This is the accessible text file for GAO report number GAO-09-662T 
entitled 'Social Security Administration: Effective Information 
Technology Management Essential for Data Center Initiative' which was 
released on April 28, 2009. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony: 

Before the Subcommittee on Social Security, Committee on Ways and 
Means, House of Representatives: 

For Release on Delivery: 
Expected at 2:00 p.m. EDT:
Tuesday, April 28, 2009: 

Social Security Administration: 

Effective Information Technology Management Essential for Data Center 
Initiative: 

Statement of Valerie C. Melvin, Director: 
Information Management and Human Capital Issues: 

GAO-09-662T: 

GAO Highlights: 

Highlights of GAO-09-662T, a testimony before the Subcommittee on 
Social Security, Committee on Ways and Means, House of Representatives. 

Why GAO Did This Study: 

The American Recovery and Reinvestment Act of 2009 (Recovery Act) 
provides resources to the Social Security Administration (SSA) to help 
replace its National Computer Center. This data center, which is 30 
years old, houses the backbone of the agency’s automated operations, 
which are critical to providing benefits to nearly 55 million people, 
issuing Social Security cards, and maintaining earnings records. The 
act makes $500 million available to SSA for the replacement of its 
National Computer Center and associated information technology (IT) 
costs. 

In this testimony, GAO was asked to comment on key IT management 
capabilities that will be important to the success of SSA’s data center 
initiative. 

To do so, GAO relied on previously published products, including 
frameworks that it has developed for analyzing IT management areas. GAO 
has not performed a detailed examination of SSA’s plans for this 
initiative, so it is not commenting on the agency’s progress or making 
recommendations. 

What GAO Found: 

For an effort as central to SSA’s mission as its planned new data 
center, effective practices in key IT management areas are essential. 
For example: 

* Effective strategic planning helps an agency set priorities and 
decide how best to coordinate activities to achieve its goals. For 
example, a strategic plan identifying interdependencies among 
modernization project activities helps ensure that these are understood 
and managed, so that projects—and thus system solutions—are effectively 
integrated. Given that the new data center is to form the backbone of 
SSA’s automated operations, it is important that the agency identify 
goals, resources, and dependencies in the context of its strategic 
vision. 

* An agency’s enterprise architecture describes both its operations and 
the technology used to carry them out. A blueprint for organizational 
change, an architecture is defined in models that describe (in business 
and technology terms) an entity’s current operation and planned future 
operation, as well as a plan for transitioning from one to the other. 
An enterprise architecture can help optimize SSA’s data center 
initiative by ensuring that its planning and implementation take full 
account of the business and technology environment. 

* For IT investment management, an agency should follow a portfolio-based 
approach in which investments are selected, controlled, and 
monitored from an agencywide perspective. By helping to allocate 
resources effectively, robust investment management processes can help 
SSA meet the accountability requirements and align with the goals of 
the Recovery Act. For example, projects funded under the act are to 
avoid unnecessary delays and cost overruns and are to achieve specific 
program outcomes. Investment management is aimed at precisely such 
goals: for example, accurate cost estimating (an important aspect of 
investment management) provides a sound basis for establishing a 
baseline to formulate budgets and measure program performance. Further, 
the act emphasizes energy efficiency—also a major concern for data 
centers, which have high power and cooling requirements. Investment 
management tools are important for evaluating the most cost-effective 
approaches to energy efficiency. 

* Finally, information security should be considered throughout the 
planning, development, and implementation of the data center. Security 
is vital for any organization that depends on information systems and 
networks to carry out its mission—especially for government agencies 
like SSA, where maintaining the public’s trust is essential. One part 
of information security management is contingency and continuity of 
operations planning—vital for a data center that is to be the backbone 
of SSA’s operations and service delivery. Data centers are vulnerable 
to a variety of service disruptions, including accidental file 
deletions, network failures, systems malfunctions, and disasters. 
Accordingly, it is necessary to define plans governing how information 
will be processed, retrieved, and protected in the event of minor 
interruptions or a full-blown disaster. 

