Same Problems, New Day

ot all information management challenges are created equal. Mark Day, the deputy chief information officer for technology at the Environmental Protection Agency, says his agency -which counts among its "partners" universities, American Indian tribes, state governments and industries-has a more complicated information management mission than, for example, the Social Security Administration, which has a more clearly delineated mission and a firmer grasp on what its stakeholders and clients need.

EPA collects reams of environmental data-on everything from air quality to pesticide levels-from a range of regulatory agencies and businesses. EPA must disseminate that information to those groups and to the public. At any given time, the demand for EPA's information could be high or low. The agency's approach to information management still is evolving, Day says. But Day's explanation of why it's more difficult for an agency such as EPA to manage information and implement electronic government programs-which involve sharing information among agencies and constituents-isn't likely to satisfy the Bush administration. The Office of Management and Budget is on a mission to hold agencies accountable for failing to have effective management controls over their information technology investments and the way in which those systems handle data.

The Bush administration has budgeted about $52 billion for information technology in fiscal 2003, not including spending by intelligence agencies. That is an increase of more than 15 percent over projected spending for 2002. The IT budget focuses on Bush's three key priorities: homeland security, the anti-terrorism campaign and stimulating the economy. The president's fiscal 2003 budget documents also say, "IT spending should focus on efforts that make the federal government citizen-centered and results-oriented." To that end, Mark Forman, OMB's associate director for information technology and electronic government, has decided to fund five e-government initiatives intended to improve productivity at various agencies. Electronic government is one of the five key elements of Bush's management agenda.

OMB says the government hasn't gotten enough bang for the billions of bucks it invests in information technology, and that federal spending hasn't led to the kinds of improvements in productivity or quality of service that private companies have seen in recent years as they've modernized their technology systems. To correct those inequities, OMB now will review agencies' information technology investments and base funding decisions on how well agencies are able to:

• Fix management problems and take advantage of new e-government capabilities.
• Stop duplicative technology investments.
• Base technology purchases on business plans.
• Develop "enterprise architecture" plans that link technologies' capabilities to business plans.
• Measure technology performance.
• Address information security gaps.

In addition to improving information technology management, the administration and agency managers have placed new emphasis on information security since the Sept. 11 terrorist attacks. While many agency information managers once saw better security as a luxury, they now see it as a must-have. In October, at the annual meeting of the Industry Advisory Council (a coalition of government technology contractors), a roomful of top technology officials from a range of agencies gathered with industry leaders to discuss government's priorities for technology in the coming year. The officials unanimously agreed that information security had to be at the top of the list, and everyone present concurred that it hadn't been there before.

But just because government leaders now recognize the need for better information security doesn't mean change will come all at once. A January report by the Computer Science and Telecommunications Board of the National Research Council, which advises the federal government on science and technology issues, sums up the regrettable state of the nation's information security policy: "The unfortunate reality is that relative to the magnitude of the threat, our ability and willingness to deal with the threat has, on balance, changed for the worse." The report includes recommendations for shoring up information security and protecting the nation's critical infrastructure similar to those made by the NRC a decade ago. But, the report laments, the council's recommendations weren't heeded and, as a result, they need a second look.

In response to these not-so-new threats, the Bush administration appointed Richard Clarke, a former National Security Council staffer, to be special adviser to the president on cyberspace security. Just as infrastructure protection and information security have been debated for the past decade, the administration's overall priorities for information management seek to address the same problems that agency information managers, industry officials and researchers long have said are keeping government from better managing its information technology investments.

The state of information management at the six agencies reviewed in this year's Federal Performance Report mirrors the problems and achievements across government. The Social Security Administration won its A for taking great pains to ensure its employees are getting the most out of the agency's information systems and for being a leader in online customer services. SSA also conducted an audit of its critical information infrastructure to account for all assets in order of their importance to the agency's mission. The Federal Aviation Administration's B reflects the link between FAA information resources planning and the overall strategic plan, but acknowledges that there is insufficient communication across the agency.

The Environmental Protection Agency's C recognizes EPA's gains over the past four years in collecting environmental data from state regulators and other reporting organizations. It also reflects EPA's success in developing an extensive and content-rich Web site to get that environmental data out to the public. However, EPA's reliance on those outside groups for the bulk of its data is problematic, since the information often is incorrect, arrives late and lacks consistency. Though the IRS has undertaken a massive agencywide overhaul and upgrade of its information technology systems, it received a C for information management. All projects in that upgrade undergo rigorous review. The agency has made good progress in advancing the online service components of its plan, boosting electronic filing capabilities that allowed 35.4 million taxpayers to file online in 2000. But despite those successes, the Treasury Department's inspector general for tax administration found the upgrade has suffered significant cost overruns and delays. The IRS also is running outmoded hardware. Seventy percent of the agency's personal computers cannot run available software.

