Information Technology Management
Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed
GAO ID: GAO-05-661 June 16, 2005
The Census Bureau's mission is to serve as the leading source of high quality data about the American people and the economy. This information is used to determine congressional and state legislative districts and to distribute hundreds of billions of dollars in federal funds each year. Information technology (IT) plays a critical role in the bureau's ability to carry out its missions by supporting data collection, analysis, and dissemination activities. In the past, the bureau has experienced problems with the development, acquisition, and implementation of IT systems. GAO was asked to (1) provide an IT profile of the Census Bureau, including an overview of information technology management and plans for the 2010 decennial census and (2) evaluate the adequacy of the bureau's IT policies, procedures, and practices in the areas of investment management, system development/management, enterprise architecture management, information security, and human capital.
The Census Bureau has a decentralized approach to IT management. The chief information officer is responsible for establishing policy and strategies and shares responsibility for implementing policies and managing systems and staff with the associate directors for different bureau program areas. In its 5-year strategic IT plan, the bureau identified 10 major investments that are currently estimated to total about $4 billion through 2009. Three of the bureau's 10 major investments--estimated to cost $2.7 billion--are expected to support the 2010 decennial census. For example, the bureau plans to invest about $1.8 billion in the 2010 Testing, Evaluation, and Systems Design program--an effort to redesign procedures and increase the use of automation planned for the 2010 decennial census through a multiyear effort of planning, development, and testing. The bureau has developed policies and procedures and initiated key practices in many of the areas that are important to successfully managing IT, including investment management, system development/management, enterprise architecture management, information security, and human capital management. However, many of these practices are not fully and consistently performed. For example, in the IT investment management area, the bureau has established executive-level investment boards, but it lacks written procedures outlining how the investment boards are to operate and ensuring a consistent and repeatable approach to investment management and decision making. As a result of this and other weaknesses, the bureau is at increased risk of not adequately managing major IT investments and is more likely to experience cost and schedule overruns and performance shortfalls. Because the bureau plans to spend billions of dollars on information technology to prepare for the 2010 decennial census, building in sound IT practices now is more critical than ever.
This is the accessible text file for GAO report number GAO-05-661
entitled 'Information Technology Management: Census Bureau Has
Implemented Many Key Practices, but Additional Actions Are Needed'
which was released on July 18, 2005.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
June 2005:
Information Technology Management:
Census Bureau Has Implemented Many Key Practices, but Additional
Actions Are Needed:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-661]:
GAO Highlights:
Highlights of GAO-05-661, a report to congressional requesters:
Why GAO Did This Study:
The Census Bureau's mission is to serve as the leading source of high
quality data about the American people and the economy. This
information is used to determine congressional and state legislative
districts and to distribute hundreds of billions of dollars in federal
funds each year. Information technology (IT) plays a critical role in
the bureau's ability to carry out its missions by supporting data
collection, analysis, and dissemination activities. In the past, the
bureau has experienced problems with the development, acquisition, and
implementation of IT systems. GAO was asked to (1) provide an IT
profile of the Census Bureau, including an overview of information
technology management and plans for the 2010 decennial census and (2)
evaluate the adequacy of the bureau's IT policies, procedures, and
practices in the areas of investment management, system
development/management, enterprise architecture management, information
security, and human capital.
What GAO Found:
The Census Bureau has a decentralized approach to IT management. The
chief information officer is responsible for establishing policy and
strategies and shares responsibility for implementing policies and
managing systems and staff with the associate directors for different
bureau program areas. In its 5-year strategic IT plan, the bureau
identified 10 major investments that are currently estimated to total
about $4 billion through 2009. Three of the bureau's 10 major
investments--estimated to cost $2.7 billion--are expected to support
the 2010 decennial census. For example, the bureau plans to invest
about $1.8 billion in the 2010 Testing, Evaluation, and Systems Design
program--an effort to redesign procedures and increase the use of
automation planned for the 2010 decennial census through a multiyear
effort of planning, development, and testing.
The bureau has developed policies and procedures and initiated key
practices in many of the areas that are important to successfully
managing IT, including investment management, system
development/management, enterprise architecture management, information
security, and human capital management. However, many of these
practices are not fully and consistently performed (see figure). For
example, in the IT investment management area, the bureau has
established executive-level investment boards, but it lacks written
procedures outlining how the investment boards are to operate and
ensuring a consistent and repeatable approach to investment management
and decision making. As a result of this and other weaknesses, the
bureau is at increased risk of not adequately managing major IT
investments and is more likely to experience cost and schedule overruns
and performance shortfalls. Because the bureau plans to spend billions
of dollars on information technology to prepare for the 2010 decennial
census, building in sound IT practices now is more critical than ever.
Number of Key Information Technology Management Activities Implemented:
Columns:
(1) Incomplete or obsolete policies and procedures; ad hoc practices.
(2) Policies or procedures for key functions; only selected practices in
place.
(3) Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Information Technology Management Area      (1)   (2)   (3)
IT Investment Management[A]                   0     4     1
System Development/Management[A]              1     7     0
Enterprise Architecture Management[A]         0     2    14
Information Security                          0     5     2
IT Human Capital                              0     3     1
Total                                         1    21    18
Source: GAO.
[A] Denotes areas assessed at less than full maturity within a maturity
framework.
[End of table]
What GAO Recommends:
GAO is making recommendations to the Secretary of Commerce to improve
the bureau's ability to effectively manage IT by addressing weaknesses
found in each of the management areas GAO reviewed. In written comments
on a draft of this report, Commerce agreed with GAO's recommendations
and noted that the bureau has already begun improvements.
www.gao.gov/cgi-bin/getrpt?GAO-05-661.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact David A. Powner at (202)
512-9286 or pownerd@gao.gov.
[End of section]
Contents:
Letter:
Recommendations:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Briefing Slides:
Appendix II: Comments from the Department of Commerce:
Appendix III: GAO Contact and Staff Acknowledgments:
Related Products by GAO and the Department of Commerce's Inspector
General:
Letter June 16, 2005:
The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:
The Honorable Michael R. Turner:
Chairman:
Subcommittee on Federalism and the Census:
Committee on Government Reform:
House of Representatives:
The Honorable Adam H. Putnam:
House of Representatives:
The Census Bureau's mission is to serve as the leading source of
high-quality data about the American people and the economy. These data are
used to determine congressional and state legislative districts and to
distribute hundreds of billions of dollars in federal funds each year.
Also, federal agencies use census data to evaluate the effectiveness of
government programs, while businesses use census data to target new
services and products and to tailor existing ones to demographic
changes. Information technology (IT) plays a critical role in the
bureau's ability to carry out its missions by supporting data
collection, analysis, and dissemination activities throughout the
organization.
The bureau is currently planning the decennial census--the nation's
oldest and most comprehensive source of population and housing
information. The bureau estimates that the 2010 decennial census will
cost $11.3 billion, including $2.7 billion for IT investments. Because
the bureau has experienced problems with the development, acquisition,
and implementation of systems in preparing for past censuses, you
requested that we examine whether it is employing effective information
technology management practices. Our objectives were to (1) provide an
IT profile of the Census Bureau, including an overview of information
technology management and plans for the 2010 decennial census and (2)
evaluate the adequacy of the bureau's IT policies, procedures, and
practices in the areas of investment management, system
development/management, enterprise architecture management, information
security, and human capital.
To provide an overview of the bureau's information technology
management, we assessed its documentation, including IT operational and
strategic plans, and we interviewed bureau officials to identify
management roles and responsibilities, organization, staffing, and
investments. To evaluate the adequacy of the bureau's information
technology management, we reviewed the bureau's policies and procedures
in each of five key IT areas--investment management, system
development/management, enterprise architecture management, information
security, and human capital--and we compared them against applicable
laws, federal guidelines, and industry standards. We also reviewed
selected projects, to determine whether the bureau's practices were
consistent with its own policies and procedures as well as with
industry standards. More detailed descriptions of the scope and
methodology for each of the five IT areas are provided in the segments
of this briefing that address each area. We performed our work at the
Department of Commerce in Washington, D.C., and at Census Bureau
headquarters, in Suitland, Maryland, from August 2004 to February 2005,
in accordance with generally accepted government auditing standards.
In mid-April 2005, we provided a detailed briefing to your subcommittee
and committee staffs on the results of this work. The briefing slides
are included in appendix I. The purpose of this letter is to formally
publish the briefing slides and to officially transmit our
recommendations to the Secretary of Commerce.
In brief, we reported that the bureau has a decentralized approach to
IT management. The chief information officer is responsible for
establishing policy and strategies and shares responsibility for
implementing policies and managing systems and staff with the associate
directors for different bureau program areas. In its 5-year strategic
IT plan, the bureau identifies 10 major investments that are currently
estimated to cost about $4 billion through 2009. Three of the bureau's
10 major investments--estimated to cost $2.7 billion--are expected to
support the 2010 decennial census. For example, the bureau plans to
invest $1.8 billion in the 2010 Testing, Evaluation, and Systems Design
program--an effort to redesign procedures and increase the use of
automation planned for the 2010 decennial census through a multiyear
effort of planning, development, and testing.
The bureau has developed policies and procedures and has initiated key
practices in many of the areas that are important to successfully
managing IT--including investment management, system
development/management, enterprise architecture management, information
security, and human capital management. However, many of these
practices are not fully and consistently performed. For example, in the
IT investment management area, the bureau has established
executive-level investment boards, but it lacks written procedures outlining how
the investment boards are to operate and ensuring a consistent and
repeatable approach to investment management and decision making. As a
result of this and other weaknesses we found, the bureau is at
increased risk of not adequately managing major IT investments and is
therefore more likely to experience the cost and schedule overruns and
performance shortfalls that plague other major IT investments and
acquisitions. Because the bureau plans to spend billions of dollars on
information technology to prepare for the 2010 decennial census,
building in sound IT practices now is more critical than ever.
