High-Risk Series: Information Management and Technology (Letter Report,
02/01/97, GAO/HR-97-9).

GAO reviewed the information system development and modernization
efforts at the Internal Revenue Service (IRS), the Federal Aviation
Administration (FAA), the Department of Defense (DOD), and the National
Weather Service (NWS), focusing on the agencies' problems meeting cost,
schedule, and performance goals.

GAO found that: (1) information systems are now integral to nearly every
aspect of over $1.5 trillion in annual federal government operations and
spending, yet, despite years of experience in developing systems,
agencies across government continue to have chronic problems harnessing
the full potential of information technology to improve performance, cut
costs, and enhance responsiveness to the public; (2) during the past 6
years, agencies have obligated over $145 billion building up and
maintaining their information technology infrastructure, but the
benefits from this vast expenditure have frequently been disappointing;
(3) this poor return on information technology investments has also left
the Congress and executive branch severely handicapped by the lack of
reliable data for measuring the costs and results of agency operations
and making well-informed decisions; (4) recognizing the urgent need for
improvement, the 104th Congress passed the Paperwork Reduction Act of
1995 and the Clinger-Cohen Act of 1996; (5) together, these acts direct
agencies to implement a framework of modern technology management based
on practices followed by leading public-sector and private-sector
organizations that have successfully used technology to dramatically
improve performance and meet strategic goals; (6) these management
practices provide proven, practical methods for addressing the federal
government's information management problems, maximizing benefits from
technology spending, and controlling the risks of system acquisition and
development efforts; (7) the challenge now is for agencies to apply this
framework to their own technology efforts; (8) the importance of quickly
implementing these reforms is emphasized by the fact that all four
multibillion-dollar information technology efforts listed in GAO's 1995
High-Risk Series remain at high risk of being late, running over cost,
and/or falling short of promised benefits; (9) they are the Internal
Revenue Service's Tax Systems Modernization, the Federal Aviation
Administration's Air Traffic Control modernization, the Department of
Defense's Corporate Information Management initiative, and the National
Weather Service's modernization; (10) each of these continues to suffer
from one or more problems, such as unsound investment control, poor
project management, and ongoing technical weaknesses--areas specifically
addressed by the new legislation; and (11) two new high-risk areas that*

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  HR-97-9
     TITLE:  High-Risk Series: Information Management and Technology
      DATE:  02/01/97
   SUBJECT:  Cost control
             Information resources management
             Computer security
             Data integrity
             ADP procurement
             Risk management
             Agency missions
             Systems design
             Systems conversions
             Strategic information systems planning
IDENTIFIER:  High Risk Series 1997
             IRS Tax System Modernization Program
             FAA Air Traffic Control Modernization Program
             NWS Modernization Program
             DOD Corporate Information Management Initiative
             IRS Compliance 2000 Initiative
             GAO High Risk Program
             FAA Advanced Automation System
             CIM
             DOD Defense Entitlement Eligibility Report System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                    <info@www.gao.gov>                        **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


High-Risk Series

February 1997

INFORMATION MANAGEMENT AND
TECHNOLOGY

GAO/HR-97-9

Information Management


Abbreviations
=============================================================== ABBREV

  ATC - air traffic control
  CIM - Corporate Information Management
  CIO - Chief Information Officer
  DEERS - Defense Entitlement Eligibility Report System
  DPS - Document Processing System
  FAA - Federal Aviation Administration
  FY - fiscal year
  IRS - Internal Revenue Service
  NWS - National Weather Service
  OMB - Office of Management and Budget
  PRA - Paperwork Reduction Act
  SEI - Software Engineering Institute
  TSM - Tax Systems Modernization

Letter
=============================================================== LETTER



February 1997

The President of the Senate
The Speaker of the House of Representatives

In 1990, the General Accounting Office began a special effort to
review and report on the federal program areas its work identified as
high risk because of vulnerabilities to waste, fraud, abuse, and
mismanagement.  This effort, which was supported by the Senate
Committee on Governmental Affairs and the House Committee on
Government Reform and Oversight, brought a much-needed focus on
problems that were costing the government billions of dollars. 

In December 1992, GAO issued a series of reports on the fundamental
causes of problems in high-risk areas, and in a second series in
February 1995, it reported on the status of efforts to improve those
areas.  This, GAO's third series of reports, provides the current
status of designated high-risk areas. 

This report focuses on major, multibillion dollar information system
development and modernization efforts at the Internal Revenue
Service, the Federal Aviation Administration, the Department of
Defense, and the National Weather Service.  These efforts are having
serious trouble meeting cost, schedule, and/or performance goals. 
Such problems are all too common in federal automation projects. 
Agencies have obligated over $145 billion during the past 6 years
building, buying, and maintaining computer systems and networks.  Yet
this vast investment has yielded poor returns in reducing federal
operating costs, improving performance, supporting sound financial
management, achieving mission results, and providing quality service
to the American public. 

In addition, we discuss two governmentwide information management
issues.  The first is information security.  Despite the sensitivity
and criticality of federal information systems, they are not being
adequately protected from unauthorized access.  The second issue
involves the need to change computer systems so that they can
accommodate dates after the year 1999.  Unless corrected, computer
programs that use dates to perform calculations, comparisons, and
sorting may generate incorrect results when working with the years
2000 and beyond. 

As dependence on computers grows and new high-risk areas emerge,
federal agencies need to adopt modern practices to correct underlying
management problems that impede effective system development and
operations.  In reviewing technology budget proposals, the 105th
Congress should determine whether agencies are implementing recently
enacted reform legislation--the Paperwork Reduction Act of 1995 and
the Clinger-Cohen Act of 1996.  This legislation, which incorporates
best practices of successful organizations, is designed to strengthen
executive leadership in information management and institute sound
capital investment decision-making for maximizing the potential
benefits from information systems. 

Copies of this report series are being sent to the President, the
congressional leadership, all other Members of the Congress, the
Director of the Office of Management and Budget, and the heads of
major departments and agencies. 

James F.  Hinchman
Acting Comptroller General
 of the United States


OVERVIEW
============================================================ Chapter 0

The federal government's dependence on computer systems, networks,
and electronic records to carry out its work continues to accelerate. 
Information systems are now integral to nearly every aspect of over
$1.5 trillion in annual federal government operations and
spending--from national defense and air traffic control to revenue
collection and benefit payments.  Yet, despite years of experience in
developing systems, agencies across government continue to have
chronic problems harnessing the full potential of information
technology to improve performance, cut costs, and enhance
responsiveness to the public. 


   THE PROBLEM
---------------------------------------------------------- Chapter 0:1

During the past 6 years, agencies have obligated over $145 billion
building up and maintaining their information technology
infrastructure.  The benefits from this vast expenditure, however,
have frequently been disappointing.  GAO reports and congressional
hearings have chronicled numerous system development efforts that
suffered from multimillion dollar cost overruns, schedule slippages
measured in years, and dismal mission-related results.  At the same
time, the public has become accustomed to high levels of quality and
service from leading private sector organizations.  They are
increasingly frustrated by the fact that they cannot get comparable
performance from their national government. 

This poor return on information technology investments has also left
the Congress and executive branch severely handicapped by the lack of
reliable data for measuring the costs and results of agency
operations and making well-informed decisions.  For instance,
agencies are still a long way from demonstrating the most basic
fiscal accountability to the public--such as passing the test of an
independent audit--largely due to inadequate financial management and
accounting systems. 


   PROGRESS TO DATE
---------------------------------------------------------- Chapter 0:2

Recognizing the urgent need for improvement, the 104th Congress
passed landmark reforms in information technology management.  The
Paperwork Reduction Act of 1995 is the overarching statute dealing
with the acquisition and management of information
resources--including information technology--by federal agencies.  It
emphasizes that agencies need to acquire and apply such resources to
effectively support the accomplishment of agency missions and the
delivery of services to the public.  The Clinger-Cohen Act of 1996
repeats this theme and elaborates on requirements for agencies to
follow when acquiring information technology. 