The Centers for Medicare and Medicaid Services' C reflects the agency's failure to set standards to ensure clear communication between the agency and the insurers that handle payments for health care providers. What's more, the data that CMS relies on so heavily is reported inconsistently by those insurance carriers. CMS also depends heavily on nearly 100 mission-critical computer systems that all are badly in need of updates. On the upside, CMS has taken steps to begin a dialogue with physicians about reducing paperwork and to discuss regulatory issues.

The Immigration and Naturalization Service's D reflects the lack of an agencywide blueprint of information technology assets. Blunders in visa processing after Sept. 11 showed that INS has no dependable information management program. Communication has broken down within the agency, and INS lacks the ability to determine whether information is reaching appropriate parties in a timely manner. INS also has failed to adequately use information technology when tracking cases.

Most of this year's agencies face information management dilemmas that have been years in the making and beset other agencies, as well. They are neither unique nor unsolvable.

Immigration and Naturalization Service

In March, six months after the Sept. 11 attacks, the agency came under heavy fire from members of Congress and President Bush for tardy notices that two alleged terrorists, Mohamed Atta and Marwan Alshehhi, had been approved for student visas. The notices went to the Florida flight school where law enforcement officials believe the two men learned how to fly commercial airliners into the twin towers of the World Trade Center.

Even before the student visa blunder, there was ample evidence that INS had an inadequate information management plan. INS lacks a centralized and automated processing system to keep track of applications for H-1B visas, which are issued to foreigners temporarily employed in specialized occupations in the United States. INS employees still process applications for those visas by hand and say INS badly needs an automated system. Congress has authorized the INS to use the processing fees from H-1B visas to improve the agency's technology systems.

The agency also has stepped up its monitoring of foreign students in the United States after it was discovered that some of the alleged Sept. 11 terrorists were in the country on student visas. Background-check companies and even bounty hunters have sought contracts with INS to help the agency keep tabs on these visitors.

Information sharing eludes the agency. The INS electronic fingerprint records system, IDENT, is only now being linked to the FBI's fingerprint system. The two were built at roughly the same time, yet without collaboration between the two agencies.

For the past four years, INS has struggled to implement a biometric identification card program at the Mexican border. Were it fully operational, the program could serve as a foundation for the agency's homeland security role. Since 1998, the agency has issued to Mexican citizens 5 million border-crossing cards encoded with biometric information. The cards allow bearers to travel up to 25 miles into the United States for up to three days per visit. However, the biometric capabilities of the cards are useless because the agency never has installed the systems to read them. Instead, border-crossing guards visually match a picture on the card to the holder. INS spokeswoman Kimberly Weissman says the system is only partially deployed because OMB denied INS' fiscal 2001 budget request to fund the readers. However, some observers close to the project are skeptical about INS' commitment to biometrics.

The government has missed a critical opportunity by not installing the card readers, says Paul Collier, executive director of the Biometric Foundation in Washington, which sponsors research on biometric technology. "The use of biometrics in the border entry application process would significantly augment security when compared to current lookout list systems," he told the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information in October.

However, the agency is taking steps in the right direction, observers and law enforcement officials say. Besides linking its fingerprint database with the FBI's, INS will load its immigrant absconder list, which contains the names of individuals who have overstayed their visas and are trying to evade law enforcement officials, into the FBI's National Crime Information Center, a massive database of criminal records that federal, state and local law enforcement agencies can access.

Internal Revenue Service

"The IRS must replace nearly its entire inventory of computer applications and convert its data on every taxpayer to new systems," says the agency's 2000 modernization report. "This is a vast, complex and risky undertaking that will require many years to accomplish." In the meantime, IRS employees toil with frustrating computer systems. For instance, an IRS revenue officer might have to visit four different computer terminals to gather the information needed to handle a taxpayer's case because that individual's tax data might be housed in four unconnected systems. Because the magnetic tape containing taxpayer files is sequential, taxpayer accounts are updated only once a week and it takes three days to complete an update. Thus, a taxpayer might call the IRS with a correction to his account that won't be recorded in the main file for as long as two weeks. During that time, the taxpayer might continue to receive automatically generated notices about the needed correction.

Operators at the IRS' customer call centers try to assist the public with tax-related questions, but last year they gave inaccurate answers to questions about tax laws and regulations 24 percent of the time, according to the IRS Oversight Board's annual report. Operators provided accurate information to callers about their individual accounts only 69 percent of the time.