Recommendations:
To improve the Census Bureau's ability to effectively manage
information technology, we are making 13 recommendations to the
Secretary of Commerce to direct the bureau to address weaknesses we
found in each of the IT management areas.
To strengthen the bureau's ability to manage IT investments, we
recommend that the Secretary of Commerce direct the bureau to:
* develop written procedures to guide its IT investment boards'
operations and use these procedures to ensure consistent investment
management and decision-making practices,
* develop well-defined and disciplined written procedures that outline
the process for selecting new IT proposals and reselecting ongoing
investments and use these procedures in investment decision making,
* develop and implement defined criteria and documented policies and
procedures for monitoring the progress of all IT projects and systems,
and
* create a comprehensive repository that collects investment
information that is up to date and accessible to decision makers.
To strengthen agencywide system development and management
capabilities, we recommend that the Secretary of Commerce direct the
bureau to institutionalize a process improvement initiative, such as
the Capability Maturity Model Integration framework, and establish
goals for projects to reach successive capability levels in selected
process areas, including project planning, project monitoring and
control, requirements management, process and product quality
assurance, configuration management, measurements and analysis,
verification, and risk management.
To support the bureau in its efforts to develop and implement an
effective enterprise architecture (EA), we recommend that the Secretary
of Commerce direct the bureau to:
* determine an adequate level of resources to accomplish planned EA
activities in order to ensure continued improvements to the bureau's EA
model and
* establish a written policy endorsing and enforcing the bureau's
enterprise architecture.
To improve information security, we recommend that the Secretary of
Commerce direct the bureau to:
* establish milestones for identifying staff with special security
training needs and developing an effective training program for them;
* establish milestones for identifying system penetration tools to aid
network access security and for testing network controls using these
tools; and
* monitor progress against these milestones and the milestones that
have already been established to address weaknesses in risk
assessments, information system security controls, and oversight
management tools, in order to ensure that these activities are
completed in a timely manner.
To improve the bureau's ability to manage its IT workforce, we
recommend that the Secretary of Commerce direct the bureau to:
* annually assess IT knowledge and skills to determine whether they
meet current requirements and
* use the planned gap analysis to identify workforce strategies to fill
skills gaps and then evaluate these strategies to determine their
effectiveness in improving human capital management.
Agency Comments and Our Evaluation:
We received comments on a draft of this report from the Department of
Commerce (see app. II). In these comments, the Acting Deputy Secretary
of Commerce stated that the agency agrees with our recommendations and
that our findings are accurate, but noted that the report did not
acknowledge steps that the Census Bureau is taking to address the
report's findings and other IT issues. In particular, the deputy
secretary noted that the bureau is taking a very proactive and
aggressive movement toward change and that it is in the process of
introducing a corporate IT environment--which is expected to lead to
improvements in IT management. Commerce also commented that only 1 of
40 activities we evaluated was found to be incomplete or obsolete.
The bureau's steps to act on our recommendations should put it in a
better position to manage information technology in the future.
However, it is important to note that while only 1 of 40 activities was
rated as incomplete or obsolete, there were 21 other activities that
did not have key policies and/or practices in place. For example, while
we found that the bureau collects information about IT projects, it
does not have a comprehensive and consistent repository of IT
investment information that provides decision makers with data for
evaluating the impacts and opportunities created by IT investments. We
plan to assess the bureau's recent, ongoing, and planned steps to
improve its IT management practices as part of our follow-up on open
recommendations.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution of it until 30
days from the report date. At that time, we will send copies of this
report to interested congressional committees, the Secretary of
Commerce, and other interested parties. In addition, this report will
be available at no charge on GAO's Web site at [Hyperlink,
http://www.gao.gov].
If you have any questions on matters discussed in this report, please
contact me at (202) 512-9286 or [Hyperlink, pownerd@gao.gov]. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. GAO staff who made major
contributions to this report are listed in appendix III.
Signed by:
David A. Powner:
Director, Information Technology Management:
[End of section]
Appendixes:
Appendix I: Briefing Slides:
Census Bureau Information Technology Management:
Briefing for the Subcommittee on Federalism and the Census:
Committee on Government Reform:
House of Representatives:
April 20, 2005:
Purpose and Outline:
Purpose:
* To provide an overview and our analysis of the Census Bureau's
information technology (IT) management.
Outline:
* Objectives;
* Scope and Methodology;
* Results in Brief;
* Background;
* Census Bureau's IT Profile--Overview and Plans;
* Census Bureau's IT Policies, Procedures, and Practices;
* IT Investment Management;
* System Development/Management;
* Enterprise Architecture Management;
* Information Security;
* IT Human Capital;
* Agency Comments.
GAO Objectives:
* To provide an IT profile of the Census Bureau, including an overview
of information technology management and IT plans for the 2010
decennial census.
* To evaluate the adequacy of the bureau's IT policies, procedures, and
practices in the areas of investment management, system
development/management, enterprise architecture management, information
security, and human capital.
Scope and Methodology:
* To identify the bureau's IT profile, we assessed agency
documentation, including IT operational and strategic plans, and we
interviewed bureau officials to determine IT management roles and
responsibilities, organization, staffing, and investments.
* We analyzed GAO's and the Department of Commerce's Inspector
General's reports to identify past IT management issues that affected
the 2000 census, and we reviewed bureau documentation and interviewed
agency officials to determine plans for IT systems during the 2010
decennial census.
* To evaluate the adequacy of the bureau's IT management, we reviewed
the bureau's IT policies and procedures for investment management,
system development/management, enterprise architecture management,
information security, and human capital, and we compared them with
applicable laws and regulations, federal guidelines, and industry
standards. More detailed descriptions of the scope and methodology for
each of the five IT areas are provided in the segments of this briefing
that address each area.
* We reviewed selected IT projects to determine whether practices
complied with the agency's policies and procedures, federal guidance,
and industry standards, and we sought work products documenting these
practices, where applicable. Given the importance of IT to the
decennial census effort, we selected projects that support decennial
census activities.
* We conducted this review at the Department of Commerce in Washington,
D.C. and at Census Bureau headquarters in Suitland, Maryland. We
conducted our work from August 2004 through February 2005, in
accordance with generally accepted government auditing standards.
Results in Brief:
The Census Bureau has a decentralized approach to IT management. The
Information Technology directorate, led by the Chief Information
Officer, is responsible for establishing IT policy and strategies,
while multiple program directorates are responsible for implementing
policies and managing IT systems and staff.
The bureau's 5-year strategic plan identifies 10 major IT investments
that are currently estimated to cost about $4 billion through 2009, of
which three investments support the reengineering of the 2010 decennial
census. The bureau is reengineering its approach to IT support for the
decennial census and plans to test new technologies and systems in 2006
and 2008.
The bureau has established policies or procedures and initiated key
practices in many of the areas that are important to successfully
managing IT, including investment management, system development and
management, enterprise architecture management, information security,
and human capital management. However, many of the key practices are
not fully and consistently performed. As a result, the bureau is at
increased risk of not adequately managing major IT investments and is
more likely to experience the cost and schedule overruns and
performance shortfalls that plague other major IT investments and
acquisitions.
Since the bureau plans to spend billions of dollars on information
technology to prepare for the 2010 decennial census, building in sound
IT practices now is more critical than ever.
In order to improve the bureau's ability to effectively manage IT
investments, we are making recommendations to the Secretary of Commerce
to direct the Census Bureau to address weaknesses we found in each of
the IT management areas.
In commenting on a draft of this briefing, Census Bureau officials,
including the Chief Information Officer, the Comptroller, and the Chief
of the Information Systems Support and Review Office, stated that they
agreed with our findings and recommendations.
Background:
Census Bureau's Mission and Core Activities:
The bureau's mission is to serve as the leading source of high quality
data about the nation's people and economy. Core activities include:
* conducting decennial, economic, and government censuses;
* conducting demographic and economic surveys;
* managing international demographic and socioeconomic databases and
providing technical advisory services to foreign governments; and
* performing other activities such as producing official population
estimates and projections.
Public and private decision makers use census population and
socioeconomic data for various purposes. For example, decennial census
data are used to determine congressional and state legislative
districts and to distribute hundreds of billions of dollars of federal
funds each year. Also, federal agencies use census data to evaluate the
effectiveness of established programs, while businesses use census data
to target new services and products and to tailor existing ones to
demographic changes.
IT plays a critical role in the bureau's ability to carry out its
missions, supporting data collection, analysis, and dissemination
throughout the organization.
Census Bureau Organization:
The bureau is a large and complex organization. A conceptual view of
the agency includes three core organizations, two auxiliary
organizations that provide guidance and operational support for the
core organizations, and three support organizations that provide
administrative and technical support for the entire bureau. Each of
these organizations is headed by an associate director who reports to
the Deputy Director of the Census Bureau.
The Bureau's Decennial Census:
The bureau's decennial census is the nation's oldest and most
comprehensive source of population and housing information.
Conducting a decennial census involves:
* identifying and correcting addresses for all known living quarters in
the United States,
* sending questionnaires to housing units,
* following up with non-respondents through personal interviews,
* trying to identify people with non-traditional living arrangements,
* managing a voluminous workforce that is responsible for follow-up
activities,
* collecting census data using questionnaires, phone calls, and
personal interviews,
* summarizing and tabulating census data, and
* disseminating analytical results from the census to the public.
IT Issues Affected the 2000 Census:
Information technology is critical to a successful decennial census. We
and Commerce's Inspector General have reported on several issues that
arose as the bureau developed and used IT systems for the 2000 census.
[NOTE 1] These issues included:
* untimely and inaccurate management information,
* lack of mature and effective software and systems development
processes,
* inadequate testing of key systems,
* inadequate security controls, and
* insufficient number of experienced staff to manage expensive and
complex system projects.
Both we and the Inspector General have made a series of recommendations
to address these issues, and the bureau has initiated efforts to
address them.
IT Profile Overview and Plans:
IT Roles and Responsibilities:
The bureau's Associate Director for Information Technology--who is also
the Chief Information Officer (CIO)--and the other associate directors
share key responsibilities for IT management.
