GAO-15-315 Library of Congress: Strong Leadership Needed ...


Transcription of GAO-15-315 Library of Congress: Strong Leadership Needed ...

LIBRARY OF CONGRESS

Strong Leadership Needed to Address Serious Information Technology Management Weaknesses

Report to Congressional Committees, March 2015

GAO-15-315

United States Government Accountability Office

Highlights of GAO-15-315, a report to congressional committees

Why GAO Did This Study

The Library of Congress is the world's largest library, whose mission is to make its resources available and useful to Congress and the American public. In carrying out its mission, the Library increasingly relies on IT systems, particularly in light of the ways that digital technology has changed the way information is created, shared, and preserved.

The House Appropriations Committee report accompanying the 2015 legislative branch appropriations bill required GAO to conduct a review of IT management at the Library. GAO's objectives focused on the extent to which the Library has established and implemented key IT practices and requirements in, among other areas: (1) strategic planning, (2) governance and investment management, (3) information security and privacy, (4) service management, and (5) leadership. To carry out its work, GAO reviewed Library regulations, policies, procedures, plans, and other relevant documentation for each area and interviewed key Library officials.

What GAO Recommends

GAO is recommending that the Library expeditiously hire a permanent CIO.

GAO is also making 30 other recommendations to the Library aimed at establishing and implementing key IT management practices. The Library generally agreed with GAO's recommendations and described planned and ongoing actions to address them.

What GAO Found

The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness:

Strategic planning: The Library does not have an IT strategic plan that is aligned with the overall agency strategic plan and establishes goals, measures, and strategies. This leaves the Library without a clear direction for its use of IT.

Investment management: Although the Library obligated at least $119 million on IT for fiscal year 2014, it is not effectively managing its investments. To its credit, the Library has established structures for managing IT investments, including a review board and a process for selecting investments. However, the board does not review all key investments, and its roles and responsibilities are not always clearly defined. Additionally, the Library does not have a complete process for tracking its IT spending or an accurate inventory of its assets. For example, while the inventory identifies over 18,000 computers currently in use, officials stated that the Library has fewer than 6,500.

Until the Library addresses these weaknesses, its ability to make informed decisions will be impaired.

Information security and privacy: The Library assigned roles and responsibilities and developed policies and procedures for securing its information and systems. However, its implementation of key security and privacy management controls was uneven. For example, the Library's system inventory did not include all key systems. Additionally, the Library did not always fully define and test security controls for its systems, remediate weaknesses in a timely manner, and assess the risks to the privacy of personal information in its systems. Such deficiencies also contributed to weaknesses in technical security controls, putting the Library's systems and information at risk of compromise.

Service management: The Library's Information Technology Services (ITS) division is primarily responsible for providing IT services to the agency's operating units. While ITS has catalogued these services, it has not fully developed agreements with the other units specifying expected levels of performance. Further, the other units were often not satisfied with these services, which has contributed to them independently pursuing their own IT activities. This in turn has resulted in units purchasing unnecessary hardware and software, maintaining separate e-mail environments, and managing overlapping or duplicative IT activities.

Leadership: The Library does not have the leadership needed to address these IT management weaknesses.

For example, the agency's chief information officer (CIO) position does not have adequate authority over or oversight of the Library's IT. Additionally, the Library has not had a permanent CIO since 2012 and has had five temporary CIOs in the interim. In January 2015, at the conclusion of GAO's review, officials stated that the Library plans to draft an IT strategic plan within 90 days and hire a permanent CIO. If it follows through on these plans, the Library will be in a stronger position to address its IT management weaknesses and more effectively support its mission.

View GAO-15-315. For more information, contact Joel C. Willemssen at (202) 512-6253 or

Contents

Letter
Background
Library's Approach to IT Lacks Key Planning Practices to Effectively Guide Efforts
Library Is Not Effectively Managing the Selection and Oversight of IT Investments
Library of Congress Has Not Fully Established and Implemented Key IT Acquisition Practices
Security and Privacy Weaknesses Threaten Information and Systems That Support the Library's Mission
Library Has Not Ensured That IT Services Are Supporting Organizational Needs, Resulting in Inconsistent Satisfaction with Services and Duplicative or Overlapping Efforts
Library Lacks Strong Leadership Needed to Address Its IT Management Weaknesses
Conclusions
Recommendations
Agency Comments and Our Evaluation
Appendix I: Objectives, Scope, and Methodology
Appendix II: Comments from the Library of Congress
Appendix III: GAO Contact and Staff Acknowledgments

Tables

Table 1: Information Technology Staff at the Library of Congress, as of September 2014
Table 2: Information Technology-Related Spending at the Library of Congress, Fiscal Year 2014 Obligations
Table 3: GAO Summary Assessment of ITS's Cost-Estimating Guidance
Table 4: GAO Summary Assessment of ITS's Scheduling Guidance
Table 5: POA&M Status for Selected Systems, as of December 2014
Table 6: ITS Customer Satisfaction Survey Results
Table 7: Examples of Key Commodity IT Purchased by Individual Service Units in the Past 3 Years
Table 8: IT Activities Performed by Library Service Units
Table 9: IT Staff Salaries by Service Unit, Fiscal Year 2014

Figure

Figure 1: Simplified Library of Congress Organizational Chart

Abbreviations

CIO: chief information officer
CISO: chief information security officer
CMMI-ACQ: Capability Maturity Model Integration for Acquisition
CRS: Congressional Research Service
eCO: Electronic Copyright Office
FAME: Facility and Asset Management Enterprise
FITARA: Federal Information Technology Acquisition Reform Act
FEDLINK: Federal Library and Information Network
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Management Act of 2002
IG: inspector general
IT: information technology
ITS: Information Technology Services
ITSC: IT Steering Committee
LCR: Library of Congress Regulation
NIST: National Institute of Standards and Technology
NLS: National Library Service for the Blind and Physically Handicapped
OSEP: Office of Security and Emergency Preparedness
OSI: Office of Strategic Initiatives
OSO: Office of Support Operations
PICS/NIOSS: Production Information & Control System/NLS Integrated Operations Support System
PII: personally identifiable information
POA&M: plan of action and milestones
SEI: Software Engineering Institute
SP: Special Publication
SLA: service-level agreement
SYMIN II: System Management Information Network II

This is a work of the government and is not subject to copyright protection in the United States.

