Information Technology: FDA Needs to Fully Implement Key Management Practices to Lessen Modernization Risks
Highlights
What GAO Found
While FDA has taken several important steps toward modernizing its IT environment, much remains to be done. FDA reported spending about $400 million for IT investments in fiscal year 2011; however, the agency currently lacks a comprehensive IT inventory that identifies and provides key information about the systems it uses and is developing. Office of Management and Budget (OMB) and GAO guidance call for federal agencies to maintain such an inventory in order to monitor and manage their IT investments. This inventory should include information on each system, such as costs, functionality or purpose, and status. However, FDA does not have such a comprehensive list of its systems. Instead, the agency points to budget documents required by OMB, which included information on 44 IT investments for fiscal year 2011. The agency also provided a partial list of 21 mission-critical systems and modernization initiatives. Nonetheless, agency officials acknowledged that these documents do not identify all FDA’s systems or the complete costs, purpose, or status of each system. Until the agency has a complete and comprehensive inventory, it will lack critical information needed to effectively assess its IT portfolio.
Much work remains on FDA’s largest and costliest system modernization effort—the Mission Accomplishments and Regulatory Compliance Services program. This program is estimated to cost about $280 million and is intended to enhance existing applications and develop new systems that provide information for inspections, compliance activities, and laboratory operations. However, much of the planned functionality has not been delivered and its completion is uncertain. Moreover, the program lacks an integrated master schedule identifying all the work activities that need to be performed and their interdependencies. FDA’s Chief Information Officer (CIO) stated that the agency is reevaluating the scope of the initiative. As a result, it is uncertain when or if FDA will meet its goals of replacing key legacy systems and providing modernized functionality to support its mission. In addition, FDA has not yet fully implemented key IT management capabilities essential for successful modernization, as previously recommended by GAO. These include developing an actionable IT strategic plan, developing an enterprise architecture to guide its modernization effort, and assessing its IT human capital needs. This is due in part to the fact that FDA’s IT management structure has been in flux. Since 2008, the agency has had five CIOs, hampering its ability to plan and effectively implement a long-range IT strategy. While the agency recently hired a CIO, without stable leadership and capabilities, the success of FDA’s modernization efforts is in jeopardy.
The agency currently has initiatives under way to improve its data sharing with internal and external partners, including adoption of an enterprisewide standard for formatting data and several projects aimed at enhancing its ability to share data. Effective data sharing is essential to its review and approval process, inspection of imports and manufacturing facilities, and tracking of contaminated products. However, these projects have made mixed progress, and significant work remains for FDA to fully implement standardized data sharing. Further, FDA’s Center for Food Safety and Applied Nutrition has not comprehensively assessed information-sharing needs to ensure that its systems and databases are organized for effective information sharing. This is needed to help ensure more efficient access to and sharing of key information supporting its mission.
Why GAO Did This Study
The Food and Drug Administration (FDA), an agency within the Department of Health and Human Services (HHS), relies heavily on information technology (IT) to carry out its mission of ensuring the safety and effectiveness of regulated consumer products. Specifically, IT systems are critical to FDA’s product review, adverse event reporting, and compliance activities. Recognizing limitations in its IT capabilities, the agency has undertaken various initiatives to modernize its systems. GAO was asked to (1) assess FDA’s current portfolio of IT systems, including the number of systems in use and under development, and their purpose and costs; (2) assess the status and effectiveness of FDA's efforts to modernize the mission-critical systems that support its regulatory programs; and (3) examine the agency's progress in effectively integrating and sharing data among key systems. To do this, GAO reviewed information on key FDA systems and interviewed agency officials to determine the status of systems and the effectiveness of key IT management practices, as well as data sharing among key systems.
