Information Technology: FDA Has Taken Steps to Address Challenges but Needs a Comprehensive Strategic Plan
Highlights
What GAO Found
As of September 2015, the Food and Drug Administration (FDA), an agency within the Department of Health and Human Services (HHS), had developed and released a new information technology (IT) strategic plan, entitled Information Technology Strategic Plan, Version 1.0 . The plan, according to the agency's Chief Information Officer (CIO), was developed to help FDA's Office of Information Management and Technology (OIMT) address business challenges facing the agency through the implementation of IT. The plan describes the current state of the agency's IT environment, along with OIMT's mission, vision, and the objectives of three strategic themes—quality service, security, and efficiency. The plan also defines performance measures and initiatives intended to support the office's strategic themes.
Nevertheless, the plan lacks key elements that GAO previously recommended be included in a comprehensive strategy to align with the agency-wide mission and goals, and allow the plan to be used for managing IT investments to more effectively address business challenges. For example, FDA's IT strategic plan does not align with strategic priorities and goals that the agency defined for 2014 through 2018. Further, it does not identify results-oriented goals and performance measures and milestones, or targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; strategies that the governing IT organization will use to support agency-wide goals and objectives; and key IT initiatives and interdependencies to be managed. The agency's CIO stated that this version of the strategic plan was developed to address challenges related to processes, technologies, roles, functions, and capabilities for improving the operations of OIMT, which has the responsibility for managing IT. However, FDA has not yet defined schedules or milestones for managing and completing the development and implementation of future versions of the plan that would reflect actions intended to address the agency-wide mission and goals. Until FDA incorporates these key elements of comprehensive IT strategic planning into its plan and fully implements the plan, it will lack critical information needed to align information resources with business strategies and investment decisions, and be hindered in determining whether outcomes of its IT initiatives are succeeding in supporting agency-wide goals.
FDA has made progress in implementing GAO's prior IT-related recommendations. Although it has not yet developed a comprehensive IT strategic plan, the agency has improved enterprise architecture development and IT human capital planning by implementing four of nine prior recommendations. FDA implemented two recommendations to develop an IT systems inventory that can be used to help manage IT investments and to improve information-sharing capabilities of one of its centers, and took steps toward implementing the remaining two recommendations related to improvements in scheduling and monitoring progress of a key IT modernization initiative. However, the agency did not complete all actions needed to implement these two recommendations. Specifically, it did not develop project schedules or conduct IT project monitoring in accordance with best practices. FDA's continued efforts to implement the remaining recommendations are critical to assuring that the agency's ability to manage IT investments and resources will meet its overall mission and goals.
Why GAO Did This Study
IT systems are critical to FDA's ability to achieve its mission. GAO previously reported on limitations in a number of FDA's key IT areas, including data availability and quality, information infrastructure, the ability to use technology to improve regulatory effectiveness, and investment management. GAO recommended FDA take actions to address these limitations, including the development of a comprehensive IT strategic plan to provide direction for modernizing the agency's IT environment.
The Food and Drug Administration Safety and Innovation Act of 2012 included a provision for GAO to report on FDA's progress regarding an IT strategic plan and implementation of GAO's prior recommendations. This report provides an assessment of the (1) status of FDA's efforts to develop and implement an IT strategic plan that includes results-oriented goals, activities, milestones, and performance measures; and (2) extent to which FDA has addressed GAO's prior IT-related recommendations.
To do so, GAO assessed the agency's 2015 IT strategic plan against best practices for IT management. GAO also reviewed supporting documents regarding FDA's actions on prior recommendations.