Together, these acts direct agencies to implement a framework of
modern technology management--one based on practices followed by
leading public-sector and private-sector organizations that have
successfully used technology to dramatically improve performance and
meet strategic goals. 

Among their many provisions, the reforms emphasize involving senior
executives in information management decisions, appointing qualified
senior-level Chief Information Officers, establishing appropriate
agencywide technology standards, imposing much-needed discipline over
technology spending, redesigning inefficient work processes, and
using performance measures to assess technology's contribution in
achieving mission results for the American people. 

These management practices provide proven, practical methods for
addressing the federal government's information management problems,
maximizing benefits from technology spending, and controlling the
risks of system acquisition and development efforts.  The challenge
now is for agencies to apply this framework to their own technology
efforts, particularly those with questionable returns, high risks,
and high costs. 

The importance of quickly implementing these reforms is emphasized by
the fact that all four multibillion-dollar information technology
efforts listed in our 1995 High-Risk Series\1

remain at high risk of being late, running over cost, and/or falling
short of promised benefits.  They are (1) the Internal Revenue
Service's (IRS) Tax Systems Modernization, (2) the Federal Aviation
Administration's (FAA) Air Traffic Control modernization, (3) the
Department of Defense's Corporate Information Management initiative,
and (4) the National Weather Service's (NWS) modernization.  Each of
these continues to suffer from one or more problems, such as unsound
investment control, poor project management, and ongoing technical
weaknesses--areas specifically addressed by the new legislation. 
Corrective measures are underway on many fronts, but our prior
recommendations have not yet been fully implemented. 

Along with these four agency-specific efforts, we are including two
new high-risk areas that touch virtually every major aspect of
government operations.  The first is information security.  Despite
the sensitivity and criticality of federal information systems, they
are not being adequately protected from unauthorized access. 
Security weaknesses abound, creating serious pervasive risks for the
federal government, such as potential disclosure of sensitive data,
loss of assets worth billions of dollars due to fraud, and disruption
of critical operations. 

The second area involves the need for computer systems to be changed
to accommodate dates beyond the year 1999.  This "year 2000" problem
stems from the common practice of abbreviating years by their last
two digits.  Computer systems could interpret "00" as the year 1900
instead of the year 2000, "01" as 1901, and so on.  The resulting
miscalculations involving dates and the computation of elapsed time
could cascade through all kinds of activities, such as loans,
mortgages, pensions, tax records, and benefit payments.  Federal
agencies need to take steps quickly to assess and correct this
problem before time runs out. 


--------------------
\1 GAO High-Risk Series, An Overview (GAO/HR-95-1, Feb.  1995). 


   OUTLOOK FOR THE FUTURE
---------------------------------------------------------- Chapter 0:3

Will the picture be any different in another 2 years?  A great deal
depends on leadership by agency heads, their Chief Information
Officers, and senior program executives. 

Agencies need to establish goals for using information technology to
enhance the productivity, efficiency, and effectiveness of their
operations.  Progress toward these goals should be measured and
reported in annual budget submissions.  In addition, agencies need to
improve work processes used to carry out programs, develop and
implement an integrated agencywide technology architecture, and
strengthen their staffs' capabilities to manage information
resources, deal with emerging technology issues, and develop needed
systems.  Each agency must also establish a structured process for
selecting, controlling, and evaluating their capital investments in
technology in order to maximize mission-related benefits and control
risks. 

The Congress also will need to be vigilant in overseeing agencies'
information technology investments and project management.  The
recently enacted reforms could easily dissipate unless congressional
committees use the full range of their budget, appropriations, and
oversight functions to hold agency leaders accountable for
implementing them promptly. 

The Congress should assure itself that agency heads are working to
identify strengths and weaknesses in their information management
practices.  Congressional committees should expect agencies to
provide hard data on how technology spending is being used to improve
mission performance and reduce operating costs.  And there should be
clear evidence that each agency has implemented a sound technology
investment control process.  The Congress should also see to it that
the Office of Management and Budget (OMB) is carrying out its
critical role in guiding the agencies in implementing investment
reforms and that OMB is enforcing accountability for achieving
improvements through the executive branch budget process. 


HIGH-RISK SYSTEM DEVELOPMENT AND
MODERNIZATION EFFORTS
============================================================ Chapter 1

Our 1995 High-Risk Series included four multibillion-dollar
modernization efforts that were having serious trouble meeting their
cost, schedule, and/or performance goals.\1 In our ongoing work, we
have continued to make specific recommendations for mitigating risks
in areas such as investment control, system development, and
technical infrastructure.  These agencies have made some progress. 
Still, the level of improvement has not yet been enough to bring the
problems under control.  After 2 years, all four remain on our
high-risk list. 


--------------------
\1 GAO/HR-95-1, Feb.  1995. 


   IRS' TAX SYSTEMS MODERNIZATION
---------------------------------------------------------- Chapter 1:1

Over the last decade, IRS has been attempting to overhaul its
timeworn, paper-intensive approach to tax return processing.  In
1995, we identified serious management and technical weaknesses in
the modernization program that jeopardize its successful completion,
recommended many actions to fix the problems, and added IRS'
modernization to our high-risk list.  Since then, IRS and Treasury
have together taken several steps to implement our recommendations,
but much remains to be done.  At stake is the over $3 billion that
IRS has spent or obligated on this modernization since 1986, as well
as any additional funds that IRS plans to spend on modernization. 

In July 1995,\2

we reported that IRS (1) did not have a comprehensive business
strategy to cost effectively reduce paper tax return filings and (2)
had not yet fully developed and put in place the requisite
management, software development, and technical infrastructure
necessary to successfully implement its ambitious, world-class
modernization.  We also reported that IRS lacked an overall systems
architecture, or blueprint, to guide the modernization's development
and evolution. 

At that time, we made over a dozen recommendations to the IRS
Commissioner to address these weaknesses.  Collectively, the
recommendations called for IRS to (1) formulate a comprehensive
business strategy for maximizing electronic filings, (2) improve its
strategic information management by implementing a process for
selecting, prioritizing, controlling, and evaluating the progress and
performance of all major information systems and investments, (3)
implement disciplined, consistent procedures for software
requirements management, quality assurance, configuration management,
and project planning and tracking, and (4) complete and enforce an
integrated systems architecture and security and data architectures. 
IRS agreed to implement our recommendations. 

In May 1996, Treasury reported to the House and Senate Appropriations
Committees on steps under way and planned to exert greater management
oversight of IRS' modernization efforts.\3 For example, it
established a Modernization Management Board as the primary review
and decision-making body for modernization and for policy and
strategic direction.  In addition, Treasury scaled back the overall
size of the modernization by approximately $2 billion and is working
with IRS to obtain additional contractor help to accomplish the
modernization. 

Pursuant to congressional direction, we assessed IRS' actions to
correct its management and technical weaknesses, as delineated in
Treasury's report on tax systems modernization.  We reported in June
and September 1996 that IRS had initiated many activities to improve
its modernization efforts but had not yet fully implemented any of
our recommendations.  Consequently, in order to minimize the risk
attached to continued investment in systems modernization, we
suggested to the Congress that it consider limiting modernization
funding exclusively to cost-effective efforts that (1) support
ongoing operations and maintenance, (2) correct IRS' pervasive
management and technical weaknesses, (3) are small, represent low
technical risk, and can be delivered quickly, and (4) involve
deploying already developed and fully tested systems that have proven
business value and are not premature given the lack of a completed
architecture. 