The CIO is responsible for bureauwide IT technical support and
leadership, including:
* managing the investment management process to ensure that all IT
investments support desired mission outcomes;
* establishing standards for system development and management of IT
projects;
* defining and directing enterprise architecture development, education
and compliance; and
* ensuring the information security of systems and networks.
* The Associate Director for Administration, who is also the Chief
Financial Officer, is responsible for providing bureauwide
administrative and financial management for the agency, including
conducting human capital strategic planning for IT and other personnel.
* The associate directors for the other organizations are responsible
for managing system acquisitions and IT staff to support their programs
and goals.
IT Staffing:
As of February 2005, the bureau reported having about 1,100 IT staff in
its approximately 12,000-person workforce. These staff are spread
throughout the bureau, to support the bureau's organizations as
follows:
[See PDF for image]--graphic text:
Pie chart with eight items.
Information Technology/Chief Information Officer: 23%;
Economic Programs: 23%;
Decennial Census: 13%;
Demographic Programs: 13%;
Administration/Chief Financial Officer: 8%;
Others (including the Director's Office and Communications): 3%;
Methodology and Standards: 2%.
Source: GAO analysis based on U.S. Census Bureau data.
[End of figure]
The bureau also has about 500 on-site contractor staff who perform a
variety of activities, including systems design and programming,
systems integration, studies, and analyses.
IT Profile Overview and Plans:
IT Investments:
In its 2004-2009 strategic IT plan, the bureau identified 10 major IT
investments that are currently estimated to total about $4 billion.
Investment Name: American Community Survey;
Description: an initiative to survey households on a monthly basis,
provide annual tabulations, and thereby eliminate the long form from
the 2010 decennial census;
Estimated Total Life Cycle Costs (in millions): $324.00.
Investment Name: Master Address File/Topologically Integrated
Geographic Encoding & Referencing (MAF/TIGER) system enhancement
program;
Description: an effort to modernize the MAF/TIGER systems to support
the 2010 census and its associated testing activities;
Estimated Total Life Cycle Costs (in millions): $535.50.
Investment Name: 2010 Testing, Evaluation, and Systems Design;
Description: an integrated set of tasks oriented toward developing an
IT architecture to enable the bureau to conduct a reengineered, short-
form only decennial census in 2010;
includes identifying the conceptual components of specific systems,
testing operations during 2004 and 2006 tests and then defining the
functional requirements for specific systems that will be implemented
in the 2008 dress rehearsal and the 2010 census;
Estimated Total Life Cycle Costs (in millions): $1,813.30.
Investment Name: Automated Export Trade Statistics System;
Description: a system that supports expedited monthly statistics on
international trade, remedies shortcomings in export statistics, and
helps to control the export of weapons or other hazardous items that
could be a threat to our national security or the public welfare;
Estimated Total Life Cycle Costs (in millions): $42.50.
Investment Name: Data Access and Dissemination System; [NOTE 2]
Description: a system that provides portal access to the largest and
most popular census data sets;
Estimated Total Life Cycle Costs (in millions): $265.90.
Investment Name: Demographic Statistics IT Support Systems;
Description: systems that account for and provide tools for managing
the costs associated with the demographic surveys division's IT
infrastructure maintenance;
Estimated Total Life Cycle Costs (in millions): $123.00.
Investment Name: Economic Census, Government Census, and Surveys;
Description: a project to provide statistical programs that count and
profile U.S. businesses and government organizations;
Estimated Total Life Cycle Costs (in millions): $462.50.
Investment Name: E-Government;
Description: an initiative to support e-government services by letting
businesses file electronically in any current economic survey;
Estimated Total Life Cycle Costs (in millions): $17.10.
Investment Name: Field Support Systems;
Description: an initiative that involves developing, testing, and
maintaining automated systems for data collection, tracking, and
training for the critical current survey programs and for maintaining
IT infrastructure for field headquarters and twelve regional offices;
Estimated Total Life Cycle Costs (in millions): $246.00.
Investment Name: Geographic Support Systems;
Description: systems that provide the integrated and automated computer-
based geographic support that is crucial to all censuses and household
surveys;
Estimated Total Life Cycle Costs (in millions): $175.00.
[End of table]
IT Profile Overview and Plans:
Plans for 2010 Decennial Systems:
Three of the 10 major IT investments in the bureau's strategic IT plan
(comprising $2.7 billion, or 67 percent, of the $4 billion in planned
IT investments) are expected to support the reengineering of the 2010
decennial census:
* American Community Survey:
* MAF/TIGER Enhancement Program:
* 2010 Testing, Evaluation, and Systems Design:
The bureau is reengineering the 2010 decennial census by changing
procedures, increasing the use of automation, and using new
technologies. These initiatives are expected to lead to a simpler
decennial census which is more efficient and cost effective, provides
richer information, improves coverage accuracy, and reduces operational
risk.
Key elements of this reengineering include:
* moving away from using the long form during the decennial census (by
substituting the American Community Survey in its place),
* improving the accuracy and reliability of address data (via MAF/TIGER
Enhancements), and
* redesigning procedures and increasing the use of automation planned
for the 2010 decennial census through a multiyear effort of planning,
development, testing, revision, and retesting (via the 2010 Testing,
Evaluation, and Systems Design program).
More specifically, the 2010 Testing, Evaluation, and Systems Design
program includes the following:
Field data collection activities:
* exploring improved integration and automation of field data
collection activities, including new technologies such as hand-held
computers;
* awarding a contract to design and develop field data collection
processes and systems by April 2006; the cost of this contract, called
the Field Data Collection Automation program, has not yet been
finalized.
Public response activities:
* identifying new approaches to providing assistance to the public and
capturing census data from telephone, paper, and internet sources;
* awarding a contract by October 2005 to develop a system for providing
assistance to the public and capturing data; according to bureau
officials, this contract, called the Decennial Response Integration
System, is estimated to cost over $669 million through 2013.
The 2010 Testing, Evaluation, and Systems Design program also includes
a series of tests in the years leading up to the decennial census.
2004: The bureau tested critical field operations using systems under
conditions similar to those that will be used during the decennial
census. In particular, the agency studied the feasibility of using
hand-held mobile computing devices equipped with Global Positioning System
capability to conduct nonresponse follow-up operations. We recently
reported on lessons learned during this test. [NOTE 3]
2006: The bureau plans to test the methodology and functions of the
integration of systems that will be needed to carry out the
reengineered census, focusing on efforts to automate nonresponse follow-
up activities and on initiatives to update the address list.
2008: The bureau plans to conduct a final operational test of the
entire complement of methodological, procedural, and systems
innovations for the 2010 decennial census.
IT Policies, Procedures, and Practices:
IT Areas Evaluated:
To evaluate IT management, we focused on five key areas that encompass
major IT functions and are recognized by public and private entities as
having substantial influence on the effectiveness of IT operations:
* IT investment management processes and practices are used to select,
control, and evaluate investments in order to help ensure that they
increase business value and mission performance. In 2004, we issued a
framework for assessing federal agencies' IT investment management
practices. [NOTE 4] This framework identifies critical processes for
making successful IT investments; it is organized into five
increasingly mature stages. The framework's five maturity stages
represent steps toward achieving a stable and mature IT investment
process. By determining the current stage of maturity of an
organization, managers are better able to identify specific steps that
would contribute to improving IT management.
* System development/management capabilities help organizations
acquire, develop, and manage information systems and technology
successfully--that is, they help reduce the risk of cost overruns,
schedule delays, and performance shortfalls. The Software Engineering
Institute has established a framework for organizations to use to
assess and improve system management capabilities in different process
areas, such as project planning, project monitoring and control,
requirements management, configuration management, and risk management.
By determining a project's or organization's current capabilities,
managers can identify steps for improving the processes that can
contribute to successful project results.
* Effective use of an enterprise architecture (EA), or a modernization
blueprint, is a trademark of successful public and private
organizations. An EA connects an organization's strategic plan with
program and system solutions by providing the fundamental information
details needed to guide and constrain investments in a consistent,
coordinated, and integrated fashion--thereby improving interoperability
and reducing duplicative efforts. As such, it should provide a clear
and comprehensive view of an entity, including descriptions of the
entity's current or "as is" environment, its target or "to be"
environment, and a capital investment road map for transitioning from
the current to the target environment. In 2003, we updated our
framework for assessing and improving an organization's EA management.
[NOTE 5]
* Information security helps protect the integrity, confidentiality,
and availability of an agency's data and systems by reducing the risks
of tampering, unauthorized intrusions and disclosures, and serious
disruptions of operations. Information security activities include
conducting risk assessments, promoting awareness and training,
implementing controls, performing evaluations, and providing
centralized coordination and oversight of all security activities.
* IT human capital management helps provide employees with the
appropriate knowledge and skills to effectively execute critical IT
functions. Key processes for human capital management involve assessing
IT knowledge and skills requirements, inventorying existing staff's
knowledge and skills and assessing them against requirements,
developing strategies and plans to fill any gaps between requirements
and existing staffing, and evaluating and reporting on progress in
filling any gaps in knowledge and skills.
IT Policies, Procedures, and Practices:
Evaluation Indicators:
In evaluating the five key IT areas at the Census Bureau, we assessed
applicable policies, procedures, and practices. We use three broad
indicators to depict our results:
[See PDF for graphic representations, accessible text descriptions
provided below]
A blank circle indicates that policies and procedures do not exist or
are obsolete or incomplete and that practices are not performed at all
or are performed on a predominantly ad hoc basis.
A half circle indicates that policies or procedures facilitate key
functions and that selected key practices have been performed, while
others remain to be implemented.
A solid circle indicates that policies and procedures are current and
comprehensive for key functions and that practices adhere to policies,
procedures, and generally accepted standards.
For each of the five key IT areas we reviewed, we selected indicators
based on our judgment of the current state of Census policies,
procedures, and practices.
