This is the accessible text file for GAO report number GAO-03-1028 entitled 'Information Technology: Departmental Leadership Crucial to Success of Investment Reforms at Interior' which was released on September 12, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Interior and Related Agencies, Committee on Appropriations, House of Representatives: September 2003: Information Technology: Departmental Leadership Crucial to Success of Investment Reforms at Interior: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1028] GAO-03- 1028: GAO Highlights: Highlights of GAO-03-1028, a report to Chairman and Ranking Minority Member of the Subcommittee on Interior and Related Agencies, House Committee on Appropriations Why GAO Did This Study: The Department of the Interior is responsible for diverse and complex missions ranging from managing America’s public lands, mineral and water resources, and wildlife to providing satellite data to the military and scientific communities. To fulfill these responsibilities, Interior invests over $850 million annually—about 6 percent of its total annual budget—in communications and computing projects and systems. Interior’s Office of the Secretary and its Chief Information Officer (CIO) are responsible for overseeing processes for managing these investments to ensure that funds are expended in the most cost-effective way in support of the agency’s mission needs. GAO was asked to evaluate (1) departmental capabilities for managing the agency’s information technology (IT) investments and (2) the department’s actions and plans to improve these capabilities. What GAO Found: The Department of the Interior has limited capability to manage its IT investments. Based on GAO’s IT Investment Management (ITIM) Framework, which measures the maturity of an organization’s investment management processes, the department is carrying out few of the activities that support critical foundational processes (see table below). As an initial step to improve its investment management capability, the department has issued a Capital Planning and Investment Control Guide, which describes its approach to IT investment management. However, it has thus far implemented few of the processes described in its own guide. In addition, it has yet to develop an adequate approach to identify existing projects and systems. In order to ensure strong investment management at all levels, the department has also specified a requirement for certifying bureau-level investment processes, but certification has not yet begun. Finally, in order to strengthen the CIO’s ability to manage IT investments at all levels, the Secretary of the Interior has issued an order establishing the authority of the bureau-level CIOs; however, the order has not been fully implemented. In order to improve investment management processes, an organization needs to develop and implement a coherent plan, supported by senior management, which defines and prioritizes enhancements to its investment processes. While Interior has undertaken a number of initiatives designed to improve its investment management processes, the department has not yet developed a unified, comprehensive plan to achieve its objective of establishing effective investment management processes, nor has it committed the resources to successfully implement the necessary reforms. Without a well-defined process improvement plan and controls for implementing it, Interior will continue to be challenged in its ability to make informed and prudent investment decisions. What GAO Recommends: To strengthen the department’s investment management capability, GAO recommends that the Secretary of the Interior direct Interior’s CIO to develop and implement a plan aimed at addressing the weaknesses discussed in this report, including a timetable and specific milestones for implementation of appropriate investment management processes at all levels of the agency. In commenting on a draft of this report, Interior concurred with GAO’s recommendations. www.gao.gov/cgi-bin/getrpt?GAO-03-1028. To view the full product, including the scope and methodology, click on the link above. For more information, contact Linda Koontz at (202) 512-6240 or koontzl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Scope and Methodology: Interior's Capacity to Effectively Manage IT Investments Is Limited: Department's Efforts to Improve Investment Management Processes and Oversight Are Fragmented and Inadequate: Conclusions: Recommendations: Agency Comments and Our Evaluation: Appendixes: Appendix I: Bureau Missions, Functions, and IT Investments: Appendix II: Comments from the Department of the Interior: Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Acknowledgments: Tables Tables: Table 1: Stage 2 Critical Processes--Building the Investment Foundation: Table 2: Status of Stage 2 Critical Processes: Table 3: Investment Board Operation: Table 4: IT Project and System Identification: Table 5: IT Project Oversight: Table 6: Business Needs Identification: Table 7: Proposal Selection: Table 8: Stage 3 Critical Processes--Developing a Complete Investment Portfolio: Table 9: Status of Stage 3 Critical Processes: Figures: Figure 1: Interior's Organizational Structure: Figure 2: The Five Stages of Maturity within ITIM: Abbreviations: ALMRS: Automated Land and Mineral Record System: BIA: Bureau of Indian Affairs: BLM: Bureau of Land Management: CIO: Chief Information Officer: CPIC: Capital Planning and Investment Control: IT: Information Technology: ITIM: Information Technology Investment Management: MMS: Minerals Management Service: NBC: National Business Center: NPS: National Park Service: OCIO: Office of Chief Information Officer: OIG: Office of the Inspector General: OMB: Office of Management and Budget: OSM: Office of Surface Mining Reclamation and Enforcement: PMB: Policy, Management and Budget: SAIC: Science Applications International Corporation: TAAMS: Trust Asset and Accounting Management System: USBR: United States Bureau of Reclamation: USFWS: United States Fish and Wildlife Service: USGS: United States Geological Survey: Letter September 12, 2003: The Honorable Charles H. Taylor Chairman The Honorable Norman D. Dicks Ranking Minority Member Subcommittee on Interior and Related Agencies Committee on Appropriations House of Representatives: The Department of the Interior is responsible for diverse and complex missions ranging from managing America's public lands, mineral and water resources, and wildlife to providing satellite data to the military and scientific communities. To fulfill these responsibilities, Interior invests over $850 million annually--about 6 percent of its total annual budgetary resources--in communications and computing projects and systems. The Secretary of the Interior and Interior's Chief Information Officer (CIO) are responsible for overseeing processes for managing these investments at all levels of the organization to ensure that funds are expended in the most cost- effective way in support of the agency's mission needs. This report is one of two in response to your request that we evaluate the Department of the Interior's information technology investment management capabilities.[Footnote 1] As agreed with your offices, our objectives were to evaluate (1) departmental capabilities for managing the agency's information technology (IT) investments, including its ability to effectively oversee bureau processes, and (2) the department's actions and plans to improve these capabilities. Results in Brief: The Department of the Interior has limited capacity to effectively manage its planned and ongoing IT investments. Over the past few years, Interior has undertaken several initiatives to better understand its current capabilities and to implement the organizational processes required for the department to exercise its responsibility to select, control, and evaluate IT investments. For example, the department has issued a Capital Planning and Investment Control (CPIC) Guide, which describes its approach to IT investment management. In addition, in order to support the implementation of effective investment management practices throughout the department, the Secretary has issued an order aligning bureau CIOs with the department CIO and specifying that the bureau CIOs will have authority over IT expenditures within their bureaus. This order acknowledges that effective bureau processes are necessary to support effective investment management throughout the department. However, efforts to implement the CPIC Guide and the secretarial order have not moved forward as specified in implementing memoranda. Interior has much to accomplish before it can have confidence that its mix of IT investments best meets its mission and business needs. * The first step toward establishing effective investment management is to put in place foundational, project-level control and selection processes. Interior has implemented few of these processes. While the CPIC Guide describes the approach Interior intends to take, and the department-level boards have begun operating, few other key practices have been instituted at this time. Until processes are established that enable executives to select and oversee investments using reliable information, they cannot be assured that they are consistently selecting and managing IT investments that meet Interior's needs and priorities. * The second major step toward effective investment management is to continually assess proposed and ongoing projects as an integrated and competing portfolio of investment options. Interior officials acknowledge that the agency has made little progress in managing investments as a complete portfolio. As a result, Interior executives are unable to adequately assess the relative merits of investment proposals and make trade-offs among options. Interior has undertaken a number of initiatives designed to improve its investment management processes; however, it has not coordinated these efforts, nor has it assigned the resources to effectively carry them out. Without a well-defined process improvement plan and controls for implementing it, it is unlikely that the agency will establish a mature investment management capability. As a result, Interior will continue to be challenged in its ability to make informed and prudent investment decisions in managing its IT investments to meet its mission objectives. To strengthen the department's investment management capability, we are making a number of recommendations aimed at addressing the weaknesses discussed in this report. In addition, we are recommending that the department develop and implement a plan that includes (1) provisions to improve investment management practices agencywide and (2) a timetable and milestones for certifying bureau CPIC processes and for implementing the secretarial order aligning CIO authorities and responsibilities. In commenting on a draft of this report, the Department of the Interior concurred with our recommendations and identified actions that it plans to take to improve IT investment management processes throughout the department. Among other things, the department stated that it intends to develop and implement a comprehensive plan, approved by its senior investment decision-making board, to address specific weaknesses that we identified in its foundational investment management practices and to move to strengthen the role of the CIO in oversight and resource allocation. Background: Interior Has Diverse Missions and IT Investments: The Department of the Interior, created by Congress in 1849, is a multitiered organization that currently employs approximately 70,000 people in about 2,400 locations throughout the United States. The Secretary of the Interior heads the agency, which comprises approximately 30 offices and committees and eight bureaus. Five Assistant Secretaries support the Secretary of the Interior at the department level. One of these is responsible for Policy, Management and Budget. The others are responsible for mission-related matters including Land and Minerals Management, Indian Affairs, Fish and Wildlife and Parks, and Water and Science. At the next level of the organization, eight bureaus,[Footnote 2] aligned with these Assistant Secretaries, are responsible for achieving Interior's diverse missions. Interior's missions include managing approximately 500 million acres of land--about one-fifth of the total U.S. land mass--and about 1.8 billion acres of the Outer Continental Shelf; fulfilling the government's trust responsibility to American Indians and Alaska Natives; conserving and protecting fish and wildlife; offering recreational opportunities; managing the National Park System; providing stewardship of energy and mineral resources; fostering the sound use of land and water resources; helping with the management of the National Fire Plan; ensuring the reclamation and restoration of surface mining sites; and providing scientific information on resource, natural hazard, and earth science issues. Figure 1 shows how Interior is organized. Figure 1: Interior's Organizational Structure: [See PDF for image] [End of figure] Information technology (IT) investments play a vital role in Interior's ability to fulfill its missions. Given the diversity of these missions and operating environments, the character of these investments also varies substantially. For example, the department uses a land mobile radio infrastructure to support geographically dispersed public safety and protection missions. These missions include law enforcement on federal and tribal lands, urban and wildland firefighting, seismic monitoring, wildlife tracking management of national parks, and water reclamation activities. In contrast, Interior's Minerals Management Service owns systems that track oil and gas production on public lands and maintains records on royalties that are due to the federal government and to American Indian tribes. Interior's bureaus and associated program offices propose, fund, and manage these kinds of investments, while certain departmental offices--such as the Offices of Financial Management and Personnel Policy--propose and manage other systems that support administrative functions. Interior's National Business Center is responsible for managing and operating departmental information systems on a fee-for-service basis and for providing other kinds of administrative support, such as facilities management. In fiscal year 2003, Interior invested over $850 million in IT--about 6 percent of its total budget. While the Secretary of the Interior has the ultimate responsibility for managing these investments--including overseeing and guiding the development, management, and use of information resources and information technology throughout the department--Interior's CIO is responsible for providing leadership and oversight for IT investment management processes throughout the agency. To that end, Interior's CIO serves as the chair of the department's IT Management Council, which oversees "major" investments in IT.