In December 2014, Congress enacted the Federal Information Technology Acquisition Reform Act (FITARA), which was intended to improve covered agencies’ acquisitions of IT. FITARA also provided an opportunity to strengthen the authority of CIOs to provide needed direction and oversight of agencies’ IT budgets.
GAO was asked to review whether CIOs’ IT budgeting practices are consistent with FITARA and the Office of Management and Budget’s (OMB) implementing guidance. A GAO report published November 13 addresses the extent to which selected federal agencies established policies and procedures that address IT budgeting requirements, how they demonstrated that they had developed fiscal year 2017 IT budgets for sampled investments consistent with FITARA and OMB guidance, and how they had implemented processes to ensure that annual IT budgets are informed by reliable cost information.
GAO selected four departments to review. These departments had the two highest and the two lowest average initial self assessment scores of compliance with OMB’s FITARA guidance, as well as a fiscal year 2017 IT budget of at least $1 billion. Within each of the departments, GAO also selected the component agencies with the largest fiscal year 2017 IT budget. For each selected department and component agency, GAO reviewed relevant IT budget policies and procedures, analyzed a sample of major and non-major investment proposals against key OMB requirements, and determined whether selected departments captured government labor costs, among other things.
The departments GAO reviewed – the Departments of Energy (DOE), Health and Human Services (HHS), Justice (DOJ), and the Treasury (Treasury) – took steps to establish policies and procedures that align with eight selected OMB requirements intended to implement IT acquisition reform legislation and to provide the CIO with visibility into and oversight over the IT budget. For example, of the eight OMB requirements, all four departments had established policies and procedures related to the level of detail with which IT resources are to be described in order to inform the CIO during the planning and budgeting processes. Agencies varied, however, as to how fully they had established policies and procedures related to some other OMB requirements, and none of the four departments had yet established procedures for ensuring that the CIO had reviewed whether the IT portfolio includes appropriate estimates of all IT resources included in the budget request.
Where the departments had not fully established policies and procedures, it was due, in part, to having not addressed in their FITARA implementation and delegation plans how they intended to implement the OMB requirements. GAO says that until departments develop comprehensive policies and procedures that address IT budgeting requirements established by OMB, they risk inconsistently applying requirements that are intended to facilitate the CIO’s oversight and approval of the IT budget.
Departments varied in the extent to which they could demonstrate implementation of key IT budgeting requirements when developing fiscal year 2017 funding requests for sampled investments. Specifically, while DOJ demonstrated that it had fully implemented the selected requirements for the majority of the investments GAO sampled, HHS and Treasury partially demonstrated implementation for a majority of the sampled investments, and DOE could not demonstrate implementation for the majority of the sampled investments. For example, DOE, HHS, and Treasury were not able to fully show that their CIOs had reviewed whether estimates of IT resources included in the budget request were appropriate for two of their respective departments’ largest fiscal year 2017 IT investments. Departments often could not demonstrate that they had implemented selected IT budgeting requirements at the investment level because they had not established comprehensive policies and procedures that required them to do so. As a result, departments could not show that CIOs were sufficiently involved in planning fiscal year 2017 IT expenditures at the individual investment level.
GAO also found that all four selected departments lacked quality assurance processes for ensuring their IT budgets were informed by reliable cost information. Specifically, the selected departments did not have IT capital planning processes for ensuring government labor costs have been accurately reported, aligning contract costs with IT investments, and utilizing budget object class data to capture all IT programs. This resulted in billions of dollars in requested IT expenditures without departments having comprehensive information to support those requests, and nearly $4.6 billion in IT contract spending that was not explicitly aligned with investments in selected departments’ IT portfolios. GAO says this was due to a lack of processes for periodically reviewing data quality and estimation methods for government labor estimates, as well as a lack of mechanisms to cross-walk IT spending data in their procurement and accounting systems with investment data in their IT portfolio management systems.
In August 2017, OMB developed a new approach of using a standard set of categories to group IT spending that, if properly implemented, has the potential to provide departments and CIOs enhanced visibility into IT costs across the portfolio. Nevertheless, until departments establish processes for assessing or otherwise ensuring the quality of relevant IT cost data used to inform their IT budgets, department CIOs will have less assurance that their budget includes appropriate and comprehensive estimates of IT resources.
GAO is making 43 recommendations to the eight selected departments and component agencies to address gaps in their IT budgeting policies and procedures, demonstrate implementation of OMB requirements, and establish procedures to ensure IT budgets are informed by reliable cost information.