IT Policies, Procedures, and Practices:
Evaluation Summary:
IT Investment Management*: Instituting the investment board; Policies
or procedures for key functions; only selected practices in place.
IT Investment Management*: Meeting business needs;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
IT Investment Management*: Selecting an investment;
Policies or procedures for key functions; only selected practices in
place.
IT Investment Management*: Providing investment oversight;
Policies or procedures for key functions; only selected practices in
place.
IT Investment Management*: Capturing investment information;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Project planning;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Project monitoring and control;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Requirements management;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Process and product quality assurance;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Configuration management;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Measurement and analysis;
Incomplete or obsolete policies and procedures; ad hoc practices.
System Development/Management*: Verification;
Policies or procedures for key functions; only selected practices in
place.
System Development/Management*: Risk management;
Policies or procedures for key functions; only selected practices in
place.
Enterprise Architecture Management*: Adequate resources exist;
Policies or procedures for key functions; only selected practices in
place.
Enterprise Architecture Management*: Agency is aware of EA;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: Chief architect exists;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA is developed using a framework,
methodology, and tool;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA key descriptions will address
security;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA plans call for "as is" and "to
be" environments and a sequencing plan;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA plans call for key
descriptions;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA plans call for key descriptions
to address security;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA plans call for metrics;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA products are under
configuration management;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA products include key
descriptions;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: EA products will describe "as is"
and "to be" environments and a sequencing plan;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: Enterprise committee approves EA;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: Policy for EA development exists;
Policies or procedures for key functions; only selected practices in
place.
Enterprise Architecture Management*: Program office for EA exists;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Enterprise Architecture Management*: Progress is measured and reported;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Information Security: Risk assessment;
Policies or procedures for key functions; only selected practices in
place.
Information Security: Controls--Network access;
Policies or procedures for key functions; only selected practices in
place.
Information Security: Controls--Information systems;
Policies or procedures for key functions; only selected practices in
place.
Information Security: Awareness and training;
Policies or procedures for key functions; only selected practices in
place.
Information Security: Controls--Physical security;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
Information Security: Evaluation;
Policies or procedures for key functions; only selected practices in
place.
Information Security: Central management;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
IT Human Capital: Requirements;
Policies or procedures for key functions; only selected practices in
place.
IT Human Capital: Workforce strategies and plans;
Policies or procedures for key functions; only selected practices in
place.
IT Human Capital: Inventory;
Comprehensive, current policies and procedures; practices adhere to
policies, procedures, and generally accepted standards.
IT Human Capital: Progress evaluation;
Policies or procedures for key functions; only selected practices in
place.
* Denotes areas assessed at less than full maturity within a maturity
framework.
[End of table]
IT Policies, Procedures, and Practices:
IT Investment Management--Overview:
IT investment management provides a framework for implementing the
processes that are critical to the effective selection, control, and
evaluation of a portfolio of IT investments. The maturity stages,
listed below, represent steps toward achieving a stable and mature IT
investment management process.
Project-centricity increases from Stage 1 to Stage 5:
Maturity Stage 1: Creating Investment Awareness;
Description: Ad hoc, unstructured, and unpredictable investment
processes characterize the investment process. There is generally
little relationship between the success or failure of one project and
the success or failure of another project.
Maturity Stage 2: Building the Investment Foundation;
Description: Basic selection capabilities are being driven by the
development of project selection criteria, including benefit and risk
criteria, and an awareness of organizational priorities when
identifying projects for funding.
Maturity Stage 3: Developing a Complete Investment Portfolio;
Description: The organization has developed a well-defined IT
investment portfolio using an investment process that has sound
selection criteria and maintains mature, evolving, and integrated
selection, control, and evaluation processes.
Maturity Stage 4: Improving the Investment Process;
Description: The organization is focused on evaluation techniques to
improve its IT investment processes and portfolio(s) while maintaining
mature selection and control techniques.
Maturity Stage 5: Leveraging IT for Strategic Outcomes;
Description: The organization has mastered the selection, control, and
evaluation processes and now seeks to shape its strategic outcomes by
benchmarking its IT investment processes relative to other "best-in-
class" organizations.
Source: GAO.
[End of table]
Critical processes in stages 1 and 2 include:
Stage 1:
* IT spending without disciplined investment processes--characterizes
organizations that are not yet involved in ITIM activities.
Stage 2:
* Instituting the investment board--entails creating and defining the
membership and guiding policies, operations, roles, responsibilities,
and authorities for one or more IT investment boards within the
organization.
* Meeting business needs--entails ensuring that IT projects and systems
support the organization's business needs and meet users' needs. It
involves identifying business and users' needs for each IT project, and
having users participate in project management throughout the project's
life cycle.
* Selecting an investment--entails ensuring that a well-defined and
disciplined process be used to select new IT proposals and reselect
ongoing investments.
* Providing investment oversight--entails monitoring the progress of all
IT projects and systems relative to cost, schedule, risk, and benefit
expectations and taking corrective action when these expectations are
not being met.
* Capturing investment information--involves identifying IT assets and
creating a comprehensive repository of investment information for
decision makers to use to evaluate the impacts and opportunities
created by proposed (or continuing) IT investments.
IT Policies, Procedures, and Practices:
IT Investment Management--Review:
We evaluated the bureau's IT investment management using GAO's guide,
Information Technology Investment Management: A Framework for Assessing
and Improving Process Maturity. [NOTE 6]
We reviewed the bureau's current IT investment management practices. We
also evaluated the investment processes used on the Data Access and
Dissemination System and Field Support Systems.
We assessed the bureau's investment processes at maturity stage 2. We
did not evaluate maturity stage 1 because it is characterized by a lack
of processes, and the bureau has passed that stage. We also did not
evaluate maturity stages 3, 4, or 5 because bureau officials reported
that they are working to achieve maturity stage 2 and had not yet
implemented critical processes associated with the higher maturity
stages.
IT Policies, Procedures, and Practices:
IT Investment Management--Evaluation:
Activity (Critical process): Instituting the investment board;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's Operating Committee and IT Governing Board
(ITGB) serve as enterprisewide executive-level IT investment boards.
The Operating Committee provides business direction and leadership,
while the ITGB approves and oversees the implementation of the Census
Bureau's IT investment management process and makes recommendations to
the committee about each IT investment. However, the bureau lacks
written procedures outlining the IT investment boards' operations and
ensuring consistent investment management and decision-making
practices.
Activity (Critical process): Meeting business needs;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau has a process for ensuring that its investments
support its business needs. Business needs and specific users are
clearly identified for IT projects. Projects supporting key initiatives
can be traced to strategic objectives. Identified users participate in
project management during the project's life cycle.
Activity (Critical process): Selecting an investment;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: New and ongoing IT projects are selected and reselected
during the general budget cycle. The Operating Committee, ITGB and ad
hoc investment review subgroups ensure that the selection process is
compliant with OMB Exhibit 300 requirements. However, the bureau does
not have organizationwide policies to ensure that a well-defined and
disciplined process is used to select new IT proposals and reselect
ongoing investments.
Activity (Critical process): Providing investment oversight;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: Investment oversight is provided through the Operating
Committee, ITGB, and ad hoc investment review subgroups. Investment
information is provided and reviewed annually, quarterly, and weekly.
However, the bureau lacks written policies and procedures for
monitoring the progress of all IT projects and systems.
Activity (Critical process): Capturing investment information;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau identifies and collects information about IT
projects and systems through OMB Exhibit 300s, IT Business Plans, and
shared network drives. However, the agency does not have a
comprehensive and consistent repository of IT investment information
that provides decision makers with data for evaluating the impacts and
opportunities created by proposed (or continuing) IT investments.
[End of table]
IT Policies, Procedures, and Practices:
IT Investment Management--Impact of Weaknesses:
Taking steps to improve the shortfalls listed above is important for
the following reasons:
* Without written procedures, the bureau lacks assurance that the IT
investment boards will provide investment management oversight and
decision making in a consistent and repeatable manner.
* Without a well-defined and disciplined organizationwide policy for
selecting new IT proposals and reselecting ongoing investments, the
bureau cannot ensure that it is selecting and funding the IT
investments that best result in mission-focused benefits.
* Without defined criteria and documented policies and procedures for
monitoring the progress of all IT projects and systems, the bureau
lacks assurance that consistent and appropriate actions will be taken
when cost, schedule, and performance expectations are not met.
* Without a comprehensive repository of up-to-date investment
information, the bureau cannot ensure that decision makers have the
information they need to effectively manage the organization's IT
investments.
IT Policies, Procedures, and Practices:
IT Investment Management--Conclusions and Recommendations:
The Census Bureau has initiated basic IT investment management
processes, but much remains to be done. Specifically, the bureau lacks
a comprehensive, consistent, and repeatable approach to IT investment
management. Until it develops and implements such an approach, the
bureau cannot ensure that it is effectively and efficiently managing
million- and billion-dollar investments in IT.
To strengthen its ability to manage IT investments, we recommend that
the Secretary of Commerce direct the bureau to:
* develop written procedures to guide its IT investment boards'
operations and use these procedures to ensure consistent investment
management and decision-making practices,
* develop well-defined and disciplined written procedures that outline
the process for selecting new IT proposals and reselecting ongoing
investments and use these procedures in investment decision making,
* develop and implement defined criteria and documented policies and
procedures for monitoring the progress of all IT projects and systems,
and
* create a comprehensive repository that collects investment
information that is up to date and accessible to decision makers.
IT Policies, Procedures, and Practices:
System Development/Management--Overview:
Many organizations rely on software-intensive systems to perform their
missions. The quality of this software and these systems is governed
largely by the quality of the processes involved in acquiring,
developing, managing, and maintaining them. Carnegie Mellon
University's Software Engineering Institute (SEI), recognized for its
expertise in software and system processes, has developed the
Capability Maturity Model® Integration (CMMI℠) [NOTE 7] model and a
CMMI appraisal methodology to evaluate, improve, and manage system and
software development and engineering processes.
