reported cost of modernization: $4.5 million
Potential cost savings: $152,000 per year
Other benefits: Increased capacity for new system requirements, elimination of obsolete hardware, increased system reliability
Status of modernization plans: Agency has documented modernization plans that include milestones to complete the modernization, descriptions of the work necessary to modernize the legacy system, and plans for the disposition of legacy system components following system modernization
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

The system is approximately 18 years old and contains obsolete hardware that is not supported by the manufacturers. Further, according to a program official, the system’s original hardware and software installation did not include any long-term vendor support. Thus, any original components that remain operational may have had long-term exposure to security and performance weaknesses. In January 2014, the Director of National Intelligence testified that ICS and SCADA systems used in electrical power distribution provided an enticing target to malicious actors and that, although newer architectures provide flexibility, functionality, and resilience, large segments of the systems remain vulnerable to attack, potentially causing significant economic or human impact.

Further, according to Interior’s system modernization plans, the agency needs to modernize the system in order to increase data collection capabilities and security. Specifically, the system is expected to interface with more plant equipment and collect and report on more data than it has in the past.

According to Interior’s plans, the modernized system is expected to accommodate future growth requirements. The plans also support the complete replacement of the system’s obsolete hardware and software. The modernization plans also outline goals, milestones, and the work to be accomplished. The agency plans to complete the modernization by January 2020.

By replacing the legacy system, Interior plans to realize a number of potential benefits, including annual cost savings of $152,000. In addition, the system will no longer run on obsolete, unsupported hardware. Furthermore, newer software and hardware are expected to allow for the automation of compliance tasks, increase system security, and expand system availability. According to the system’s fiscal year 2017 operational analysis, these benefits should create a more reliable system for both the agency and the customers of the networked hydroelectric dams.

System 6

The Department of the Treasury’s Internal Revenue Service’s (IRS) System 6 contains taxpayer data. Many IRS processes depend on output, directly or indirectly, from this data source.


System 6 was written in a now outdated assembly language code78 and Common Business Oriented Language (COBOL).79 The department and we have raised a number of concerns related to this system’s reliance on assembly language code and COBOL, the maintainability of the system, and staff attrition. For example, in May 2016, we reported that legacy systems using outdated languages may become increasingly more expensive and agencies may pay a premium to hire staff or contractors with the knowledge to maintain these systems.80

Department of the Treasury—Internal Revenue Service
Reported number of users: 0[a]
Initial year of implementation: 1968
System hardware under warranty? No
Software vendor supported? Yes
Operating system(s) supported? Yes
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): Moderately low
Reported annual operating costs: $5.5 million
Reported annual labor costs: $10.4 million
Reported cost of modernization: $1.6 billion
Potential cost savings: None
Other benefits: Quick resolution of customer issues, reduced IT costs and complexity, and enhanced analytics and reporting
Status of modernization plans: Agency has documented modernization plans that describe the work necessary to modernize the legacy system; however, they only partially include milestones to complete the modernization and do not include details on the disposition of the legacy system
Note: [a] According to the agency, the system does not have users in the traditional sense and instead passes along data for applications to use. In 2018, the system assisted the agency in processing over 154 million tax returns.
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

78 As we reported in May 2016, assembly language code is a low-level computer language initially used in the 1950s. Programs written in assembly language are conservative of machine resources and quite fast; however, they are much more difficult to write and maintain than other languages. Programs written in assembly language may only run on the type of computer for which they were originally developed.
79 COBOL, which was introduced in 1959, became the first widely used, high-level programming language for business applications. The Gartner Group, a leading IT research and advisory company, has reported that organizations using COBOL should consider replacing the language, as procurement and operating costs are expected to steadily rise, and because there is a decrease in people available with the proper skill sets to support the language.
80 GAO, Information Technology: Federal Agencies Need to Address Aging Legacy Systems, GAO-16-468 (Washington, D.C.: May 25, 2016).


IRS plans to address these concerns by modernizing core components of System 6. The new system is intended to provide improved functionality. However, IRS is having trouble fully staffing the modernization effort, resulting in significant delays.

While the agency has developed modernization plans, they are incomplete. For example, the plans’ milestones do not go past the current project and their descriptions of the work necessary to complete the project are at a higher level when outlining the goals of future stages. In May 2019, the agency stated that even when the current modernization effort is fully implemented, only a portion of the work required to retire the legacy system will have been completed. The agency has not provided a target date for decommissioning the legacy system.