These capabilities will be important in helping to ensure that SSA’s 
data center effort is successful and effectively uses Recovery Act 
funds. 

View [hyperlink, http://www.gao.gov/products/GAO-09-662T] or key 
components. For more information, contact Valerie Melvin at 
(202) 512-6304 or melvinv@gao.gov. 

[End of section] 

Mr. Chairman and Members of the Subcommittee: 

I am pleased to be here today to comment on the efforts of the Social 
Security Administration (SSA) to use resources provided by the American 
Recovery and Reinvestment Act of 2009 (Recovery Act) to replace its 
National Computer Center. Among its provisions, the act makes $500 
million available to SSA for the replacement of the center and 
associated information technology (IT) costs. This data center, which 
is 30 years old, houses the backbone of the agency's automated 
operations, which are critical to providing benefits to nearly 55 
million people, issuing Social Security cards, and maintaining earnings 
records. 

SSA has stated that it needs to replace the facility to provide more 
current processing capabilities and support the current and growing 
requirements of a 24-hour a day, 7-day a week electronic service 
delivery operation. The agency has decided that building a new facility 
will allow it to address limitations in the current facility, such as 
power supply and grid problems, as well as the presence of aging water 
pipes running in the same area as the equipment wiring. At the same 
time, the agency plans to move to more modern database technology to 
replace current systems, which still contain about 36 million lines of 
COBOL code - a programming language that is generally viewed as 
obsolete by the computer industry. 

To date, we have not performed a detailed examination of SSA's plans 
for this initiative; however, by all indications, this effort is 
expected to be a significant undertaking. Accordingly, its success will 
depend on how effectively the agency plans and manages the initiative--
from inception through delivery. Although IT investments can improve 
organizational performance, they can also become risky, costly, 
unproductive ventures that do not yield intended results. As we have 
described in numerous reports and testimonies, federal IT projects too 
frequently incur cost overruns and schedule slippages.[Footnote 1] 

Our research into IT management best practices and our evaluations of 
agency IT management performance have identified essential and 
complementary management disciplines that agencies can use to guide 
their efforts on major IT endeavors. These are related to key issues 
specific to data centers--identified by other research--that can affect 
efforts to construct or modernize these facilities. At your request, my 
testimony today summarizes selected key management capabilities that 
will be important to the success of SSA's data center initiative, and 
ties these capabilities to issues associated specifically with data 
centers, as well as to meeting the requirements of the Recovery Act. 

In developing this testimony, we relied on previously published 
products, including frameworks that we have developed for analyzing IT 
management areas.[Footnote 2] We also consulted published literature on 
data center construction issues and considerations. We conducted our 
work in support of this testimony in April 2009. 

Background: 

SSA projects that its current data center will not be adequate to 
support the demands of its growing workload. In fiscal year 2008, SSA's 
benefit programs provided a combined total of approximately $650 
billion to nearly 55 million beneficiaries.[Footnote 3] According to 
the agency, the number of beneficiaries is estimated to increase 
substantially over the next decade. In addition, SSA's systems contain 
large volumes of medical information, which is used in processing 
disability claims. About 15 million people are receiving federal 
disability payments, and SSA has been contending with backlogs in 
processing disability claims. 

According to SSA officials, the agency plans to use a large portion of 
the $1 billion in funding that it was allocated by the Recovery Act 
primarily to help build a large-scale data center and to develop new 
software to reduce the backlog of disability claims. The act provides 
$500 million from the stimulus package for data center expenses, 
[Footnote 4] of which $350 million is slated for the building 
infrastructure and part of the remaining funding for IT-related 
upgrades. This is not the entire projected cost: SSA has indicated that 
it needs a total of about $800 million to fund a new IT infrastructure, 
including the new data center--the physical building, power and cooling 
infrastructure, IT hardware, and systems applications.[Footnote 5] 

The Recovery Act's goals, among other things, include creating or 
saving more than 3.5 million jobs over the next two years and 
encouraging renewable energy and energy conservation. According to the 
Office of Management and Budget (OMB), the act's requirements include 
unprecedented levels of transparency, oversight, and accountability for 
various aspects of Recovery Act planning and implementation. These 
requirements are intended to ensure, among other things, that: 

* funds are awarded and distributed in a prompt, fair, and reasonable 
manner; 

* the recipients and uses of all funds are transparent to the public, 
and the public benefits of these funds are reported clearly, 
accurately, and in a timely manner; 

* funds are used for authorized purposes and instances of fraud, waste, 
error, and abuse are mitigated; 

* projects funded under the act avoid unnecessary delays and cost 
overruns; and 

* program goals are achieved, including specific program outcomes and 
improved results on broader economic indicators. 