To help oversee IRS' modernization, the Congress in the fiscal year
1997 Omnibus Consolidated Appropriations Act\4 directed IRS to (1)
submit by December 1, 1996, a schedule for transferring a majority of
its modernization development and deployment to contractors by July
31, 1997, and (2) establish a schedule by February 1, 1997, for
implementing our recommendations by October 1, 1997.  In its
conference report on the act, the Congress directed the Secretary of
the Treasury to (1) provide quarterly reports on the status of IRS'
corrective actions and modernization spending\5 and (2) submit by May
15, 1997, a technical architecture for the modernization that has
been approved by Treasury's Modernization Management Board. 
Additionally, the Board was directed to prepare a request for
proposals by July 31, 1997, to acquire a prime contractor to manage
modernization deployment and implementation. 

IRS has continued to take steps to address our recommendations and
respond to congressional direction.  For example, IRS hired a new
Chief Information Officer.  It also created an investment review
board to select, control, and evaluate its information technology
investments.  Thus far, the board has reevaluated and terminated
selected major modernization development projects, such as the
Document Processing System (DPS). 

Additionally, IRS (1) provided a November 26, 1996, report to the
Congress that set forth IRS' strategic plan and schedule for shifting
modernization development and deployment to contractors, (2) is
finalizing a comprehensive strategy to maximize electronic filing
that is scheduled for completion in early 1997, and (3) is updating
its system development life cycle methodology and working across
various IRS organizations to define disciplined processes for
software requirements management, quality assurance, configuration
management, and project planning and tracking.  Additionally, IRS is
developing a technical architecture for the modernization and plans
to provide this to the Congress by May 15, 1997.  Further, IRS is
preparing a schedule for implementing our recommendations and plans
to provide it to the Congress in February 1997. 

While we recognize IRS' and Treasury's actions to address these
problems, we remain concerned.  Much remains to be done to fully
implement essential improvements.  Increasing the use of contractors,
for example, will not automatically increase the likelihood of
successful modernization because IRS does not have the technical
capability needed to manage all of its current contractors.  As a
case in point, IRS' Cyberfile--a system development effort led by
contractors to enable taxpayers to personally prepare and file their
tax returns electronically--exhibited many undisciplined software
acquisition practices as well as inadequate financial and management
controls.  Eventually, IRS canceled the Cyberfile project after
spending over $17 million and without fielding any of the system's
promised capabilities.  Therefore, if IRS is to use additional
contractors effectively, it will have to first strengthen and improve
its ability to manage those contractors. 

In addition, IRS needs to continue to make concerted, sustained
efforts to fully implement our recommendations and respond
effectively to the requirements outlined by the Congress.  It will
take both management commitment and technical discipline for IRS to
do this effectively.  Accordingly, we plan to continue assessing IRS'
progress in its critical endeavor to modernize. 


--------------------
\2 Tax Systems Modernization:  Management and Technical Weaknesses
Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156,
July 26, 1995). 

\3 Report to House and Senate Appropriations Committees:  Progress
Report on IRS's Management and Implementation of Tax Systems
Modernization, Department of the Treasury, May 6, 1996. 

\4 P.L.  104-208, Sept.  30, 1996. 

\5 H.R.  Report No.  863, 104th Cong., 2d sess.  (1996).  The
Congress also included the requirement that Treasury provide a
milestone schedule for developing and implementing all modernization
projects in Treasury's fiscal year 1996 appropriations act (P.L. 
104-52, Nov.  19, 1995). 


   FAA'S AIR TRAFFIC CONTROL
   MODERNIZATION
---------------------------------------------------------- Chapter 1:2

Faced with rapidly growing air traffic volumes and aging air traffic
control equipment, the FAA in 1981 initiated an ambitious air traffic
control (ATC) modernization program.  This effort, which is expected
to cost $34 billion through fiscal year 2003, mostly involves
investments in a multitude of software-intensive computer systems. 

Over the past 15 years, the modernization program has experienced
cost overruns, schedule delays, and performance shortfalls of large
proportions--particularly in the $7.6 billion former centerpiece of
the modernization known as the Advanced Automation System, which FAA
restructured in 1994.  The acquisition of that system failed because
FAA did not recognize the technical complexity of the effort,
realistically estimate the resources required, adequately oversee its
contractors' activities, or effectively control system
requirements.\6 With $11 billion planned to be spent on the ATC
program from fiscal years 1998 through 2003, and billions more surely
to follow, it is critical that FAA overcome the weaknesses that
threaten this effort. 

To its credit, FAA has made progress in acquiring an interim
replacement for its outage-plagued system that processes data into
displayable images on controllers' screens.\7

Although key acquisition milestones, events, and risks remain, FAA is
currently on track to deliver promised capabilities ahead of schedule
and within budget.  Further, when we recommended that two risks
associated with system testing--contention for human test resources
and test baseline configuration change control--be formally managed,
FAA officials agreed to do so. 

Still, serious problems remain.  The many systems comprising the
modernization effort have long proceeded without the benefit of a
complete systems architecture, or overall blueprint, to guide
development and evolution.\8 The result has been unnecessarily higher
spending to buy, integrate, and maintain hardware and software.  For
example, the number of application programming languages used on
existing systems has been left unchecked, growing to 53.  This has
needlessly increased software maintenance costs and hindered software
reuse among systems.  We have recommended that FAA develop and
enforce a complete systems architecture and implement a management
structure for doing so that is similar to the Chief Information
Officers provisions of the Clinger-Cohen Act of 1996. 

Exacerbating the modernization's problems is unreliable cost
information--both future estimates of costs and accumulations of
actual costs.\9 According to the Clinger-Cohen Act of 1996, the
selection of information technology investments should be based on
competing projects' estimated costs, benefits, and risks.  To
effectively manage these investments, their actual cost performance
must be measured against their cost estimates.  However, FAA lacks
the adequate cost estimating processes and cost accounting practices
needed to do so, leaving it at risk of making ill-informed decisions
on critical multimillion, even billion, dollar air traffic control
systems.  We recommended that FAA institutionalize defined processes
for estimating projects' cost, and develop and implement a managerial
cost accounting capability. 

FAA must also address problems in its organizational culture, which
does not reflect a strong enough commitment to mission focus,
accountability, coordination, and adaptability.\10 For example,
project officials established unrealistic cost estimates in order to
obtain funding and suppressed news about setbacks in order to avoid
heightened managerial oversight.  Without strong leadership to
promote the desired organizational behavior, the modernization
effort's problems will be difficult to overcome.  We recommended that
FAA develop a comprehensive strategy for addressing this issue. 

To further pinpoint the root causes of FAA's modernization problems,
we have a review underway to determine whether FAA's software
acquisition capability is sufficiently mature to successfully
modernize the highly complex, real-time ATC system. 


--------------------
\6 Advanced Automation System:  Implications of Problems and Recent
Changes (GAO/T-RCED-94-188, Apr.  13, 1994). 

\7 Air Traffic Control:  Good Progress on Interim Replacement for
Outage-Plagued System, but Risks Can Be Further Reduced
(GAO/AIMD-97-2, Oct.  17, 1996). 

\8 Air Traffic Control:  Complete and Enforced Architecture Needed
for FAA Systems Modernization (GAO/AIMD-97-30, Feb.  3, 1997). 

\9 Air Traffic Control:  Improved Cost Information Needed to Make
Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20,
Jan.  22, 1997). 

\10 Aviation Acquisition:  A Comprehensive Strategy Is Needed for
Cultural Change at FAA (GAO/RCED-96-159, Aug.  22, 1996). 


   DEFENSE'S CORPORATE INFORMATION
   MANAGEMENT INITIATIVE
---------------------------------------------------------- Chapter 1:3

The Department of Defense's Corporate Information Management (CIM)
initiative, started in 1989, was expected to save billions of dollars
by streamlining operations and implementing standard information
systems supporting such important business areas as supply
distribution, materiel management, personnel, finance, and
transportation.  However, 8 years after beginning CIM, and after
spending about $20 billion, Defense's savings goal has not been met
because the Department has not yet implemented sound management
practices. 