[Footnote 3] About 2,255 of Interior's staff of about 70,000 are classified as IT professionals. Thirty-four staff provided direct support to the CIO in the department's Office of the CIO during fiscal year 2003. Appendix I provides additional information about each bureau's missions, functions, staffing, and total expenditures on IT for fiscal year 2003. Reviews Identified Need for Improving IT Investment Management: Prior reviews of IT projects performed at Interior over the past decade--by GAO and the Office of Management and Budget (OMB) as well as Interior's Office of the Inspector General (OIG)--have revealed significant weaknesses in IT investment management practices at both the department and the bureau levels. Over the last several years, we have issued a series of reports on Interior's major IT investments and associated management practices. In April and July of 1999, we reported that Interior had not followed sound management practices in the early stages of its effort to acquire the Trust Asset and Accounting Management System,[Footnote 4] a system designed to manage Indian assets and land records. We also reported that, as a result of poor planning, Interior could not ensure that the system would meet financial management needs cost effectively or mitigate system development risks adequately. In September 2000, we reported that Interior still needed to address significant remaining risks.[Footnote 5] Among other things, we recommended that Interior take steps to strengthen its software development and acquisition processes and that it regularly assess the progress being made in implementing this system. Between 1995 and 2001, we reported on Interior's efforts to acquire a land and mineral case processing system called Automated Land and Mineral Record System(ALMRS)/Modernization and raised concerns about the Bureau of Land Management's (BLM) and the prime contractor's abilities to complete, integrate, and test the new software system and complete the current schedule.[Footnote 6] Among other things, we recommended that BLM take steps to strengthen its IT investment management processes and systems acquisition capabilities. ALMRS was terminated in 1999, but many of the management weaknesses we had identified remained. In 2000 and 2001, we reported that BLM had been working to implement our recommendations, and we further recommended that BLM develop a plan to integrate all of the corrective actions necessary to implement our recommendations and establish a schedule for completing them. In August 2002, Interior's OIG reported that the department did not have a process to ensure that IT capital investments or projects focused on departmental mission objectives or federal government goals and initiatives--principally because of its decentralized approach to IT investment management.[Footnote 7] The OIG further stated that only 20 investment projects--representing over 24 percent of the total--were subject to departmental review and approval in fiscal years 2002 and 2003 through submission of capital asset plans. Therefore, about $1 billion in Interior IT investment projects were not subject to department-level review and approval during those 2 years. Consistent with these reports, OMB reported in the President's fiscal year 2003 budget that Interior was putting large sums of public funds at high risk for failure and that it had not complied with applicable legislative requirements that were established in the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996.[Footnote 8] OMB also reported that the department had not been able to adequately identify major projects within its IT portfolio or to demonstrate through adequate business cases the need for all of the major projects that it did identify. In addition, out of the 23 federal agencies included in the fiscal year 2003 budget supplemental document entitled Performance Information for Major IT Investments, the Department of the Interior was one of only two agencies that were unable to provide the type of information on the actual performance of their IT investments. In the Presidentís fiscal year 2004 budget, OMB reported that Interior had made significant strides toward more fully identifying its IT investments and strengthening the business cases that it developed for major IT projects, although 20 of its 35 initial submissions remained on OMB's at-risk list.[Footnote 9] Information Technology Investment Management Maturity Framework: Our IT Investment Management (ITIM) maturity framework,[Footnote 10] issued in May 2000, is a useful tool that can help Interior to improve its IT investment management capabilities. The ITIM framework can be used to determine both the status of an agency's current IT investment management capabilities and what additional steps need to be taken to put more effective processes in place. The ITIM framework establishes a hierarchical set of five maturity stages. Each stage builds upon the lower stages and represents increased capabilities toward achieving both stable and effective (and thus mature) IT investment management processes. Except for the first stage--which largely reflects ad hoc, undefined, and undisciplined decision and oversight processes--each maturity stage is composed of critical processes that are essential to satisfying the requirements of that stage. These critical processes are defined by key practices that include organizational commitments (e.g., policies and procedures), prerequisites (e.g., resource allocation), and activities (e.g., implementing procedures). Key practices are the specific conditions that must be in place and tasks that must be performed for an organization to effectively implement the necessary critical processes. Figure 2 shows the five ITIM stages and a brief description of each stage. Figure 2: The Five Stages of Maturity within ITIM: [See PDF for image] [End of figure] While the ITIM framework defines critical processes and key practices in general terms, our work at multitiered organizations, such as the Postal Service and the Department of Justice,[Footnote 11] showed that specific roles and responsibilities may vary by organizational tier. For example, in such organizations, department-level management has overall responsibility for a process, while component-level management is responsible for ensuring that applicable requirements defined by the department are met and that operational units such as program offices take primary responsibility for performing the day-to-day activities that are described by ITIM, in accordance with management expectations. In such an environment, the presence of well-established and managed processes at lower levels of the organization can provide a level of assurance to the department concerning the quality and reliability of proposals for new investments, information reported on the actual performance of projects, and budget requests. In an agency like Interior, in which organizations at different levels execute various aspects of IT investment management, it is essential that top agency management establish and oversee processes throughout the agency to ensure that effective investment management practices are being adhered to. Over the past decade, Congress has enacted a series of laws that require centralized management and performance reporting to ensure that agencies can demonstrate that they are making the best funding decisions to support their mission needs. The Clinger-Cohen Act of 1996 specifically requires that the head of each agency designate a CIO to implement a process that maximizes the value and assesses and manages the risk of IT investments. Under the Clinger-Cohen Act, the Department of the Interior's CIO has the ultimate responsibility for ensuring the cost-effectiveness of decisions made by program managers to expend funds on IT in support of the agency's mission needs. Therefore, even though individual bureaus have CIOs or similar officers, the department's CIO must monitor and evaluate the performance of its IT investment portfolio as a whole and report to the Secretary on compliance with applicable laws and policies. Scope and Methodology: To determine the department's capabilities for managing its information technology (IT) investments, including its ability to effectively oversee bureau processes, we used several different criteria. To evaluate the underlying investment management processes we used our Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, Exposure Draft (ITIM Framework).[Footnote 12] We applied the framework as it is described in the exposure draft, except that we used a revised version of the IT Asset Inventory critical process, called IT Project and System Identification, after discussion with departmental officials at the beginning of this engagement. This revised critical process has been used in our evaluations since June 2001. At the start of our evaluation, we requested that the department conduct a self-assessment using the ITIM as criteria. Using this self-assessment and the supporting documentation as a starting point, we worked with Interior officials to further support their conclusions. Based on the department's acknowledgement that it had only executed two of the key practices in Stage 3, we did not independently assess the capabilities at this stage or at Stages 4 and 5 of the framework. In our evaluation, an ITIM key practice was rated as "executed" only when we found sufficient evidence that the practice was already in place at the time of the review. We rated all other key practices as "not executed.": To gain additional insight into the department's ability to oversee its components' IT investment management processes, we reviewed documentation and conducted interviews on the department's efforts to put the necessary management structures in place, whether the department had clearly defined what was expected of the bureaus, and whether it held the bureaus accountable to the necessary standards. In order to evaluate the success of the department's oversight activities, we also assessed the capabilities of Interior's components. To determine the capabilities of the components, we collected documentation describing bureau CPIC and investment management processes and spoke with responsible officials at eight bureaus (the Bureau of Indian Affairs, the Bureau of Land Management, the Bureau of Reclamation, the Minerals Management Service, the National Park Service, the Office of Surface Mining Reclamation and Enforcement, the U.S. Fish and Wildlife Service, and the U.S. Geological Survey) and the National Business Center. To assess Interior's plans for improving its IT investment management processes--including oversight of bureau processes--and to identify potential barriers to their implementation, we obtained and evaluated documents showing what management actions had been taken and what initiatives had been planned by the department. In addition, we interviewed officials in the Offices of Acquisition and Property Management, Budget, and the Chief Information Officer. We conducted our work at Interior's headquarters offices in Washington, D.C; bureaus headquarters offices in Arlington, Virginia; Reston, Virginia; and Lakewood, Colorado; and at the National Business Center in Englewood, Colorado, from November 2002 through July 2003, in accordance with generally accepted government auditing standards. Interior's Capacity to Effectively Manage IT Investments Is Limited: In order to have the capabilities to effectively manage IT investments, a department should (1) have basic, project-level control and selection practices in place and (2) manage its projects as a portfolio of investments, treating them as an integrated package of competing investment options and pursuing those that best meet the department's strategic goals, objectives, and mission. These practices may be executed at various organizational levels of the agency--including the bureau level--although overall responsibility for their success remains at the department level. The Department of the Interior is executing only 7 of the 38 key practices that are required by the ITIM framework to establish a foundation for IT investment management and only 2 of the 38 key practices required to manage investments as a portfolio. In addition, the department's ability to oversee the successful implementation and execution of the required practices is limited, although a number of initiatives have been undertaken to address this issue. However, efforts to implement the reform initiatives have not moved forward as specified in implementing memoranda.