The Government Accountability Office (GAO) is flagging cost over-runs and delays in efforts by the Office of Personnel Management (OPM) to modernize a key legacy financial system, and giving the agency a list of recommendations including adopting some key practices for the project.
In a new report, GAO says that while OPM has completed several phases of a replacement effort to swap the Federal Financial System (FFS) with the Trust Funds Modernization (TFM) Program that began in fiscal year (FY) 2017, its estimated costs have increased by $13.4 million – to $71.9 million – and several phases have been delayed.
“The Office of Personnel Management’s outdated and struggling Federal Financial System helps manage over $1 trillion in assets to support over 8 million Federal employees and retirees,” wrote GAO. “While OPM adopted some leading practices – particularly those for ensuring that systems are built to specifications – it hasn’t adopted others for estimating costs and schedule or ensuring cybersecurity.”
According to GAO, OPM attributes the delays to a variety of reasons, including poor documentation and insufficient staff expertise regarding the legacy system. OPM has performed risk assessments of the modernization efforts, but they were not comprehensive or accurate in reflecting the risks the program faces, GAO said.
“Specifically, while OPM performed recommended assessments of the modernization, it did not address all known risks,” wrote GAO.
Further, while OPM fully adopted leading IT management practices for requirements management, GAO wrote, it didn’t do so for cost and schedule estimation, and cybersecurity.
GAO made five recommendations for OPM to improve its efforts. OPM concurred with two of the recommendations, partially concurred with two more, and did not concur with one recommendation. Among those recommendations include:
- Ensuring the “FFS-R project conducts a comprehensive M3 risk assessment and defines and meets exit criteria for the Migration Phase Release 1 and Release 2 tollgates before proceeding to the next phase of the modernization” – OPM partially concurred;
- Ensure the TFM program develops cost estimates using best practices described in GAO’s Cost Estimating and Assessment Guide – OPM partially concurred;
- Ensure that the TFM program updates the TFM schedule using best practices from GAO’s Schedule Assessment Guide by addressing those schedule characteristics that were not substantially or fully met – OPM concurred;
- Make sure interagency agreements, including service level agreements, identifying how security requirements will be conducted and the level of services, including cyber – OPM concurred; and
- Ensure the Office of the CIO and TFM Program Management Office have identified and acquired sufficient systems and cybersecurity exports to staff the TFM program.
GAO said that OPM did not concur with the final recommendation.
“Specifically, OPM stated that the CFO worked with OCIO and the TFM program management office to identify cybersecurity experts to adequately staff the TFM program,” GAO wrote. “OPM further stated that the cybersecurity experts identified by OCIO are responsible for verifying connectivity and ensuring system access standards comply with current cybersecurity standards, among other things.”
“However, as noted earlier, while OPM developed a resource management plan, the plan did not identify personnel resources with relevant cybersecurity expertise,” GAO continued. “Although OPM may have since identified cybersecurity experts and assigned responsibilities, without first assessing and identifying the program’s needs for cybersecurity expertise, the agency will be unable to know whether they have adequate cybersecurity experts with the appropriate qualifications to meet the program and project needs.”