We have made numerous recommendations for improving the Department's
management of CIM, including (1) better linking system modernization
projects to business process improvement efforts, (2) establishing
plans, performance measures, and clearly defined roles and
responsibilities for implementing CIM, (3) improving controls over
information technology investments, and (4) not initiating system
improvement projects without sound economic and technical
analyses.\11

But Defense has yet to successfully implement these recommendations. 
Instead, it continues to spend billions of dollars on system
migration projects with little sound analytical justification.\12
Rather than relying on a rigorous decision-making process for
information technology investments--as used in leading private and
public sector organizations that we studied--Defense is making system
migration decisions without

  -- appropriately analyzing costs, benefits, and technical risks;

  -- establishing realistic project schedules; or

  -- considering how business process improvements could affect
     technology investments. 

Further, in some cases, Defense has denied its own decisionmakers the
opportunity to evaluate the progress of technology investments over
time by forgoing its established oversight process. 

Not surprisingly, the results of Defense's major technology
investments have been meager.  For example, in the transportation
area, it has made some investments that are likely to result in a
negative return on investment.  For materiel management, it has
abandoned its system modernization strategy after spending over $700
million.  For depot maintenance, Defense expects to spend over $1
billion to develop a standard system that will achieve less than 2.3
percent in reduced operational costs over a 10-year period. 

The Department estimates that additional spending on system migration
projects between now and the year 2000 will total more than $11
billion.  As part of its Clinger-Cohen Act implementation efforts,
the Department is establishing a framework for better managing this
investment using its planning, programming, and budgeting system. 
While a step in the right direction, this initiative is just
beginning.  We have ongoing and planned work--including reviews of
the Department's system modernization strategy and investment
controls--aimed at helping Defense managers make well-informed
business decisions based on an accurate picture of the costs of
technology investments, their related benefits, and an appreciation
for how they fit into the Department's long-term and short-term
goals. 


--------------------
\11 Defense Management:  Stronger Support Needed for Corporate
Information Management Initiative to Succeed (GAO/AIMD/NSIAD-94-101,
April 12, 1994); Defense Management:  Selection of Depot Maintenance
Standard System Not Based on Sufficient Analyses (GAO/AIMD-95-110,
July 13, 1995); Defense Transportation:  Migration Systems Selected
Without Adequate Analysis (GAO/AIMD-96-81, August 29, 1996); and
Defense IRM:  Critical Risks Facing New Material Management Strategy
(GAO/AIMD-96-109, September 6, 1996). 

\12 A migration system is an automated information system which
replaces several systems that perform similar functions. 


   NATIONAL WEATHER SERVICE'S
   MODERNIZATION
---------------------------------------------------------- Chapter 1:4

NWS decided almost 15 years ago to leverage the power of information
technology to "do more with less." Promising better weather forecasts
and downsized operations, NWS has been acquiring new observing
systems--such as radars, satellites, and ground-based sensors--as
well as powerful forecaster workstations, at a combined cost of about
$4.5 billion.  Although NWS acknowledges that key problems confront
the new systems, it has found that the new radars and satellites have
improved forecasts and warnings.  How successful NWS will ultimately
be in this endeavor, however, partly depends on how quickly it can
address several key problems that we have identified. 

Although the development and deployment of the observing systems
associated with NWS' modernization are nearing completion, unresolved
issues remain concerning the observing systems' operational
effectiveness and efficient maintenance.  To illustrate, we reported
that the new radars are not always up and running when severe weather
is threatening,\13 and that the ground-based sensors fall short of
performance and user expectations, particularly when the weather is
active.\14

We recommended that NWS correct shortfalls in radar performance and
define and prioritize all ground-based sensor corrections needed to
meet user needs.  NWS addressed some of our radar and ground-based
sensor performance concerns, but others remain.  Also, we recently
reported that NWS has not managed this massive investment through
sound decision-making processes.\15 For instance, NWS lacks a means
by which to ensure that systems provide promised returns on
investments.  Currently, only the radars have had their benefits
analyzed.  In addition, the sizable staff reductions that the
modernization promised will not be realized.  For example, we
reported in 1995 that NWS originally planned to reduce staff by 21
percent, but now the goal has been scaled back to 8 percent.\16 NWS
attributes the reduced goal primarily to needing more staff than
originally envisioned to operate new systems and to unanticipated
requirements that were beyond NWS' control. 

Further, the centerpiece of the modernization--the forecaster
workstations that will integrate observing systems' data and support
forecaster decision-making--is far from providing all promised
capabilities, for several reasons.  These workstations have been
delayed and become more expensive because of design problems and
management shortcomings.  In addition, workstation development
continues without all the technical process capabilities advocated by
the Software Engineering Institute (SEI), although NWS did improve
some of its capabilities based on our recommendation to do so.\17
Also, NWS has not demonstrated that all proposed capabilities will
result in mission improvements, thereby increasing the risk that
spending will be wasted on unneeded system capabilities.\18

In 1996, we made several recommendations that, if implemented, will
strengthen NWS' ability to manage the acquisition of these
workstations.  Specifically, we recommended that NWS

  -- validate all workstation requirements on the basis of mission
     impact,

  -- improve its process to test software,

  -- establish a software quality assurance program, and

  -- obtain an independent cost assessment since NWS does not have
     reliable project cost information.\19

As we reported in our 1995 high-risk series, the modernization and
evolution of this major systems initiative has long begged for a
guiding systems architecture.  NWS has acknowledged that this
technical blueprint is needed and is currently developing one to
address our March 1994 recommendation to do so.  In the meantime,
however, NWS will continue to incur higher system development and
maintenance costs and reduced performance until the systems
architecture is developed and enforced.\20


--------------------
\13 Weather Forecasting:  Radar Availability Requirements Not Being
Met (GAO/AIMD-95-132, May 31, 1995) and Weather Forecasting:  Radars
Far Superior to Predecessors, but Location and Availability Questions
Remain (GAO/T-AIMD-96-2, Oct.  17, 1995). 

\14 Weather Forecasting:  Unmet Needs and Unknown Costs Warrant
Reassessment of Observing System Plans (GAO/AIMD-95-81, April 21,
1995). 

\15 Information Technology Investment:  Agencies Can Improve
Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, Sept. 
30, 1996). 

\16 Weather Service Modernization Staffing (GAO/AIMD-95-239R, Sept. 
26, 1995). 

\17 Weather Forecasting:  Improvements Needed in Laboratory Software
Development Processes (GAO/AIMD-95-24, Dec.  14, 1994).  SEI, part of
Carnegie Mellon University, has developed generally recognized
standards for gauging an organization's ability to develop or acquire
software. 

\18 Weather Forecasting:  NWS Has Not Demonstrated that New
Processing System Will Improve Mission Effectiveness (GAO/AIMD-96-29,
Feb.  29, 1996).  Weather Forecasting:  New Processing System Faces
Uncertainties and Risks (GAO/T-AIMD-96-47, Feb.  29, 1996). 

\19 Weather Forecasting:  Recommendations to Address New Weather
Processing Systems Development Risks (GAO/AIMD-96-74, May 13, 1996). 

\20 Weather Forecasting:  Systems Architecture Needed for National
Weather Service Modernization (GAO/AIMD-94-28, Mar.  11, 1994). 


GOVERNMENTWIDE HIGH-RISK ISSUES
============================================================ Chapter 2

One sign of the federal government's growing dependence on
information technology is the emergence of high-risk issues that are
critical to operations at all agencies.  This year, we are
designating two governmentwide information management issues as high
risk:  information security and the Year 2000 problem.  These issues
require not only agency-specific actions, but also cooperative
efforts among the executive branch and the Congress to manage risks
and develop solutions. 