[Footnote 13] Until Interior successfully implements stable investment management practices throughout the department, it will lack essential management controls over its IT investments, and it will be unable to ensure that the mix of investments it is pursuing is the best to meet the department's strategic goals, objectives, and mission. Department Demonstrates Few Capabilities for IT Investment Management: At the ITIM framework's Stage 2 level of maturity, an organization has attained repeatable, successful investment control processes and basic selection processes at the project level. Through these processes, the organization can identify expectation gaps early and take appropriate steps to address them. According to the ITIM framework, critical processes at Stage 2 include (1) defining investment board operations, (2) collecting information about existing investments, (3) developing project-level investment control processes, (4) identifying the business needs for each IT project, and (5) developing a basic process for selecting new IT proposals. Table 1 describes the purpose for each of the Stage 2 critical processes. Table 1: Stage 2 Critical Processes--Building the Investment Foundation: Critical process: IT investment board operation; Description: To define and establish the governing board(s) responsible for selecting, controlling, and evaluating investments. Critical process: IT project oversight; Description: To regularly determine each IT project's progress toward cost and schedule milestones, using established criteria, and to take corrective actions when milestones are not achieved. Critical process: IT project and system identification; Description: To create and maintain an IT project and system inventory to assist in managerial decision making. Critical process: Business needs; identification; Description: To ensure that each IT program and project supports the organization's business needs and meets users' needs. Critical process: Proposal selection; Description: To ensure that an established, structured process is used to select new IT proposals. Source: GAO. [End of table] In a multitiered organization like Interior, the department is responsible for providing leadership and oversight for foundational critical processes by ensuring that written policies and procedures are established, repositories of information are created that support IT investment decision making, resources are allocated, responsibilities are assigned, and all of the activities are properly carried out where they may be most effectively executed. In such an organization, the CIO is specifically responsible for ensuring that the organization is effectively managing its IT investments at every level. If Interior's bureaus do not have investment management processes in place that adequately support the department's investment management process, its CIO must take action to ensure that the department is expending funds on IT investments that will fulfill its mission needs. The department is executing 7 of the 38 key practices associated with Stage 2 critical processes (or about 18 percent), primarily as a result of issuing the IT and Construction Capital Planning and Investment Control (CPIC) Guide in December 2002 and assigning responsibility for IT investment management functions to three oversight boards. Among other things, the CPIC Guide clearly describes the structure of the department's IT investment review boards and how authority is to be aligned among bureau-and department-level boards; it assigns responsibility to the boards for its proposal selection process. However, the department has not executed most of the crucial key practices at the Stage 2 level. For example, information about the expected and actual cost and schedule for Interior's IT projects, which could form the basis for selection decisions, is not being provided to the investment review boards. In addition, the department has few capabilities for overseeing IT projects and ensuring that business needs are adequately identified. Finally, in July 2003 Interior had not yet implemented most of the investment management processes that it describes in its CPIC Guide, and thus the members of its boards lacked direct experience in the execution of ITIM critical processes. Table 2 summarizes the status of the department's Stage 2 critical processes, showing how many associated key practices the agency has executed. The department's actions toward implementing each of the critical processes are discussed in the sections that follow. Table 2: Status of Stage 2 Critical Processes: Critical process: IT investment board operation; Key practices executed: 2; Total required by critical process: 6; Percentage of key practices executed: 33. Critical process: IT project and system identification; Key practices executed: 0; Total required by critical process: 7; Percentage of key practices executed: 0. Critical process: IT project oversight; Key practices executed: 1; Total required by critical process: 11; Percentage of key practices executed: 9. Critical process: Business needs identification; Key practices executed: 2; Total required by critical process: 8; Percentage of key practices executed: 25. Critical process: Proposal selection; Key practices executed: 2; Total required by critical process: 6; Percentage of key practices executed: 33. Critical process: Cumulative; Key practices executed: 7; Total required by critical process: 38; Percentage of key practices executed: 18. Source: GAO. [End of table] Boards Are Operating but Have Limited Experience: To help ensure executive management accountability and adequate oversight for IT capital planning and investment decisions, an organization should establish a governing board or boards with responsibility for selecting, controlling, and evaluating IT investments. According to the ITIM framework, effective operation of an IT investment board requires, among other things, that (1) board members have both IT and business knowledge, (2) board members understand the investment board's policies and procedures and exhibit core competencies in using the agency's IT investment policies and procedures, (3) the organization's executives and line managers support and carry out board decisions, (4) the organization develop organization-specific process guidance that includes policies and procedures to direct the board's operations, and (5) the investment board operates according to written policies and procedures. (The full list of key practices is provided later in table 3.): The department is executing two of the six key practices needed for its IT investment boards to operate effectively, as specified in the ITIM framework. Interior's new CPIC Guide provides a conceptual framework for the operation of IT investment boards and a description of a five- phase investment process. It also specifies the membership of Interior's IT investment boards in a way that should ensure the integration of technical and business knowledge as well as the appointment of senior-level executives to the boards. In its new CPIC Guide, Interior provides a conceptual overview of the department-and bureau-level review boards that are now responsible for overseeing IT investments. At the department level, these boards and their decision thresholds include the following: * the Management Excellence Council, which is responsible for validating recommendations made to it by the Management Initiatives Team on IT investments; * the Management Initiatives Team, which is responsible for reviewing, evaluating, and approving investments that are expected to cost $35 million or more, and other investments that are otherwise considered to be major; and: * the IT Management Council, which is responsible for reviewing, evaluating, and approving IT investments that are expected to cost between $5 million and $35 million. The Management Excellence Council, chaired by the Secretary of the Interior and comprising Assistant Secretaries and bureau heads, was created to provide leadership, direction, and accountability in meeting the administration's goals and to provide overall direction for and oversight of the department's management reform activities. Its IT investment management activities include validating the Management Initiatives Team's recommendations and recommending strategic investments for the Secretary's approval. The Management Initiatives Team, chaired by the Assistant Secretary for Policy, Management and Budget and comprising Deputy Assistant Secretaries and Deputy Bureau Directors, was established to support the Management Excellence Council in its broad activities. In the context of IT investment management, the Management Initiatives Team's responsibilities include articulating investment strategy, validating scoring by the IT Management Council, and resolving duplication of effort. The IT Management Council, chartered in the CPIC Guide, is cochaired by the department CIO and a rotating cochair who is elected by IT Management Council annually; it is composed of the bureau CIOs and representatives from several departmental offices. The IT Management Council is responsible for scoring potential investments against a predetermined set of criteria, maintaining the planning process and the investment portfolio, and identifying duplication of effort. The department has taken steps to ensure that investment boards are established at the bureau level also. For example, Interior's CPIC Guide requires that investment review boards be established by each of its bureaus to provide oversight for IT investments that are funded by Interior. This multilayered review of investments is designed to increase the likelihood that Interior's IT investments will meet mission needs. However, at the time that we concluded our work in July 2003, the department could not assert that board members exhibited core competencies in using the IT investment approach because department level boards had very limited experience with IT proposal selection processes. Until the department implements an effective IT investment board process that is well established and understood throughout the agency, executives cannot be adequately assured that decisions made by the boards are being well supported and carried out by its executives and line managers or that each board is operating according to established policies and procedures. Table 3 summarizes our ratings for each key practice and the specific evidence that supports the ratings. Table 3: Investment Board Operation: Type of practice: Organizational commitments; Key practice: 1. An organization-specific IT investment process guide is created to direct each board's operations; Rating: Executed; Summary of evidence: The department issued a Capital Planning and Investment Control Guide (CPIC) Guide in December 2002 that defined department-and bureau-level IT investment boards and specified their authorities, procedures, membership, roles, and responsibilities. Key practice: 2. Organization executives and line managers support and carry out IT investment board decisions; Rating: Not executed; Summary of evidence: The CPIC Guide describes a number of controls or processes for ensuring that executives and line managers carry out the decisions of the IT investment boards. These include entry and exit criteria for five investment management phases defined in the CPIC Guide and a description of how CPIC and budget processes are to be linked. However, at the time of our review these boards had limited experience and their activities focused on OMB budget reporting. Type of practice: Prerequisites; Key practice: 1. Adequate resources are provided for operating each IT investment board; Rating: Not executed; Summary of evidence: The department indicated in its self- assessment that this key practice had not been executed. Key practice: 2. Board members understand the investment board's policies and procedures and exhibit core competencies in using the IT investment approach through training, education, or experience; Rating: Not executed; Summary of evidence: The department's IT investment boards are composed of departmental and bureau office executives who are capable of making investment board decisions. However, at the time of this review, Interior's department-level boards had limited experience with the processes described in its new CPIC Guide. Type of practice: Activities; Key practice: 1. Each IT investment board is created and defined with board membership integrating both IT and business knowledge; Rating: Executed; Summary of evidence: Interior has three department-level IT investment boards, including the IT Management Council, the Management Initiatives Team, and the Management Excellence Council. The IT Management Council reviews IT investments from a technical perspective for all three boards, and its members include both IT and business representatives. The Management Initiatives Team includes representatives from the bureaus, as well as the department's Offices of the Chief Information Officer, Financial Management, and Planning and Performance Management. Finally, the Management Excellence Council is made up of Assistant Secretaries responsible for Interior's programs and the heads of its bureaus. Key practice: 2. Each IT investment board operates according to written policies and procedures in the organization-specific IT investment process guide; Rating: Not executed; Summary of evidence: Although the department issued a CPIC Guide in December 2002 that contains written policies and procedures for the organization's IT investment management process, Interior's IT investment boards had not yet fully implemented these at the time of this review. Source: GAO. [End of table] No Project and System Inventory Exists to Support Investment Decision Making: Agency boards, managers, and staff at all levels who are responsible for decisions about IT investment management must have at their disposal information about existing investments as well as new ones that are being proposed. Besides the fundamental business justification for each of the individual investments, decision makers must also consider the interaction of each continuing or proposed project with other projects that comprise the agency's overall IT environment. In addition, opportunities to consolidate projects or systems and avoid redundant investments may be found when proposals are evaluated in this context. The information that could be used in this analysis includes current and planned system functions, physical location, organizational owners, and how funds are being expended toward acquiring, maintaining, and deploying these assets. A project and system inventory can take many forms and does not have to be centrally located or consolidated. The guiding principles for developing the inventory are that the information maintained should be both accessible--located where it is of the most value to investment decision makers--and relevant to the management processes and decisions that are being made. In multitiered organizations, information