Callers spent more time on hold last year than they did in 2000, the General Accounting Office found in a December 2001 report (GAO-02-212). Taxpayers waited in phone queues an average of 36 seconds longer during the 2001 tax filing season than during the previous season. The agency also failed to meet its 2001 performance requirements for correctly answering taxpayers' questions. IRS officials say the most common calls seek information about when refund checks are going to be mailed or deposited. The IRS planned to unveil on April 15 a feature allowing people to check the status of their refunds online. The change would have marked a welcome success in the long-term modernization of the agency's computer systems. But the IRS missed the deadline.

In a June 2001 report (GAO-01-716), GAO found that IRS hadn't implemented a sufficiently defined "architecture," or overall structure, to guide modernization projects and keep them under control. "Acquiring modernized systems before having the requisite management capacity in place increases the risk of cost, schedule, and performance shortfalls," auditors wrote.

Since then, IRS officials and the contractor team led by El Segundo, Calif.-based Computer Sciences Corp. have completed an extensive tracking system that lays out schedules for each of the dozens of projects included in the modernization-which when combined require the IRS and its contractors to complete some 30,000 pre-planned steps by 2007. Any project delay, such as the setback of the online refund feature, creates an automatic alert that explains to modernization leaders the impact of the delay on the project and on related projects. Before any significant change to a project can be made, it must first be submitted to a central group that considers the impact of the change on all other IT systems. In a war room in CSC's New Carrollton, Md., facility, modernization leaders keep an eye on all the moving parts. The officials involved call the modernization the most complex civilian technology effort ever undertaken.

Centers for Medicare and Medicaid Services

Medicare's major information systems are out of date, GAO found, and many of them are unable to share information with each other. CMS plans to modernize as many of the systems as it can while still keeping critical systems running, Christoph says. GAO was unsparing in its criticism. "The agency's [modernization] blueprint documenting its existing and planned IT environments, also known as its enterprise architecture, is missing essential detail in critical parts, including well-documented business functions, information flows, and data models," the report said.

Outdated and outmoded forms of technology also hamper CMS. For example, claims histories for individual Medicare beneficiaries are still housed on magnetic tape, Christoph says. An employee who wants to retrieve someone's file might have to search through the entire string of tape to find it.

Making changes at CMS is no easier than finding patient records. When Congress asks the agency to test a proposed change in the way Medicare payments are processed, CMS spends three to five months just writing a program to run the test, says Christoph. The agency has spent three years working with IBM to build a national claims history that would cut the time it takes to write those programs to one week, but it still hasn't been launched. Regulations stemming from the 1996 Health Insurance Portability and Accountability Act, which set strict requirements for the security of patient information transmitted online, have forced CMS to negotiate yet another set of information management obstacles. The agency has to craft rules to ensure the confidentiality and security of all patient information transmitted electronically.

But just how much money it will take to get 50 contractors' systems in compliance is anyone's guess. One senior agency official says that a CMS survey assessing contractors' security needs showed that getting them all up to the law's standards would take $100 million. However, the official reports CMS conducted a similar pricing survey for its year 2000 modernization work, trying to find out what the Blue Cross Blue Shield providers needed to prevent a massive system crash as computers' internal clocks rolled over on Dec. 31, 1999. Individual responses ranged from just $20,000 to more than $1 million per company. In the end, CMS spent $450 million on the 50 contractors for Y2K upgrades. That wide difference between expected and actual cost leads the official to believe that the $100 million estimate for the security upgrades is way off.

Environmental Protection Agency

GAO reviewed the information sharing plan in a February report (GAO-01-232) and lauded EPA for taking actions to make electronic reporting available to the companies and entities it regulates. The report praised EPA for developing standards for exchanging electronic information among organizations, creating user-friendly Web-based reporting forms and developing a "central data exchange facility" that gives regulated entities a one-stop point of entry for submitting data. The agency has a central Office of Environmental Information that coordinates information collection and dissemination activities. The office also develops integrated and standardized means of collecting environmental data.

EPA officials estimate that these standardization initiatives could cut time and paperwork costs by 20 percent for regulated organizations. That would allow EPA and state and local agencies to save millions of dollars in processing costs and reduce errors in data entry, officials say.

The agency also operates a Web site called Envirofacts that offers users a single point of access to environmental data. Visitors can access information from EPA databases on air quality, chemicals, grants and funding, hazardous waste and toxic releases, and drinking water quality. The site is "really at its infancy," says Day. "We're making great strides." But the Bush administration has restricted access as part of its anti-terrorism campaign. Only EPA contractors, the military, federal employees and state agency officials will have full access to the site, which might contain information the administration deems sensitive. Public access will be limited, and contractors and state officials must be sponsored by an EPA manager if they are to gain access.