   INFORMATION SECURITY
---------------------------------------------------------- Chapter 2:1

Malicious attacks on computer systems are an increasing threat to our
national welfare.  We rely heavily on interconnected systems to
control critical functions, such as communications, financial
services, transportation, and utilities.  Though greater use of
interconnected systems promises significant benefits in improved
business and government operations, such systems are much more
vulnerable to anonymous intruders, who may manipulate data to commit
fraud, obtain sensitive information, or severely disrupt operations. 

At the federal level, system interconnectivity, combined with poor
security management, is putting billions of dollars worth of assets
at risk of loss and vast amounts of sensitive data at risk of
unauthorized disclosure.  In addition, the increasing reliance on
networked systems and electronic records has elevated concerns that
critical federal operations are vulnerable to serious disruption. 
This is because automated systems and electronic records are fast
replacing manual procedures and paper documents, which in many cases
are no longer available as "backup" if automated systems fail. 
Further, although such disruption could be precipitated by natural
disasters or accidents, there is evidence that some organizations are
developing strategies and tools for conducting premeditated attacks
on information systems. 

Many federal operations that rely on computer networks are attractive
targets for individuals or organizations with malicious intentions. 
Examples include law enforcement, import entry processing, various
financial transactions, payroll, defense operational plans,
electronic benefit payments, and electronically submitted medicare
claims. 

Despite their sensitivity and criticality, federal systems and data
are not being adequately protected.  Since June 1993, we have issued
over 30 reports describing serious information security weaknesses at
major federal agencies. 

For example, in May 1996, we reported that tests at the Department of
Defense showed that Defense systems may have experienced as many as
250,000 attacks during 1995, that about 64 percent of attacks were
successful at gaining access, and that only a small percentage of
these attacks were detected.\1 In September 1996, we reported that,
during the previous 2 years, serious information security control
weaknesses had been reported for 10 of the 15 largest federal
agencies.\2 For half of these agencies, the weaknesses had been
reported repeatedly for 5 years or longer.  Several of our most
disturbing reports on information security are for limited official
use and, therefore, cannot be discussed here because of the risk that
unscrupulous individuals may attempt to exploit reported weaknesses. 

Many of the federal information security weaknesses and causal
factors reported over the last few years were identified as a direct
result of the annual financial statement audits initiated under the
Chief Financial Officers Act of 1990.  Although these audits pertain
primarily to financial management systems, they generally include a
review of computer-based controls that affect a significant portion
of an agency's broader operations. 

In addition to describing information security weaknesses, our
reports contain dozens of recommendations to individual agencies for
improvement.  Agencies have acted on many of these recommendations,
and, in early 1996, OMB issued updated guidance to agencies on the
security of federal automated information resources.  However,
several underlying factors need to be addressed to help ensure that
federal agencies adequately protect their systems and data on a
continuing basis.  These factors include: 

  -- insufficient awareness and understanding of information security
     risks among senior agency officials,

  -- poorly designed and implemented security programs that do not
     adequately monitor controls or proactively address risk,

  -- a shortage of personnel with the technical expertise needed to
     manage controls in today's sophisticated information technology
     environment, and

  -- limited oversight of agency practices at a governmentwide level. 

In light of the increasing importance of information security and the
pattern of widespread problems that has emerged, stronger central
leadership is needed.  Our previously cited September 1996 report\3
concluded that OMB needs to play a more proactive role in promoting
awareness and in monitoring agency practices--a role that was
recently reemphasized in the PRA and Clinger-Cohen Act.  In
particular, we recommended that OMB engage assistance from private
contractors and others with appropriate expertise to assist in
monitoring agency information security programs.  Also, as chair of
the Chief Information Officers Council, OMB should encourage council
members to adopt information security as one of their top priorities
and develop a strategic plan for addressing the root causes of agency
security problems.  Such a plan could include

  -- developing information on existing and emerging information
     security risks,

  -- establishing a program for reviewing the adequacy of individual
     agency security programs using interagency teams of reviewers,
     and

  -- developing or identifying training and certification programs
     that could be shared among agencies. 

OMB reported in December 1996 that it has begun efforts to improve
its oversight of federal agencies' activities in information security
by holding a training session for program examiners to increase their
understanding of this management issue and its implications.  In
addition, the CIO Council has included information security as one of
its priorities.  However, at present, it is too early to assess the
adequacy of OMB's or the Council's response to our concerns. 


--------------------
\1 Information Security:  Computer Attacks at Department of Defense
Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996); Information
Security:  Computer Attacks at Department of Defense Pose Increasing
Risks (GAO/T-AIMD-96-92, May 22, 1996); and Information Security: 
Computer Hacker Information Available on the Internet
(GAO/T-AIMD-96-108, June 5, 1996). 

\2 Information Security:  Opportunities for Improved OMB Oversight of
Agency Practices (GAO/AIMD-96-110, Sept.  24, 1996). 

\3 GAO/AIMD-96-110, Sept.  24, 1996. 


   THE YEAR 2000 PROBLEM
---------------------------------------------------------- Chapter 2:2

At 12:01 on New Year's morning of the year 2000, many computer
systems could either fail to run or malfunction--thereby producing
inaccurate results--simply because the equipment and software were
not designed to accommodate the change of date to the new millennium. 

The Year 2000 problem is rooted in the way dates are recorded and
computed in many computer systems.  For the past several decades,
systems have typically used two digits to represent the year, such as
"97" representing 1997, in order to conserve on electronic data
storage and reduce operating costs.  With this two-digit format,
however, the year 2000 is indistinguishable from 1900, 2001 from
1901, and so on.  As a result of this ambiguity, system or
application programs that use dates to perform calculations,
comparisons, or sorting may generate incorrect results when working
with years after 1999. 

Unless this problem is resolved ahead of time, widespread operational
and financial impacts could affect federal, state, and local
governments; foreign governments; and private-sector organizations
worldwide.  At the federal level, scenarios like these are possible: 

  -- IRS' tax systems could be unable to process returns, which in
     turn could jeopardize the collection of revenue and the entire
     tax processing system. 

  -- Payments to veterans with service-connected disabilities could
     be severely delayed because Veterans Affairs' compensation and
     pension system either halts or produces checks that are so
     erroneous that the system must be shut down and the checks
     processed manually. 

  -- Social Security Administration's disability insurance process
     could experience major disruptions because the interface with
     various state systems fails, thereby causing delays and
     interruptions in disability payments to citizens. 

  -- Federal systems used to track student education loans could
     produce erroneous information on loan status, such as indicating
     that an unpaid loan had been satisfied. 

While the date issue will reach a crescendo at the end of the
century, date-related problems have been manifesting themselves for
some time.  For example, the Defense Department had medical benefits
computational problems in 1980 with its Defense Entitlement
Eligibility Report System (DEERS).  Had the system not been
corrected, people who were 45 years old, or younger, would have been
erroneously terminated from receiving their entitlement benefits. 

Other problems are just beginning to show up.  Recently, a Defense
Logistics Agency system marked 3-year contracts as delinquent even
though they had not yet been let.  Defense has also uncovered
date-related problems in its Space Defense Operations Center
involving a system that supports its Integrated Tactical Warning and
Attack Assessment community.  Testing revealed 10 date-related
discrepancies that would have caused a significant operational
impact. 

Other federal agencies face similar operational risks and impacts. 
Resolving the date problem will involve extensive, resource-intensive
efforts due to the large scale of many federal systems and the
numerous dependencies and interactions they often have with systems
of both private-sector organizations and state agencies. 

To complicate matters further, many government computer systems were
originally designed and developed 20 to 25 years ago, are poorly
documented, and use a wide variety of computer languages--many of
which are old or obsolete.  The systems consist of tens or hundreds
of computer programs, each with thousands, tens of thousands, or even
millions of lines of code, which must be examined for date problems. 
Moreover, the government's computer systems, like private sector
systems, have numerous components--hardware, firmware, operating
systems, communications applications, and database software--that are
affected by the date problem. 