The CMMI model and appraisal methodology provide a logical framework
for measuring and improving key processes that are needed for achieving
high-quality software and systems. The model can help an organization
set process improvement objectives and priorities and improve its
processes. SEI has found that organizations that implement such process
improvements can achieve better project cost and schedule performance
and develop higher quality products.
The CMMI appraisal methodology calls for assessing up to 25 different
process areas--clusters of related activities such as project planning,
requirements management, and quality assurance--by determining whether
key practices have been implemented and whether overarching goals have
been satisfied.
Successful implementation of these practices and satisfaction of these
goals result in the achievement of successive capability levels. CMMI
capability levels range from 0 to 5. Level 0 means the process is
either not performed or is only partially performed; level 1 means the
basic process is performed; level 2 means the process is managed; level
3 means the process is defined throughout the organization; level 4
means the process is quantitatively managed; and level 5 means the
process is optimized.
To evaluate system development/management capabilities, we appraised
two projects, the Decennial Master Address File pilot and the Master
Address File/Topologically Integrated Geographic Encoding and
Referencing system redesign.
We applied the CMMI model and its related appraisal methodology. Our
appraisers were all SEI-trained software and information systems
specialists. We evaluated the projects' processes at capability level
2, because bureau officials had set a goal of achieving level 2. In
conjunction with project officials, we selected eight core process
areas that are critical to sound program management:
* project planning;
* configuration management;
* project monitoring and control;
* measurements and analysis [NOTE 8];
* requirements management;
* verification;
* process and product quality assurance;
* risk management.
The process areas we evaluated address key aspects of system
development/management.
* Project planning: The purpose of this process area is to establish
and maintain plans that define the project activities. This process
area involves developing and maintaining a plan, interacting with
stakeholders, and obtaining commitment to the plan.
* Project monitoring and control: The purpose of this process area is
to provide an understanding of the project's progress, so that
appropriate corrective actions can be taken if actual performance
deviates significantly from the plan. Key activities include monitoring
the project, communicating status, taking corrective action, and
determining progress.
* Requirements management: The purpose of this process area is to
manage the product components and to identify inconsistencies among
requirements and the project's plans and work products. This process
area includes managing all technical and nontechnical requirements and
any changes to these requirements as they evolve.
* Process and product quality assurance: The purpose of this process
area is to provide staff and management with objective insights into
processes and associated work products. This includes the objective
evaluation of project processes and products against approved
descriptions and standards. Through quality assurance, the project team
is able to identify and document noncompliance issues and provide
appropriate feedback to project staff.
* Configuration management: The purpose of configuration management is
to establish and maintain the integrity of work products. This process
area includes both the functional processes used to establish and track
work product changes and the technical systems used to manage these
changes. Through configuration management, accurate status information
and data are provided to developers, end users, and customers.
* Measurements and analysis: The purpose of this process area is to
develop and sustain a measurement capability that is used to support
management information needs. This process area includes identifying
measures, performing data collection, analysis, and storage of the
measures, and reporting these values. This process allows users to
objectively plan and estimate project activities and to identify and
resolve potential issues.
* Verification: The purpose of verification is to ensure that selected
work products meet specified requirements. This process area involves
preparing for and performing tests and identifying corrective actions.
Verification of work products substantially increases the likelihood
that the product will meet the customer, product, and product-component
requirements.
* Risk management: The purpose of this process area is to identify
potential problems before they occur, so that risk-handling activities
may be planned and invoked as needed across the life of the product or
project in order to mitigate adverse impacts on achieving objectives.
Early and aggressive detection of risk is important, because it is
typically easier, less costly, and less disruptive to make changes and
correct work efforts during the early phases of the project.
Activity (Critical process): Project planning;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's Software Development and Maintenance policy
addresses project planning. One of the project teams we evaluated
performed all and the other performed most of the practices associated
with this process, including establishing a work breakdown structure
and a project plan. However, one project team did not fully implement
other practices, including establishing a budget or maintaining its
schedule.
Activity (Critical process): Project monitoring and control;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy addresses project monitoring and control.
Both project teams performed many of the practices associated with this
process, including monitoring commitments against plans and
periodically reviewing the project's progress. However, these projects
did not fully implement other practices. For example, one project team
did not adequately manage corrective actions to closure and neither
project team adequately evaluated adherence to the process.
Activity (Critical process): Requirements management;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy addresses requirements management. Both
project teams performed many of the practices associated with this
process, including managing changes to requirements. However, these
project teams did not fully implement other practices. For example, one
team did not monitor and control the process, and the other did not
adequately evaluate adherence to the overall requirements management
process.
Activity (Critical process): Process and product quality assurance;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy addresses process and product quality
assurance. Both project teams performed many of the practices
associated with this process, including resolving noncompliance issues
and maintaining records of quality assurance activities. However, these
project teams did not fully implement other practices. For example, one
team did not adequately monitor and control the process, and the other
did not adequately evaluate adherence to the quality assurance process.
Activity (Critical process): Configuration management;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy addresses configuration management. One
of the project teams performed all and the other performed most of the
practices associated with this process, including creating baselines
and tracking change requests. However, one project team did not fully
implement other practices, such as objectively evaluating adherence to
the configuration management process.
Activity (Critical process): Measurement and analysis;
Assessment: Incomplete or obsolete policies and procedures; ad hoc
practices;
Comments: The bureau's policy does not address measurement and
analysis, but the organization governing one of the projects
established a measurement and analysis policy. However, neither project
team implemented the majority of measurement and analysis practices,
including storing and analyzing measurement data.
Activity (Critical process): Verification;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy addresses verification, and both project
teams performed practices associated with this process, including
conducting peer reviews. However, these project teams did not perform
other practices. For example, one of the project teams did not
adequately monitor and control the process, and neither team defined
its verification environment.
Activity (Critical process): Risk management;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy does not address risk management, but the
organization governing one of the project teams implemented a risk
management policy and the other project team had risk management
procedures in place. Additionally, both teams performed many of the
practices associated with this process, including identifying,
evaluating, and categorizing risks. However, these project teams did
not implement other practices; for example, neither team fully
monitored and controlled the risk management process.
[End of table]
IT Policies, Procedures, and Practices:
System Development/Management--Impact of Weaknesses:
Taking steps to improve the shortfalls listed above is important for
the following reasons:
* Without an adequate project planning process, the bureau lacks
assurance that reasonable plans and tools for managing projects--
including project life-cycle phases and schedules--have been developed
and are in use.
* Without an adequate project monitoring and control process, the
bureau lacks assurance that management can effectively monitor
projects' actual progress and take appropriate corrective action if
performance deviates significantly from plans.
* Without an adequate requirements management process, the bureau
cannot ensure that it will be able to identify inconsistencies between
requirements and plans, increasing the likelihood that products will
not meet customer needs.
* Without an adequate process and product quality assurance process,
the Bureau cannot ensure that it will be able to provide staff and
management with objective insight into processes throughout the
project's life cycle.
Further:
* Without an adequate configuration management process, the bureau
cannot ensure the integrity of plans and other work products throughout
a project's life cycle.
* Without an adequate measurement and analysis process, the bureau
cannot ensure that project information provided to management is
measured, analyzed, and recorded so that management can effectively
monitor actual performance and take appropriate corrective actions.
* Without an adequate verification process, the bureau cannot ensure
that products will be built to meet the customer and product
requirements, increasing the likelihood that products will not meet
customer needs.
* Without an adequate risk management process, the bureau cannot ensure
that risks are identified, analyzed, tracked, and mitigated. Therefore,
potential problems are more likely to become actual problems and have
adverse effects on objectives.
IT Policies, Procedures, and Practices:
System Development/Management--Conclusions and Recommendations:
Individual project teams within the bureau have taken the initiative to
improve their system development and management processes but have not
yet fully implemented many of the key practices that make up a sound
project management process. Unless the bureau adopts a consistent
approach to improving system development and management processes,
project teams will continue to manage systems in an ad hoc manner and
risk the cost overruns, schedule slippages, and performance shortfalls
that plague other government system development projects.
To strengthen agencywide system development and management
capabilities, we recommend that the Secretary of Commerce direct the
bureau to institutionalize a process improvement initiative, such as
the CMMI maturity framework, and establish goals for projects to reach
successive capability levels in selected process areas, including:
* project planning;
* configuration management;
* project monitoring and control;
* measurements and analysis;
* requirements management;
* verification;
* process and product quality assurance;
* risk management.
IT Policies, Procedures, and Practices:
Enterprise Architecture Management--Overview:
An enterprise architecture (EA) serves as a blueprint to guide and
constrain systems modernization efforts. The maturity stages listed
below represent incremental steps toward advancing an organization's
ability to manage the development, maintenance, and implementation of
an EA.
Stage 1: Creating EA awareness:
The organization is becoming aware of the value of an EA, but has not
yet established the management foundation needed to develop one.
Stage 2: Building the EA management foundation:
The organization moves from basic awareness to building the foundation
for effectively managing the development, maintenance, and
implementation of an EA.
Stage 3: Developing EA products:
The organization moves from building the EA management foundation to
developing EA products.
Stage 4: Completing EA products:
The organization moves from developing to completing EA products.
Stage 5: Leveraging the EA for managing change:
The organization uses EA products to guide and constrain investment
decisions in a way that effectively supports achievement of business
and systems modernization.
Stage 1: Creating EA awareness;
Core Element: Agency is aware of EA.
Stage 2: Building the EA management foundation;
Core Element: Adequate resources exist.
Stage 2: Building the EA management foundation;
Core Element: Committee or group representing the enterprise is
responsible for directing, overseeing, or approving EA.
Stage 2: Building the EA management foundation;
Core Element: Program office responsible for EA development and
maintenance exists.
Stage 2: Building the EA management foundation;
Core Element: Chief architect exists.
Stage 2: Building the EA management foundation;
Core Element: EA is being developed using a framework, methodology, and
automated tool.
Stage 2: Building the EA management foundation;
Core Element: EA plans call for describing the "as is" environment, the
"to be" environment, and a sequencing plan.