from an IT project and system inventory should be accessible and relevant to the decision processes of boards at all levels of the organization that are responsible for ITIM activities. An IT project and system inventory is also essential to successfully implementing certain other critical processes, including IT Project Oversight and Proposal Selection, and developing a comprehensive IT investment portfolio. According to the ITIM framework,[Footnote 14] organizations at the Stage 2 level of maturity allocate adequate resources for tracking IT projects and systems, designate responsibility for managing the project and system identification process, and develop related written policies and procedures. Resources required for this purpose typically include managerial attention to the process; staff; supporting tools, such as an inventory database; inventory reporting, updating, and query tools; and a method for communicating inventory changes to affected parties. Stage 2 organizations also maintain information on their IT projects and systems in one or more inventories according to written procedures, recording changes in data as required, and maintaining historical records. Access to this information is provided on demand to decision makers and other affected parties. (The full list of key practices is provided in table 4.): However, the department is not executing any of the seven key practices in this critical process. It does not have any written standards or existing repositories of information on Interior's IT investments that meet ITIM standards, and it has not assigned responsibility or allocated resources for this purpose. In April 2003, departmental officials indicated that they are planning to use the Exhibit 53 report they prepared for OMB as their IT project and system inventory. However, according to the same officials, the current Exhibit 53 report for Interior does not constitute a comprehensive list of its IT investments. Moreover, this report does not include information on actual project cost and schedule or other information needed to support IT investment decisions. Developing an adequate project and system inventory has only recently become a priority at Interior. As a result, Interior's IT investment boards do not currently have the information they need to make well- informed decisions regarding selecting, controlling, and evaluating investment decisions. Without information from such an inventory, the department-and bureau-level boards cannot ensure that duplication among existing and proposed IT investments is eliminated. In addition, the boards cannot compare actual project performance with expectations and determine whether corrective actions should be taken. Table 4 summarizes our ratings for each key practice. Table 4: IT Project and System Identification: Type of practice: Organizational commitments; Key practice: 1. The organization has written policies and procedures for identifying its IT projects and systems and collecting, in an inventory, information about the IT projects and systems that is relevant to the investment management process; Rating: Not executed; Summary of evidence: The department indicated that it plans to use its Exhibit 53 report to OMB as its IT project and system inventory. While the Exhibit 53 is designed to list all of Interior's IT projects and systems, this report does not contain sufficient information to constitute an IT project and system inventory as described by the ITIM framework. Therefore, any of the department's current policies and procedures on the Exhibit 53 do not meet the requirements of this key practice. Key practice: 2. An official is assigned responsibility for managing the IT project and system identification process and ensuring that the inventory meets the needs of the investment management process; Rating: Not executed; Summary of evidence: Although the department has assigned responsibility for preparing the Exhibit 53 to the Office of the Budget, the Exhibit 53 does not provide sufficient information to support the investment management process as described in the ITIM framework. Type of practice: Prerequisite; Key practice: 1. Adequate resources are provided for identifying IT projects and systems and collecting relevant information into an inventory; Rating: Not executed; Summary of evidence: The department indicated in its self-assessment that this key practice had not been executed. Type of practice: Activities; Key practice: 1. The organization's IT projects and systems are identified, and specific information about them is collected in an inventory; Rating: Not executed; Summary of evidence: The department indicated in its self-assessment that it intends to merge several inventories of IT projects and systems into the Exhibit 53 in order to develop a comprehensive list of investments. However, the Exhibit 53 does not include all of the kinds of information that are required to support IT investment management decisions. Key practice: 2. Changes to IT projects and systems are identified, and change information is maintained in the inventory; Rating: Not executed; Summary of evidence: The department does not have an adequate inventory in which changes to information on IT projects and systems can be identified. Key practice: 3. Information from the inventory is available on demand to decision makers and other affected parties; Rating: Not executed; Summary of evidence: The department plans to use the Exhibit 53 as its investment inventory, but this document does not include the necessary information to constitute an adequate IT project and system inventory, according to the ITIM framework. Key practice: 4. The IT project and system inventory and its information records are maintained to contribute to future investment selections and assessments; Rating: Not executed; Summary of evidence: The department does not maintain an IT project and system inventory with records that could contribute to future IT investment board decisions. Source: GAO. [End of table] Department Lacks Fundamental Capabilities for IT Project Oversight: According to the ITIM framework, effective project oversight requires, among other things, (1) having written policies and procedures for project management; (2) developing and maintaining an approved management plan for each IT project; (3) having written policies and procedures for oversight of IT projects; (4) making up-to-date cost and schedule data for each project available to the oversight boards; (5) reviewing each project's performance by regularly comparing actual cost and schedule data to expectations; (6) ensuring that corrective actions for each under-performing project are documented, agreed to, implemented, and tracked until the desired outcome is achieved; and (7) using information from the IT projects and systems inventory. (The complete list of key practices is provided in table 5.) For all IT projects, performance reviews should be conducted at least at each major life cycle milestone. In an organization such as Interior, it is essential that the department provide leadership and oversight of IT project management even though the day-to-day management of IT investments may be handled by bureau-level staff and the National Business Center. The department is executing 1 of the 11 key practices in this critical process by operating department-level IT investment boards. However, the other 10 key practices are not being executed, such as those requiring the development of written policies and procedures for project management or management oversight of IT projects. Moreover, the department currently has no consistent way of knowing the extent to which project management plans are being developed, approved, maintained, and reviewed. As a result, the department has no mechanisms for ensuring that up-to-date information on actual costs and schedule are being provided to the IT investment boards. Finally, Interior lacks an IT projects and systems inventory to capture performance information that can be used by its boards in the investment decision process. According to Interior officials, the department is not executing many of the key practices for Stage 2 IT project oversight because it currently relies on the bureaus to perform these management functions. However, since the department has not developed policies and procedures for the bureaus to follow in conducting IT project oversight, Interior is running the risk that under performing projects will not be reported to the appropriate IT investment board. In the absence of effective board oversight, Interior executives do not have adequate assurance that projects are being developed on schedule and within budget. Table 5 summarizes our ratings for each key practice and the evidence that supports the ratings. Table 5: IT Project Oversight: Type of practice: Organizational commitments; Key practice: 1. The organization has written policies and procedures for IT project management; Rating: Not executed; Summary of evidence: The department has not developed any written policies and procedures for IT project management. Key practice: 2. The organization has written policies and procedures for management oversight of IT projects; Rating: Not executed; Summary of evidence: The department has not developed any written policies and procedures for management oversight of IT projects. Type of practice: Prerequisites; Key practice: 1. Adequate resources are provided to assist the board(s) in overseeing IT projects; Rating: Not executed; Summary of evidence: The department indicated in its self-assessment that this key practice had not been executed. Key practice: 2. Each IT project has and maintains an approved project management plan that includes cost and schedule controls; Rating: Not executed; Summary of evidence: The department does not have any guidance or requirements for developing, approving, or maintaining IT project plans to ensure that these exist and that they include cost and schedule controls. The department also lacks a reporting mechanism to determine which existing IT projects may now have such a plan. Key practice: 3. An IT investment board is operating; Rating: Executed; Summary of evidence: The department's IT Management Council, Management Initiatives Team, and Management Excellence Council began operating in support of the new CPIC processes in July 2002 and reviewing Exhibit 300 reports for IT investments during the fiscal year 2004 budget formulation process. Key practice: 4. Information from the IT project and system inventory is used by the IT investment board as applicable; Rating: Not executed; Summary of evidence: The department does not have an IT project and system inventory. Type of practice: Activities; Key practice: 1. Each project's up-to- date cost and schedule data are provided to the appropriate IT investment board; Rating: Not executed; Summary of evidence: Up-to- date cost and schedule data for all IT investments had not been provided to the department's boards at the time of our review. The boards did, however, receive information on major investments shown in the Exhibit 300 reports that are prepared annually for OMB. Key practice: 2. Using established criteria, the IT investment board oversees each IT project's performance regularly by comparing actual cost and schedule data to expectations; Rating: Not executed; Summary of evidence: At the time of our review, Interior's IT investment boards did not oversee the performance of all IT projects because information on actual cost and schedule for some investments was not available for review. Key practice: 3. The IT investment board performs special reviews of projects that have not met predetermined performance standards; Rating: Not executed; Summary of evidence: At the time of our review, Interior's department-level IT investment boards had not performed special reviews of any IT projects. Key practice: 4. Appropriate corrective actions for each under- performing project are defined, documented, and agreed to by the IT investment board and the project manager; Rating: Not executed; Summary of evidence: Since the department level boards had not conducted reviews of IT project performance, corrective actions had not been defined. Key practice: 5. Corrective actions are implemented and tracked until the desired outcome is achieved; Rating: Not executed; Summary of evidence: Corrective actions for underperforming IT projects had not been defined by department-level IT investment boards at the time of our review. Source: GAO. [End of table] Department Is Not Able to Clearly Link IT Investments to Business Needs: Defining business needs for each project helps to ensure that projects support the organization's mission goals and meet users' needs. This critical process creates the link between the organization's business objectives and its IT management strategy. According to our ITIM framework, effectively identifying business needs requires, among other things, (1) defining the organization's business needs or stated mission goals, (2) identifying users for each project who will participate in the project's development and implementation, (3) training IT staff adequately in identifying business needs, and (4) defining business needs for each project. (The complete list of key practices is provided in table 6.): The department is responsible for providing leadership and oversight for the identification and documentation of business needs for IT investments by issuing written guidance for this critical process and executing the associated key practices. However, given that knowledge of the actual business needs of Interior's departmental offices and programs resides in the sponsors of IT investments, much of the work of identifying business processes must necessarily be performed at those levels of the organization. The department is executing two of the eight key practices for this critical process by defining mission goals in strategic planning documents and by ensuring that appropriately trained individuals identify the needs for its IT projects. However, the department is not executing the remaining key practices, such as those that involve ensuring that adequate resources are being provided and identifying