Given that every federal agency is at risk of system failures, the
104th Congress held hearings to determine the severity of the problem
and the progress that agencies were making to deal with it.  For
instance, in April 1996, the House Government Reform and Oversight
Committee surveyed 24 departments and agencies.  They found that only
9 had developed plans for addressing the problem. 

With the year 2000 less than 3 years away, much work must be done,
and done quickly.  Ensuring that systems are Year 2000 compliant
represents the widest-scale system and software conversion effort
ever attempted.  Agencies must immediately assess their Year 2000
risk exposure, and plan and budget for achieving Year 2000 compliance
for all of their mission critical systems.  This will involve
identifying and analyzing mission-critical computer systems,
developing date conversion strategies and plans, and dedicating
sufficient resources to convert the computer systems by early 1999 in
order to allow 1 year for additional testing and error correction. 
Agencies will also need to develop contingency plans for those
systems that they are unable to change in time. 

In 1995, OMB formed an interagency working group on the year 2000
issue, which is now under the President's recently established Chief
Information Officers Council.  The basic federal strategy for
resolving the year 2000 problem relies on Chief Information Officers
to raise management awareness of the problem at their agencies, and
then direct work to assess the scope of the changes needed, renovate
the systems that need to be changed, test the changed systems, and
then implement them.  OMB is currently working with agencies to
establish time frames for completing these steps.  Regulatory action
has also been taken to assist agencies in acquiring information
products and systems that are already year 2000 compliant, whenever
possible. 

We are currently working with the Congress and the executive branch
to identify specific recommendations for resolving the Year 2000
problem.  In this regard, we plan to review efforts at the Department
of Defense, IRS, the Social Security Administration, FAA, Veterans
Affairs, and the Health Care Financing Administration.  In addition,
we are developing a set of audit templates for use by the audit
community and agencies to identify their risk areas. 


FURTHER ACTION NEEDED
============================================================ Chapter 3

The high-risk system development and modernization problems described
above are common across the government--and have been for many years. 
A broad set of solutions is needed to help agencies prevent high
risks and maximize the benefits of technology for improving
performance and reducing costs.  Similarly, there is a need to
strengthen federal agencies' ability to effectively address emerging
technology issues and problems on a governmentwide basis. 

To improve this situation, we have worked closely with the Congress
since our 1995 high-risk report to fundamentally revamp and modernize
federal information management practices.  Our study of leading
public and private sector organizations showed how they applied an
integrated set of management practices to create the information
technology infrastructures they needed to dramatically improve their
performance and achieve mission goals.\1 These practices provide
federal agencies with essential lessons on how to overcome the root
causes of their chronic information management problems. 

The 104th Congress used these lessons to create the first significant
reforms in information technology management in over a decade:  the
1995 PRA and the Clinger-Cohen Act of 1996.\2 These laws, discussed
below, focus sharply on building a foundation for sustained
improvement by (1) establishing strong agency-level leadership in
technology issues and (2) implementing sound processes for approving
and managing investments in technology. 


--------------------
\1 Executive Guide:  Improving Mission Performance Through Strategic
Information Management and Technology--Learning from Leading
Organizations (GAO/AIMD-94-115, May 1994). 

\2 The Omnibus Consolidated Appropriations Act, 1997, renamed both
the Federal Acquisition Reform Act of 1996 and the Information
Technology Management Reform Act of 1996 as the "Clinger-Cohen Act of
1996."


   STRONG AGENCY LEADERSHIP IN
   INFORMATION MANAGEMENT IS
   CRITICAL
---------------------------------------------------------- Chapter 3:1

Senior executives in the successful organizations we studied were
personally committed to improving the management of technology. 
Agency leaders likewise must recognize the urgent need to improve
their agencies' information management practices and create and
maintain the momentum for implementing reform. 

Both PRA and the Clinger-Cohen Act make agency heads directly
responsible for effective information management.  Among their key
duties, agency heads are to

  -- establish goals for improving the use of information technology
     in enhancing the productivity, efficiency, and effectiveness of
     agency operations and service to the public;

  -- measure the actual performance and contribution of technology in
     supporting agency programs; and

  -- include with their agencies' OMB budget submission a report on
     the progress being made in meeting operational improvement goals
     through the use of technology. 

In short, rather than leaving technology issues to mid-level
specialists, agency heads must incorporate strategic information
management into an executive-level general management framework--one
that incorporates the agency's budget process and a set of solid
performance measures. 

To help them carry out these new responsibilities, the heads of
agencies are to designate a Chief Information Officer (CIO).  The CIO
is to be much more than a senior technology manager.  As a top-level
executive reporting directly to the agency head, the CIO is
responsible for achieving mission results through technology by

  -- working with the agency head and senior managers on effective
     information management to achieve the agency's strategic
     performance goals;

  -- promoting improvements to work processes used to carry out
     programs;

  -- increasing the value of the agency's information resources by
     developing and implementing an integrated agencywide technology
     architecture; and

  -- strengthening the agency's knowledge, skills, and capabilities
     to effectively manage information resources, deal with emerging
     technology issues, and develop needed systems. 

As we learned from appointments to the Chief Financial Officer
positions, getting the right people in place will make a real
difference in implementing lasting management reforms.  The reforms
simply will not work without qualified, effective leadership.  OMB is
monitoring the agencies' CIO appointments at 28 federal agencies and
has found mixed progress.  According to OMB, as of November 1996,
many agencies had CIOs or acting CIOs who had limited operational and
technical experience, unclear roles, additional duties besides
information resources management, and/or did not report directly to
the agency head.  OMB is continuing to evaluate these situations as
agencies take further actions. 

Along with the top executives and CIOs, program managers have
critical leadership responsibilities for information management.  In
successful organizations we studied, managers work with the CIOs to
define information needs for their programs and develop strategies,
systems, and capabilities to meet those needs.  The reform
legislation calls for program officials to take ownership of
technology projects and be held accountable for their results.  This
represents a major shift away from the common practice of delegating
system development projects to technical specialists. 


   CONTROLLING INVESTMENTS IN
   INFORMATION TECHNOLOGY
---------------------------------------------------------- Chapter 3:2

A key practice identified in our study of leading organizations is
that they manage information technology projects as investments.  Top
executives periodically assess all major projects--proposed, under
development, and operational--then prioritize them and make funding
decisions based on factors such as cost, risk, return on investment,
and support of mission-related outcomes.  Once projects are selected
for funding, executives monitor them continually, taking quick
actions to resolve development problems and mitigate risks.  After a
project is implemented, executives evaluate actual versus expected
results and revise their investment management process based on
lessons learned. 

PRA and the Clinger-Cohen Act incorporate these features into new
requirements on how technology-related projects are to be selected
and managed.  The heads of agencies are to design and implement a
structure for maximizing the value and managing the risk of
technology investments, including

  -- establishing a process to select, control, and evaluate
     information technology investments using quantitative and
     qualitative criteria and data;

  -- modernizing inefficient administrative and mission-related work
     processes before making significant technology investments to
     support them;

  -- mitigating the risks of acquiring large, complex systems by
     building them in a modular fashion; and

  -- monitoring project progress and performance using up-to-date
     data. 

Current federal practices fall far short of these expectations.  For
example, in our report on the technology investment practices at five
federal agencies, only one had defined decision criteria for cost,
risk, and return.\3 In the absence of such information, investment
decisions were disproportionately based on subjective, qualitative
factors.  Generally, data on a project's cost, schedule, risks, and
returns were not documented, defined, or kept current, and in many
cases was not used to make investment decisions.  Instead, agencies
focused on justifying funding for new technology projects rather than
managing all projects as a portfolio of competing investments.  Once
a project was approved, the agency exerted little effort to ensure
that information on it was kept accurate and up to date.  Rarely were
data used to manage a project's progress throughout its life cycle. 