The GAO report lauded the EPA for its information collection and dissemination efforts, but OMB gave EPA's e-government initiatives a yellow light for caution in the fiscal 2003 budget. Inadequate information technology capital asset planning, cost control and performance targets kept EPA from receiving the budget office's unconditional blessing of a green light. EPA did get credit for upgrading its regulatory database and making that information more widely available.

Federal Aviation Administration

The agency reports that 25 percent of all domestic flights in 2000 were canceled, delayed or diverted due to increased traffic in the skies. FAA launched an air traffic control modernization program more than 20 years ago to address issues such as facilities improvements and upgrades to technology in air traffic controllers' workstations. However, amid budget constraints and heavier air travel, "the improvements expected from this modernization program have fallen short," Gerald Dillingham, GAO's director of physical infrastructure issues, told the Senate Commerce, Science and Transportation Aviation Subcommittee in May 2001.

"While FAA has installed new equipment to provide the necessary platform for fielding modern technologies to improve efficiency, this effort has experienced cost, schedule and performance problems," Dillingham said.

The agency plans to implement a system known as "free flight" that would give pilots in the air greater control over their own flight plans, thereby reducing the burden on air traffic controllers. But officials fear the difficulty of integrating technologies that allow real-time information-sharing between airlines and air traffic controllers with the existing air traffic control systems will slow the modernization program. To achieve the agency's goals, Dillingham said FAA would have to implement performance-based metrics and address the looming human capital crisis that will hit the agency as waves of air traffic controllers reach retirement age in the next five to 10 years.

FAA Administrator Jane Garvey has pushed the agency to modernize its information systems piece-by-piece, rather than trying to tackle the problem all at once. The agency has modernized some internal networks at air traffic control centers that handle planes between destinations, officials report. However, some centers still rely on slips of paper moved between air traffic controllers to monitor aircraft. Officials say most centers have developed some internal networking capabilities on their own to facilitate this process. CIO Daniel Mehan says he wants to develop a set of common technology standards across the agency. But the work of the CIO's office remains largely focused on policy, observers say, while the technology modernization program remains stymied by a lack of resources. Some observers argue that the unwillingness of air traffic controllers to change in the past was as much to blame for FAA's poor record of managing information systems as were tight budgets. The unions have cooperated more with the technology modernization over the past five years, but they still exert tremendous influence over the design of information systems.

For example, at the FAA's Oklahoma City Logistics Center, which repairs and maintains radar systems and other equipment used to support the air traffic control system, an agency contractor says that some of the internal technology at air traffic controllers' workstations has been replaced. But the controllers, strongly supported by their unions, have been reluctant to permit updates to the screens and tools they've grown accustomed to, he says. Hence, the workstations contain outdated switches, roller tracking balls and one-hand keyboards overlaid onto new software and internal components.

Social Security Administration

Citizens also can access the agency online and search a database of frequently asked questions. However, Adams says it's too soon to tell whether the presence of the Web site has reduced the burden on call center operators.

Internally, Social Security's information management record is less impressive than its public efforts. GAO found in an August report (GAO-01-961), that the agency had "many important IT management policies in place" in five key areas, but it "did not always implement them consistently."

Specifically, Social Security hasn't established key policies, procedures or practices vital to ensuring the effective management of its information technology assets, the report said. In all five management areas-investment management, enterprise architecture, software acquisition and development, information security and human capital-GAO found significant weaknesses. Agency officials agreed with GAO's findings, and the office of the commissioner said the agency is taking steps to shore up its information technology management practices. D. Dean Mesterharm, the deputy commissioner for systems and Social Security's information technology policy chief, says the agency also needs to approach its technology purchases more intelligently.

Mesterharm has staggered the agency's purchase of desktop computer workstations. Social Security procured 40,000 workstations in fiscal 2000, 35,000 the following year and plans to buy another 20,000 in fiscal 2002, he says. Buying in chunks saved time because purchasing reporting requirements could be spread out, Mesterharm says. Also, by buying new systems each year, the agency takes advantage of improved computer performance and expanded storage capabilities.

• Do employees have the information they need, provided in a timely manner, to effectively carry out the mission of the agency?
• Does the agency have the capacity to determine whether the information provided is sufficient and timely?
• To what extent are decisions on procuring additional information resources related to requirements necessary to enable the agency to better achieve results?
• Does information about agency operations and performance flow vertically and horizontally through the agency, as well as to external stakeholders?
• Does the agency, to the extent that it's practical, make use of electronic solutions in providing services or information to the people that it serves?