Social Security Administration:
Effective Information Technology Management Essential for Data Center Initiative
GAO-09-662T: Published: Apr 28, 2009. Publicly Released: Apr 28, 2009.
The American Recovery and Reinvestment Act of 2009 (Recovery Act) provides resources to the Social Security Administration (SSA) to help replace its National Computer Center. This data center, which is 30 years old, houses the backbone of the agency's automated operations, which are critical to providing benefits to nearly 55 million people, issuing Social Security cards, and maintaining earnings records. The act makes $500 million available to SSA for the replacement of its National Computer Center and associated information technology (IT) costs. In this testimony, GAO was asked to comment on key IT management capabilities that will be important to the success of SSA's data center initiative. To do so, GAO relied on previously published products, including frameworks that it has developed for analyzing IT management areas. GAO has not performed a detailed examination of SSA's plans for this initiative, so it is not commenting on the agency's progress or making recommendations.
For an effort as central to SSA's mission as its planned new data center, effective practices in key IT management areas are essential. For example: (1) Effective strategic planning helps an agency set priorities and decide how best to coordinate activities to achieve its goals. For example, a strategic plan identifying interdependencies among modernization project activities helps ensure that these are understood and managed, so that projects--and thus system solutions--are effectively integrated. Given that the new data center is to form the backbone of SSA's automated operations, it is important that the agency identify goals, resources, and dependencies in the context of its strategic vision. (2) An agency's enterprise architecture describes both its operations and the technology used to carry them out. A blueprint for organizational change, an architecture is defined in models that describe (in business and technology terms) an entity's current operation and planned future operation, as well as a plan for transitioning from one to the other. An enterprise architecture can help optimize SSA's data center initiative by ensuring that its planning and implementation take full account of the business and technology environment. (3) For IT investment management, an agency should follow a portfoliobased approach in which investments are selected, controlled, and monitored from an agencywide perspective. By helping to allocate resources effectively, robust investment management processes can help SSA meet the accountability requirements and align with the goals of the Recovery Act. For example, projects funded under the act are to avoid unnecessary delays and cost overruns and are to achieve specific program outcomes. Investment management is aimed at precisely such goals: for example, accurate cost estimating (an important aspect of investment management) provides a sound basis for establishing a baseline to formulate budgets and measure program performance. Further, the act emphasizes energy efficiency--also a major concern for data centers, which have high power and cooling requirements. Investment management tools are important for evaluating the most cost-effective approaches to energy efficiency. (4) Finally, information security should be considered throughout the planning, development, and implementation of the data center. Security is vital for any organization that depends on information systems and networks to carry out its mission--especially for government agencies like SSA, where maintaining the public's trust is essential. One part of information security management is contingency and continuity of operations planning--vital for a data center that is to be the backbone of SSA's operations and service delivery. Data centers are vulnerable to a variety of service disruptions, including accidental file deletions, network failures, systems malfunctions, and disasters. Accordingly, it is necessary to define plans governing how information will be processed, retrieved, and protected in the event of minor interruptions or a full-blown disaster. These capabilities will be important in helping to ensure that SSA's data center effort is successful and effectively uses Recovery Act funds.