Under the new legislation, OMB has significant leadership
responsibility in directing agencies to implement investment reforms. 
In our information technology investment report, cited above, we
recommended that OMB develop guidance for agencies on implementing a
technology investment decision-making process, including advising
agencies on the minimum quality standards for data used to assess
cost, benefit, and risks.  We also recommended that OMB ensure that
agencies' investment control processes are in compliance with such
guidance by assessing their strengths and weaknesses, and developing
remedial actions and timetables for any needed improvements. 


--------------------
\3 Information Technology Investment:  Agencies Can Improve
Performance, Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, Sept. 
30, 1996). 


   STRONG CONGRESSIONAL OVERSIGHT
   IS ESSENTIAL TO SUCCESSFUL
   REFORM
---------------------------------------------------------- Chapter 3:3

Controlling and preventing high risks will depend largely on how well
federal agencies implement PRA and the Clinger-Cohen Act.  From our
past experience with the implementation of the Chief Financial
Officers Act, for which important progress has been made, we know
that the early days following the passage of reform legislation are
telling.  The level of interest shown by the 105th Congress in
driving and overseeing the implementation of the reforms will send a
strong signal to the agencies that they should move vigorously to
implement them.  Congressional oversight should focus on progress
being made in the following four areas. 

(1) Executive Accountability:  The Congress should assure itself that
agency heads are educating their agencies about the reforms and
putting in place the management structure to implement them.  Agency
heads should currently be devoting time, talent, and resources to
analyzing the strengths and weaknesses of their information
management practices.  Our own experience in assisting agencies with
such self-assessments has identified many fundamental problems that
must be quickly addressed, such as poor performance measures, vaguely
defined customer needs, and weak integration of technology investment
into the planning, budgeting, and evaluation processes. 

Members of Congress should expect agency heads to provide hard
numbers and facts on their information technology spending and how it
is being used to improve mission performance.  As noted earlier, the
reform legislation requires annual reports by agency heads to OMB on
the program performance benefits achieved from capital investments in
information technology and how these benefits relate to the
achievement of the agency's goals.  Probing discussions of these
reports should be a regular feature of congressional budget,
appropriations, and oversight hearings. 

(2) CIO responsibilities:  The Congress should closely monitor the
progress that agency heads are making in appointing well-qualified
CIOs who have sound expertise, practical experience, and proven track
records in information technology and strategic management. 

Each CIO should be positioned as a senior management partner,
reporting directly to the agency head.  In addition to strong
sponsorship from agency heads, CIOs need active support from other
senior executives in setting up effective information management
practices that meet the intent of the reform legislation.  CIO
responsibilities should focus sharply on strategic information
management issues, and not be burdened with other activities, such as
administrative services, personnel, and contracting--as has often
happened in the past.  Similarly, the CIO and Chief Financial Officer
positions should not be combined under one person, since the problems
associated with financial and information management are very
significant and require full-time attention by separate individuals
with appropriate talent, skills, and experience in each area. 

The Congress should expect to see CIOs making clear progress in
defining and implementing information management policies,
guidelines, and standards consistent with the reform legislation. 
They should be establishing a sound information technology
architecture at their agencies to provide a framework for integrating
current and new systems.  And they should be active in identifying
the technical skills and capabilities that their agencies need to
acquire and manage information resources in a disciplined manner to
better control risk and achieve desired outcomes.  Ultimately, these
actions should result in measurable improvements in mission
performance. 

(3) Interagency Actions:  Building on the agency-level CIO positions
established under the reform legislation, the President has
established a CIO Council to develop recommendations on
governmentwide information technology policies, procedures, and
standards.  This Council will be a critical test of the efficacy of
CIOs in taking concerted action to address and control governmentwide
technology risks.  Initially, the Congress should focus on the
Council's progress in promoting effective federal technology
investment reforms at their agencies and dealing with the
governmentwide information security and Year 2000 issues. 

(4) Investment Oversight and OMB Leadership:  Given the federal
government's long-standing record of poor investments in information
technology, a much higher level of oversight should be applied to
agencies' investment management processes and the actual results
achieved.  The Congress should closely monitor how well agencies are
institutionalizing processes to select, control, and evaluate their
technology projects.  By now, heads of agencies should be well on
their way to defining and implementing the elements of an investment
decision-making process called for by the legislation.  One measure
of progress is to review the effectiveness of agencies' actions in
bringing under control the high-risk modernization efforts described
in this report. 

As part of this oversight effort, the Congress should also assess the
effectiveness of OMB's leadership in two areas: 

  -- establishing guidance and policies for agencies to follow in
     implementing the investment reforms and

  -- evaluating the results of agency technology investments and
     enforcing accountability for results through the executive
     branch budget process. 

In the first area, OMB has been proactive in drafting new policies
and procedures to assist agencies in establishing technology
investment decision-making processes.  For example, OMB has issued a
guide on evaluating information technology investments for use by its
own staff and the agencies.\4 It is important that OMB continue to
clearly define expectations for agencies and for itself in this key
area. 

As for OMB's oversight of agency technology portfolios, we
recommended in our previously cited technology investment report that
OMB

  -- develop recommendations for the President's budget on funding
     levels for technology projects that take account of an agency's
     track record in delivering performance improvements from
     technology investments and

  -- develop an approach for determining whether OMB itself is having
     an impact on reducing the risk or increasing the returns on
     agency information technology investments. 

To its credit, OMB issued an October 25, 1996, memorandum to heads of
executive departments and agencies laying out decision criteria that
OMB will use in evaluating major information system investments
proposed for funding under the President's fiscal year 1998 budget. 
The criteria strongly reinforce the provisions of the reform
legislation.  In the memorandum, OMB states that as a general
presumption, it will recommend new and continued funding only for
those major system investments that satisfy these criteria. 

OMB's effectiveness will depend greatly on its ability to marshall
the resources and expertise that its staff needs to produce sound
evaluations of agencies' technology investment portfolios.  Given
existing workloads and the resilience of the OMB culture, OMB will
have little impact on the quality of technology investment
decision-making without a determined effort to build the necessary
assessment skills. 

Finally, as part of its review of the budget proposals for FY 1998,
the Congress should look for clear evidence that the soundness of an
agency's investment process, along with its track record in achieving
performance improvements from technology, is being considered in
executive branch funding requests for information systems. 


--------------------
\4 Evaluating Information Technology Investments:  A Practical Guide,
version 1.0 (S/N 041-001-00460-2, Nov.  1, 1995). 


RELATED GAO REPORTS
=========================================================== Appendix 4


   STRATEGIC INFORMATION
   MANAGEMENT
--------------------------------------------------------- Appendix 4:1

Information Technology Investment:  Agencies Can Improve Performance,
Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, Sept.  30, 1996). 

NASA Chief Information Officer:  Opportunities to Strengthen
Information Resources Management (GAO/AIMD-96-78, Aug.  15, 1996). 

Information Management Reform:  Effective Implementation Is Essential
for Improving Federal Performance (GAO/T-AIMD-96-132, July 17, 1996). 

Government Reform:  Using Reengineering and Technology to Improve
Government Performance (GAO/T-OCG-95-2, Feb.  2, 1995). 

Executive Guide:  Improving Mission Performance Through Strategic
Information Management and Technology (GAO/AIMD-94-115, May 1994). 


   INTERNAL REVENUE SERVICE
--------------------------------------------------------- Appendix 4:2

Tax Systems Modernization:  Actions Underway But Management and
Technical Weaknesses Not Yet Corrected (GAO/T-AIMD-96-165, Sept.  10,
1996). 

IRS Operations:  Critical Need to Continue Improving Core Business
Practices (GAO/T-AIMD/GGD-96-188, Sept.  10, 1996). 

Internal Revenue Service:  Business Operations Need Continued
Improvement (GAO/AIMD/GGD-96-152, Sept.  9, 1996). 