While IRS does not anticipate cost savings associated with the modernization of this system, it anticipates many internal and external benefits for both the taxpayer and the agency. In particular, according to the IRS’s Fiscal Year 2019 Capital Investment Plan, the benefits of modernizing this system include: (1) increased agility of agency response to changing taxpayer priorities and legislation; (2) reduced IT costs and complexity; (3) enhanced analytics and reporting to greatly improve compliance and issue resolution; and (4) reduced burden of manually intensive processes on IRS employees, by enabling automated calculations that currently are not possible.

System 7

The Department of Transportation’s (Transportation) Federal Aviation Administration’s (FAA) System 7 contains information on aircraft and pilots. The system also provides information to other government agencies, including those responsible for homeland security and investigations of aviation accidents.


Department of Transportation—Federal Aviation Administration
Reported number of users: 160
Initial year of implementation: 1984
System hardware under warranty? Unknown
Software vendor supported? No
Operating system(s) supported? No
Legacy programming language(s) used? No
System criticality (as determined by agency): High
System security risk (as determined by agency): Moderately high
Reported annual operating costs: $3.8 million
Reported annual labor costs: $10.7 million
Reported cost of modernization: Agency has not calculated
Potential cost savings: Agency has not calculated
Other benefits: Enhanced security, compliance with law
Status of modernization plans: Agency does not have a modernization plan
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

According to Transportation, the system is DOS-based and needs to be updated to continue to efficiently meet its mission.81 Specifically, some of the core system components are mainframe applications that have been in operation since 1984. In addition, the system is running unsupported software, including one operating system that was last supported by the vendor in 2010.

FAA is planning to implement a new system to streamline processes, allow for the submission of electronic applications and forms, automate registration processes, improve data availability, and implement additional security controls. However, the agency does not currently have a documented modernization plan. Officials stated that the agency is seeking alternatives to modernize the system and meet legislative requirements. FAA has asked interested vendors to respond to a request for information. According to the agency, the responses to this request are intended to inform strategic decisions about the modernization, and are planned to ultimately lead to proposed solutions from industry.

While FAA has not calculated the specific cost savings associated with modernizing the system, the agency stated that it anticipates potential cost savings. Agency officials stated that they plan to have information on the anticipated cost savings in November 2019. The agency also expects that the modernized system will provide enhanced security.

81 DOS, originally known as a disk operating system, is the operating system of a computer that can be stored on and run off of a computer disk drive.

System 8

The Office of Personnel Management’s (OPM) System 8 consists of the hardware, software, and service components that support OPM’s information technology (IT) applications and services. This system supports the agency’s business functions and supports the agency in providing investigative products and services for more than 100 federal agencies.

Office of Personnel Management
Reported number of users: Millions of external users and 9,500 internal users
Initial year of implementation: 1985
System hardware under warranty? Yes
Software vendor supported? No
Operating system(s) supported? Yes
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): Moderately low
Reported annual operating costs: $45.0 million
Reported annual labor costs: $6.0 million
Reported cost of modernization: Approximately $10 million
Potential cost savings: Approximately $16.0 million in cost avoidance in fiscal year 2018
Other benefits: Reduction in cybersecurity and operational risks, ability to address security vulnerabilities, avoidance of operational downtime
Status of modernization plans: Agency has documented modernization plans that partially include milestones to complete the modernization and partially describe the work necessary to modernize the legacy system; however, they do not include plans for the disposition of legacy system components following system modernization
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

Modernizing this system is especially important due to past security incidents and persistent security concerns. Specifically, according to OPM, segments of the agency’s infrastructure were allowed to age beyond end of life and now pose a significant risk in performance and security to IT operations.82 Further, in October 2017, OPM’s Office of the Inspector General (OIG) reported that the agency’s IT environment contained many instances of unsupported software and hardware, where the vendor no longer provided patches, security fixes, or updates for the software. As a result, the OIG noted that there was increased risk that OPM’s IT environment contained known vulnerabilities that would never be patched, and could have been exploited to allow unauthorized access to data.

In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the files related to background investigations for 21.5 million individuals. At a June 2015 Congressional hearing, OPM’s Director stated that the modernization of the IT infrastructure was critical to protecting the agency’s data from adversaries. The Director also stated that it was not feasible to implement encryption on networks that were too old, but noted that OPM was taking other steps to secure the networks.83

OPM plans to modernize System 8 by upgrading hardware at the end of life, migrating off of legacy operating systems and support software, and augmenting the agency’s established policies and procedures. In fiscal year 2018, OPM completed software and hardware upgrades, including replacement of core switches, network end points, and laptops. In fiscal year 2019, the agency plans to continue its focus on refreshing aged IT infrastructure, so that its hardware components will have the proper vendor support.

