The Office of Personnel Management’s inspector general said in a new report that the agency’s plan to update its information technology infrastructure fails to account for the total costs and does not include key budget and security information.
OPM’s most recent IT modernization plan was submitted to the OIG in December 2017 after an initial attempt to upgrade the technology infrastructure failed in the wake of the 2015 data breach. The report comes on the heels of an unfavorable cybersecurity audit by the OIG in November.
The Consolidated Appropriations Act of 2017 allocated $11 million to OPM to fund the new modernization plan, but required the agency’s director to submit a plan that included a series of budget planning details — including Office of Management and Budget capital planning requirements, Department of Homeland Security and National Institute of Standards and Technology security requirements and other details — in order to get the money.
But the OIG report said that modernization plans developed by current and former chief information officers were woefully short of the conditions laid out in the funding bill. OPM has had three CIOs since August 2017: Dave DeVries retired that month and Rob Leahy served as acting CIO until David Garcia was hired in October.
“It was also obvious that the OCIO had not done the work necessary to support a well-developed, comprehensive IT capital budgeting modernization plan, as our previous audit reports discussed in 2015,” the report said. “The final plan provided to our office in December 2017, while incorporating some positive elements, does not meet any of the requirements outlined in the Appropriations Act. It also made clear that OPM still does not have a fully developed modernization strategy.”
The report said that while OPM had developed a slate of initiatives to update its IT infrastructure, the plan contained no financial analysis of what it would cost to complete them.
The plan also failed to include the capital planning and investment control requirements of OMB Circular A-11, Part 7, which directs agencies to analyze alternative options as well as develop a lifecycle cost estimate and submit a business case to OMB.
The CIO’s office provided additional business case information to the OIG, outlining a plan to migrate its infrastructure to a mainframe shared-service provider, which it said would save $10 million annually.
But while OPM’s business case estimates placed the lifecycle costs at $2 million and said the migration would be completed in fiscal 2018, the OIG cited the CIO’s market research and said the effort could cost more than $50 million and last several years.
“This example seems to demonstrate that the OCIO may not understand the [Capital Planning and Investment Control] process, especially considering that this is the one area in which it has done much of the work that would be required to support this investment,” the report said.
OPM officials told the OIG that they were unable to develop a full modernization strategy “because of an overall lack of governance and consistent enterprise architecture in the agency,” and that they would be using the $11 million to implement the structures needed to establish a baseline for the plan.
But the report notes that near-ceaseless turnover in the CIO position (there have been six CIOs since June 2015) and a decentralized IT organizational structure continue to plague OPM’s efforts at modernization.
The OIG offered four recommendations, including:
- That OPM establish baseline governance and enterprise architecture improvements to assist the execution of a successful IT modernization strategy.
- That OPM’s CIO focus its spending priorities on establishing the necessary governance and enterprise architecture improvements, including an enterprise IT program management office and an enterprise architecture program management office.
- That OPM develop a comprehensive IT modernization strategy with input from the appropriate stakeholders and convene an Integrated Project Team, as required by OMB Circular A-11, Part 7, to manage the overall modernization program and ensure that proper CPIC processes are followed.
- That the OPM Director ensure that the CIO has the appropriate level of control over the IT acquisition and budgeting process across all of OPM.
The OPM CIO concurred with all four recommendations.