This post first appeared on GAO Reports.
What GAO Found
The Department of Homeland Security (DHS) has fully implemented 28 of the 31 selected Federal Information Technology (IT) Acquisition Reform Act (FITARA) action plans; however, as of December 2016, DHS did not fulfill all aspects of 3 action plans. For example, one action plan is to use an updated process for reviewing troubled programs to provide support to such programs; however, DHS has not finalized its policy for this process. Until DHS ensures that these 3 plans are implemented, it will lack assurance that it is fulfilling FITARA’s goals.
DHS faces challenges in implementing certain FITARA provisions:
Chief Information Officer (CIO) approval of contracts and agreements. FITARA requires, among other things, the agency CIO to review and approve IT contracts and agreements associated with major investments (e.g., high cost) prior to award. However, the CIO did not participate in the approval of any of the 48 contracts in GAO’s sample associated with major investments. While DHS has made improvements to its review process, until the Office of the CIO determines how to increase its review of contracts and agreements, the CIO will continue to have limited visibility into planned IT expenditures.
CIO evaluation of risk. DHS’s Office of the CIO was conducting risk evaluations of major IT investments and updating the ratings on the Office of Management and Budget’s (OMB) public website known as the IT Dashboard, as required by FITARA. However, in October 2016, DHS changed its process for evaluating 30 of DHS’s 93 major IT investments and, as a result, the CIO is no longer primarily responsible for the evaluations or associated risk ratings that are publicly reported for these investments. Instead, multiple DHS organizations and officials are to evaluate these investments and the CIO’s assessment only accounts for about 18 percent of the total score. Further, while under the old process, DHS’s CIO was responsible for assessing these 30 investments against criteria that OMB guidance stated CIOs may use, under the new process, the CIO is only to assess these investments against one of OMB’s criteria (see table below). This process change challenges the CIO’s ability to publicly report risk ratings.
Change in Responsibility for Conducting Chief Information Officer (CIO) Risk Evaluations that Are Reported to the Information Technology (IT) Dashboard for 30 Major IT Investments

| Office of Management and Budget evaluation criteria | Primary office responsible under old process | Primary organization or official responsible under new process |
| --- | --- | --- |
| Risk management | CIO | Program Accountability and Risk Management, CIO, Chief Financial Officer, and Director of Test and Evaluation |
| Requirements management | CIO | Joint Requirements Council; Office of Systems Engineering; Director of Test and Evaluation |
| Contractor oversight | CIO | Chief Procurement Officer |
| Historical performance | CIO | Not assessed by DHS under new process |
| Human capital | CIO | Program Accountability and Risk Management |
| Other factors | CIO | CIO and any organization or official responsible for assessing any other factor in the evaluation |

Source: GAO analysis of DHS documentation. | GAO-17-284.
Until DHS addresses these challenges, the goal of FITARA to elevate the role of the department CIO in acquisition management will not be fully realized.
Why GAO Did This Study
In 2014, Congress enacted IT reform legislation, referred to as FITARA, which includes provisions related to seven areas of IT acquisition management. In 2015, OMB released FITARA implementation guidance that outlined agency CIO responsibilities and required agencies to develop action plans for implementing the guidance.
This report examines, among other things, the extent to which DHS has implemented selected action plans and the key challenges that DHS has faced in implementing selected FITARA provisions.
To do so, GAO analyzed DHS’s efforts to implement a sample of 31 of 109 action plans that DHS had reported as complete and that described later-stage implementation steps. To determine challenges, GAO analyzed and compared DHS documentation, including a random sample of IT-related contracts and agreements, to selected FITARA provisions to identify gaps between what was required by FITARA and what DHS had implemented. These provisions required, among other things, significant coordination between DHS headquarters and five components.
What GAO Recommends
GAO is making 7 recommendations to DHS to ensure that it fully and effectively implements FITARA. Among other things, GAO recommends that DHS fully implement the action plans and address challenges related to CIO contract approval and evaluation of risk. DHS concurred with all 7 recommendations and provided estimated completion dates for implementing each of them.
For more information, contact Carol C. Harris at (202) 512-4456 or HarrisCC@gao.gov.