all of its IT projects and systems in an inventory. As a result, the department could not identify specific users and business needs for all of Interior's IT investments at the time of our review. In April 2003, the department provided training in linking projects to Interior's IT strategic plan, but written policies and procedures for business needs identification have not been formalized. Also, the Exhibit 300 reports on IT investments that the department produces for OMB in support of the President's budget--and which it identifies as the mechanism for capturing business needs--are not required for nonmajor IT investments. Because nonmajor projects comprised approximately 67 percent of Interior's projects and 45 percent of its total IT expenditures in fiscal year 2003, business needs were not captured for many of Interior's projects. The department was also unable to demonstrate that identified users participated in project management throughout a project's life cycle. Office of Chief Information Officer (OCIO) officials explained that the department has not provided oversight of the process of identifying business needs, because it has historically relied on its IT investment sponsors to determine the business needs of the investments. However, until the department provides adequate leadership and oversight for this critical process that is well established and understood throughout the agency, executives cannot be adequately assured that sponsors of IT investments are consistently and objectively identifying user needs and linking investment proposals to the agency's strategic goals. Table 6 summarizes our ratings for each key practice and the evidence that supports the ratings. Table 6: Business Needs Identification: Type of practice: Organizational commitment; Key practice: 1. The organization has written policies and procedures for identifying the business needs (and the associated users) of each IT project; Rating: Not executed; Summary of evidence: Written policies and procedures for identifying business needs have not been formally approved, although training has been initiated which includes identifying business needs for major projects, to familiarize individuals with the preparation of OMB Exhibit 300s. Type of practice: Prerequisites; Key practice: 1. Adequate resources are provided for identifying business needs and associated users; Rating: Not executed; Summary of evidence: The department indicated in its self-assessment that this key practice had not been executed. Key practice: 2. The organization has defined business needs or stated mission goals; Rating: Executed; Summary of evidence: The department issued a Strategic Plan for FY 2000-2005 and a draft Strategic Plan for FY 2003-2008. Both of these documents contain information on Interior's stated mission goals and business needs. Key practice: 3. IT staff are trained in business needs identification; Rating: Executed; Summary of evidence: Since individuals responsible for identifying business needs and preparing Exhibit 300 reports work in departmental and bureau offices that sponsor IT investments, their work experience gives them sufficient knowledge regarding the business needs of those units. In addition, the department has provided supplemental training in business needs identification for major projects. Key practice: 4. IT projects and systems are identified in the IT project and system inventory; Rating: Not executed; Summary of evidence: The department indicated in its self-assessment that this key practice had not been executed. The department does not have an IT project and system inventory. Type of practice: Activities; Key practice: 1. The business needs for each IT project are clearly identified and defined; Rating: Not executed; Summary of evidence: Business needs are identified for major projects in Exhibit 300 reports that are prepared annually for OMB. However, these reports are not prepared for nonmajor IT investments. Key practice: 2. Specific users are identified for each IT project; Rating: Not executed; Summary of evidence: Exhibit 300 reports include a section for identifying users of IT systems. However, these are not prepared for nonmajor IT investments. Key practice: 3. Identified users participate in project management throughout a project's life cycle; Rating: Type of practiceRating: Not executed; Summary of evidence: Type of practiceSummary of evidence: The department indicated in its self- assessment that this key practice had not been executed. In addition, the department lacks written policies and procedures for IT project management that could help ensure that users participate in project management throughout a project's life cycle. Source: GAO. [End of table] Selection Process Is Established, but Boards Lack Implementation Experience: Selecting new IT proposals requires an established and structured process to ensure informed decision making and management accountability. According to our ITIM framework, this critical process requires, among other things, (1) making funding decisions for new IT proposals according to an established process, (2) providing adequate resources for proposal selection activities, (3) using an established proposal selection process, (4) analyzing and ranking new IT proposals according to established selection criteria--including cost and schedule criteria--and (5) designating an official to manage the proposal selection process. While initial selection decisions may be made at the bureau level, the department should have in place clear, established criteria for selection and guidance regarding the structure and content of IT proposals. (The complete list of key practices is provided in table 7.): The department is executing two of the six key practices for this critical process by identifying the IT Management Council cochairs as the responsible authorities for the proposal selection process and by using the CPIC Guide's funding process to make decisions on IT proposals. These achievements notwithstanding, the department has yet to implement most key practices--such as using established criteria to analyze each investment and prioritizing these investments accordingly. The CPIC Guide does contain requirements that address several of the objectives of the critical process for proposal selection, such as establishing a consistent approach to assessing the costs and benefits of proposed investments and developing clear performance expectations with quantifiable performance measures. If implemented, the CPIC Guide would satisfy many of the requirements of the key practices in this critical process. Until now, the department has focused on other aspects of its IT investment management process, such as the review of OMB Exhibit 300s for each major project, without using the selection criteria that are defined in the CPIC Guide. Moreover, while fundamental processes for proposal selection are described in the CPIC Guide, these had not been fully implemented at the time of our review. In the meantime, Interior's bureaus have retained responsibility for selecting IT investments--without benefit of departmental review. Until the department implements the key practices described in the ITIM framework, and they are well established and understood throughout the agency, Interior cannot be adequately assured that it is consistently and objectively developing and selecting proposals that best meet the needs and priorities of the agency. Table 7 summarizes our ratings for the proposal selection critical process. Table 7: Proposal Selection: Type of practice: Organizational commitments; Key practice: 1. Executives and managers follow an established selection process; Rating: Not executed; Summary of evidence: The department's CPIC Guide established a selection process for IT investments. However, because the department only began implementing this process in 2002, to formulate its request for fiscal year 2004 funding, executives and managers have not yet fully implemented the selection process. Key practice: 2. An official is designated to manage the proposal selection process; Rating: Executed; Summary of evidence: The department's self-assessment states that the cochairs of the IT Management Council review board are designated as the responsible officials for the proposal selection process. Type of practice: Prerequisite; Key practice: 1. Adequate resources are provided for proposal selection activities; Rating: Not executed; Summary of evidence: The department indicated in its self-assessment that this key practice had not been executed. Type of practice: Activities; Key practice: 1. The organization uses a structured process to develop new IT proposals; Rating: Not executed; Summary of evidence: The department's CPIC Guide established a structured process for developing IT proposals. However, the department had not implemented this process at the time of our review. Key practice: 2. Executives analyze and prioritize new IT proposals according to established selection criteria; Rating: Not executed; Summary of evidence: The department's CPIC Guide established criteria for prioritizing IT proposals. However, the department had not used these criteria to prioritize new IT proposals at the time of our review. Key practice: 3. Executives make funding decisions for new IT proposals according to an established process; Rating: Executed; Summary of evidence: The department's CPIC Guide established a process for making funding decisions for IT proposals, which the department used in its 2004 budget formulation process. Source: GAO. [End of table] Department Is Not Managing Interior IT Investments as a Portfolio: An IT investment portfolio is an integrated, agencywide collection of investments that are assessed and managed collectively based on common criteria. Managing investments within the context of such a portfolio is a conscious, continuous, and proactive approach to expending limited resources on an organization's competing initiatives in light of the relative benefits expected from these investments. Taking an agencywide perspective enables an organization to consider its investments comprehensively, so that collectively the investments optimally address the organization's missions, strategic goals, and objectives. Managing IT investments with a portfolio approach also allows an organization to determine priorities and make decisions about which projects to fund based on analyses of the relative organizational value and risks of all projects, including projects that are proposed, under development, and in operation. According to the ITIM framework, Stage 3 maturity includes (1) defining portfolio selection criteria, (2) engaging in project-level investment analysis, (3) developing a complete portfolio based on the investment analysis, (4) maintaining oversight over the investment performance of the portfolio, and (5) aligning the authority of the IT investment boards. Table 8 summarizes the purposes of each of the critical processes in Stage 3. Table 8: Stage 3 Critical Processes--Developing a Complete Investment Portfolio: Critical process: Authority alignment of IT investment boards; Description: To ensure that IT investments are selected and managed by the appropriate investment board. Critical process: Portfolio selection criteria definition; Description: To ensure that the organization develops and maintains IT portfolio selection criteria that support its mission, organizational strategies, and business priorities. Critical process: Investment analysis; Description: To ensure that all IT investments are consistently analyzed and prioritized according to the organization's portfolio selection criteria. Critical process: Portfolio development; Description: To ensure that an optimal IT investment portfolio with manageable risks and returns is selected and funded. Critical process: Portfolio performance oversight; Description: To ensure that each IT investment portfolio achieves its cost, benefit, schedule, and risk expectations. Source: GAO. [End of table] The department provided evidence that it is executing 2 of the 38 key practices for Stage 3 by establishing and maintaining in its CPIC Guide written policies and procedures and associated criteria for aligning the decision-making authority of its IT investment review boards. In its self-assessment, Interior did not claim to be fully executing any other Stage 3 key practices. At the time of our review, the department's efforts to implement ITIM were in the initial stages, since the CPIC Guide had been issued in December 2002. Moreover, OCIO efforts at IT management reform had to compete for resources with other ongoing priorities. Until now, Interior has focused its improvement activities in the preselect and select phases described by its CPIC Guide. Until the department fully implements the foundational critical processes in Stage 2 and then the critical processes for portfolio management in Stage 3, it will lack the capability to consider Interior's investments in a comprehensive manner and determine whether it has the mix of IT investments that best meet the agency's mission needs and priorities. Table 9 summarizes the status of the department's Stage 3 critical processes, showing how many associated key practices the agency has executed. Table 9: Status of Stage 3 Critical Processes: Critical process: Authority alignment of IT investment boards; Key practices executed: 2; Total required by critical process: 7; Percentage of key practices executed: 29. Critical process: Portfolio selection criteria definition; Key practices executed: 0; Total required by critical process: 6; Percentage of key practices executed: 0. Critical process: Investment analysis; Key practices executed: 0; Total required by critical process: 7; Percentage of key practices executed: 0. Critical process: Portfolio development; Key practices executed: 0; Total required by critical process: 9; Percentage of key practices executed: 0. Critical process: Portfolio performance oversight; Key practices executed: 0; Total required by critical process: 9; Percentage of key practices executed: 0. Critical process: Cumulative; Key practices executed: 2; Total required by critical process: 38; Percentage of key practices executed: 5. Source: GAO. [End of table] Department Has Limited Ability to Oversee IT Investments in the Bureaus: The ability of a department-level CIO to effectively oversee IT investment management processes throughout the agency depends on the existence of appropriate management structures with adequate authorities and sufficient guidance. To its credit, Interior has taken several crucial initial steps to make this possible; it conducted a study of existing organizational structures, issued a secretarial order providing broad authorities to its CIOs, and issued a capital planning and investment control guide that provided a conceptual framework for improvements to the IT investment management process. However, Interior's CIO has taken limited action to ensure that the secretarial order was implemented and that other required improvements to the process were made. The department had envisioned a certification process through which it would hold bureaus accountable for improving their investment management capabilities, but it has yet to implement this concept. Until sound management structures and a certification process are in place, the department's ability to oversee the bureaus' practices for investment management will be limited. Department and Bureau CIOs Are Not Positioned to Provide Leadership for IT Investment Processes: Under the Clinger-Cohen Act of 1996, the CIO of each agency is responsible for effectively managing all of the agency's IT resources.