Attention to Key IT Management Areas Will Help SSA in Its Data Center 
Initiative: 

An effort as central to SSA's ability to carry out its mission as its 
planned new data center requires effective IT management. As our 
research and experience at federal agencies have shown, 
institutionalizing a set of interrelated IT management capabilities is 
key to an agency's success in modernizing its IT systems. These 
capabilities include, but are not limited to: 

* strategic planning to describe an organization's goals, the 
strategies it will use to achieve desired results, and performance 
measures; 

* developing and using an agencywide enterprise architecture, or 
modernization blueprint, to guide and constrain IT investments; 

* establishing and following a portfolio-based approach to investment 
management; and 

* implementing information security management that ensures the 
integrity and availability of information. 

The Congress has recognized in legislation the importance of these and 
other IT management controls,[Footnote 6] and OMB has issued guidance. 
[Footnote 7] We have observed that without these types of capabilities, 
organizations increase the risk that system modernization projects will 
(1) experience cost, schedule, and performance shortfalls and (2) lead 
to systems that are redundant and overlap. They also risk not achieving 
such aims as increased interoperability and effective information 
sharing. As a result, technology may not effectively and efficiently 
support agency mission performance and help realize strategic mission 
outcomes and goals. 

All these management capabilities have particular relevance to the data 
center initiative. 

* IT strategic planning. A foundation for effective modernization, 
strategic planning is vital to create an agency's IT vision or roadmap 
and help align its information resources with its business strategies 
and investment decisions. An IT strategic plan, which might include the 
mission of the agency, key business processes, IT challenges, and 
guiding principles, is important to enable an agency to consider the 
resources, including human, infrastructure, and funding, that are 
needed to manage, support, and pay for projects. For example, a 
strategic plan that identifies interdependencies within and across 
modernization projects helps ensure that these are understood and 
managed, so that projects--and thus system solutions--are effectively 
integrated. Given that the new data center is to form the backbone of 
SSA's automated operations, it is important that the agency identify 
goals, resources, and dependencies in the context of its strategic 
vision. 

* Enterprise architecture. An enterprise architecture consists of 
models that describe (in both business and technology terms) how an 
entity operates today and how it intends to operate in the future; it 
also includes a plan for transitioning to this future state. More 
specifically, it describes the enterprise in logical terms (such as 
interrelated business processes and business rules, information needs 
and flows, and work locations and users) as well as in technical terms 
(such as hardware, software, data, communications, and security 
attributes and performance standards). It provides these perspectives 
both for the enterprise's current environment and for its target 
environment, as well as a transition plan for moving from one to the 
other. In short, it is a blueprint for organizational change. Using an 
enterprise architecture is important to help avoid developing 
operations and systems that are duplicative, not well integrated, 
unnecessarily costly to maintain and interface, and ineffective in 
supporting mission goals. 

Like an IT strategic plan (with which an enterprise architecture should 
be closely aligned), an enterprise architecture is an important tool to 
help SSA ensure that its data center initiative is successful. Using an 
enterprise architecture will help the agency ensure that the planning 
and implementation of the initiative take full account of the business 
and technology environment in which the data center and its systems are 
to operate. 