Stage 2: Building the EA management foundation;
Core Element: EA plans call for describing the enterprise in terms of
business, performance, information/data, application/service, and
technology.
Stage 2: Building the EA management foundation;
Core Element: EA plans call for business, performance,
information/data, application/service, and technology descriptions to
address security.
Stage 2: Building the EA management foundation;
Core Element: EA plans call for developing metrics for measuring EA
progress, quality, compliance, and return on investment.
Stage 3: Developing EA products;
Core Element: Written and approved organization policy exists for EA
development.
Stage 3: Developing EA products;
Core Element: EA products are under configuration management.
Stage 3: Developing EA products;
Core Element: EA products describe or will describe the enterprise's
business, performance, information/data, application/service, and the
technology that supports them.
Stage 3: Developing EA products;
Core Element: EA products describe or will describe the "as is"
environment, the "to be" environment, and a sequencing plan.
Stage 3: Developing EA products;
Core Element: Business, performance, information/data,
application/service, and technology descriptions address or will
address security.
Stage 3: Developing EA products;
Core Element: Progress against EA plans is measured and reported.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: Written and approved organization policy exists for EA
maintenance.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: EA products and management processes undergo independent
verification and validation.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: EA products describe the "As Is" environment, the "To Be"
environment, and a sequencing plan.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: EA products describe the enterprise's business,
performance, information/data, application/service, and the technology
that supports them.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: Business, performance, information/data,
application/service, and technology descriptions address security.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: Organization chief information officer has approved
current version of EA.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: Committee or group representing the enterprise or the
investment review board has approved current version of EA.
Stage 4: Completing EA products (includes all elements from stage 3);
Core Element: Quality of EA products is measured and reported.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: Written and approved policy exists for IT investment
compliance with EA.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: Process exists to formally manage EA change.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: EA is integral component of IT investment management
process.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: EA products are periodically updated.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: IT investments comply with EA.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: Organization head has approved current version of EA.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: Return on EA investment is measured and reported.
Stage 5: Leveraging the EA for managing (includes all elements from
stage 4);
Core Element: Compliance with EA is measured and reported.
[End of table]
We evaluated the bureau's policies and management of its IT enterprise
architecture using GAO's EA assessment guide. [NOTE 9] We assessed the
Bureau's enterprise architecture at maturity stages 1, 2, and 3.
We did not evaluate maturity stages 4 or 5 because bureau officials
reported that they had not yet implemented all of the core elements for
these stages. However, they noted that they had begun to implement some
of the core elements in these advanced maturity stages.
IT Policies, Procedures, and Practices:
Enterprise Architecture Management--Evaluation:
Activity (Critical process): Agency is aware of EA;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau is aware of enterprise architecture concepts.
Activity (Critical process): Adequate resources exist;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau provides funding for personnel, consultants, and
tools to support its enterprise architecture, but this funding varies
from year to year and, according to the Chief Architect, can fall below
the level needed to accomplish project goals.
Activity (Critical process): Committee or group representing the
enterprise is responsible for directing, overseeing, or approving EA;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau has established a committee (chaired by the CIO)
to direct, oversee, and approve its enterprise architecture effort.
Activity (Critical process): Program office responsible for EA
development and maintenance exists;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau has established a program office with
responsibility for developing and maintaining the enterprise:
Activity (Critical process): Chief architect exists;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau has a chief architect for its enterprise
architecture.
Activity (Critical process): EA is being developed using a framework,
methodology, and automated tool;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau is developing its EA using a framework, a
methodology, and an automated tool.
Activity (Critical process): EA plans call for describing the "as is"
environment, the "to be" environment, and a sequencing plan;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau EA plans call for describing the "as is" environment,
the "to be" environment, and a sequencing plan.
Activity (Critical process): EA plans call for describing the
enterprise in terms of business, performance, information/data,
application/service, and technology;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau EA plans call for describing the enterprise in terms
of business, performance, information, applications, and technology
infrastructure.
Activity (Critical process): EA plans call for business, performance,
information/data, application/service, and technology descriptions to
address security;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau EA plans call for business, performance, information,
application, and technology descriptions to address security.
Activity (Critical process): EA plans call for developing metrics for
measuring EA progress, quality, compliance, and return on investment;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau plans call for developing metrics for measuring EA
progress, quality, compliance, and return on investment.
Activity (Critical process): Written and approved organization policy
exists for EA development;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau has a detailed business plan guiding its EA
development, which is approved by the Chief Information Officer.
However, it does not yet have a policy for EA development that is
signed by the Bureau director.
Activity (Critical process): EA products are under configuration
management;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau EA products are under configuration management.
Activity (Critical process): EA products describe or will describe the
enterprise's business, performance, information/data,
application/service, and the technology that supports them;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau EA products describe the enterprise's business,
information, applications, and technology infrastructure. The Bureau
plans for future EA products to describe the enterprise's performance.
Activity (Critical process): EA products describe or will describe the
"as is" environment, the "to be" environment, and a sequencing plan;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Bureau EA products describe the "as is" and the "to be"
environments and will describe the sequencing plan.
Activity (Critical process): Business, performance, information/data,
application/service, and technology descriptions address or will
address security;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau's EA business, information, application, and
technology descriptions address security, and efforts are under way to
continue to integrate security with the enterprise architecture. The
bureau plans for future EA products that describe the enterprise's
performance to address security.
Activity (Critical process): Progress against EA plans is measured and
reported;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau measures and reports on its progress against its
EA plans.
[End of table]
IT Policies, Procedures, and Practices:
Enterprise Architecture Management--Impact of Weaknesses:
Taking steps to improve the two EA shortfalls described above is
important for the following reasons:
* Without adequate resources, the bureau's EA office will not be able
to accomplish its goals of expanding and improving the architecture.
* Without a written policy endorsing the EA, the bureau may not be able
to get the support it needs to fully implement the EA and to realize
its benefits. A written policy could lead to enhanced support for the
EA and increased use and benefits throughout the agency. Based on our
experience in reviewing other agencies, not having an effective
architecture program can be attributable to limited senior management
understanding and commitment and to cultural resistance to using an
architecture. The result can be an inability to implement modernized
systems in a way that minimizes overlap and duplication and maximizes
integration and mission support.
IT Policies, Procedures, and Practices:
Enterprise Architecture Management--Conclusions and Recommendations:
The bureau has made important progress in managing its enterprise
architecture program and has identified critical next steps to further
expand, use, and achieve benefits from its architecture. However, the
EA initiative lacks the senior management commitment--both in terms of
resources and policy endorsement--that it needs to be truly effective.
Unless the bureau demonstrates this senior level commitment, the EA
initiative will likely be limited in how much progress it can continue
to make.
To support the agency in its efforts to develop and implement an
effective enterprise architecture, we recommend that the Secretary of
Commerce direct the bureau to:
* determine an adequate level of resources to accomplish planned EA
activities in order to ensure continued improvements to the bureau's EA
model; and
* establish a written policy endorsing and enforcing the bureau's
enterprise architecture.
IT Policies, Procedures, and Practices:
Information Security--Overview:
Information security protects an organization's computer-supported
resources and assets. Such protection ensures the integrity,
appropriate confidentiality, and availability of an organization's data
and systems. Integrity means that data have not been altered or
destroyed in an unauthorized manner. Confidentiality means that
information is not made available or disclosed to unauthorized
individuals, entities, or processes. Availability means that data will
be accessible or usable upon demand by an authorized entity.
Key activities for managing information security risks include:
* Risk assessment--identifying security threats and vulnerabilities to
information assets and operational capabilities, ranking risk
exposures, and identifying cost-effective controls;
* Awareness and training--promoting awareness of security risks and
educating users about security policies and procedures, as well as
providing security training to staff;
* Controls--implementing the controls necessary to deal with identified
risks to information systems, physical facilities, and networks, in
order to protect them;
* Evaluation--monitoring the effectiveness of controls and awareness
activities through periodic evaluation;
* Central management--coordinating security activities through a
centralized group.
Information security is of special importance to the Census Bureau
because under law, with certain limited exceptions, the bureau must
protect from disclosure the data it collects about individuals and
establishments. [NOTE 10] Specifically, the bureau may not disclose or
publish any private information that identifies an individual or
establishment.
We evaluated the bureau's policies and procedures on information
security by comparing them to the requirements in the Federal
Information Security Management Act of 2002 [NOTE 11] and to guidelines
issued by OMB and the National Institute of Standards and Technology.
We assessed selected bureau systems' security plans, risk assessments,
and certification and accreditation packages. We interviewed bureau and
Commerce security officials on security policies and practices. We also
analyzed reports on the bureau's information security program by the
Department of Commerce's Office of the Inspector General.
Activity (Critical process): Risk assessment;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's security policy calls for system owners to
conduct risk assessments on all major applications in an effort to
identify and manage threats, vulnerabilities, and risks. The bureau
reported that these risk assessments were completed by December 2003.
However, in early 2004, the bureau revised its risk assessment policy
to address documentation weaknesses that had been identified by the
Inspector General, and it instructed system owners to reassess their
systems. The bureau's Information Security Chief plans to work with
system owners to improve their risk assessments, as part of an effort
to improve certification and accreditation (C&A) packages by September
2005.
Activity (Critical process): Awareness and training;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy calls for general security training for
all employees and contractors and for more specialized security
training tailored to certain job descriptions. The bureau has
implemented multiple security awareness and training programs. However,
the bureau does not yet have a program in place for identifying
employees who need specialized security training or for providing this
training.
Activity (Critical process): Controls--information system and security;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's policy requires system owners to assess systems
risks, address any identified weaknesses, and obtain system
certification and accreditation (C&A). The bureau completed C&A
packages for many of its systems, but the Inspector General recently
reported that selected systems' C&A packages were incomplete and
inaccurate. The Information Security Chief plans to recertify and
accredit Bureau systems by the end of September 2005.
