Transcription of GAO-15-315 Library of Congress: Strong Leadership Needed ...
LIBRARY OF CONGRESS
Strong Leadership Needed to Address Serious Information Technology Management Weaknesses
Report to Congressional Committees
March 2015
GAO-15-315
United States Government Accountability Office

Highlights of GAO-15-315, a report to congressional committees

Why GAO Did This Study
The Library of Congress is the world's largest library, whose mission is to make its resources available and useful to Congress and the American public. In carrying out its mission, the Library increasingly relies on IT systems, particularly in light of the ways that digital technology has changed the way information is created, shared, and preserved.
The House Appropriations Committee report accompanying the 2015 legislative branch appropriations bill required GAO to conduct a review of IT management at the Library. GAO's objectives focused on the extent to which the Library has established and implemented key IT practices and requirements in, among other areas: (1) strategic planning, (2) governance and investment management, (3) information security and privacy, (4) service management, and (5) leadership. To carry out its work, GAO reviewed Library regulations, policies, procedures, plans, and other relevant documentation for each area and interviewed key Library officials.

What GAO Recommends
GAO is recommending that the Library expeditiously hire a permanent CIO.
GAO is also making 30 other recommendations to the Library aimed at establishing and implementing key IT management practices. The Library generally agreed with GAO's recommendations and described planned and ongoing actions to address them.

What GAO Found
The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness:

Strategic planning: The Library does not have an IT strategic plan that is aligned with the overall agency strategic plan and establishes goals, measures, and strategies. This leaves the Library without a clear direction for its use of IT.

Investment management: Although the Library obligated at least $119 million on IT for fiscal year 2014, it is not effectively managing its investments. To its credit, the Library has established structures for managing IT investments, including a review board and a process for selecting investments. However, the board does not review all key investments, and its roles and responsibilities are not always clearly defined. Additionally, the Library does not have a complete process for tracking its IT spending or an accurate inventory of its assets. For example, while the inventory identifies over 18,000 computers currently in use, officials stated that the Library has fewer than 6,500.
Until the Library addresses these weaknesses, its ability to make informed decisions will be impaired.

Information security and privacy: The Library assigned roles and responsibilities and developed policies and procedures for securing its information and systems. However, its implementation of key security and privacy management controls was uneven. For example, the Library's system inventory did not include all key systems. Additionally, the Library did not always fully define and test security controls for its systems, remediate weaknesses in a timely manner, and assess the risks to the privacy of personal information in its systems. Such deficiencies also contributed to weaknesses in technical security controls, putting the Library's systems and information at risk of compromise.

Service management: The Library's Information Technology Services (ITS) division is primarily responsible for providing IT services to the agency's operating units. While ITS has catalogued these services, it has not fully developed agreements with the other units specifying expected levels of performance. Further, the other units were often not satisfied with these services, which has contributed to them independently pursuing their own IT activities. This in turn has resulted in units purchasing unnecessary hardware and software, maintaining separate e-mail environments, and managing overlapping or duplicative IT activities.

Leadership: The Library does not have the leadership needed to address these IT management weaknesses.
For example, the agency's chief information officer (CIO) position does not have adequate authority over or oversight of the Library's IT. Additionally, the Library has not had a permanent CIO since 2012 and has had five temporary CIOs in the interim.

In January 2015, at the conclusion of GAO's review, officials stated that the Library plans to draft an IT strategic plan within 90 days and hire a permanent CIO. If it follows through on these plans, the Library will be in a stronger position to address its IT management weaknesses and more effectively support its mission.

View GAO-15-315. For more information, contact Joel C. Willemssen at (202)
512-6253 or

Contents

Letter
Background
Library's Approach to IT Lacks Key Planning Practices to Effectively Guide Efforts
Library Is Not Effectively Managing the Selection and Oversight of IT Investments
Library of Congress Has Not Fully Established and Implemented Key IT Acquisition Practices
Security and Privacy Weaknesses Threaten Information and Systems That Support the Library's Mission
Library Has Not Ensured That IT Services Are Supporting Organizational Needs, Resulting in Inconsistent Satisfaction with Services and Duplicative or Overlapping Efforts
Library Lacks Strong Leadership Needed to Address Its IT Management Weaknesses
Conclusions
Recommendations
Agency Comments and Our Evaluation

Appendix I: Objectives, Scope, and Methodology
Appendix II: Comments from the Library of Congress
Appendix III: GAO Contact and Staff Acknowledgments

Tables
Table 1: Information Technology Staff at the Library of Congress, as of September 2014
Table 2: Information Technology-Related Spending at the Library of Congress, Fiscal Year 2014 Obligations
Table 3: GAO Summary Assessment of ITS's Cost-Estimating Guidance
Table 4: GAO Summary Assessment of ITS's Scheduling Guidance
Table 5: POA&M Status for Selected Systems, as of December 2014
Table 6: ITS Customer Satisfaction Survey Results
Table 7: Examples of Key Commodity IT Purchased by Individual Service Units in the Past 3 Years
Table 8: IT Activities Performed by Library Service Units
Table 9: IT Staff Salaries by Service Unit, Fiscal Year 2014

Figure
Figure 1: Simplified Library of Congress Organizational Chart

Abbreviations
CIO: chief information officer
CISO: chief information security officer
CMMI-ACQ: Capability Maturity Model Integration for Acquisition
CRS: Congressional Research Service
eCO: Electronic Copyright Office
FAME: Facility and Asset Management Enterprise
FITARA: Federal Information Technology Acquisition Reform Act
FEDLINK: Federal Library and Information Network
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Management Act of 2002
IG: inspector general
IT: information technology
ITS: Information Technology Services
ITSC: IT Steering Committee
LCR: Library of Congress Regulation
NIST: National Institute of Standards and Technology
NLS: National Library Service for the Blind and Physically Handicapped
OSEP: Office of Security and Emergency Preparedness
OSI: Office of Strategic Initiatives
OSO: Office of Support Operations
PICS/NIOSS: Production Information & Control System/NLS Integrated Operations Support System
PII: personally identifiable information
POA&M: plan of action and milestones
SEI: Software Engineering Institute
SP: Special Publication
SLA: service-level agreement
SYMIN II: System Management Information Network II

This is a work of the government and is not subject to copyright protection in the United States.