* IT investment management. An agency should establish and follow a 
portfolio-based approach to investment management in which IT 
investments are selected, controlled, and monitored from an agencywide 
perspective. In this way, investment decisions are linked to an 
organization's strategic objectives and business plans. Such an 
approach helps ensure that agencies allocate their resources 
effectively.[Footnote 8] 

In 2008, we evaluated SSA's investment management approach and found 
that it was largely consistent with leading investment management 
practices.[Footnote 9] SSA had established most practices needed to 
manage its projects as investments; however, it had not applied its 
process to all of its investments. For example, SSA had not applied its 
investment management process to a major portion of its IT budget. We 
recommended that for full accountability, SSA should manage its full IT 
development and acquisitions budget through its investment management 
board. We also made several recommendations for improving the 
evaluation of completed projects, including the use of quantitative 
measures of project success. 

Going forward, ensuring that best practices in investment management 
are applied to the data center initiative will help the agency 
effectively use funds appropriated under the Recovery Act. For example, 
projects funded under the act are to avoid unnecessary delays and cost 
overruns and are to achieve specific program outcomes and improved 
results on broader economic indicators. Robust investment management 
controls are important tools for achieving these goals. For example, 
developing accurate cost estimates--an important aspect of investment 
management--helps an agency evaluate resource requirements and 
increases the probability of program success. We have issued a cost 
estimating guide[Footnote 10] that provides best practices that 
agencies can use for developing and managing program cost estimates 
that are comprehensive, well-documented, accurate, and credible, and 
that provide management with a sound basis for establishing a baseline 
to formulate budgets and measure program performance. The guide also 
covers the use of earned value management (EVM), a technique for 
comparing the value of work accomplished in a given period with the 
value of the work expected.[Footnote 11] EVM metrics can alert program 
managers to potential problems sooner than tracking expenditures alone. 

Finally, the Recovery Act emphasizes the importance of energy 
efficiency and green building projects. Applying rigorous investment 
management controls to the planning and implementation of the data 
center design will help SSA determine the optimal approach to aligning 
its initiative with these goals. Because of the large power 
requirements and the heat generated by the equipment housed in data 
centers, efficient power and cooling are major concerns, particularly 
in light of evolving technology and increasing demand for information. 
To optimize their power and cooling requirements, agencies need to 
quantify cooling requirements and model these into data center designs. 
Such considerations affect the choice of locations for a new data 
center, facility requirements, and even floor space designs. Ways to 
improve energy efficiencies in data center facilities could include 
such cost-effective practices as reducing the need for artificial light 
by maximizing the use of natural light and insulating buildings more 
efficiently. For example, installing green (planted) roofs can insulate 
facilities and at the same time absorb carbon dioxide. 

* Information security. For any organization that depends on 
information systems and computer networks to carry out its mission or 
business, information security is a critical consideration. It is 
especially important for government agencies like SSA, where 
maintaining the public's trust is essential. Information security 
covers a wide range of controls, including general controls that apply 
across information systems (such as access controls and contingency 
planning) and business process application-specific controls to ensure 
the completeness, accuracy, validity, confidentiality, and availability 
of data.[Footnote 12] 

For the data center initiative, security planning and management will 
be important from the earliest stages of the project through the whole 
life cycle. In today's environment, in which security threats are both 
domestic and international, operational and physical security is 
required to sustain the safety and reliability of the data center's 
services on a day-to-day basis. An agency needs to have 
well-established security policies and practices in place and provide 
periodic assessments to ensure that the information and the facility 
are protected. Organizations must design and implement controls to 
detect and prevent unauthorized access to computer resources (e.g., 
data, programs, equipment, and facilities), thereby protecting them 
from unauthorized disclosure, modification, and loss. Specific access 
controls could include means to verify personnel identification and 
authorization. 

Further, because a data center is the backbone of an organization's 
operations and service delivery, continuity of operations is a key 
concern. Data centers need to be designed with the ability to 
efficiently provide consistent processing of operations. Even slight 
disruptions in power can adversely affect service delivery. Data 
centers are vulnerable to a variety of service disruptions, including 
accidental file deletions, network failures, systems malfunctions, and 
disasters. In the design of a data center, continuity of operations 
needs to be addressed at every level--including applications, systems, 
and businesses. An agency needs to articulate, in a well-defined plan, 
how it will process, retrieve, and protect electronically maintained 
information in the event of minor interruptions or a full-blown 
disaster. Disaster recovery plans should address all aspects of the 
recovery, including where to move personnel and how to maintain the 
business operations. Agency leaders need to prioritize business 
recovery procedures and to highlight the potential issues in such areas 
as application availability, data retention, speed of recovery, and 
network availability. 