[Footnote 15] To comply with the act, Interior's CIO is responsible for ensuring that the bureaus are implementing effective investment management processes that are appropriately aligned with the department's processes. Our report on Maximizing the Success of Chief Information Officers[Footnote 16] describes the principles of successful CIO management in leading organizations. In such organizations, the CIO has been positioned for success, having been assigned clearly defined roles, responsibilities, and accountabilities. Because Interior has multiple levels of IT investment management authority, it is especially critical that the roles, responsibilities, and accountabilities of all the CIOs be clearly defined. In 2002, Interior contracted with Science Applications International Corporation (SAIC) to study the department and bureau CIO organizations and determine whether it was in compliance with the requirements of the Clinger-Cohen Act. SAIC concluded that, in the current environment, Interior's CIO did not have adequate power--or the leverage of a formal structure with clear lines of authority and control of resources--to carry out its responsibilities under the act. The study pointed to a general lack of authority and resource control at the bureau level as well, which further inhibited the CIO's ability to function. According to SAIC, in most of the bureaus, the CIOs lacked the authority to effect change among their subordinate IT staff and decision areas because they cannot allocate or withdraw funds and do not control hiring, training, or performance appraisals. On the basis of these findings, SAIC recommended that Interior establish formal lines of authority from the department's CIO to the bureau CIOs and to IT staff at lower levels. On the basis of the SAIC study, and because of its desire to comply with the Clinger-Cohen Act, Interior issued Secretarial Order 3244,[Footnote 17] which acknowledged that authority and control over management of IT resources had not been fully established or coordinated in the department, resulting in significant variability among bureaus and offices in implementing IT functions and setting funding priorities. To rectify this situation, the order provides broad authorities to all of Interior's CIOs. Among other things, the order requires all bureaus[Footnote 18]to standardize their IT functional areas to achieve continuity of responsibility and accountability throughout the department. Specifically, the order calls for establishing a function described as technology management, which encompasses IT investment management.[Footnote 19] The order assigns approval authority and management responsibility for all IT assets to bureau CIOs. On the basis of the order, every Interior organization with 5,000 or more employees must have a separate CIO position at the Senior Executive Service level. The individual in this position must be a fully participating member of the executive leadership/management teams and must report to the Deputy Director or Director of the bureau. For any office that reports directly to the Secretary or the Deputy Secretary of the Interior, the department's CIO will serve as the CIO if those offices have not designated one. Consistent with the Clinger-Cohen Act, the order states that the department's CIO is responsible for approving all IT expenditures. Interior's CIO issued specific direction to the bureaus in November 2002 and in January 2003, indicating how to implement Secretarial Order 3244 and establishing a process for monthly status reporting, which was to begin on January 31, 2003. However, at the time of our review, only two bureaus had provided the required monthly status reports, and none of the bureaus had fully implemented the order. This lack of responsiveness is consistent with concerns described in the SAIC report that Interior's CIO currently lacks adequate support from bureau CIOs to ensure that departmental efforts at improving IT investment management will be effectively implemented. Department Does Not Follow Through with Certification of the Bureaus' IT Investment Management Processes: According to the Clinger-Cohen Act and Interior's own CPIC Guide, the department should take steps to ensure that Interior's bureaus implement effective capital planning and investment control processes. To execute this responsibility according to project management best practices, the department should clearly define its expectations for these processes and then hold the bureaus accountable to the standards it has established. At the time of our review, the department had specified initial expectations for the bureaus' processes. On January 15, 2003, the department CIO issued a memorandum that called for the bureaus to immediately begin implementing more formal IT processes, using the CPIC Guide. The department held training sessions in which bureaus were informed that the Exhibit 300s they provide to the department for review as part of the annual budget formulation process must first be reviewed by their own IT investment review boards. The department emphasized during these sessions that the bureaus should work on making their Exhibit 53 reports on IT investments more complete and reliable. Although the Exhibit 53 reports do not include adequate information for IT investment management purposes--according to the ITIM framework-- improving the reports will bring Interior one step closer to identifying and tracking IT projects and systems. This is a critical aspect of the investment management process that will provide better visibility of all IT projects to the department. Despite this initial instruction on its expectations, the department has yet to fully implement a certification process through which it can hold bureaus accountable for their IT investment management processes. With the issuance of its CPIC Guide in December 2002, the department began to define some criteria for certification of these processes. The guide states that, at a minimum, a bureau's investment review board must maintain a documented description or charter outlining the bureau's CPIC process and the roles and responsibilities of the board, the bureau offices, and any other entities that are involved in CPIC. In addition, the guide outlines other departmental expectations--such as six steps that need to be accomplished in the short term, along with establishing a bureau-level investment review board--but it does not explicitly state whether these are required for certification. During our interviews with staff from Interior's IT Portfolio Management Division, officials confirmed that the certification process is still only a concept at Interior and that it has not been well defined. More specifically, the department has not established a date for the certification to begin or specified what corrective action will be taken if a bureau fails to be certified. Implementation of an effective certification process will provide the department with a mechanism for ensuring that the bureaus are operating in a manner that is consistent with the policies and procedures it establishes for ITIM key practices. Departmental officials confirmed that at the time of our review, OCIO efforts were concentrated on providing training for the preparation of bureau Exhibit 300 reports, discussed above, rather than on implementing the CPIC Guide's provisions for a certification process. Until the department focuses resources on defining and enforcing standards for certifying bureau processes, the risk is high that bureaus may implement IT investment management processes that do not sufficiently support the departmental investment management process. Only by institutionalizing effective processes at both the department and the bureau levels can Interior ensure that it is optimizing its investments in IT and effectively assessing and managing the risks of these investments. Department's Efforts to Improve Investment Management Processes and Oversight Are Fragmented and Inadequate: Achieving successful reform of IT management requires an organization to develop a complete and well-prioritized plan for systematically correcting weaknesses in its existing capabilities. To properly focus and target this plan, an organization should first fully identify and assess current strengths and weaknesses (i.e., create an investment management capability baseline). As we have previously reported,[Footnote 20] this plan should, at a minimum, (1) specify measurable goals, objectives, milestones, and needed resources and (2) clearly assign responsibility and accountability for accomplishing well-defined tasks. The plan should also be documented and approved by agency leadership. In implementing such a plan, it is important that the organization measure and report progress against planned commitments and take appropriate corrective action to address deviations. In order to develop a focus for its reform efforts, Interior has made several attempts to document existing conditions and identify weaknesses in its organization. Between 2001 and 2003, OCIO hired three different contractors to perform studies of existing IT projects and systems, organizational reporting relationships and functions, and IT investment management practices. The META Group performed the first study, after which the SAIC study, described earlier, was completed to assess the earlier results. G&B Solutions was then contracted to further elaborate and validate the earlier work, focusing on technical solutions and CIO authorities. In a separate effort in 2002, the department directed the bureaus to rate themselves in a number of areas that correspond to areas evaluated by OMB in the budget process. Further, on January 15, 2003, OCIO issued a memorandum that required bureaus to submit descriptions of their capital planning and investment control processes and IT investment board charters and to perform self- assessments of their IT investment management capabilities. However, the effectiveness of this particular effort was limited because no specific instructions were given on how to perform the self- assessments; this will lead to difficulties in comparing results across bureaus. The Department of the Interior has indicated that it intends to create a comprehensive reform plan with target goals and measurement criteria, but this plan has not been fully developed. In November 2002, the department created a Program Management Office to implement IT management reforms by pulling together various improvement efforts and prioritizing them. However, as of July 2003, the Program Management Office did not have a formal charter or a budget, and its manager did not have a clearly defined role. In addition, this individual's attention was being diverted away from issues of IT investment management to address other concerns, such as Interior's court-ordered efforts to resolve issues with the Indian Trust Fund and related information security problems. The lack of clear accountability and responsibility for improvement efforts that an office such as this would have provided has resulted in initiatives that are not well integrated and do not support a unified plan. For example, no steps have been taken to integrate the requirements of Secretarial Order 3244 for CIO organizations with the bureau certification process established in the CPIC Guide. In addition, the multiple efforts to develop an understanding of current conditions and identify weaknesses in the existing organization, described above, have not yielded a coherent view, despite the expenditure of considerable resources. Without committing to a plan that allows it to systematically prioritize, sequence, and evaluate improvement efforts, Interior jeopardizes its ability to establish mature investment processes, which include selection and control capabilities that would result in greater certainty about the outcomes of future IT investments. Conclusions: The Department of the Interior lacks most of the fundamental IT investment management practices necessary to effectively and efficiently manage its IT resources. Only by effectively and efficiently managing these resources can the department gain opportunities to further leverage its IT investments and make better allocation decisions among many investment alternatives. Recent moves by senior executives to define an IT investment management approach-- and to align the IT investment decision review process with the CIOs at both the department and bureau levels--demonstrate Interior's realization that reform is necessary. Nonetheless, the department still finds itself without many of the capabilities it needs to ensure that Interior's mix of IT investments best meets the agency's mission and business priorities. Interior's ability to