Recommendations
GAO is recommending that FDA develop a comprehensive inventory of its IT systems, develop an integrated master schedule for a major modernization effort, and assess information needs to identify opportunities for greater sharing. In commenting on a draft of this report, HHS neither agreed nor disagreed with the recommendations but stated that FDA has taken actions to address many of the issues in the report.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Food and Drug Administration | To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to take immediate steps to identify all of FDA's IT systems and develop an inventory that includes information describing each system, such as costs, system function or purpose, and status information, and incorporate use of the system portfolio into the agency's IT investment management process. |
In March 2012 , we reported that the Food and Drug Administration (FDA) did not have a comprehensive inventory of its systems that provided critical information needed to effectively assess its information technology (IT) portfolio , such as the cost, function, purpose, and status of each system in use by the agency. Such an assessment is needed to ensure that agencies develop and implement systems that provide capabilities to support business needs and priorities. Accordingly, we recommended that the agency take immediate steps to identify all of its IT systems and develop an inventory that includes the detailed information needed to describe each system, then incorporate use of the inventory into the agency's IT investment management process. In response to our recommendation, the agency developed a comprehensive system inventory, which included the critical information identified in our recommendation. Specifically, the inventory, which FDA provided to us in May 2015, identified the key IT systems in use by the agency and their related costs, functions, purpose, and status, including whether the systems were being developed or operated and maintained, and the effective date the system became operational. In June 2015, the agency issued a procedure for maintaining the inventory, which will help ensure that the agency consistently updates the inventory. Further, the agency incorporated use of the inventory into its IT investment management process. For example, we reported in December 2015 that agency had demonstrated how they use the inventory to evaluate systems that may need modifications, identify system retirement dates, and develop a capabilities-based IT investment portfolio that maps the functionality provided by each systems to specific business needs of the agency. By taking these actions, FDA will have the information needed to more effectively assess its IT portfolio and ensure that it is investing in IT systems that provide the capabilities needed to meet agencywide needs and priorities.
|
| Food and Drug Administration | To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies. |
According to FDA officials, the agency conducted a review of the Mission Accomplishments and Regulatory Compliance Services (MARCS) program in September 2020 to assess its progress towards modernizing its systems. FDA recognized several issues within the program and, after management review, decided to halt further work on the MARCS program. Instead, the agency initiated two other programs, the System for Inspections, Recalls, Compliance and Enforcement (SIRCE) and FDA Import Operations (IMPORTS) where certain legacy components, such as data sharing services, have been decommissioned. As a result of the MARCS program being discontinued, we are closing this recommendation as not implemented. However, according to FDA, the agency has adopted a methodology and implemented an integrated master schedule for SIRCE and IMPORTS that includes GAO's best practices for scheduling management. While SIRCE and IMPORTS was not included in our 2012 review, including GAO best practices for scheduling management in modernization efforts is a positive step in ensuring their success.
|
| Food and Drug Administration | To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to monitor progress of MARCS against the integrated master schedule IMS. |
In 2018, we confirmed that FDA, in response to our recommendation, monitored progress of MARCS against the IMS. More specifically, FDA created a scorecard and schedule health check criteria and used these to assess the health of multiple schedules related to the MARCS program. According to FDA, the staff conducting the assessment shared and discussed the results of the schedule assessments and needed schedule improvements with appropriate management. As a result of this action, FDA is better positioned to gauge progress on the entire project and evaluate the effect of changes to individual tasks on the project as a whole.
|
| Food and Drug Administration | To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to assess information-sharing needs and capabilities of the Center for Food Safety and Applied Nutrition (CFSAN) to identify potential areas of improvements needed to achieve more efficient information sharing among databases and develop a plan for implementing these improvements. |
In commenting on the report, the Department of Health and Human Services neither agreed nor disagreed with our recommendations. In responding to this recommendation, FDA officials provided plans for determining information sharing needs for the Center for Food Safety and Applied Nutrition, including the Office of Foods and Veterinary Medicine Data Management Strategy and Roadmap and the Food Safety and Modernization Act Information Technology Roadmap. These roadmaps include assessments of areas needing information sharing improvements, identify databases that store the information, and include steps and milestones for making improvements to capabilities for sharing information among the databases. By implementing these plans, FDA should be better positioned to ensure more efficient access to and sharing of key information supporting its mission, thus improving the outcomes of the agency's modernization efforts.
|