Tax Systems Modernization:  Cyberfile Project Was Poorly Planned and
Managed (GAO/AIMD-96-140, Aug.  26, 1996). 

Tax Systems Modernization:  Actions Underway But IRS Has Not Yet
Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June
7, 1996). 

Tax Systems Modernization:  Management and Technical Weaknesses Must
Be Corrected If Modernization Is To Succeed (GAO/AIMD-95-156, July
26, 1995). 

IRS Automation:  Controlling Electronic Filing Fraud and Improper
Access to Taxpayer Data (GAO/T-AIMD/GGD-94-183, July 19, 1994). 

Tax Systems Modernization:  Automated Underreporter Project Shows
Need for Human Resource Planning (GAO/GGD-94-159, July 8, 1994). 

Tax Systems Modernization:  Status of Planning and Technical
Foundation (GAO/T-AIMD-GGD-94-104, March 2, 1994). 


   FAA AIR TRAFFIC CONTROL
   MODERNIZATION
--------------------------------------------------------- Appendix 4:3

Air Traffic Control:  Complete and Enforced Architecture Needed for
FAA Systems Modernization (GAO/AIMD-97-30, Feb.  3, 1997). 

Air Traffic Control:  Improved Cost Information Needed to Make
Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20,
Jan.  22, 1997). 

Air Traffic Control:  Good Progress on Interim Replacement for
Outage-Plagued System, but Risks Can Be Further Reduced
(GAO/AIMD-97-2, Oct.  17, 1996). 

Aviation Acquisition:  A Comprehensive Strategy Is Needed for
Cultural Change at FAA (GAO/RCED-96-159, Aug.  22, 1996). 

Air Traffic Control:  Status of FAA's Modernization Program
(GAO/RCED-95-175FS, May 26, 1995). 

Advanced Automation System:  Implications of Problems and Recent
Changes (GAO/T-RCED-94-188, Apr.  13, 1994). 


   DEFENSE CORPORATE INFORMATION
   MANAGEMENT
--------------------------------------------------------- Appendix 4:4

Defense IRM:  Strategy Needed for Logistics Information Technology
Improvement Efforts (GAO/AIMD-97-6, Nov.  14, 1996). 

DOD Accounting Systems:  Efforts to Improve Systems for Navy Need
Overall Structure (GAO/AIMD-96-99, Sept.  30, 1996). 

Defense IRM:  Critical Risks Facing New Materiel Management Strategy
(GAO/AIMD-96-109, Sept.  6, 1996). 

Defense Transportation:  Migration Systems Selected Without Adequate
Analysis (GAO/AIMD-96-81, Aug.  29, 1996). 

Defense Management:  Selection of Depot Maintenance Standard System
Not Based on Sufficient Analyses (GAO/AIMD-95-110, July 13, 1995). 

Defense Management:  Impediments Jeopardize Logistics Corporate
Information Management (GAO/NSIAD-95-28, Oct.  21, 1994). 

Defense Management:  Stronger Support Needed for Corporate
Information Management Initiative to Succeed (GAO/AIMD/NSIAD-94-101,
April 12, 1994). 


   NATIONAL WEATHER SERVICE
   MODERNIZATION
--------------------------------------------------------- Appendix 4:5

NOAA Satellites (GAO/AIMD-96-141R, Sept.  13, 1996). 

Weather Forecasting:  Recommendations to Address New Weather
Processing System Development Risks (GAO/AIMD-96-74, May 13, 1996). 

Weather Forecasting:  New Processing System Faces Uncertainties and
Risks (GAO/T-AIMD-96-47, Feb.  29, 1996). 

Weather Forecasting:  NWS Has Not Demonstrated That New Processing
System Will Improve Mission Effectiveness (GAO/AIMD-96-29, Feb.  29,
1996). 

Weather Forecasting:  Radars Far Superior to Predecessors, but
Location and Availability Questions Remain (GAO/T-AIMD-96-2, Oct. 
17, 1995). 

Weather Service Modernization Staffing (GAO/AIMD-95-239R, Sept.  26,
1995). 

Weather Forecasting:  Radar Availability Requirements Not Being Met
(GAO/AIMD-95-132, May 31, 1995). 

Weather Forecasting:  Unmet Needs and Unknown Costs Warrant
Reassessment of Observing System Plans (GAO/AIMD-95-81, April 21,
1995). 

Weather Service Modernization Questions (GAO/AIMD-95-106R, March 10,
1995). 

Weather Service Modernization:  Despite Progress, Significant
Problems and Risks Remain (GAO/T-AIMD-95-87, Feb.  21, 1995). 

Meteorological Satellites (GAO/NSIAD-95-87R, Feb.  6, 1995). 

Weather Forecasting:  Improvements Needed in Laboratory Software
Development Processes (GAO/AIMD-95-24, Dec.  14, 1994). 

Weather Forecasting:  Systems Architecture Needed for National
Weather Service Modernization (GAO/AIMD-94-28, March 11, 1994). 

Weather Forecasting:  Important Issues on Automated Weather
Processing System Need Resolution (GAO/IMTEC-93-12BR, Jan.  6, 1993). 


   INFORMATION SECURITY
--------------------------------------------------------- Appendix 4:6

Information Security:  Opportunities for Improved OMB Oversight of
Agency Practices (GAO/AIMD-96-110, Sept.  24, 1996). 

Financial Audit:  Examination of IRS' Fiscal Year 1995 Financial
Statements (GAO/AIMD-96-101, July 11, 1996). 

Information Security:  Computer Hacker Information Available on
Internet (GAO/T-AIMD-96-108, June 5, 1996). 

Information Security:  Computer Attacks at Department of Defense Pose
Increasing Risks (GAO/AIMD-96-84, May 22, 1996). 

Information Security:  Computer Attacks at Department of Defense Pose
Increasing Risks (GAO/T-AIMD-96-92, May 22, 1996). 

Security Weaknesses at IRS' Cyberfile Data Center (GAO/AIMD-96-85R,
May 9, 1996). 

Financial Audit:  Federal Family Education Loan Program's Financial
Statements for Fiscal Years 1994 and 1993 (GAO/AIMD-96-22, Feb.  26,
1996). 

Department of Energy:  Procedures Lacking To Protect Computerized
Data (GAO/AIMD-95-118, June 5, 1995). 

Information Superhighway:  An Overview of Technology Challenges
(GAO/AIMD-95-23, Jan.  23, 1995). 

Financial Audit:  Examination of Customs' Fiscal Year 1993 Financial
Statements (GAO/AIMD-94-119, June 15, 1994). 

HUD Information Resources:  Strategic Focus and Improved Management
Controls Needed (GAO/AIMD-94-34, April 14, 1994). 

IRS Information Systems:  Weaknesses Increase Risk of Fraud and
Impair Reliability of Management Information (GAO/AIMD-93-34, Sept. 
22, 1993). 


1997 HIGH-RISK SERIES
=========================================================== Appendix 5

An Overview (GAO/HR-97-1)

Quick Reference Guide (GAO/HR-97-2)

Defense Financial Management (GAO/HR-97-3)

Defense Contract Management (GAO/HR-97-4)

Defense Inventory Management (GAO/HR-97-5)

Defense Weapon Systems Acquisition (GAO/HR-97-6)

Defense Infrastructure (GAO/HR-97-7)

IRS Management (GAO/HR-97-8)

Information Management and Technology (GAO/HR-97-9)

Medicare (GAO/HR-97-10)

Student Financial Aid (GAO/HR-97-11)

Department of Housing and Urban Development (GAO/HR-97-12)

Department of Energy Contract Management (GAO/HR-97-13)

Superfund Program Management (GAO/HR-97-14)























The entire series of 14 high-risk reports can be ordered using the
order number GAO/HR-97-20SET. 


*** End of document. ***