Information Technology: OPM Needs to Adopt Key Practices in Modernizing Legacy Financial System
Fast Facts
The Office of Personnel Management's outdated and struggling Federal Financial System helps manage over $1 trillion in assets to support over 8 million federal employees and retirees. In FY 2017, OPM began a program to replace the system.
OPM has completed several phases of the replacement effort. However, estimated costs have increased by $13.4 million to $71.9 million, and several phases are delayed.
While OPM adopted some leading practices—particularly those for ensuring that systems are built to specifications—it hasn't adopted others for estimating costs and schedule or ensuring cybersecurity. Our recommendations address this.
Highlights
What GAO Found
The U.S. Office of Personnel Management (OPM) has completed several phases of its effort to modernize its Trust Funds Federal Financial System (FFS). Among other activities, OPM defined the project's charter, selected a service provider, and gathered requirements. However, as shown below, OPM had to extend the planned completion date of two upcoming milestones by 1 year to October 2022 and October 2023. These milestones focus on the transition to the shared service provider and the new system. In addition, OPM increased the estimated cost of project development and implementation by $13.4 million to $71.9 million.
Status of the Office of Personnel Management's (OPM) Financial System Modernization
Phase | Completed or planned completion date |
---|---|
Assessment, Readiness, and Selection | Completed September 2018 |
Engagement Phase 1 | Completed February 2020 |
Engagement Phase 2 | Completed September 2020 |
Migration Release 1 | Planned completion by October 2022 (originally estimated to be completed in October 2021) |
Migration Release 2 | Planned completion by October 2023 (originally estimated to be completed in October 2022) |
Source: GAO analysis of OPM's documentation and interviews. | GAO-22-104206
OPM attributed the delay to a variety of reasons, including poor documentation and insufficient staff expertise regarding the legacy system.
OPM partially implemented key practices for using a shared service provider. Specifically, while OPM performed recommended risk assessments of the modernization, the assessments were not comprehensive or did not accurately reflect the risks the program was facing, and they did not address all known risks. For example, the risk assessment during Engagement Phase 2 did not reflect that OPM had not defined service level agreements for operations and maintenance; applicable guidance considers this omission a high risk at this stage. Further, while OPM conducted recommended reviews at the conclusion of each phase, in two cases the agency moved forward on the modernization without meeting defined exit criteria.
In addition, while OPM fully adopted leading information technology (IT) management practices for requirements management, it did not do so for cost and schedule estimation or cybersecurity. Specifically:
- OPM did not fully adopt best practices for developing program cost and schedule estimates. As a result, its estimates were not reliable.
- OPM adopted one key cybersecurity practice for systems engineering and partially adopted four other practices. For example, although OPM had identified security expectations for the migration phase, the agency had not defined the level of service to be supplied by the shared service provider. Following these practices helps ensure that security requirements and needs are addressed throughout the life cycle of the system.
Until the agency fully implements appropriate practices, OPM increases the risk that the program will incur schedule delays, cost overruns, unmet performance targets, and cybersecurity shortfalls.
Why GAO Did This Study
OPM's legacy financial system, FFS, helps manage over $1 trillion in combined assets and supports over 8 million federal employees and retirees. However, according to OPM, FFS is outdated and consists of unsupported software. In fiscal year 2017, OPM created the Trust Funds Modernization (TFM) Program to replace FFS. In 2019, the agency selected a shared service provider to provide the replacement system.
The House report accompanying the Consolidated Appropriations Act, 2020 included a provision for GAO to examine OPM's effort to modernize and replace FFS. This report (1) describes the status of OPM's effort to modernize and replace FFS; (2) evaluates the progress OPM has made in implementing key modernization practices for using a shared service provider; and (3) determines to what extent the TFM program has adopted leading practices for requirements management, cost and schedule estimation, and cybersecurity. To do so, GAO analyzed relevant TFM program documentation; assessed documentation against key modernization practices; and compared the program's requirements management, cost and schedule estimation, and cybersecurity to leading practices. GAO also interviewed OPM officials.
