It’s an old story that’s always new. The government has trouble acquiring information technology on budget and according to what it hopes to accomplish. When a project starts to go off the rails, the agency simply rebases it, hoping to stick to the new baseline. For the latest chapter, Federal Drive with Tom Temin spoke to the director of information technology acquisition management at the Government Accountability Office, Carol Harris.
Tom Temin: Mrs. Harris, good to have you back.
Carol Harris: Hi Tom, great to be here.
Tom Temin: So you have the latest list of 16 projects of major mission critical import, and that are fairly expensive, that are in a high risk situation or in danger of going off the rails. Is there any theme here that characterizes what causes these issues to occur in these particular projects?
Carol Harris: The study that we just released was done on behalf of the House Committee on Oversight and Reform and its Subcommittee on Government Operations. And they asked us to identify the top essential mission critical IT acquisitions across the government, and to determine their key attributes. So while some of them may be in trouble, in fact, the majority of them are considered high risk — they represent the top most important acquisitions in government at this time. These are systems that are defined as national security systems or that process any information whose loss, misuse, or unauthorized access would have a debilitating impact on the mission of the agency. And so we identified the top 16, they do have a significant impact on our country’s national security interests, such as those that support terrorism-related screening; foreign relations, including those that collect and record information on foreign students and exchange visitors; the economy, including those that process taxes; and public health, such as those intended to provide universal health care records. And so what we found in looking at these 16 was quite interesting. The majority of them, when you look at the rebaselines, as you mentioned at the top, the majority of them did rebaseline. And sometimes rebaselines can be for legitimate reasons like a change in objectives or funding stream, but they can also be used to mask cost and schedule overruns. And the majority reported delays in defining the cost, schedule and scope. Roughly half of them reported technical challenges, while another half reported a change in development approach. So we were finding some trouble as a result of technical issues. Other areas that we looked at when we examined the 16 include the lifecycle cost. While it’s not fair to compare the estimates across these acquisitions, because they do vary greatly, depending on their scope and complexity.
There were 13 that actually expect potential cost savings or avoidance after deployment. Due to a number of factors, six reported that they will be turning off multiple legacy systems, which is good because that is a significant problem across the government. In looking at it, there were two that will be using cloud capabilities, and three citing the elimination of physical paper processing.
Tom Temin: Beyond that, though, there is a huge range of technologies here. I’m looking at two of them, for example. One is the customer account data engine, the CADE, at the Treasury Department, and they’re still dealing with code that was installed many, many years ago. On the other end is the automatic dependent surveillance broadcast from the FAA under DOT, under the transportation department, which is a whole new technology, it’s related to an entirely new technology for how planes are controlled. So you’ve got some new functions and old functions. So in that sense, they are all over the map.
Carol Harris: Certainly they are all over the map. But one of the common themes that we’ve seen for the majority, including those two that you mentioned, is that the majority are utilizing incremental development approaches, such as agile software development. And that’s a good thing, because that’s one of the significant ways to avoid these monolithic IT programs that last 5, 10 plus years, ultimately deploying a system that just is obsolete and not working for the agency’s mission. And so it is very encouraging to see the big emphasis on the incremental development. We did see a combination of solutions being used, including customized software either being developed in house or by contractors, the use of COTS and open source software — so it was a mixture there as well. But it’s very encouraging to see the incremental development approach.
Tom Temin: One I wanted to ask you about was the 2020 decennial census under the Department of Commerce, the Census Bureau. It’s kind of late in the game there for that one to be saved I guess. They’re just about to enter the data processing stage, which I guess it’s not really where the danger lies. So what’s the latest there?
Carol Harris: As far as the 2020 census systems is concerned, it has been identified as high risk by GAO since the 2017 GAO high risk list came out. So it’s been on our radar for some time. As far as its next steps, it’s really ensuring that they have the adequate information security controls in place. The ones that we have identified through our recent reports, as well as ensuring that they have the proper oversight controls in place. We’ve identified multiple weaknesses there. And so ensuring that our recommendations are effectively implemented is crucial for the 2020 census systems.
Tom Temin: And what about the Veterans Affairs electronic health record modernization system, which is closely parallel to the Defense Department’s own health care management systems modernization — they’re using the same roughly underlying technology, both taking somewhat different acquisition approaches to them though.
Carol Harris: Yes. And so we actually have ongoing work on the VA electronic health records modernization initiative. There are two things there. The first is, yes they are utilizing the same solution as DoD, and so ensuring the interoperability, ensuring the coordination there is really important, so that’s something that we are watching, and that’s something we, you know, we’ll be paying close attention to. And then the second piece is ensuring that they have strong oversight capabilities in ensuring that change management controls are properly being implemented there, because it’s going to be a significant change to their business model for delivering health care services. So that aspect, we’ve actually just recently issued a report there and identified multiple recommendations for the department to improve upon, as well as in the actual acquisition of the technology as well, ensuring that the data migration from the legacy to the new systems is being done in a secure and proper way, as well as ensuring that they have proper internal controls to ensure that the mistakes of the past — they’ve had three failed efforts in the past — that those are not repeated. So ensuring that requirements management and the prioritization of system requirements are done well.
Tom Temin: Looking at the big picture, there is in recent years, something called the Federal Information Technology Acquisition Reform Act, or FITARA. And agencies have scorecards and report cards on all of that every year. But do you see evidence that FITARA has had some effect on the efficacy of the acquisition of IT systems in recent years?
Carol Harris: Absolutely. I’ll give you examples. When you look at the scorecard, software licenses management across the government has significantly improved. When our report came out in 2014, only 2 of 24 agencies had comprehensive inventories, and now the majority, all but one, have comprehensive inventories, that’s a significant change. And you can see that in the increased improvements in these IT acquisitions, as well as consolidating data centers and the move to the cloud. Many of the 16 are utilizing cloud based solutions, and that’s a good thing in terms of agencies are reporting that they expect cost savings associated with that. So those are clear indications that FITARA is working, it’s being implemented. And we’re seeing it in the resulting IT acquisitions. They are improving.
Tom Temin: When you discuss these particular projects with the agencies, do they generally concur with what the issues are both good and bad?
Carol Harris: Yes, they do. And that’s definitely a very positive sign, because they’ve been very open to the findings that we’ve identified. And in this particular study, we had really good cooperation from them. The bulk of the information was self reported. And so we really worked with them to understand the issues, and they were very forthcoming about the issues. So it certainly is a positive sign.
Tom Temin: So even though these are in danger, some of them of missing their cost and schedules — sounds like there’s some reason for optimism that the government on the whole is inching toward a better place from, say, 25 years ago.
Carol Harris: Absolutely. I mean, these are the top 16 acquisitions in the federal government. They are the most complex, they’re the most difficult. So it makes sense that the majority of them are on a high risk list. And I will say that the transparency associated with the risks and the issues with these programs has increased over what we’ve seen even a decade ago, and so that’s a very positive step in that direction, because we certainly don’t want agencies to be hiding these problems so that when they fail it’s a surprise to everybody. That’s the exact outcome that we want to avoid. So when we can identify issues early, that allows the proper corrective actions to be taken to minimize the cost overruns and schedule delays and so forth.
Tom Temin: Carol Harris is Director of Information Technology Acquisition Management at the Government Accountability Office. As always, thanks so much for joining me.
Carol Harris: Thanks Tom.