Activity (Critical process): Controls--physical security;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The Department of Commerce manages the physical security of
the bureau's facilities. Commerce's security policy calls for facility
managers to conduct periodic risk assessments of their facilities to
identify vulnerabilities and corresponding countermeasures. The
Commerce office of security tracks completion of these risk assessments
and closure of all countermeasures. Currently, all 47 bureau facilities
are up to date on required risk assessments.
Activity (Critical process): Controls--network access;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's security policy calls for system owners to
identify network and logical access controls, and the security office
and system owners use network scanning tools to identify potential
system vulnerabilities. However, in September 2004, the Inspector
General reported that some systems' testing and verification of network
security controls was inadequate. A security official advised us that
they are planning to address network access issues by procuring
additional system penetration tools in order to better test systems.
However, the security office does not have an estimated timeframe for
completing this activity.
Activity (Critical process): Evaluation;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau's IT security office is responsible for overseeing
systems security; it uses a database to track the status of systems'
certification and accreditation and to track any deficiencies
(including network and system control weaknesses) until they are
closed. However, this database does not effectively track all of the
key information needed to effectively oversee security controls and
does not allow for effective version control. To assist in managing
system documentation, the security office plans to migrate to a new
security oversight management tool by September 2005.
Activity (Critical process): Central management;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: The bureau's Information Technology Security Office, within
the Office of the Chief Information Officer (CIO), is the central
management office with responsibility for information security policies
and procedures. This office is responsible for ensuring that IT
security procedures, standards, and guidance are implemented, while the
CIO approves policy. The Chief of Information Security also coordinates
with other Bureau directorates to ensure that security policies are
enforced. This office coordinates efforts with Commerce's Office of
Security at the Census Bureau, which is responsible for physical and
personnel security.
[End of table]
IT Policies, Procedures, and Practices:
Information Security--Conclusions and Recommendations:
The bureau has policies and processes in place to manage information
security, but important steps for ensuring that systems are secure
remain to be carried out. Until the bureau completes these system
security initiatives, it cannot ensure that information, systems, and
networks are adequately protected from disclosure or attack.
In order to improve information security, we recommend that the
Secretary of Commerce direct the bureau to:
* establish milestones for:
  * identifying staff with special security training needs and developing
  an effective training program for them, and
  * identifying system penetration tools to aid network access security
  and testing network controls using these tools; and
* monitor progress against these milestones and the milestones that
have already been established to address weaknesses in risk
assessments, information system security controls, and oversight
management tools, to ensure that these activities are completed in a
timely manner.
IT Policies, Procedures, and Practices:
IT Human Capital--Overview:
Human capital centers on viewing people as assets whose value to an
organization can be enhanced by investing in them. As the value of
people increases, so does the performance capacity of the
organization--and therefore its value to clients and other stakeholders.
According to the Clinger-Cohen Act of 1996, to maintain and enhance the
capabilities of IT staff, an organization should conduct four basic
activities:
* Requirements: annually assess the knowledge and skills that an agency
needs to effectively perform its IT operations to support its mission
and goals;
* Inventory: determine the knowledge and skills of current IT staff to
identify gaps in needed capabilities;
* Workforce strategies and plans: develop strategies and implement plans
for hiring, training, and professional development to fill any gap
between requirements and current staffing;
* Progress evaluation: evaluate the progress made in improving IT human
capital capability, and use the results of these evaluations to
continuously improve the organization's human capital strategies.
We compared the bureau's policies and procedures for IT human capital
to the Clinger-Cohen Act [NOTE 12] and to our guide, Human Capital: A
Self-Assessment Checklist for Agency Leaders. [NOTE 13] We reviewed IT
human capital practices in the areas of skills and knowledge
requirements, skills and knowledge inventories, workforce strategies,
and progress evaluations.
IT Policies, Procedures, and Practices:
IT Human Capital-Evaluation:
Activity (Critical process): Requirements;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: In 2000, the bureau's Human Capital Office and program area
directorates identified requirements, including knowledge and skills,
that its IT staff need to perform their responsibilities. However, the
bureau has not reassessed its requirements to ensure that it identifies
any new knowledge and skills it needs, such as skills supporting
e-government initiatives.
Activity (Critical process): Inventory;
Assessment: Comprehensive, current policies and procedures; practices
adhere to policies, procedures, and generally accepted standards;
Comments: Commerce's CIO maintains an inventory of IT staff skills. In
2004, about 85 percent of the bureau's IT staff participated in an IT
workforce assessment survey and reported on whether they had skills in
97 different IT areas. By April 2005, Commerce plans to make available
a target-setting tool that the bureau can use to develop "what-if"
scenarios. This tool will allow the bureau to identify both projected
and desired future states of its IT workforce and to formulate a "gap
analysis."
Activity (Critical process): Workforce strategies and plans;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau has procedures that address gaps in its IT
workforce. In practice, the bureau addresses gaps through recruiting,
retention, and professional development programs. For example, the
bureau offers special pay incentives to IT specialists, and staff can
complete IT courses to improve their skills. However, the bureau has
not completed a skills gap analysis and therefore has not developed
strategies to fill any identified gaps.
Activity (Critical process): Progress evaluation;
Assessment: Policies or procedures for key functions; only selected
practices in place;
Comments: The bureau annually evaluates its progress in human capital
management planning, workforce development, and succession planning.
However, because the bureau has not yet identified IT skills gaps or
developed strategies to fill these gaps (as noted above), it is not yet
able to evaluate the effectiveness of its strategies.
[End of table]
IT Policies, Procedures, and Practices:
IT Human Capital-Impact of Weaknesses:
Taking steps to address the shortfalls listed above is important for
the following reasons:
* Until the bureau regularly assesses its IT requirements, it risks not
identifying needed skills and knowledge in its IT workforce.
* Until the bureau completes a gap analysis, it lacks assurance that it
is optimizing the use of its current IT workforce and therefore is
unable to implement workforce strategies to fill any identified gaps.
As a result, the bureau is at increased risk that it lacks the trained
staff it needs to fulfill its mission objectives.
IT Policies, Procedures, and Practices:
IT Human Capital-Conclusions and Recommendations:
The Census Bureau has implemented steps to manage its IT human capital,
but more remains to be done to update requirements for IT skills and
knowledge and to develop and implement strategies for filling any skill
gaps. Until the bureau completes these activities, it is at increased
risk that it will not have the skills it needs to effectively develop
and manage its million- and billion-dollar investments in information
systems and technology.
In order to improve the bureau's ability to manage its IT workforce, we
recommend that the Secretary of Commerce direct the bureau to:
* annually assess IT knowledge and skills to determine whether they
meet current requirements, and:
* use the planned gap analysis to identify workforce strategies to fill
skills gaps and then evaluate these strategies to determine their
effectiveness in improving human capital management.
Agency Comments:
In commenting on a draft of this briefing, Census Bureau officials,
including the Chief Information Officer, Comptroller, and Chief,
Information System Support and Review Office, stated that the bureau
concurs with our findings and our recommendations.
[1] See attachment for a list of relevant reports by us and by the
Inspector General.
[2] Bureau officials stated that they are evaluating whether to extend
the Data Access and Dissemination System through the 2010 census or to
acquire a new capability, called the Integrated Dissemination System.
The cost, schedule, and scope of the Integrated Dissemination System
have not yet been determined.
[3] GAO, 2010 CENSUS: Basic Design Has Potential, but Remaining
Challenges Need Prompt Resolution, GAO-05-9 (Washington, D.C.: January
12, 2005).
[4] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity (Version 1.1), GAO-04-394G
(Washington, D.C.: March 2004).
[5] U.S. GAO, Information Technology: A Framework for Assessing and
Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G
(Washington, D.C.: April 2003).
[6] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity (Version 1.1), GAO-04-394G
(Washington, D.C.: March 2004).
[7] CMM is registered in the U.S. Patent and Trademark Office by
Carnegie Mellon University. CMMI is a service mark of the Carnegie
Mellon University.
[8] We did not perform a full appraisal of measurement and analysis on
the Decennial Master Address File project because project officials
reported that they had not yet implemented this process area.
[9] GAO-03-548G.
[10] U.S. Code, Title 13, Section 9.
[11] Federal Information Security Management Act of 2002, Title III,
E-Government Act of 2002, P.L. 107-347, Dec. 17, 2002.
[12] Clinger-Cohen Act of 1996, 40 U.S.C. 11101-11704.
[13] U.S. GAO, Human Capital: A Self-Assessment Checklist for Agency
Leaders, GAO/OCG-00-14G (Washington, D.C.: September 2000).
[End of slide presentation]
[End of section]
Appendix II: Comments from the Department of Commerce:
THE DEPUTY SECRETARY OF COMMERCE:
Washington, D.C. 20230:
May 27, 2005:
Ms. Colleen M. Phillips:
Assistant Director:
Information Technology Issues:
U.S. Government Accountability Office:
Washington, DC 20548:
Dear Ms. Phillips:
The U.S. Department of Commerce appreciates the opportunity to comment
on the U.S. Government Accountability Office draft report entitled
Information Technology Management: Census Bureau Has Implemented Many
Key Practices, But Additional Actions Are Needed (GAO-05-661). I
enclose the Department's comments on this report.
Sincerely,
Signed by:
David A. Sampson:
(Acting):
Enclosure:
U.S. Department of Commerce:
Comments on the U.S. Government Accountability Office Draft Report
Entitled "Information Technology Management: Census Bureau Has
Implemented Many Key Practices, But Additional Actions Are Needed"
GAO-05-661:
Comments on Conclusions:
We agree with the draft report that the U.S. Census Bureau has
developed policies and initiated key practices in many areas that are
important to successfully manage information technology. These
practices include investment management, system development/management,
enterprise architecture management, information security, and human
capital management.
The report's findings, while accurate, do not acknowledge a number of
steps being taken at the Census Bureau to more broadly address the
report's findings and other unrelated Information Technology (IT)
issues. The "Highlights" section of the Government Accountability
Office (GAO) report begins by stating "The bureau has a decentralized
approach to IT management." This is correct and has been the
management approach at the Census Bureau for a long time. However, what
is not mentioned in the report and is of critical importance to
improvement is the very proactive and aggressive movement in the Census
Bureau toward change. We are in the process of introducing a corporate
IT environment, one that will affect the Census Bureau operationally as
well as organizationally. We anticipate the improvements we will
experience over time from this undertaking will strengthen an already
solid IT operation and further improve upon our audit performance.
Also, the report did not clarify the system development/management
perspective. For instance, of 40 information technology management
areas assessed by GAO for system development/management, only one area,
measurements and analysis, was found to be incomplete or obsolete. What
was not acknowledged was that the Census Bureau was being assessed
while in transition from the older SW-CMM standard (measurements and
analysis is embedded in the processes) to the new CMMI standard
(measurements and analysis is a stand-alone process) used by GAO.
Overall, we realize that improvements can be made and that additional
actions are needed to accomplish improvements to our management of
information technology. These additional actions are shown in the
recommendations that follow.
Comments on Recommendations for Executive Action:
"To strengthen the bureau's ability to manage IT investments, we recommend
that the Secretary of Commerce direct the bureau to:
* develop written procedures to guide its IT investment boards'
operations and use these procedures to ensure consistent investment
management and decision-making practices;
* develop well-defined and disciplined written procedures that outline
the process for selecting new IT proposals and reselecting ongoing
investments and use these procedures in investment decision making;
* develop and implement defined criteria and documented policies and
procedures for monitoring the progress of all IT projects and systems;
and:
* create a comprehensive repository that collects investment
information that is up to date and accessible to decision makers."
The Census Bureau concurs with the recommendation.
"To strengthen agencywide system development and management
capabilities, we recommend that the Secretary of Commerce direct the
bureau to institutionalize a process improvement initiative, such as
the Capability Maturity Model Integration framework, and establish
goals for projects to reach successive capability levels in selected
process areas, including project planning, project monitoring and
control, requirements management, process and product quality
assurance, configuration management, measurements and analysis,
verification, and risk management."
The Census Bureau concurs with the recommendation. The Census Bureau
will continue its transition from the SW-CMM standard to the new CMMI
standard bureauwide to strengthen its system development and management
capabilities.
"To support the bureau in its efforts to develop and implement an
effective enterprise architecture (EA), we recommend that the Secretary
of Commerce direct the bureau to:
* determine an adequate level of resources to accomplish planned EA
activities in order to ensure continued improvements to the bureau's EA
model; and:
* establish a written policy endorsing and enforcing the bureau's
enterprise architecture."
The Census Bureau concurs with the recommendation.
"To improve information security, we recommend that the Secretary of
Commerce direct the bureau to:
* establish milestones for identifying staff with special security
training needs and developing an effective training program for them;
* establish milestones for identifying system penetration tools to aid
network access security and for testing network controls using these
tools; and:
* monitor progress against these milestones and the milestones that
have already been established to address weaknesses in risk
assessments, information system security controls, and oversight
management tools, in order to ensure that these activities are
completed in a timely manner."
The Census Bureau concurs with the recommendation.
"In order to improve the bureau's ability to manage its IT workforce,
we recommend that the Secretary of Commerce direct the bureau to:
* annually assess IT knowledge and skills to determine whether they
meet current requirements; and:
* use the planned gap analysis to identify workforce strategies to fill
skills gaps and then evaluate these strategies to determine their
effectiveness in improving human capital management."
The Census Bureau concurs with the recommendation.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
David A. Powner, (202) 512-9286 or [Hyperlink, pownerd@gao.gov].
Acknowledgments:
In addition to the person named above, John Dale, Lester Diamond,
Joanne Fiorino, Mark Fostek, Tonia Johnson, Deborah Lott, Teresa Neven,
Tammi Nguyen, Madhav Panwar, Colleen Phillips, Cynthia Scott, Karl
Seifert, Niti Tandon, Teresa Tucker, and Michael Virga made key
contributions to this report.
[End of section]
Related Products by GAO and the Department of Commerce's Inspector
General:
GAO Products:
2010 Census: Basic Design Has Potential, but Remaining Challenges Need
Prompt Resolution.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-09].
Washington, D.C.: January 12, 2005.
Data Quality: Census Bureau Needs to Accelerate Efforts to Develop and
Implement Data Quality Review Standards.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-86]
Washington, D.C.: November 17, 2004.
Census 2000: Design Choices Contributed to Inaccuracies in Coverage
Evaluation Estimates.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-71]
Washington, D.C.: November 12, 2004.
American Community Survey: Key Unresolved Issues.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-82]
Washington, D.C.: October 8, 2004.
2010 Census: Counting Americans Overseas as Part of the Decennial
Census Would Not Be Cost-Effective.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-898]
Washington, D.C.: August 19, 2004.
2010 Census: Overseas Enumeration Test Raises Need for Clear Policy
Direction.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-470]
Washington, D.C.: May 21, 2004.
2010 Census: Cost and Design Issues Need to Be Addressed Soon.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-37]
Washington, D.C.: January 15, 2004.
Decennial Census: Lessons Learned for Locating and Counting Migrant and
Seasonal Farm Workers.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-605]
Washington, D.C.: July 3, 2003.
Decennial Census: Methods for Collecting and Reporting Hispanic
Subgroup Data Need Refinement.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-228]
Washington, D.C.: January 17, 2003.
Decennial Census: Methods for Collecting and Reporting Data on the
Homeless and Others Without Conventional Housing Need Refinement.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-227]
Washington, D.C.: January 17, 2003.
2000 Census: Lessons Learned for Planning a More Cost-Effective 2010
Census.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-40]
Washington, D.C.: October 31, 2002.
The American Community Survey: Accuracy and Timeliness Issues.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-956R]
Washington, D.C.: September 30, 2002.
2000 Census: Refinements to Full Count Review Program Could Improve
Future Data Quality.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-562]
Washington, D.C.: July 3, 2002.
2000 Census: Coverage Evaluation Matching Implemented as Planned, but
Census Bureau Should Evaluate Lessons Learned.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-297]
Washington, D.C.: March 14, 2002.
2000 Census: Best Practices and Lessons Learned for More Cost-Effective
Nonresponse Follow-up.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-196]
Washington, D.C.: February 11, 2002.
2000 Census: Coverage Evaluation Interviewing Overcame Challenges, but
Further Research Needed.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-26]
Washington, D.C.: December 31, 2001.
2000 Census: Analysis of Fiscal Year 2000 Budget and Internal Control
Weaknesses at the U.S. Census Bureau.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-30]
Washington, D.C.: December 28, 2001.
2000 Census: Significant Increase in Cost Per Housing Unit Compared to
1990 Census.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-31]
Washington, D.C.: December 11, 2001.
2000 Census: Better Productivity Data Needed for Future Planning and
Budgeting.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-4]
Washington, D.C.: October 4, 2001.
2000 Census: Review of Partnership Program Highlights Best Practices
for Future Operations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-579]
Washington, D.C.: August 20, 2001.
Decennial Censuses: Historical Data on Enumerator Productivity Are
Limited.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-208R]
Washington, D.C.: January 5, 2001.
2000 Census: Headquarters Processing System Status and Risks.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-1]
Washington, D.C.: October 17, 2000.
2000 Census: Update on Data Capture Operations and Systems.
AIMD-00-324R. Washington, D.C.: September 29, 2000.
2000 Census: Status of Nonresponse Follow-up and Key Operations.
T-GGD/AIMD-00-164. Washington, D.C.: May 11, 2000.
2000 Census: New Data Capture System Progress and Risks. AIMD-00-61.
Washington, D.C.: February 4, 2000.
2000 Census: Contingency Planning Needed to Address Risks That Pose a
Threat to a Successful Census. GGD-00-6. Washington, D.C.: December 14,
1999.
Inspector General Reports:
Improving Our Measure of America: What the 2004 Census Test Can Teach
Us in Planning for the 2010 Decennial Census, OIG-16949-1, (Washington,
D.C.: September 2004).
Weaknesses in Census Bureau's Certification and Accreditation Process
Leave Security of Critical Information Systems in Question, OSE-16519,
(Washington, D.C.: August 2004).
MAF/TIGER Redesign Project Needs Management Improvements to Meet Its
Decennial Goals and Cost Objective, OSE-15725, (Washington, D.C.:
September 2003).
Selected Aspects of Census 2000 Accuracy and Coverage Evaluation Need
Improvements Before 2010, IG-14226, (Washington, D.C.: March 2002).
Improving Our Measure of America: What Census 2000 Can Teach Us in
Planning for 2010, OIG-14431, (Washington, D.C.: Spring 2002).
Actions to Address the Impact on the Accuracy and Coverage Evaluation
of Suspected Duplicate Persons in the 2000 Decennial Census, OSE-13812,
(Washington, D.C.: March 2001).
A Better Strategy Is Needed for Managing the Nation's Master Address
File, OSE-12065, (Washington, D.C.: September 2000).
Telephone Questionnaire Assistance Contract Needs Administration and
Surveillance Plan, OSE-12376, (Washington, D.C.: August 2000).
PAMS/ADAMS Should Provide Adequate Support for the Decennial Census,
but Software Practices Need Improvement, ESD-11684, (Washington, D.C.:
March 2000).
Improvements Needed in Multiple Response Resolution to Ensure Accurate,
Timely Processing for the 2000 Decennial Census, OSE-10711,
(Washington, D.C.: September 1999).
Dress Rehearsal Quality Check Survey Experience Indicates Improvements
Needed for 2000 Decennial, ESD-11449, (Washington, D.C.: September
1999).
Method for Archiving 2000 Decennial Data and Procedures for Disposing
of Questionnaires Should Be Finalized, OSE-10758, (Washington, D.C.:
September 1999).
Headquarters Information Processing Systems for 2000 Decennial Census
Require Technical and Management Plans and Procedures, OSE-10034,
(Washington, D.C.: November 1997).
(310484):