Recommendations
GAO is making five recommendations to OPM to improve its effort. OPM concurred with two recommendations, partially concurred with two, and did not concur with one. GAO maintains that the recommendations, as discussed in this report, are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the FFS-R project conducts a comprehensive M3 risk assessment and defines and meets exit criteria for the Migration phase Release 1 and Release 2 tollgates before proceeding to the next phase of the modernization. (Recommendation 1) | The agency partially agreed with this recommendation and at the time of our report stated that it did not believe that a risk assessment would be a prudent use of resources. In April 2023, OPM provided updates on its efforts to conduct M3 risk assessments and define and meet exit criteria for the FFS-R Migration Phase Releases 1 and 2. Specifically, OPM noted that an M3 risk assessment was not conducted for Release 1. In addition, OPM provided documentation such as its product readiness review showing defined exit criteria that have been met for its Release 1 tollgate review. However, officials also noted that they are in the planning phase for Release 2 and could not provide an update regarding this recommendation for that release. We will continue to monitor OPM's actions to address this recommendation. |
Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the TFM program develops cost estimates using best practices described in GAO's Cost Estimating and Assessment Guide. (Recommendation 2) | The agency partially agreed with this recommendation and at the time of our report noted that its cost estimate is based on another entity's cost estimate. In April 2023, OPM noted that its FFS-R modernization Release 2 cost estimate was being developed in consultation with GAO's cost guide but was expected to be completed at the end of the planning phase in June 2023. In February 2024, OPM provided cost estimate information. When we complete our analysis of that, we will update the recommendation status, as needed. We will continue to monitor the implementation of this recommendation. |
Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the TFM program updates the TFM schedule using best practices described in GAO's Schedule Assessment Guide, in particular, by addressing those schedule characteristics that were not substantially or fully met. (Recommendation 3) | The agency agreed with this recommendation. As of January 2024, OPM told us that it has taken additional actions to address the three schedule characteristics and related best practices that were partially met. OPM stated that scheduling best practices were applied to its TFM program schedule, and it provided OPM's updated program schedule estimate for the TFM Program, including Release 1 of the FFS-R modernization project. Based on our review, while OPM completed the activities in the schedule provided, we could not assess whether best practices in GAO's schedule guide were used to address the characteristics that were not substantially or fully met. In addition, OPM reported that Release 2 of the project is in development. We will continue to monitor OPM's actions to address this recommendation. |
Office of Personnel Management | The Director of OPM should direct the CFO to ensure that interagency agreements, including service level agreements, identify how security requirements will be conducted and the level of services, including cybersecurity, that will be provided. (Recommendation 4) | The agency agreed with this recommendation. In June 2023, OPM provided documentation of its interagency and service level agreements for Release 1 of the FFS-R project. According to the service level selected, ARC will provide the infrastructure, platform, and software as a service while OPM performs and manages the transactional processes. The agreement identified ARC's responsibility for compliance with cybersecurity practices, including the completion of security assessment and authorization, annual continuous monitoring and testing, and tracking training. However, it did not identify cybersecurity requirements or how it would follow industry practices. OPM noted that it was unable to provide a service level agreement for Release 2 of the FFS-R project because it was in the planning phase, but that modifications to the service level agreement would be made if needed. We will continue to monitor OPM's actions to address this recommendation. |
Office of Personnel Management | The Director of OPM should direct the CFO to ensure that the OCIO and TFM Program Management Office have identified and acquired sufficient systems and cybersecurity experts to adequately staff the TFM program, including the FFS-R project. (Recommendation 5) | The agency did not agree with this recommendation. Even so, in June 2023, OPM provided an update on its staffing efforts. Specifically, officials noted that the CFO worked with the OCIO in ensuring cybersecurity expertise and system support was identified and provided for security-related activities of the TFM program, including the FFS-R project. Agency officials reported that the OCIO used a staffing model of budget and critical needs for cyber and performance measures to ensure there are enough cybersecurity experts staffed to the TFM program and projects. However, the agency did not identify the number of systems and cybersecurity experts staffed to the various activities related to the TFM program, including the FFS-R projects. Further, we reviewed the project's January 2023 risk register, which showed the risk of a lack of OCIO resources as an open risk. We will continue to monitor the implementation of this recommendation. |