guide and oversee investment practices throughout the agency is limited by its lack of mature investment management processes. The department has recognized that it needs to oversee bureau activities, and it has begun to establish the authority of bureau CIOs to manage IT investments and to implement certification of standard investment processes in the bureaus. However, until the department is able to ensure mature investment management capabilities at all levels, its ability to wisely select and effectively manage IT investments will be limited. Interior's success in resolving the weaknesses described in this report will depend on the department's ability to plan and execute the implementation of robust investment management and related practices throughout the agency. However, the department's efforts have suffered from a lack of unified planning, clear implementation guidance, supporting resources, and follow-up on requirements that have been established by the CIO. Until the department develops a comprehensive plan, supported by top management, that delineates performance expectations for process improvements, Interior's prospects will remain limited for successfully developing the management capabilities that are necessary to make prudent decisions that maximize the benefits and minimize the risks of its IT investments. Recommendations: To strengthen Interior's capabilities for IT investment management and address the weaknesses discussed in this report, we recommend that the Secretary of the Interior direct Interior's CIO to do the following: * Develop a unified, comprehensive plan for implementing departmentwide improvements to the IT investment management process that are based on the Stage 2 and Stage 3 critical processes of our ITIM framework. * Ensure that the plan focuses first on the weaknesses that this report identifies in the Stage 2 critical processes, before addressing those associated with higher stages of ITIM maturity, because Stage 2 processes collectively provide the foundation for building a mature IT investment management process. Specifically: * Establish a timetable for the IT Management Council, Management Initiatives Team, and Management Excellence Council to begin operating according to the guidance described in the CPIC Guide. * Develop and issue policies and procedures to guide the IT project oversight as described by our ITIM framework, including the review of actual performance information against expected performance by the investment boards and the implementation of corrective actions when performance falls below acceptable levels. Implement these policies and procedures to accomplish the purpose of project oversight. * Develop and issue policies and procedures to guide the project and system identification processes as described by the ITIM framework, including the specification of information required by the investment management process, the sources of such information, and the methods for collecting and retaining this information. Implement these policies and procedures to accomplish the purpose of IT project and system identification. * Develop and issue policies and procedures to guide the identification of business needs as described by the ITIM framework, including the identification of business needs for all projects and the inclusion of users in project management throughout a project's life cycle. Implement these policies and procedures to accomplish the purpose of identifying business needs. * Establish a timetable for implementing IT proposal selection as described by Interior's CPIC Guide. * Ensure that the plan next focuses on Stage 3 critical processes, which are necessary for portfolio management, because, along with the Stage 2 foundational processes, these processes are necessary for effective management of IT investments. * To further strengthen the department's ability to oversee bureau investment management processes so that it may ensure that investment management is effectively carried out throughout the organization, the plan should also: * establish a timetable and specific implementation milestones for Secretarial Order 3244, and: * describe acceptable criteria for certification of bureau CPIC processes and establish a time frame for the certification of these processes at all bureaus. * Ensure that the plan establishes a baseline of the agency's capabilities, specifies measurable goals and time frames, and establishes review milestones. * Establish a well-defined management structure for directing and controlling the unified plan with clear authority and responsibility. * Ensure that the Management Excellence Council, which holds responsibility for department management reform activities, approves the plan. * Implement the approved plan and report on progress made against the plan's goals and time frames to the Secretary of the Interior every 6 months. Agency Comments and Our Evaluation: The Department of the Interior's Assistant Secretary for Policy, Management and Budget provided written comments on a draft of this report (reprinted in appendix II). In these comments, the Department of the Interior concurred with our recommendations and identified actions that it plans to take to improve IT investment management processes throughout the department. Specifically, it intends to leverage lessons learned in BLM's implementation of the ITIM framework to accelerate the maturing of department practices. It also intends to develop and implement a comprehensive plan, approved by the Management Excellence Council, to address specific weaknesses that we identified in its foundational investment management practices and to move to full implementation of Secretarial Order 3244. In response to the department's comments, we removed all descriptions of national critical infrastructure or Trust. In its comments the department also provided us with additional information that reflects the ongoing progress it is making in implementing more mature investment management practices. As we have described in this report, Interior's progress has been evident and is ongoing. In particular, the establishment of the ITMC and the release of the CPIC Guide have provided an organizational point of focus and a set of procedures to guide IT investment management. This has enabled the department to begin to implement new practices with a departmentwide scope. The information the department provided to us in its comments on the completed evaluation reflects the continuing implementation of plans described in this report. We strongly support this ongoing progress, and we will reflect the successful execution of key practices in following up on our recommendations. : We are sending copies of this report to interested committees of Congress, to the Secretary of the Department of the Interior, and to the Chief Information Officer of the Department of the Interior. Copies will be made available to others upon request. In addition, the report will be made available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov.] http://www.gao.gov. If you have any questions regarding this report, please contact me at 202-512-6240 or at [Hyperlink, koontzl@gao.gov]. Additional GAO contact and staff acknowledgments are listed in appendix III. Linda D. Koontz Director, Information Management Issues: Signed by Linda D. Koontz: [End of section] Appendixes: Appendix I: Bureau Missions, Functions, and IT Investments: Dollars in millions. Bureau of Indian Affairs (BIA); Mission: To fulfill BIA's trust responsibilities and promote self-determination on behalf of Tribal Governments, American Indians, and Alaska Natives; IT Investments FY 2003[A]: $32.6; Budget authority FY 2003[B]: $2,252.0; FTEs FY 2003 estimate: 9,667; Description: BIA provides federal services to approximately 1.4 million American Indians and Alaska Natives who are members of 562 federally recognized tribes in the 48 contiguous United States and in Alaska. The bureau administers 43,450,267 acres of tribally owned land, 11,000,000 acres of individually owned land, and 443,000 acres of federally owned land held in trust status. The bureau's mission is to promote and support tribes on their future path through self-determination and to reduce administration by the bureau in nontrust areas. Bureau of Land Management (BLM); Mission: To sustain the health, diversity, and productivity of the public lands for the use and enjoyment of present and future generations; IT Investments FY 2003[A]: $88.2; Budget authority FY 2003[B]: $1,660.0; FTEs FY 2003 estimate: 10,739; Description: BLM administers over 264 million surface acres of public land, about one-eighth of the land in the U.S., and approximately 700 million acres of federal subsurface mineral estate. Most of these lands are in the West and Alaska, and they are dominated by extensive grasslands, forests, high mountains, arctic tundra, and deserts. BLM is responsible for the management and use of a variety of resources on these lands, including energy and minerals, timber, forage, wild horse and burro populations, fish and wildlife habitat, recreation sites, wilderness areas, and archeological and historical sites. BLM balances the goals of providing opportunities for environmentally responsible recreation and commercial activities; preserving natural and cultural heritage resources; reducing threats to public health, safety, and property; providing land, resource, and title information; providing economic and technical assistance to Indian tribes and island communities; understanding and planning for the condition and use of the public lands; and restoring at-risk resources and maintaining functioning systems. U.S. Fish and Wildlife Service (USFWS); Mission: To work with others to conserve, protect, and enhance fish, wildlife, plants and their habitats for the continuing benefit of the American people; IT Investments FY 2003[A]: $3.5; Budget authority FY 2003[B]: $1,281.0; FTEs FY 2003 estimate: 8,928; Description: USFWS is the primary federal agency responsible for the protection, conservation, and renewal of fish, wildlife, plants, and their habitats. It manages migratory bird populations, restores interjurisdictional fisheries, conserves and restores wildlife habitat, administers the Endangered Species Act, and assists foreign governments with their conservation efforts. USFWS oversees the Federal Aid in Fish and Wildlife Restoration Programs, which distribute hundreds of millions of dollars earned from excise taxes on fishing and hunting equipment to state fish and wildlife agencies. USFWS is the steward for nearly 93 million acres of public lands, including 529 refuges of the National Wildlife Refuge System, and it manages 67 national fish hatcheries for the restoration of the nation's fishery resources. USFWS also works closely with partnership activities for assisting voluntary habitat development and fostering aquatic conservation for fish and wildlife habitat on nonfederal lands. Minerals Management Service (MMS); Mission: To manage the mineral resources on the Outer Continental Shelf in an environmentally sound and safe manner and to timely collect, verify, and distribute mineral revenues from federal and Indian lands; IT Investments FY 2003[A]: $29.6; Budget authority FY 2003[B]: $170.0; FTEs FY 2003 estimate: 1,747; Description: MMS manages the nation's natural gas, oil, and other mineral resources on the Outer Continental Shelf. The agency also collects, accounts for, and disburses more than $5 billion per year in revenues from federal offshore mineral leases and from onshore mineral leases on federal and Indian lands. MMS includes two major programs, Offshore Minerals Management and Minerals Revenue Management. Offshore Minerals Management manages the mineral resources on the Outer Continental Shelf and has three regions: Alaska, the Gulf of Mexico, and the Pacific. Minerals Revenue Management collects, accounts for, and distributes revenues associated with mineral production from leased federal and Indian lands. National Park Service (NPS); Mission: To preserve unimpaired the natural and cultural resources and values of the national park system for the enjoyment, education, and inspiration of this and future generations. The Park Service cooperates with partners to extend the benefits of natural and cultural resource conservation and outdoor recreation throughout this country and the world; IT Investments FY 2003[A]: $36.3; Budget authority FY 2003[B]: $2,354.0; FTEs FY 2003 estimate: 20,369; Description: NPS manages 379 parks and various historic preservation, conservation and recreation programs, and hosts 287 million visitors annually. The National Park System encompasses approximately 83.6 million acres in over three hundred areas, of which more than 4.3 million acres remain in private ownership. There are three principal categories used in classification: natural areas, historical areas, and recreational areas. NPS's four goal categories are to preserve park resources; to provide for the public enjoyment and visitors' experience of parks; to strengthen and preserve natural and cultural resources and enhance recreational opportunities managed by partners; and to ensure organizational effectiveness in supporting NPS's mission. Office of Surface Mining (OSM); Mission: To carry out the requirements of the Surface Mining Control and Reclamation Act in cooperation with states and tribes; IT Investments FY 2003[A]: $1.3; Budget authority FY 2003[B]: $279.0; FTEs FY 2003 estimate: 630; Description: OSM is the lead federal agency for carrying out the mandates of the Surface Mining Control and Reclamation Act, whose goal is to protect society and the environment from the adverse effects of surface coal mining operations. OSM's mission goal of Environmental Restoration addresses mining that occurred prior to the passage of Surface Mining Control and Reclamation Act in 1977, while its goal of Environmental Protection addresses mining since 1977. Environmental Restoration is accomplished through the Abandoned Mine Land Program, whose main purpose is to restore a safe and clean environment. As part of this, the Appalachian Clean Streams Initiative supports local efforts to eliminate environmental and economic impacts of acid