In summary, given the projected increase in beneficiaries and the 
exceptional volume of medical data processed, these IT management 
capabilities will be imperative for SSA to follow as it pursues the 
complex data center initiative. 

Mr. Chairman, this completes my prepared statement. I would be pleased 
to respond to any questions you or other Members of the Subcommittee 
may have. 

GAO Contact and Staff Acknowledgments: 

If you should have any questions about this statement, please contact 
me at (202) 512-6304 or by e-mail at melvinv@gao.gov. Other individuals 
who made key contributions to this statement are Barbara Collier, 
Christie Motley, and Melissa Schermerhorn. 

[End of section] 

Footnotes: 

[1] For example, GAO, Information Technology: Agencies Need to 
Establish Comprehensive Policies to Address Changes to Projects' Cost, 
Schedule, and Performance Goals, [hyperlink, 
http://www.gao.gov/products/GAO-08-925] (Washington, D.C.: July 31, 
2008); DOD Business Systems Modernization: Progress in Establishing 
Corporate Management Controls Needs to Be Replicated Within Military 
Departments, [hyperlink, http://www.gao.gov/products/GAO-08-705] 
(Washington, D.C.: May 15, 2008); and Environmental Satellites: 
Polar-Orbiting Satellite Acquisition Faces Delays, Decisions Needed on 
Whether and How to Ensure Climate Data Continuity, [hyperlink, 
http://www.gao.gov/products/GAO-08-518] (Washington, D.C.: May 16, 
2008). 

[2] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity (Version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 
2004); and Information Technology: A Framework for Assessing and 
Improving Enterprise Architecture Management (Version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: Apr. 1, 
2003). 

[3] SSA provides financial assistance to eligible individuals through 
three major benefits programs: Old-Age and Survivors Insurance provides 
benefits to retired workers and their families and to survivors of 
deceased workers. Disability Insurance provides benefits to eligible 
workers who have qualifying disabilities, and their eligible family 
members. Supplemental Security Income provides income for aged, blind, 
or disabled individuals with limited income and resources. 

[4] The remaining $500 million is to be used for processing disability 
and retirement workloads, including IT acquisitions. 

[5] The new data center is in addition to an estimated $72 million 
backup facility that is being constructed in Durham, North Carolina. 

[6] The Clinger-Cohen Act of 1996 (40 U.S.C. §§11101-11703), for 
example, provides a framework for effective IT management that includes 
systems integration planning, human capital management, and investment 
management. In addition, the Paperwork Reduction Act (44 U.S.C. 
§§3501-3521, Pub. L. 104-13, May 22, 1995) requires that agencies have 
strategic plans for their information resource management. Software 
Engineering Institute, CMMI for Acquisition, Version 1.2, 
CMU/SEI-2007-TR-017 (Pittsburgh, PA: November 2007). 

[7] For guidance on integrated IT modernization planning and investment 
management, see OMB, Management of Federal Information Resources, 
Circular A-130 (Washington, D.C., Nov. 28, 2000) and Planning, 
Budgeting, Acquisition, and Management of Capital Assets, Circular 
A-11, Part 7 (Washington, D.C., July 2003). 

[8] [hyperlink, http://www.gao.gov/products/GAO-04-394G]. 

[9] GAO, Information Technology: SSA Has Taken Key Steps for Managing 
Its Investments, but Needs to Strengthen Oversight and Fully Define 
Policies and Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-08-1020] (Washington, D.C.: Sept. 12, 
2008). 

[10] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). 

[11] OMB requires agencies to use EVM in their performance-based 
management systems for the parts of an investment in which development 
effort is required or system improvements are under way. 

[12] GAO, Federal Information Systems Controls Audit Manual (FISCAM), 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: 
February 2009). 

[End of section] 