OPM developed multiple documents related to the planning of this modernization effort, including a modernization schedule, and its fiscal year 2019 budget justification. However, the modernization plans contained in these documents did not include details for the entire modernization effort. The milestones in these documents, for instance, were either no longer current or only contained milestones regarding one part of the project. While the budget justification did outline what it planned to accomplish in fiscal years 2018 and 2019, it did not mention the rest of the work needed to complete the infrastructure modernization.

Similarly, the OIG has reported concerns regarding the agency’s plans to modernize its infrastructure.84 Most recently, in June 2018, the OIG reported that OPM was generally continuing in the right direction toward modernizing its IT environment, but the OIG had concerns with the agency’s plan for modernization and its overall approach to IT modernization. For example, the OIG was concerned that OPM’s planning documents did not identify the full scope of the modernization effort or contain cost estimates for the individual initiatives or the effort as a whole. The OIG planned to monitor and continue to report on the agency’s progress in modernizing its infrastructure.

OPM anticipates realizing both financial and nonfinancial benefits with the modernization of its infrastructure. For example, as a part of its overall infrastructure modernization, the agency avoided approximately $16 million in costs as part of its data center consolidation efforts for fiscal year 2018. The agency also expects that cybersecurity and operational risks associated with end of life hardware will be reduced. To that end, the agency stated that remediating end of life hardware also should allow OPM the ability to address identified security vulnerabilities and avoid operational downtime, as support is more readily available.

82 OPM, Congressional Budget Justification and Annual Performance Plan, Fiscal Year 2019, (Washington, D.C.: February 2018).

83 OPM: Data Breach, Hearing Before the House Committee on Oversight and Government Reform, 114th Cong. (statement of Director of the Office of Personnel Management Katherine Archuleta).

84 See, for example: OPM Office of the Inspector General, Office of Audits, Management Advisory: U.S. Office of Personnel Management’s Fiscal Year 2017 IT Modernization Expenditure Plan, Report Number 4A-CI-00-18-022 (Feb. 15, 2018) and Final Management Advisory: U.S. Office of Personnel Management’s Fiscal Year 2018 IT Modernization Expenditure Plan, Report Number 4A-CI-00-18-044 (June 20, 2018).

System 9

The Small Business Administration’s (SBA) System 9 is a system that, according to the agency, provides identification, authentication, and authorization services85 for several of the agency’s applications.

Small Business Administration
Reported number of users: Approximately 274,000
Initial year of implementation: 2002
System hardware under warranty? No
Software vendor supported? No
Operating system(s) supported? No
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): Moderately high
Reported annual operating costs: $62,000
Reported annual labor costs: $214,600
Reported cost of modernization: $750,000
Potential cost savings: None
Other benefits: Increased security and stability of the system
Status of modernization plans: Agency has a documented modernization plan that includes milestones to complete the modernization and plans for the disposition of the legacy system following system modernization; however, it does not include a description of the work necessary to complete the modernization
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

According to the agency, the system was developed by SBA and originally implemented in 2002. Agency officials stated that System 9’s hardware and software are no longer supported by the associated vendors. Consequently, according to the agency, it is paying for extended support contracts that have increased operating costs for the system. Further, agency officials stated that the system resides on a platform that is scheduled to be decommissioned within the next year. In addition, the system is coded using a programming language that the agency considers to be a legacy programming language (among others).

The agency’s documented modernization plan includes milestones to complete the modernization and plans for the disposition of the legacy system following system modernization; however, the plan does not include a description of the work necessary to complete the modernization. However, agency officials stated that the agency intends to replace the system’s functionality with login.gov. Login.gov was developed and is maintained by the General Services Administration as a single sign-on trusted identity platform.86 Login.gov provides identification and authentication for applications and is intended to offer the public secure and private online access to participating government programs. However, according to the agency, since login.gov does not provide authorization controls, SBA intends to develop additional software to provide authorization controls beginning in March 2019.

According to the agency, it does not anticipate any cost benefits from modernizing System 9. However, the agency expects that the security and stability of the system will increase.

85 Agencies design and implement access controls to provide assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals. These controls protect computer resources from unauthorized use, modification, disclosure, and loss by limiting, preventing or detecting inappropriate access to them. Two of these control areas are identification and authentication, and authorization. Identification and authentication controls allow a computer system to identify and authenticate different users so that activities on the system can be linked to specific individuals. Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file.

86 Single sign-on reduces the burden of multiple passwords. It is intended to increase security of the data and systems and compliance with federal information technology policies and best practices.

System 10

The Social Security Administration’s (SSA) System 10 supports the provision of particular Social Security benefits to eligible people. Currently, SSA collects detailed information from the recipients in person, by telephone, and via the internet on multiple platforms (e.g., desktops and hand-held devices), and from internal and external interface methods. System 10 is comprised of many applications that collect information, make payments, and communicate with SSA’s clients.

According to SSA’s October 2017 information technology modernization plan, the agency needed to modernize its core systems, including System 10, because of complications related to their age and original system design.87 SSA’s modernization plan indicates that, since implementation, these systems had been subjected to constant modifications to incorporate changes in legislation, regulations, and policy. Through the years, new technologies and capabilities had been integrated into the core systems and delivering new capabilities was becoming exorbitantly expensive.

Social Security Administration
Reported number of users: Over 30,000
Initial year of implementation: 1974
System hardware under warranty? Yes
Software vendor supported? Yes
Operating system(s) supported? Yes
Legacy programming language(s) used? Yes
System criticality (as determined by agency): High
System security risk (as determined by agency): Moderate
Reported annual operating costs: $139.2 million [a]
Reported annual labor costs: $6.7 million
Reported cost of modernization: $24.6 million (from fiscal year 2017 to 2022)
Potential cost savings: Approximately $4 million per year from fiscal year 2019 through fiscal year 2027 [a]
Other benefits: Better access to beneficiary data, faster and more efficient claim processing, reduced need for manual data entry, and lower number of improper payments, among others
Status of modernization plans: Agency has documented plans that contain milestones that partially cover the modernization effort and partially describe the work necessary to modernize the system; however, they do not contain plans for the disposition of legacy system components following system modernization
Note: [a] The agency was unable to isolate the operating costs or potential cost savings for this system. The figures presented are the costs and potential savings for all of the systems operating in the mainframe environment.
Source: GAO analysis of agency documentation and interviews. | GAO-19-471.

87 Social Security Administration, IT Modernization: A Business and IT Journey (Baltimore, MD: Oct. 2017).

Further, most of the agency’s systems, including System 10, are generally unconnected to each other, creating functional silos servicing independent lines of business. According to the agency, navigating these systems is challenging, and copying beneficiary data from system to system can result in data becoming out of sync. According to the agency’s modernization plan, SSA intends to replace its core systems, including System 10, with new components and platforms, engineered for usability, interoperability, and future adaptability. Work accomplished over several years of incremental modernization has already resulted in moving a substantial portion of System 10 away from old technologies.


For instance, according to SSA officials in the Office of the Deputy Commissioner, Systems, SSA moved System 10 to a modern, relational database platform and modernized aspects of the user interface.88 According to an SSA 5-year modernization roadmap, the agency is currently working to modernize and create web services as a part of the effort to consolidate SSA’s initial claims processes; however, the roadmap does not offer specific information about these efforts. As for its modernization planning efforts, SSA’s plans include overall modernization goals, a high-level overview of the planned system architecture, milestones for fiscal year 2018, and a description of the work that it had planned to accomplish in fiscal year 2018. However, the plans do not include either System 10-specific milestones or a description of the work necessary to modernize the legacy system beyond fiscal year 2018. Further, the document does not include plans for the disposition of the legacy system after modernization. According to officials in the Office of the Deputy Commissioner, Systems, the agency will update the planning documentation and make further decisions as the modernization effort progresses. SSA expects that modernizing System 10 will result in cost savings in addition to many other benefits. For instance, the agency expects that it will be able to save approximately $38 million from modernizing System 10 and other systems running in the agency’s mainframe environment. In addition, increased staff access to benefit recipients’ data will enable staff to review medical evidence faster and process claims more accurately, among other things. According to the agency’s modernization plan, the improvements to the system should improve productivity and service to the public, as well as reduce the number of improper payments due to technician error.

88 A relational database is a system that allows users to store data in and retrieve data from linked databases that are perceived as a collection of relations or tables.

APPENDIX IV: COMMENTS FROM THE DEPARTMENT OF EDUCATION

APPENDIX V: COMMENTS FROM THE DEPARTMENT OF HEALTH AND HUMAN SERVICES

APPENDIX VI: COMMENTS FROM THE DEPARTMENT OF HOMELAND SECURITY

APPENDIX VII: COMMENTS FROM THE INTERNAL REVENUE SERVICE

APPENDIX VIII: COMMENTS FROM THE OFFICE OF PERSONNEL MANAGEMENT

APPENDIX IX: COMMENTS FROM THE SMALL BUSINESS ADMINISTRATION

APPENDIX X: COMMENTS FROM THE SOCIAL SECURITY ADMINISTRATION

APPENDIX XI: COMMENTS FROM THE DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

APPENDIX XII: COMMENTS FROM THE U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT
