
Information Technology Management: Social Security Administration Practices Can Be Improved

GAO-01-961 Published: Aug 21, 2001. Publicly Released: Sep 20, 2001.

Highlights

The Social Security Administration (SSA) needs to identify strengths and weaknesses within its agencywide operational and managerial capabilities to enable the delivery of high-quality customer service in the face of increases both in workloads and in the number of retirements from its experienced workforce. Evaluating SSA's management of information technology (IT) is critical to assessing whether the agency is adequately addressing these capabilities. This report reviews SSA's IT policies, procedures, and practices in the following five areas: investment management, enterprise architecture, software acquisition and development, information security, and human capital. GAO found that SSA had many important IT management policies and procedures in place in each of these five key areas but did not always implement them consistently. In some areas, SSA had not established key policies, procedures, or practices essential to ensure that its IT was effectively managed. GAO found weaknesses in all five key areas of IT management--particularly in investment management and human capital management.

Recommendations

Recommendations for Executive Action

Agency Affected / Recommendation / Status
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the Chief Information Officer (CIO) and the Deputy Commissioner for Systems to, in the investment management area, develop and implement a process guide that establishes the policies, procedures, and key criteria for conducting the IT investment management process and guiding executive staff operations.
Closed – Implemented
SSA agreed with this recommendation and developed an Information Technology (IT) Capital Planning and Investment Control (CPIC) process guide that was presented to the CIO-chaired Information Technology Advisory Board (ITAB) in April 2003. The guide describes the select, control, and evaluate phases of SSA's IT investment management process. Our review of the guide determined that it documents the policies, procedures, and key criteria for SSA's IT investment management process and related executive staff operations.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, develop and maintain selection criteria that include explicit cost, benefit, schedule, and risk criteria to facilitate the objective analysis, comparison, prioritization, and selection of IT investments.
Closed – Implemented
SSA agreed with this recommendation. SSA's information technology (IT) investment management and budget documentation identifies predefined selection criteria that include: (1) support of an agency strategic goal; (2) expected project cost, schedule, benefit, and performance outcomes; (3) summary of accomplishments to date (including studies, pilots, or related procurement awards made or scheduled to be made); and (4) current cost-benefit analysis or return-on-investment data (including identification of risks). The agency's Capital Planning and Investment Control process guide specifically states that an analysis of costs and benefits should be prepared for IT projects and updated throughout their life cycle. Also, as part of SSA's budget call, the Office of Systems distributes instructions throughout the agency that include criteria for reporting cost, benefit, schedule, and risk information for IT projects. The instructions require agency components to describe how project performance will be measured and reported; the planned system's life and the strategy for refreshment and replacement of supporting technology; and a summary of accomplishments to date, including studies, pilots, or related procurement awards made or scheduled to be made. Collectively, these IT investment selection criteria should facilitate objective analyses, comparisons, prioritizations, and selections of SSA's IT investments.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, analyze and prioritize all IT investments based on the predefined selection criteria and make selection decisions according to the established process.
Closed – Implemented
SSA agreed with GAO's recommendation, and in response established guidance that requires executive-level officials to prioritize IT investments based on predefined criteria such as costs, benefits, schedule, and risks. Further, the agency's Capital Planning and Investment Control process guide specifically states that an analysis of costs and benefits should be prepared for IT projects and updated throughout their life cycle. SSA also implemented a selection and prioritization methodology (Strategic Objective Portfolio Methodology) that it believes is conducive to achieving success in budget and performance integration. For example, SSA reported that this methodology brings to IT strategic meetings a lead portfolio manager, the customer, the developer, and the planner. The meeting results in a prioritized list of requirements that will compete for funding in SSA's Information Technology Advisory Board process based on the agency's selection criteria.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, establish and annually review cost, benefit, schedule, and risk life-cycle expectations for each selected investment.
Closed – Implemented
SSA agreed with this recommendation, and according to its Capital Planning and Investment Control process guide, agency executives are to regularly monitor the progress of ongoing IT projects against projected cost, schedule, and performance (including delivered benefits). SSA stated that IT investments are reviewed and managed in monthly Office of Systems project reviews, CIO milestone reviews, and, on an exception basis, CIO-directed in-process reviews. In addition, IT investments are monitored in quarterly meetings of the CIO-chaired Information Technology Advisory Board.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, revise the IT oversight process so that the executive staff oversees the comparison of actual cost, benefit, schedule, and risk data with original estimates for all investments to determine whether they are proceeding as expected, and if not, to take corrective actions as appropriate.
Closed – Implemented
SSA agreed with this recommendation. According to the agency, its CIO-chaired, executive-level Information Technology Advisory Board (ITAB) is charged with overseeing IT projects, including comparing actual cost, benefit, schedule, and risk data with original estimates to determine whether the projects are proceeding as expected or require corrective action. This includes approving IT projects prior to the beginning of the fiscal year. Further, on a quarterly basis, the ITAB reviews the progress of each IT project and the capital investments that have been agreed to. SSA stated that when projects are not proceeding as planned, the CIO involves appropriate members of the ITAB to determine the reasons for the problems and to take corrective action such as redirecting or terminating the project when necessary.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, regularly perform post-implementation reviews of IT investments and develop lessons learned from the process.
Closed – Implemented
SSA agreed with this recommendation and has outlined in its Capital Planning and Investment Control (CPIC) process guide the major activities required for a post-implementation review (PIR). The guide states, for example, that a PIR normally is to be conducted 3 to 12 months after the system becomes operational to validate estimated benefits and costs. In addition, the guide states that the PIR is to document lessons learned and provide insights to improve the evaluation phase, as well as decision making and oversight in the selection and control phases of the IT CPIC process. SSA performed a PIR of its Intelligent Work Station/Local Area Network (IWS/LAN) initiative. The agency also has recently taken steps such as capturing baseline information to perform a PIR of its electronic disability system initiative.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, develop, manage, and regularly evaluate the performance of a comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules, and risks) for all IT investments.
Closed – Implemented
SSA agreed with this recommendation. The Capital Planning and Investment Control process guide states that the SSA Information Technology Advisory Board is to develop, manage, and regularly (on a quarterly basis) evaluate the performance of SSA's comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules and risk) for all IT investments. In addition, according to SSA, agency IT investments are reviewed and managed in monthly Office of Systems project reviews and CIO milestone reviews.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the investment management area, implement investment process benchmarking so that measurable improvements may be made to agency IT investment management processes based on those used by best-in-class organizations.
Closed – Implemented
SSA agreed with GAO's recommendation and reported that, on a continuing basis, the agency reviews assessments of capital planning and investment control processes in other agencies to learn about problematic activities and best practices related to benchmarking. SSA also stated that it performs benchmarking on an ad hoc basis, when the agency believes that it is needed and practical. For example, SSA performed a total cost of ownership (TCO) analysis for its desktop computing environment that benchmarked the TCO experienced in other organizations to assist SSA in making an investment decision in this area. It also reported that it participated in benchmarking activities through discussions with other agencies concerning their implementation of Electronic-Capital Planning and Investment Control (e-CPIC).
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the enterprise architecture area, establish milestones for and complete key elements of SSA's enterprisewide architecture, including (1) finalizing its framework, (2) updating and organizing its architectures and architecture definitions under the framework, and (3) reflecting its future service delivery vision and e-business goals.
Closed – Implemented
SSA agreed with this recommendation. Over the past several years, SSA has completed key elements of its enterprise-wide architecture, including an enterprise-wide architecture framework. Specifically, SSA developed an enterprise information technology architecture (EITA) framework, which provides a structure for organizing the products that describe existing and future SSA architectures. The framework also identifies (1) the strategic information assets that define SSA's business processes; (2) the information necessary to operate these processes; (3) the technologies needed to support business operations; and (4) the transition process for implementing new technologies in response to the changing needs of SSA. As with the Federal Enterprise Architecture Framework, SSA's EITA framework defines three general categories of architecture--data, applications, and infrastructure. SSA also documented its current architectures in the areas of business process, application, data, and infrastructure, and its targeted application architecture. In addition, SSA reflected its future service delivery and e-business goals in its EITA Application Architecture document. SSA's EITA goals and initiatives supporting future service delivery goals include: (1) increasing programmatic automation; (2) developing an administrative business architecture; (3) incorporating enhanced system security technology; (4) providing multi-tiered workload control capabilities; and (5) supporting paperless processing. The e-business goal focuses on providing automated client self-help capabilities such as developing an Internet-based input channel that allows SSA clientele to deal directly with the agency's systems for programmatic transactions.
Further, in an effort to continuously improve its enterprise architecture, SSA reported that it has implemented an independent verification and validation process for a third-party subject matter expert to review its entire enterprise architecture for completeness, conformance with OMB requirements, and level of maturity. As a result of these actions, SSA now has procedures in place to help effectively guide and constrain the development and evolution of its information systems.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the enterprise architecture area, effectively implement change management and legacy system integration policies, procedures, and processes across the agency, and set target dates for full implementation of these maintenance processes.
Closed – Implemented
SSA agreed with this recommendation. SSA established an Enterprise Information Technology Architecture (EITA) change management control process which applies to the technology infrastructure, application, and data components of its EITA. SSA also stated that its legacy systems are fully integrated with its EITA. The legacy systems are described in the agency's EITA within the context of the agency's infrastructure, data, and application architecture processes that include target architectures. In addition, SSA established a transition strategy for its EITA, which describes the agency's strategy for migrating from the existing IT architecture, including legacy systems, to the target enterprise architecture.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the area of software development, consistently apply the requirements management, project planning, project tracking and oversight, quality assurance, and configuration management policies and procedures developed by the software process improvement program across all software development efforts.
Closed – Implemented
In order to ensure that its Software Process Improvement (SPI) policies and procedures are consistently followed, the Social Security Administration's (SSA) Office of Systems developed a systems development, delivery, and support policy. This policy requires that all priority software development efforts adhere to its project management directive, which addresses the key software development process areas, including requirements management, project planning, project tracking and oversight, quality assurance, and configuration management. In addition, the Office of Systems acquired 18 information technology specialists to serve as process consultants to priority software development efforts. Among other tasks, these individuals are responsible for ensuring that software development project managers follow SPI-compliant practices and that any deviations or non-compliance are identified and reported.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the enterprise architecture area, develop and implement a procedure to grant waivers to software development projects when deviations from policies and procedures occur.
Closed – Implemented
In June 2001, SSA's Office of Systems implemented a procedure for granting waivers to deviate from the Software Process Improvement (SPI) project management directive, which includes procedures for software development. Once a project manager develops a waiver, it is forwarded to the SPI office for review. If the SPI office determines that the waiver should be considered, it then forwards the waiver to the Deputy Commissioner for Systems and the Assistant Deputy Commissioner for Systems for their review. The waiver is not granted until it receives final approval from the Deputy Commissioner or Assistant Deputy Commissioner for Systems.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the information security area, strengthen the entitywide security framework by completing policy/risk models and technical system standards (security settings) for SSA's major systems platforms.
Closed – Implemented
SSA strengthened its entity-wide security framework by completing policy/risk models and technical system standards (security settings) for its major systems platforms. PricewaterhouseCoopers LLP audited SSA's systems of accounting and internal controls and reported that SSA had established and published technical security configuration standards (policy/risks models and technical standards) for its major platforms, including NT, Unix, AS 400, and SSA's firewall servers.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the information security area, develop monitoring techniques and corrective actions for noncompliance for the major systems platforms.
Closed – Implemented
SSA agreed with this recommendation and implemented actions to enhance its ability to effectively monitor and provide corrective actions for noncompliance with its technical system standards and risk policy models for major platforms. An independent audit of SSA's internal controls determined that SSA had developed procedures to support the monitoring and compliance aspects of the technical system standards for its major platforms, including the Windows NT, Windows 2000, AS 400, and WANG platforms. In addition, SSA implemented new tools to monitor adherence to platform security configuration standards for these platforms. Each platform is monitored periodically to ensure that administrators are adhering to the risk models and related technical system standards. In addition, SSA implemented corrective action procedures to address instances of noncompliance with its major platforms' security configuration standards, including the establishment of a team of network experts to perform corrective actions for noncompliance issues. As a result of these actions, SSA improved its ability to provide effective oversight and evaluation of information security related to its major platforms and to perform corrective actions for noncompliance with its platforms' security configuration standards.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the information security area, use the platform security settings to strengthen security for each application utilizing these platforms.
Closed – Implemented
SSA agreed with this recommendation, and in response, developed policy/risk models and technical system standard settings for its major system platforms. The policy/risk models protect the operating system from intrusion or the unauthorized escalation of system privileges. The security settings define the profiles for user access to applications or transactions within the applications, thus strengthening the security for the application utilizing the platform. SSA also developed and implemented new tools and procedures to monitor adherence to its major platforms' technical system standards, as well as procedures for corrective actions for noncompliance with these standards. As a result, SSA now has the necessary guidance and controls to provide effective oversight and evaluation of information security related to these platforms, including improved security for the applications utilizing the platforms.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, complete an assessment of the Office of Systems' current and future IT knowledge and skill needs.
Closed – Implemented
SSA agreed with this recommendation. In June 2003, the agency completed an assessment of its Office of Systems' current and future information technology (IT) knowledge and skills needs. As a result of this assessment, SSA managers included data in the agency's online skills inventory reflecting the competencies, skills, and retirement eligibility for approximately 2,300 IT specialists.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, develop and maintain an inventory of the Office of Systems' current IT staff's knowledge and skills.
Closed – Implemented
SSA agreed with this recommendation, and developed an online Skills Inventory Planning System (SIPS). The SIPS has been used to capture information on the competencies and skills of technical employees in SSA's Office of Systems, collect information on future skill needs, perform a gap analysis between current skills and future skills requirements on which to develop IT workforce planning strategies, track skills lost to potential retirements, and support the Office of System's human capital strategy.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, determine whether a gap exists between current and future IT staff requirements and current staffing.
Closed – Implemented
SSA agreed with this recommendation, and in June 2003, it performed a gap analysis between its current and future information technology staff requirements. The gap analysis is being used in the agency's Office of Systems workforce strategies and planning efforts, including project allocations, human capital resource allocations, training, recruitment, retention, and reassessment of the Office of Systems organization. SSA plans to conduct a skills inventory and gap analysis annually.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, implement workforce strategies that support the results of this gap analysis.
Closed – Implemented
SSA agreed with this recommendation, and using its online Skills Inventory Planning System, the agency identified and assessed its current and future information technology (IT) staff skills and requirements, and performed a related gap analysis. SSA subsequently developed an IT workforce strategic plan that provides the framework for linking workforce strategies and planning to the findings of the gap analysis. Further, SSA established an oversight committee to identify steps for developing a strategy to integrate skill gap issues with its human capital planning efforts. The committee identified specific areas that linked skill gaps to budget, recruitment, and training strategies. In addition, the findings of the gap analysis are used to periodically update SSA's IT recruitment plan.
Social Security Administration To improve SSA's IT management practices, the Acting Commissioner of Social Security should direct the CIO and the Deputy Commissioner for Systems to, in the human capital area, analyze and document the effectiveness of its strategies for recruiting, training, and retaining IT personnel, and use these results to continuously improve its IT human capital strategies.
Closed – Implemented
SSA agreed with this recommendation. Relying on its online Skills Inventory Planning System and a gap analysis of its current and future IT staff requirements, SSA developed an IT Workforce Strategic Plan. The plan links workforce strategies to the Agency Strategic Plan and information resources management (IRM) strategies. SSA documented the effectiveness of its strategies for recruiting, training, and retaining IT staff in its IT Workforce Strategic Plan and in the Office of Systems 2004 Strategic Recruitment and Retention Plan. Using the information that the skills survey provided, SSA's Office of Systems has targeted hiring employees with the skills to match requirements defined in its gap analysis and in support of its Agency Strategic goals and IRM strategies. As a result of these actions, SSA senior decisionmakers will have assurance that they are effectively addressing IT knowledge and skill gaps in support of its strategic goals and IRM strategies.


Topics

Computer security, Enterprise architecture, Information security, Information technology, IT acquisitions, Personnel management, Software, Systems design, IT policies, IT investments