Recommendations
GAO recommends that FDA define schedules and milestones for incorporating into its IT strategic plan elements that align with the agency's mission and business strategies, and fully implement the plan. HHS agreed with the recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Food and Drug Administration | To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to establish schedules and milestones for completing a version of an IT strategic plan that incorporates elements to align the plan's strategies with agency-wide priorities; includes results-oriented goals and performance measures that support the agency's mission, along with targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; identifies key IT initiatives that support the agency's goals; and describes interdependencies among the initiatives. |
In December 2015, we reported that the Food and Drug Administration (FDA) within the Department of Health and Human Services (HHS) had developed and released a new information technology (IT) strategic plan. The plan, according to the agency's Chief Information Officer (CIO), was developed to help FDA's Office of Information Management and Technology (OIMT) address business challenges facing the agency through the implementation of IT. However, the plan lacked key elements that GAO previously recommended be included in a comprehensive strategy to align with the agency-wide mission and goals, and allow the plan to be used for managing IT investments to more effectively address business challenges. For example, FDA's IT strategic plan did not align with strategic priorities and goals that the agency defined for 2014 through 2018. In addition, it did not identify results-oriented goals and performance measures and milestones, or targets for measuring the extent to which outcomes of IT initiatives support FDA's ability to achieve agency-wide goals and objectives; strategies that the governing IT organization would use to support agency-wide goals and objectives; and key IT initiatives and interdependencies to be managed. Further, we reported that FDA had not defined schedules or milestones for managing and completing the development and implementation of future versions of the plan that would reflect actions intended to address the agency-wide mission and goals. To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, we recommended that the Commissioner of FDA require the CIO to define schedules and milestones for incorporating into its IT strategic plan elements that align with the agency's mission and business strategies, and fully implement the plan. In response to our recommendation, FDA's CIO updated its IT strategic plan in 2016 and incorporated elements to align the plan's strategies with agency-wide priorities to be achieved through 2018. Specifically, the plan included result-oriented goals and performance measures that supported the agency's mission. For example, in order to support FDA's mission of promoting and protecting the public health more securely and efficiently, one of the result-oriented goals defined in the IT strategic plan was to ensure that the security, reliability, and accuracy of the agency's systems. To measure progress toward achieving this goal, FDA targeted outcomes of IT initiatives to meet 100% compliance of key regulations and mandates by the end of fiscal year 2018. The plan also identifies key IT initiatives that support the agency's goals and describes the interdependencies among these initiatives. For example, the plan includes a matrix that identifies the initiatives and maps them to FDA goals and objectives. For example, FDA's IT initiative, "enhancing cybersecurity compliance and oversight by strengthening the FDA's Cybersecurity Program to conduct highly effective incident response and decrease the overall security risks to sensitive FDA information" is aligned with FDA's goal to "reduce the risks in the manufacturing, production, and distribution of FDA-regulated products." In another example, FDA's IT initiative "improving the delivery of service by developing a master data management strategy to handle business data and data requirements" is aligned with FDA's goal for "promoting better informed decisions about the use of FDA-regulated products by improving patient and providers access to benefit risk information about the products". By incorporating such elements into its IT strategic plan, the agency will be in a position to better align information resources with business strategies and investment decisions, and ensure that outcomes of its IT initiatives support agency-wide goals.
|
Food and Drug Administration | To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved. |
In December 2015, we reported that the Food and Drug Administration (FDA) within the Department of Health and Human Services (HHS) had developed and released an information technology (IT) strategic plan for fiscal years 2012 through 2016 that was intended to define the path to modernizing the agency's IT infrastructure. However, at the time of our review, the plan was not used by the Chief Information Officer (CIO), as intended, to manage and measure the outcomes of activities to support the agency's mission, goals, and objectives. As a result, we recommended that the Commissioner of FDA require the CIO to implement the strategic plan to ensure that expected outcomes of the agency's key IT initiatives are achieved. In August 2020, we verified that FDA developed a work plan that identified key IT initiatives to help ensure that the status of the initiatives are tracked to completion and that the expected outcomes of the initiatives are achieved. According to agency officials, FDA's Office of Information Management and Technology (OIMT) reviews the status of the initiatives each week at weekly project management meetings and the plan is updated on a weekly basis. For example, the workplan was updated to note that all subordinate employees completed annual privacy training by September 30, 2017. In another example, FDA completed the planning tasks of providing all of its employees and managers with a system for processing human resource applications by September 26, 2017. By developing and monitoring the key IT initiatives in the work plan, the agency is better positioned to achieve the expected outcomes for its IT initiatives.
|