mine drainage from abandoned coal mines. Environmental Protection focuses on current coal mining and is accomplished with the Surface Mining Program, which oversees 4.4 million acres of surface coal mines in 26 states and on the lands of three Indian tribes. The principal means of delivering environmental protection is through 24 primacy states that receive federal grant funding. U.S. Bureau of Reclamation (USBR); Mission: To manage, develop, and protect water and related resources in an environmentally and economically sound manner in the interest of the American public; IT Investments FY 2003[A]: $9.8; Budget authority FY 2003[B]: $855.0; FTEs FY 2003 estimate: 5,628; Description: USBR has developed and manages a limited natural water supply in the 17 western states. USBR works to meet the increasing water demands while protecting the environment and the public's investment. USBR has 348 reservoirs with a total storage capacity of 245 million acre-feet of water, 58 hydroelectric power plants, and over 300 recreation sites. USBR is the nation's second largest producer of hydroelectric power in the western United States, generating more than 40 billion kilowatt hours of energy annually. USBR is the nation's largest water wholesaler; its water usage includes irrigation for one out of every five western farmers (140,000)--about 10 million acres of irrigated land; 10 trillion gallons of municipal, rural, and industrial water for over 31 million people; habitat support for wildlife refuges, migratory waterfowl, fish, and threatened and endangered species; and irrigation projects and potable water supplies for Indian tribes. USBR provides flood control benefits and drought contingency planning and assistance, and it provides water-based recreation activities for about 90 million visitors a year. U.S. Geological Survey (USGS); Mission: The USGS serves the nation by providing reliable scientific information to describe and understand the Earth; minimize loss of life and property from natural disasters; manage water, biological, energy, and mineral resources; and enhance and protect our quality of life; IT Investments FY 2003[A]: $198.6; Budget authority FY 2003[B]: $867.0; FTEs FY 2003 estimate: 9,397; Description: USGS is the nation's principal natural science and information agency. USGS conducts research, monitoring, and assessments to contribute to understanding the natural world--lands, water, and biological resources. USGS provides reliable, impartial information in the form of maps, data, and reports containing analyses and interpretations of water, energy, mineral and biological resources, land surfaces, marine environments, geologic structures, natural hazards, and dynamic processes of the Earth; this information is used to understand, respond to, and plan for changes in the environment. USGS describes, documents, and gains understanding of natural hazards and their risks through the study of earthquakes, volcanoes, landslides, geomagnetic field changes, floods, droughts, coastal erosion, tsunamis, wild land fire, and wildlife disease. Environmental and natural resources activities deal with physical, chemical, biological, and geological processes in nature and the impact of human actions on natural systems through studies including data collection, long-term assessments, ecosystems analysis, and the forecasting of future changes. Total; IT Investments FY 2003[A]: $399.9; Budget authority FY 2003[B]: $9,718.0; FTEs FY 2003 estimate: 67,105. Source: Department of the Interior (data), GAO (presentation). [A] Department of the Interior's Exhibit 53, Agency IT Investment Portfolio for fiscal year 2003. [B] Department of the Interior, Fiscal Year 2004: The Interior Budget in Brief. [End of table] [End of section] Appendix II: Comments from the Department of the Interior: THE ASSOCIATE DEPUTY SECRETARY OF THE INTERIOR WASHINGTON, D.C. 20240: AUG 27 2003: MEMORANDUM: To: Managing Director: Information and Technology Team: From: Assistant Secretary: Policy, Management and Budget: Subject: Interior Response to the Draft General Accounting Office (GAO) Report - "Information Technology, Departmental Leadership Crucial to Success on Investment Reform at Interior" (GAO-03-1028). Thank you for the opportunity to review the GAO draft report entitled, "Information Technology, Departmental Leadership Crucial to Success on Investment Reform at Interior" (GAO-03-1028). In the report, GAO acknowledges that Interior has taken decisive steps over the past year toward improving management of information technology (IT) resources. Noted accomplishments include implementation of a capital planning and investment control (CPIC) management process, the issuance of the CPIC guide, and establishment and operation of IT investment review boards at both the bureau and department levels. Other achievements include the issuance of a Secretarial Order to establish the authority of the bureau-level Chief Information Officers. Within Interior, the Bureau of Land Management (BLM) aligned resources and authority to implement GAO recommendations, resulting in BLM reaching Stage 2 of the IT investment management (ITIM) framework in 3 years. As reported in the GAO draft report entitled, "BLM, Plan Needed to Sustain Progress in Establishing IT Investment Management Capabilities" (GAO-03-1025), BLM established most of the Stage 2 Key Practices and initiated efforts to manage its investments as a portfolio. Using this proven methodology, the Department is leveraging the lessons from BLM implementation of the ITIM framework to progress more rapidly toward Stage 2. In order to continue the strong progress Interior has made in the past year, the report recommends strengthening the oversight and resource allocation role of the Chief Information Officer, directing resources to implementation, and integrating ongoing and future ITIM improvement initiatives. This is to be accomplished through the development and implementation of a comprehensive plan, approved by the Management Excellence Council, covering specific weaknesses in Stage 2 of the ITIM framework, full implementation of the Secretarial Order, and progress toward Stage 3. The plan is to include baselines, performance measures and a defined management structure. Interior concurs with these recommendations. In some areas the report does not sufficiently recognize progress Interior has made toward implementing the ITIM framework. The earlier self-assessment indicated that many key practices had not yet been fully executed. To the extent GAO based their assessment on the earlier incomplete information, Interior provides the attached supplemental information. The Department requests reconsideration of the ratings for the key practices addressed in the attachment. Interior is also continuing to provide information to the GAO ITIM self-assessment team, which would be valuable in documenting progress. Interior requests deletion in the final report of any description of national critical infrastructure or Trust systems, as this could potentially cause security concerns. Interior appreciates GAO's review of ITIM implementation to date, and the opportunity to provide comments and additional information. The combination of this report and the Department's self-assessments serve as a baseline to establish management processes to maximize the effectiveness of IT expenditures. Interior will use this report to baseline and incorporate metrics, time frames, and review milestones in its improvement plan. Finally, Interior will push forward in ensuring bureau compliance with the Capital Planning and Investment Control (CPIC) Guide, and the Secretarial Order. For additional information please contact W. Hord Tipton at 202-208- 6194. Attachment: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact : Lester Diamond, (202) 512-7957, [Hyperlink, diamondl@gao.gov] diamondl@gao.gov: Acknowledgments: In addition to the individual named above, William G. Barrick, Joanne Fiorino, Peggy A. Hegg, Alison Jacobs, Mary Beth McClanahan, and Nik Rapelje made key contributions to this report. (310356): FOOTNOTES [1] U.S. General Accounting Office, Bureau of Land Management: Plan Needed to Sustain Progress in Establishing IT Investment Management Capabilities, GAO-03-1025 (Washington, D.C. Sept. 12, 2003). [2] Interior uses the term "bureau" to refer to bureaus and offices and, in some instances, to its departmental offices. [3] Major information technology investments include those with total life cycle costs greater than $35 million; financial systems with a life cycle cost greater than $500,000; multiple bureau and/or agency projects; investments mandated by legislation or executive order or identified by the Secretary as critical; those reported as major on Exhibit 53 reports submitted to OMB; those requiring a common infrastructure investment; department strategic-and mandatory-use systems; those that differ significantly from or affect department infrastructure, architecture, or standards and guidelines; high risk investments as determined by OMB, GAO, Congress and/or the CIO; investments that directly support the President's Management Agenda items of "high executive visibility;" and those that are related to electronic government or that use E-business technologies. [4] U.S. General Accounting Office, Indian Trust Funds: Interior Lacks Assurance That Trust Improvement Plan Will Be Effective, GAO/AIMD-99-53 (Washington, D.C. Apr. 28, 1999) and U.S. General Accounting Office, Indian Trust Funds: Challenges Facing Interior's Implementation of New Trust Asset and Accounting Management System, GAO/T-AIMD-99-238 (Washington, D.C. July 14, 1999). [5] U.S. General Accounting Office, Indian Trust Funds: Improvements Made in Acquisition of New Asset and Accounting System But Significant Risks Remain, GAO/AIMD-00-259 (Washington, D.C. Sept. 15, 2000). [6] U.S. General Accounting Office, Land Management Systems: Progress and Risks in Developing BLM's Land and Mineral Record System, GAO/AIMD- 95-180 (Washington, D.C. Aug. 31, 1995); U.S. General Accounting Office, Land Management Systems: BLM Faces Risks in Completing the Automated Land and Mineral Records System, GAO/AIMD-97-42 (Washington, D.C. Mar. 19, 1997); U.S. General Accounting Office, Land Management Systems: Information on BLM's Automated Land and Mineral Record System Release 2 Project, GAO/AIMD-97-109R (Washington, D.C. June 6, 1997); U.S. General Accounting Office, Land Management Systems: Major Software Development Does Not Meet BLM's Business Needs, GAO/AIMD-99-135 (Washington, D.C. Apr. 30, 1999); U.S. General Accounting Office, Land Management Systems: Status of BLM's Actions to Improve Information Technology Management, GAO/AIMD-00-67 (Washington, D.C. Feb. 24, 2000); and U.S. General Accounting Office, Land Management Systems: BLM's Actions to Improve Information Technology Management, GAO-01-282 (Washington, D.C. Feb. 27, 2001). [7] U.S. Department of the Interior, Advisory Report, Developing the Department of the Interior's Information Technology Capital Investment Process: A Framework for Action, No. 2002-I-0038, August 2002. [8] The Paperwork Reduction Act of 1995 requires each agency to define its information needs and develop strategies, systems, and capabilities to support programs and to improve productivity, efficiency, and effectiveness. The Clinger-Cohen Act requires agencies to link IT investments to agency accomplishments and establish a process to select, manage, and control IT investments. [9] Office of Management and Budget, Analytical Perspectives Budget of the United States Government, Fiscal Year 2004. [10] U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft), GAO/AIMD-10.1.23 (Washington, D.C. May 2000). [11] U.S. General Accounting Office, United States Postal Service: Opportunities to Strengthen IT Investment Management Capabilities, GAO- 03-3 (Washington, D.C. Oct. 15, 2002) and U.S. General Accounting Office, Information Technology: Justice Plans to Improve Oversight of Agency Projects, GAO-03-135 (Washington, D.C. Nov. 22, 2002). [12] U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft), GAO/AIMD-10.1.23 (Washington, D.C. May 2000). [13] U.S. Department of the Interior, "Follow-on Guidance on Implementation of Secretarial Order Requirements," Memorandum from W. Hord Tipton (Jan. 31, 2003) and U.S. Department of the Interior, "Capital Asset Investment Management Clarification," Memorandum from P. Lynn Scarlett (Mar. 13, 2003). [14] For this critical process, we used a revised version of the IT Asset Inventory critical process included in the Exposure Draft of the ITIM framework. We discussed the revision with departmental officials at the start of this engagement, and they agreed to use it as the basis for our review of Interior's IT investment management capabilities. [15] The fiscal year 1997 Omnibus Consolidated Appropriations Act, Pub. L. 104-208, renamed both Divisions D and E of the 1996 DOD Authorization Act, Pub. L. 104-106, the Clinger-Cohen Act of 1996. [16] U.S. General Accounting Office, Maximizing the Success of Chief Information Officers: Learning From Leading Organizations, GAO-01-376G (Washington, D.C. Mar. 1, 2001). [17] U.S. Department of the Interior, Standardization of Information Technology Functions and Establishment of Funding Authorities, Office of the Secretary Order No. 3244 (Washington, D.C. Nov. 12, 2002). [18] For purposes of this order, "bureaus and offices" refers collectively to the bureaus of the department, the Secretarial Offices, and the immediate offices of the Secretary and the Deputy Secretary. [19] Secretarial Order 3244 requires that each bureau CIO organization include the following IT management functions: technology, security, information management, telecommunications, inventory and asset management, strategic planning, project management, and IT career and skills management. Technology management is defined to include enterprise architecture, capital planning and investment control processes, and IT acquisition. [20] U.S. General Accounting Office, Information Technology: DLA Needs to Strengthen Its Investment Management Capability, GAO-02-314 (Washington, D.C. Mar. 15, 2002). GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: