Electronic Government: Government Paperwork Elimination Act Presents
Challenges for Agencies (Letter Report, 09/15/2000, GAO/AIMD-00-282).

Pursuant to a congressional request, GAO reviewed the Government
Paperwork Elimination Act (GPEA) and how it enables citizens to interact
with the federal government electronically, focusing on: (1) the status
of the Office of Management and Budget's (OMB) efforts to develop
guidance implementing GPEA; and (2) major challenges or impediments that
might affect successful GPEA implementation.

GAO noted that: (1) as required by GPEA, OMB has developed and issued
useful guidance and procedures for implementing and reporting on GPEA
efforts; (2) in May 2000, OMB issued guidance which calls for agencies
to: (a) examine business processes that might be revamped to employ
electronic documents, forms, or transactions; (b) identify customer
needs and demands; (c) consider the costs, benefits, and risks
associated with making the transition to electronic environments; and
(d) develop plans and strategies for recordkeeping and security; (3) the
guidance requires each agency to develop and submit to OMB a GPEA
implementation plan and schedule by October 2000; (4) in July 2000, OMB
issued final reporting requirements for agencies to follow in preparing
these plans and schedules; (5) in addition, OMB's May 2000 guidance
directed several agencies to develop more detailed policies and guidance
relevant to certain aspects of GPEA; (6) while the guidance being
developed will assist agencies in GPEA implementation, these documents
alone will not ensure successful outcomes; (7) agencies must address a
variety of information technology (IT) management challenges that are
fundamental to the success of GPEA; and (8) agencies will need to: (a)
use disciplined investment management practices to ensure that the full
costs of providing electronic filing, recordkeeping, and transactions
prompted by GPEA are identified and examined within the context of
expected benefits; (b) adequately plan for and implement computer
network and telecommunications infrastructure and technical
architectures to provide the capacity and connectivity needed to support
the electronic traffic generated by new or enhanced electronic
offerings; (c) provide a secure computing environment to support the
broad array of electronic government (e-government) services envisioned
by GPEA in order to reduce the risks of unauthorized access, which could
lead to fraud, theft, destruction of assets, and service disruptions;
(d) develop adequate capabilities for creating, storing, retrieving,
and, when appropriate, disposing of electronic records; and (e) overcome
two basic challenges related to IT human resources--a shortage of
skilled IT workers and the need to provide a broad range of staff
training and development--so that staff can effectively operate and
maintain new e-government systems, adequately oversee related contractor
support, and deliver responsive service to the public.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-282
     TITLE:  Electronic Government: Government Paperwork Elimination
	     Act Presents Challenges for Agencies
      DATE:  09/15/2000
   SUBJECT:  Electronic forms
	     Internal controls
	     Computer security
	     Information technology
	     Reporting requirements
	     Information resources management
	     Computer networks
	     Telecommunication
	     Records management
IDENTIFIER:  Internet
	     GSA Access Certificates for Electronic Services Program
	     ILOVEYOU Computer Virus

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/AIMD-00-282

Report to the Ranking Minority Member, Committee on Governmental Affairs, U.
S. Senate

September 2000 ELECTRONIC GOVERNMENT

Government Paperwork Elimination Act Presents Challenges for Agencies

GAO/ AIMD- 00- 282

Letter 3 Appendixes Appendix I: Objectives, Scope, and Methodology 28

Appendix II: Selected GAO Reports on Information Technology Management 30

Appendix III: GAO Guides on Information Technology Management 34

Figures Figure 1: Steps Outlined in OMB Guidance to Agencies for
Implementing GPEA 8

Figure 2: Federal Entities Involved in Establishing Governmentwide GPEA
Guidance 11

Abbreviations

ACES Access Certificates for Electronic Services CFO chief financial officer
CIO chief information officer DNS Domain Name System FBCA Federal Bridge
Certification Authority FIPS Federal Information Processing Standards GPEA
Government Paperwork Elimination Act GSA General Services Administration
HTML Hypertext Markup Language HTTP Hypertext Transfer Protocol IT
information technology ITAA Information Technology Association of America
NARA National Archives and Records Administration NIST National Institute of
Standards and Technology OMB Office of Management and Budget PKI public key
infrastructure PRA Paperwork Reduction Act SSA Social Security
Administration TCP/ IP Transmission Control Protocol/ Internet Protocol

Accounting and Information Management Division

Lett er

B- 286007 September 15, 2000 The Honorable Joseph I. Lieberman Ranking
Minority Member Committee on Governmental Affairs United States Senate

Dear Senator Lieberman: Advances in the use of information technology and
the Internet are transforming the way federal agencies communicate, use
information, deliver services, and conduct business. If used effectively,
these advances can help reshape government, making it more innovative,
efficient, and responsive to the public. To increase the ability of citizens
to interact with the federal government electronically, in 1998 the Congress
enacted the Government Paperwork Elimination Act (P. L. No. 105- 277, Div.
C, tit. XVII). The act requires that by 2003 federal agencies provide the
public, when practicable, the option of submitting, maintaining, and
disclosing required information- such as employment records, tax forms, and
loan applications- electronically, instead of on paper.

This report responds to your December 22, 1999, request for information
regarding the (1) status of the Office of Management and Budget's (OMB)
efforts to develop guidance implementing GPEA and (2) major challenges or
impediments that might affect successful GPEA implementation.

Results in Brief As required by GPEA, OMB has developed and issued useful
guidance and procedures for implementing and reporting on GPEA efforts. In
May 2000,

OMB issued guidance describing key factors for agencies to consider in
evaluating the practicability of giving persons or entities the option to
electronically maintain, submit, or disclose required information, including
the related use of electronic signatures. The guidance calls for agencies to
examine business processes that might be revamped to employ electronic
documents, forms, or transactions; identify customer needs and demands;
consider the costs, benefits, and risks associated with making the
transition to electronic environments; and develop plans and strategies for
recordkeeping and security. The guidance requires each agency to develop and
submit to OMB a GPEA implementation plan and schedule by

October 2000. In July 2000, OMB issued final reporting requirements for
agencies to follow in preparing these plans and schedules.

In addition, OMB's May 2000 guidance directed several agencies to develop
more detailed policies and guidance relevant to certain aspects of GPEA. In
response, the Department of the Treasury has developed a policy paper on the
use of electronic authentication techniques for federal payments,
collections, and collateral transactions conducted over open networks; the
National Archives and Records Administration (NARA) has developed guidance
on managing records that have been created using electronic signature
technology; the Department of Justice has drafted guidance on legal
considerations in designing and implementing electronic processes; and the
Department of Commerce's National Institute of Standards and Technology
(NIST), in conjunction with the Federal Public Key Infrastructure (PKI)
Steering Committee, 1 has drafted technical guidance on the use of public
key technology for electronic signatures. At the close of our review in
August 2000, final revisions were being made to these documents, and OMB
expected them to be issued shortly.

While the guidance being developed will assist agencies in GPEA
implementation, these documents alone will not ensure successful outcomes.
Agencies' top management involvement, support, and leadership as well as
diligent oversight from OMB and the Congress are essential. Moreover,
agencies must address a variety of information technology (IT) management
challenges that are fundamental to the success of GPEA. These issues, which
agencies identified in comments or reports to OMB and in discussions with
us, parallel IT management challenges identified in our past reviews of
agencies' IT initiatives. Specifically, agencies will need to

use disciplined investment management practices to ensure that the full
costs of providing electronic filing, recordkeeping, and transactions
prompted by GPEA are identified and examined within the context of expected
benefits, such as lower transaction costs, increased productivity, and
improved timeliness and quality of service delivery; adequately plan for and
implement computer network and

telecommunications infrastructures and technical architectures to 1 The
Federal PKI Steering Committee is a formal governmentwide committee that
provides leadership, support, and coordination of agency activities to
promote the development of an interoperable and extensible PKI.

provide the capacity and connectivity needed to support the electronic
traffic generated by new or enhanced electronic offerings; provide a secure
computing environment to support the broad array of

e- government services envisioned by GPEA in order to reduce the risks of
unauthorized access, which could lead to fraud, theft, destruction of
assets, and service disruptions; develop adequate capabilities for creating,
storing, retrieving, and, when

appropriate, disposing of electronic records; and overcome two basic
challenges related to IT human resources- a

shortage of skilled IT workers and the need to provide a broad range of
staff training and development- so that staff can effectively operate and
maintain new e- government systems, adequately oversee related contractor
support, and deliver responsive service to the public.

Appendix II lists recent GAO reports detailing these IT management problems.

Background The dramatic rise in computer and network interconnectivity and
interdependency in recent years has substantially changed how individuals,

businesses, and government entities interact with one another. Business-
tobusiness transactions, personal finance and banking, and travel and retail
shopping are increasingly being done through the Internet and other means of
electronic data exchange. According to a recent Department of Commerce
report, the remarkable growth of the Internet in recent years shows no signs
of abating. During the past year Internet access has grown significantly in
all regions of the world, rising from 171 million people in March 1999 to
304 million in March 2000. The amount of information available to people
with Internet access has also grown rapidly. A recent study indicates that
in January 2000 the World Wide Web contained more than 1 billion unique
pages, compared to 100 million in October 1997. Moreover, according to a
summary prepared by The Industry Standard, forecasts for 2003 of the dollar
value of transactions that are conducted electronically between U. S.
businesses range from $634 billion to $2. 8 trillion. 2

Government agencies have implemented an array of e- government applications
including using the Internet to collect and disseminate all

2 Digital Economy 2000, June 2000, Department of Commerce.

types of information and forms; buy and pay for goods and services; enable
citizens to file claims and comments or ask questions; submit bids and
proposals; order records; and apply for licenses, grants, and benefits. For
example, the General Services Administration, the National Aeronautics and
Space Administration, the Department of Defense, and other agencies have
been implementing on- line procurement operations for several years and are
expanding their use of electronic commerce to facilitate day- to- day
operations. Similarly, the Internal Revenue Service, Department of
Education, and Social Security Administration have been using Internet
applications to improve service delivery to taxpayers, students, and senior
citizens.

GPEA promotes expansion of this trend. Specifically, GPEA requires federal
executive agencies by 2003 to provide individuals or entities that deal with
agencies the option of electronic maintenance, submission, or disclosure of
information, as a substitute for paper, including the related use of
electronic signatures when practicable. These options will in some cases
replace and in others supplement existing paper processes. The act
encourages electronic filing and electronic recordkeeping, particularly by
employers, and gives electronic records and their related electronic
signatures full legal effect. It also requires agencies to guard privacy and
protect documents from being altered and encourages federal government use
of a range of electronic signature alternatives. The recently enacted
Electronic Signatures in Global and National Commerce Act (P. L. 106- 229)
complements GPEA in that it gives legal validity and enforceability within
the United States to the use of electronic records and signatures in
interstate and foreign commerce.

In order to undertake the electronic information processes contemplated by
GPEA, the use of electronic signatures becomes increasingly important.
Electronic signatures are a key element of many electronic transactions.
GPEA defines an electronic signature as a method of signing an electronic
message that identifies and authenticates a particular person as the source
of the electronic message and indicates such person's approval of the
information contained in the electronic message. Several techniques can be
used to produce electronic signatures. One type is a digital signature which
relies on cryptographic techniques to help ensure data integrity

Implementing GPEA effectively will require agencies to consider the existing
framework of laws, directives, and guidance intended to improve the federal
government's ability to use IT effectively and securely as a means to reduce
costs and improve service. This framework includes the

Paperwork Reduction Act; the Clinger- Cohen Act; the Computer Security Act;
OMB Circular A- 130, Management of Federal Information Resources, which
provides uniform governmentwide information resources management policies
including those related to performance measurement, strategic planning,
information systems management oversight, and information security; OMB's
Memorandum M- 97- 02, which establishes the decision criteria that OMB will
use to evaluate major information system investments proposed for submission
in the President's Budget; OMB's Memorandum M- 00- 07, which requires
agencies to explicitly identify how they are building security into system
architectures; and GAO's guides on business process reengineering,
information security management, and information technology investment
management. A list of GAO guides is provided in appendix III.

OMB Has Issued GPEA GPEA states that OMB is responsible for ensuring that
federal agencies

Implementation meet GPEA's October 21, 2003, implementation deadline to give
persons or

entities who are required to maintain, submit, or disclose information the
Guidance

option of doing so electronically when practicable. To help accomplish this,
GPEA directs OMB to develop procedures for federal agencies to follow in
using and accepting electronic signatures and for allowing private employers
to store and file electronically with executive agencies forms containing
employee information.

On May 2, 2000, OMB issued GPEA implementation guidance, which lays out a
process and principles for agencies to employ in evaluating the use and
acceptance of electronic documents and signatures. 3 The OMB guidance is in
two parts. The first part sets forth the policies and procedures agencies
should follow to implement the act. The second part is intended to provide
federal managers with guidance on deciding whether to use electronic
signature technology for a particular application. Overall, the guidance
directs agencies to develop and implement plans for optional electronic
filing and recordkeeping. These plans must be supported by an assessment of
the practicability of submitting information electronically, maintaining
records electronically, and using electronic signature technologies. Figure
1 highlights major steps that agencies are to take in doing so.

3 On March 5, 1999, OMB published proposed GPEA implementation guidance for
public comment in the Federal Register( 64 FR 10896). It was also sent
directly to federal agencies for comment and made available through the
Internet.

Figure 1: Steps Outlined in OMB Guidance to Agencies for Implementing GPEA

1. Examine business processes 6. Develop plans for retaining and

that might be revamped to disposing of information, ensuring

employ electronic documents, that it can be made continuously

forms, or transactions. available to those who need it.

2. Identify customer needs and 7. Develop management strategies

demands as well as the to provide appropriate security for

existing risks associated with physical access to electronic

fraud, error, or misuse. records.

3. Identify the benefits and risks 8. Determine whether regulations

that may accrue from the use and policies are adequate to

of electronic transactions or support electronic transactions

documents. and recordkeeping or additional

agreements are needed for the 4. Study the legal implications

particular application. about the use of electronic transactions or
documents in

9. Integrate these plans into the the particular application.

agency's strategic IT planning and regular reporting to OMB. 5. Evaluate
electronic signature

alternatives, including risks, costs, and practicality.

To assist in monitoring agencies' efforts to implement GPEA and transition
to e- government, OMB's guidance requires each agency, by October 2000, to
develop and submit to OMB a GPEA implementation plan and schedule. According
to OMB, the plan should prioritize implementation of systems or system
modules based on achievability and net benefit. Agencies must coordinate the
GPEA plan and schedule with their strategic IT planning activities and must
report progress annually. Agencies' GPEA progress reporting should be
consistent with and incorporated into annual performance reporting required
under OMB Circular A- 11, Preparation and Submission of Budget Estimates.

In July 2000, OMB issued procedural guidance to further explain reporting
requirements for agency GPEA implementation plans and provide more
structured and standardized report formats. The reporting guidance requires
agencies to submit information regarding plans for providing a

fully electronic option for transactions that are part of the agency
information collection activities under the Paperwork Reduction Act (PRA) 4
as well as other transactions, such as interagency reporting and information
dissemination activities. The guidance defines a fully electronic option as
one that requires no compulsory paper- based reporting, signatures,
correspondence, or dissemination to or with the respondents. An agency must
provide OMB with an explanation if it determines that optional electronic
reporting to or communication with respondents is not practicable.

The guidance outlines the content and format of the plan, provides examples
of the types of transactions covered by GPEA, and reiterates the requirement
from the May guidance that an agency's GPEA plan relate to strategic IT
planning in the budget process. Specifically, if an agency needs additional
resources to implement the plan, its budget request under OMB Circular A- 11
should reflect that need, and agency Government Performance and Results Act
reports should address, as appropriate, progress in implementing GPEA and e-
government initiatives.

In addition, OMB is providing each agency a list of the agency's information
collections that already allow for at least some electronic reporting. OMB
is obtaining this information from a database that it maintains on current
information collections. Agencies are to review this list for accuracy and
use it to determine which of the collections provide a fully electronic
option. According to OMB, this list of collections, along with the standard
reporting formats for GPEA, should assist agencies in developing GPEA plans
and provide standard, baseline information for the agencies and OMB to use
in monitoring the progress of GPEA implementation and the transition to e-
government. OMB officials told us that a primary means of providing
continuing guidance and oversight for the implementation of GPEA will be its
review and annual reporting of agencies' information collection activities.

OMB's reporting guidance requires an agency's GPEA submission to include the
following information:

4 The Paperwork Reduction Act of 1995 (P. L. 104- 13) gives OMB certain
responsibilities for overseeing federal information collection. OMB reviews
agencies' information collections to determine why they need the
information, how they plan to use it, and whether there is a better way to
collect it.

a cover letter describing the agency's overall strategy and efforts to
comply with GPEA and meet its deadlines; an agency's plans for offering a
fully electronic option for transactions

that are part of information collections covered by the PRA reporting
process as well as interagency reporting and information dissemination
activities with estimates, for each collection or report, of the number of
persons or entities involved, the date for offering a fully electronic
option, and plans for using electronic signatures; for any transactions that
an agency has determined pose a “high risk,”

such as those that involve particularly sensitive information collections or
very large numbers of respondents, additional information describing the
transaction, its sensitivity, and additional risk management measures that
will be undertaken.

Agency GPEA plans and schedules are due to OMB no later than October 31,
2000. Annual progress reports and updates to an agency's GPEA plan and
schedule will be submitted to OMB for review as part of the annual reporting
required under the PRA and the OMB Circular A- 11 process.

Other Federal Agencies Are In addition to guidance on developing agency
implementation plans, OMB's

Developing Related GPEA GPEA guidance assigns more specific responsibilities
to five other

Guidance agencies. These responsibilities pertain to providing supplemental
policy,

practical guidance, or support to agencies in specific areas related to GPEA
goals and implementation, including electronic records management; legal
considerations; and the implementation of authentication technologies,
including digital signatures.

Figure 2: Federal Entities Involved in Establishing Governmentwide GPEA
Guidance Office of Management and Budget

Define agency implementation steps Require agency plans by October 2000
Require agency annual progress reports Assign GPEA- related policy
development duties

Justice Treasury

Commerce General Services

National Archives

Legal guidance Policies for using

(National Institute Administration

and Records

for agencies' electronic

for Standards and

Support of

Administration

GPEA efforts authentication

Technology)

agencies' Policies and

techniques for Federal Information

implementation guidance on

federal payment, Processing

efforts through Federal records

collection, and Standards

ACES Program management

collateral supporting agency

and other associated with

transactions GPEA efforts

guidance e- government

transactions.

Federal PKI Steering Committee

Guidance to help agencies determine whether they should use

public key technology

These entities have already either begun support efforts or drafted
guidance. OMB is currently reviewing all the draft supplemental guidance
documents to ensure that discussions of similar topics, such as risk
management, are appropriately consistent and not overly duplicative. Upon
final approval by OMB, these guidance documents will be issued in final
form. The status of each of these efforts is described below.

The Department of the Treasury has developed a policy paper on the use of
electronic authentication techniques, including digital signatures, for
federal payment, collection, and collateral transactions conducted over open
networks, such as the Internet. In general, the paper describes the
importance of assessing risk factors, such as monetary loss, reputation
risk, and productivity risk for each program or system under consideration
in order to determine robustness of the electronic authentication techniques
that must be used. Treasury sent a draft policy paper to OMB and other
agencies for review on March 15, 2000. Treasury officials told us that they
revised the policy paper based on agency comments. The National Archives and
Records Administration (NARA) has

developed guidance on managing records that have been created using
electronic signature technology. Among other matters, this guidance, which
is intended to supplement existing NARA guidance on records management,
discusses various approaches available to ensure the trustworthiness of
electronically signed records, including records that need to be preserved
for a finite period of time or permanently; how agencies can determine which
electronic signature records to retain; and special considerations for
records documenting legal rights and records that must be retained
permanently. NARA provided draft guidance to OMB and other agencies for
review on April 7, 2000. NARA officials told us that they made further
revisions to the document based on comments received from agencies. The
Department of Justice has drafted a detailed guide for federal

agencies on legal considerations in designing and implementing electronic
processes. The Justice guide explains the legal implications associated with
implementing electronically based processes, examines four overarching
issues (accessibility, legal sufficiency, reliability, and legality) that
should be considered in deciding whether and how to convert any given type
of system or operation, and discusses general and specific steps agencies
should consider in converting to electronic processes. The guidance, which
was provided to OMB and other agencies for comment on May 3, 2000, refers
agencies to guidance issued by OMB and NARA, and recommends that agencies
use available sources of expertise, such as the agency's general counsel and
inspector general's office, to reduce the legal risks of “going
paperless.” Justice is now revising the draft guidance based on
comments received.

The Department of Commerce's NIST and the Federal PKI Steering Committee
have drafted technical guidance to assist federal agency officials in
determining when to use public key technology for digital signatures or
authentication over open networks such as the Internet. A PKI is a system of
computers, software, policies, and people that can be used to facilitate the
protection of sensitive information and communications. 5 The draft guidance
includes specific questions and issues that agencies should consider in
evaluating potential applications of public key technology for digital
signatures and user authentication and in properly implementing those
applications selected. In addition, the guidance states that implementation
of digital signatures may necessitate the transformation of business
processes. The steering committee sent out the document for agency review
and comment on May 30, 2000. The steering committee revised the document
based on agency comments and submitted it to OMB in early July 2000. The
Chair of the steering committee told us that the document has subsequently
been provided to NIST. It will be issued as a “Special
Publication” upon final approval by OMB. The OMB GPEA guidance tasks
the General Services Administration

(GSA) to support agencies' implementation of digital signature technology
and related electronic service delivery. GSA has been working since 1996 on
a program called Access Certificates for Electronic Services (ACES), which
is intended to help jumpstart agency adoption of PKI technology by providing
agencies a range of support services so that individual agencies will not
have to design and build their own PKIs. In 1999, GSA awarded an ACES
contract for these services to three vendors. In May 2000, GSA arranged with
two of these vendors to make 500, 000 ACES certificates available for use
free of issuance cost. GSA and the contractors hope that by waiving the
issuance cost of certificates, federal agencies will be motivated to use
ACES to provide businesses and the public with a safe and secure way to
interact with the government over the Internet. The PKI Steering Committee
guidance discussed in the previous paragraph encourages agencies to consider
using ACES contracts. However, agencies are free

5 For more information on public key technology, see The Evolving Federal
Public Key Infrastructure( Federal Public Key Infrastructure Steering
Committee, Federal Chief Information Officers Council, June 2000), gits-
sec. treas. gov; and Information Superhighway: An Overview of Technology
Challenges( GAO/ AIMD- 95- 23, January 23, 1995).

to pursue their own PKI vendor services through agency- specific contract
vehicles if they wish. 6

The OMB GPEA guidance also tasked NIST to develop Federal Information
Processing Standards (FIPS), as appropriate, to further the goals of GPEA.
Although NIST believes that current FIPS are sufficient to cover GPEA
requirements, the agency is working on enhanced security standards and is
open to considering agencies' proposals for additional FIPS where a need is
not being met by current FIPS or voluntary industry consensus standards.

The Treasury, NARA, Justice, and NIST documents will provide guidance on the
issues they address to supplement the broader OMB guidelines on GPEA
implementation. Agencies can refer to these documents in preparing their
GPEA plans to ensure that they are giving adequate consideration to key
implementation issues covered by the act.

Challenges in As agencies respond to GPEA, the new technology applications
and

Implementing GPEA opportunities that result will undoubtedly continue to
change the way the

federal government conducts business, communicates, and interacts with
citizens, industry, and other government entities. Nevertheless, in comments
on a draft of OMB's guidance and in comments on their own e- government
initiatives, agencies have identified several issues as significant
challenges to successfully implementing the types of electronic services
envisioned in GPEA. These challenges parallel concerns that we have raised
in previous reports on agencies' IT initiatives (see appendix II).
Specifically, agencies noted the challenges of identifying and providing for
the full costs associated with electronic forms processing and other
transactions; ensuring the adequacy of computer technology infrastructures
that are to be used for e- government services; ensuring the security and
privacy of electronic transactions; overcoming recordkeeping challenges; and
acquiring skilled employees and providing appropriate training.

None of these challenges is insurmountable, but they must be addressed at
the program, agency, and governmentwide levels to ensure successful e-
government outcomes. In addition, overcoming these challenges will require
effective leadership by agencies' chief information officers (CIO)

6 For more information on ACES, see GSA's Web site at: www. gsa. gov/ aces/.

working in partnership with the program organizations. The information
technology reforms now required by the Congress, including GPEA, will be
difficult for agencies to achieve without effective CIO leadership in place
to ensure that IT investment decisions are directly integrated into the
agencies' strategic and program plans. As we recently testified, while
notable progress has been made in establishing federal CIOs, more remains to
be done to ensure that these executives establish themselves as effective
information management leaders, build credible information management
organizations, and deliver high- value IT investment results. 7

The Importance of Sound E- government is dependent on the effective use and
management of

IT Investment information technologies. A primary challenge for agencies in
moving

Decision- Making Practices toward e- government is to implement and follow
information technology

management practices that help ensure IT dollars are directed toward prudent
investments that focus on achieving cost savings, increasing productivity,
and improving the timeliness and quality of service delivery.

Several agencies emphasized that GPEA- related initiatives will be costly to
implement. They expressed concern about securing funds for the many efforts
involved, such as updating network plans, conducting risk analyses,
evaluating technology alternatives, procuring and installing recordkeeping
software, and testing networks. The Social Security Administration (SSA)
noted in comments on OMB's initial draft guidance for GPEA implementation
that implementing GPEA could cost SSA over $40 million and run past the year
2005 if SSA were to include full electronic processing of transactions in
its efforts. Because GPEA requires agencies to add the option of
transmitting forms and services electronically when practicable, while
preserving the paper- driven processes already in place, the legislation
entails extra expenses, at least in the short term.

Careful IT investment planning will be critical as agencies determine which
GPEA projects to fund. Many of our agency information technology management
assessments have identified fundamental weaknesses in the way information
technology investment decisions are made, including (1) a lack of clarity
about how these investments are being or will be used to improve performance
or help achieve specific agency goals and (2) incomplete data on which to
base informed decisions. Moreover, our

7 Chief Information Officers: Implementing Effective CIO Organizations (GAO/
T- AIMD- 00- 128, March 24, 2000).

reviews of strategic plans and annual performance plans have noted weak
linkages between the mission goals and planned or ongoing information
technology initiatives that are essential to achieving those goals. 8

While GPEA focuses on the need to develop and offer electronic options for
forms and services, it also links directly to mission performance outcomes.
Electronic delivery, authentication, and processing of forms and services
will, in many instances, require agencies to consider additional
organizational changes to accommodate new ways of doing business. These
changes may be time consuming and could delay agencies' progress toward
meeting GPEA goals. For instance, the Food and Drug Administration, in its
comments to OMB's draft GPEA guidance, stated that an electronic environment
requires a “paradigm shift” to a new way of doing business and
requires additional resources and planning efforts to train agency personnel
for this new corporate culture. Treasury officials observed that customer
expectations will be a force for change because electronic transactions
create an expectation on the part of users that they will get quick
responses. This new way of operating will create training needs and may
necessitate fewer layers of review within agencies.

Addressing these issues will require agencies to implement a disciplined
approach to investment management. Without such an approach, IT projects can
become risky, costly, unproductive mistakes. There are some governmentwide
efforts on these issues underway. For example, during the summer of 2000,
OMB is meeting with all CIO Council agencies regarding their IT capital
planning and investment control processes. The meetings are between the CIO,
chief financial officer (CFO), the procurement executive, and budget officer
of each agency and the OMB statutory offices and resource management
offices. According to OMB officials, these meetings will result in agency
guidance for the fiscal year 2002 budget submission and for improving their
investment management processes overall.

The Need for Adequate Information technology initiatives, including e-
government programs,

Systems Architectures and require well- designed, robust systems
architectures. Agencies evaluating

Technology Infrastructures the capabilities of their current information
systems may find that they will

have to make extensive changes to their technical architectures to meet the
8 Managing for Results: Opportunities for Continued Improvements in
Agencies' Performance Plans( GAO/ GGD/ AIMD- 99- 215, July 20, 1999).

requirements of GPEA. Our reviews show that agencies often attempt to build
modernized systems before having complete and enforced enterprise
architectures. These architectures are essentially construction plans that
systematically detail the full breadth and depth of an organization's
mission- based mode of operations in logical and technical terms. Without
these blueprints to guide and constrain IT investments, such as
interdependent e- government system applications, there is no systematic way
to preclude either inconsistent system design or inconsistent development
decisions and the resulting suboptimal performance and added cost associated
with incompatible systems. 9

Success in e- government also will require an adequate technology
infrastructure, such as the telecommunications networks, databases,
hardware, interfaces, and operating software that will support easy and
reliable electronic access to government. In comments to OMB and in
discussions with us, many agencies expressed concern that in going forward
with GPEA implementation, upgrades or improvements in agencies' computer
network infrastructures may be needed. In particular, attention may be
needed in the following areas.

Providing adequate network capacity or bandwidth. Government agencies will
need to consider the amount of electronic traffic that will be generated by
an electronic offering and provide adequate connectivity to support that
load. Some Web sites have been completely overwhelmed and disabled when far
greater numbers of users visited the sites than their developers had
anticipated. In 1997, realizing that Web pages for its Mars Pathfinder
mission might be overloaded by large numbers of visitors from around the
world, NASA was able to circumvent such an overload by setting up mirror
(duplicate) sites to handle these visitors. Ensuring the reliability of
platform and software applications. As GPEA

implementation progresses, agencies will increasingly depend on computers
and telecommunications to perform important functions that are essential to
the national welfare and that directly affect the lives of millions of
people every day. Such functions are likely to support critical

9 For discussions of the importance of systems architecture, see GAO's
Performance and Accountability Series, Major Management Challenges and
Program Risks: A Governmentwide Perspective( GAO/ OCG- 99- 1, January 1999);
Air Traffic Control: Complete and Enforced Architecture Needed for FAA
Systems Modernization( GAO/ AIMD- 97- 30,

February 3, 1997), and Customs Service Modernization: Architecture Must Be
Complete and Enforced to Effectively Build and Maintain Systems( GAO/ AIMD-
98- 70, May 5, 1998).

operations related to national defense, tax collection, import control,
benefits payments, and law enforcement- operations that must not be subject
to frequent disruptions or slowdowns. The Web servers and other computer
platforms that support e- government services- including their operating
systems and the software that connects them- must provide reliable support
for potentially heavy user demands. Systems must reliably confirm that a
transaction is complete and also must reliably abort a transaction
completely and consistently in the event that a problem occurs. The
technology in use today does not always respond consistently and
unambiguously. Developing common technical standards. Even a smoothly
operating

electronic delivery service will fail to fulfill the promise of e-
government if users cannot use it easily. The use of common technical
standards will help. For example, basic functions such as browsing an on-
line catalog and placing an order rely on the TCP/ IP (Transmission Control
Protocol/ Internet Protocol) for the transmission of data over the Internet,
DNS (Domain Name System) for translating computer names into numeric IP
addresses, HTTP (Hypertext Transfer Protocol) for information exchange
between the Web browser and Web server, and HTML (Hypertext Markup Language)
for formatting Web content. Besides these well- established and widely used
standards, other standards are being developed to provide interoperable
electronic delivery of services to the public.

To help agencies with many of these issues, the Federal CIO Council, with
assistance from GAO, is developing a guide to provide a suggested framework
to agencies as they carry out the processes necessary to develop and
maintain an enterprise architecture. This guide builds on policy guidance
that began in 1997 with OMB's Memorandum M- 97- 16, Information Technology
Architectures, which establishes the minimum criteria for IT architecture
required of agencies by the Clinger- Cohen Act of 1996. In September 1999,
the CIO Council issued the Federal Enterprise Architecture Framework to
provide an organized structure and common terms for federal entities to use
in developing within their own organizations specific architectures that
could then be integrated with governmentwide systems.

Ensuring Security and A secure computing environment will be needed to
support the broad array

Privacy of e- government services envisioned by GPEA. Participants-
including

government agencies, private businesses, and individual citizens- must feel
comfortable using electronic means to carry out sensitive transactions,

such as obtaining a license, bidding on a contract, or making a benefit
claim. Personal information must be adequately protected from unauthorized
disclosure, and electronic transactions must be guarded against tampering
and fraud. Also, essential computer systems must be protected from undue
disruptions, such as those resulting from recent computer virus epidemics.
10

Establishing an adequately secure computer environment will be a major
undertaking for federal agencies because most have not institutionalized
basic controls and management practices to effectively manage computer
security risks. The Department of Transportation, in its comments on OMB's
proposed GPEA implementation guidance, underscored the need for improved
security, stating that “opening databases creates potential
vulnerabilities, including those related to security administration, key
management, and system configuration.”

Concerns about security needs for GPEA initiatives reflect security concerns
about computerized federal operations in general. Audit reports that we and
agency inspectors general have issued have identified serious and pervasive
computer security weaknesses throughout the federal government. Our most
recent analysis showed that such weaknesses were reported for 24 of the
largest federal agencies from July 1999 through August 2000. 11 Repeatedly,
we have found that the underlying cause of these persistent problems is that
agencies have not instituted a basic cycle of management procedures for
ensuring that risks are fully understood and that controls implemented to
mitigate risks are effective. For example, since July 30, 1999, we have
reported such weaknesses at the departments of Energy, Treasury, Defense,
and Agriculture, and at the Environmental

10 For information on recent computer virus epidemics see Information
Security: The Melissa Computer Virus Demonstrates Urgent Need for Stronger
Protection Over Systems and Sensitive Data( GAO/ T- AIMD- 99- 146, April 15,
1999); Critical Infrastructure Protection: “ILOVEYOU” Computer
Virus Highlights Need for Improved Alert and Coordination Capabilities( GAO/
T- AIMD- 00- 181, May 18, 2000); and Information Security:
“ILOVEYOU” Computer Virus Emphasizes Critical Need for Agency
and Governmentwide Improvements (GAO/ T- AIMD- 00- 171, May 10, 2000). 11
Information Security: Serious and Widespread Weaknesses Persist at Federal
Agencies (GAO/ AIMD- 00- 295, September 6, 2000).

Protection Agency. 12 While agencies are working to correct specific control
deficiencies as well as the related management weaknesses, progress has been
slow. We, in our comments on OMB's proposed GPEA implementation guidance,
emphasized that agencies need to perform careful risk assessments before
implementing GPEA. 13

As with other aspects of GPEA, addressing security and privacy needs is
likely to require additional funding- at least in the short term- as
agencies make investments in the infrastructure and capabilities needed to
enable secure electronic business operations. Agencies have been required to
secure critical and sensitive data for decades. In particular, the Computer
Security Act of 1987 and related OMB guidance have required agencies to
assess their information security risks and implement security controls
commensurate with these risks. Nevertheless, agencies noted that they may be
hard- pressed to allocate sufficient resources to provide the level of
assurance necessary for widespread implementation of electronic federal
processes. For example, the Department of Agriculture, in commenting on
OMB's proposed GPEA implementation guidance, noted that it would have to
update its network plans, conduct risk analyses, evaluate technology
alternatives, and perform network testing, and that the requisite funding
and staff resources were not available for the immediate future.

In addition to improvements at individual agencies, a more effective
governmentwide strategy for improving federal security is needed to fully
realize the benefits of GPEA implementation- a strategy that involves
conducting routine periodic independent audits of agency security programs;
assisting agencies in determining the level of protection that is
appropriate for various types of data under their control; and strengthening
central leadership and coordination of information security– related
activities across government. As we testified in July 2000, an important

12 Information Security: Vulnerabilities in DOE's Systems for Unclassified
Civilian Research (GAO/ AIMD- 00- 140, June 9, 2000); Information Security:
Fundamental Weaknesses Place EPA Data and Operations at Risk( GAO/ T- AIMD-
00- 97, February 17, 2000); Financial Management Service: Significant
Weaknesses in Computer Controls( GAO/ AIMD- 00- 4, October 4, 1999); DOD
Information Security: Serious Weaknesses Continue to Place Defense
Operations at Risk( GAO/ AIMD- 99- 107, August 26, 1999); Bureau of the
Public Debt: Areas for Improvement in Computer Controls( GAO/ AIMD- 99- 242,
August 6, 1999); USDA Information Security: Weaknesses at National Finance
Center Increase Risk of Fraud, Misuse, and Improper Disclosure( GAO/ AIMD-
99- 227, July 30,1999).

13 Information Technology: Comments on Proposed OMB Guidance for
Implementing the Government Paperwork Elimination Act( GAO/ AIMD- 99- 228R,
July 2, 1999).

element of such efforts will be defining and clarifying the roles and
responsibilities of organizations- especially federal entities- serving as
central repositories of information or as coordination focal points. 14 For
example, the disruption caused by the recent ILOVEYOU virus attack in May
2000 illustrated that the federal government, as well as other government
and industry sectors, were not effective in detecting viruses early and
immediately warning agencies about the imminent threat. 15 Federal entities
with governmentwide responsibilities- including OMB, the CIO Council, the
Federal Computer Incident Response Capability, and the National
Infrastructure Protection Center- are currently working with federal
agencies to improve our government's ability to share critical information
and respond to events such as the ILOVEYOU attack. In addition, they have
initiated several efforts to assist agencies in fundamentally improving
their information security programs, including development of a common
framework for evaluating agency progress in this area.

Another important element of security will be wider implementation of public
key cryptography. Such technology, when properly implemented and maintained,
can provide assurance that (1) the parties to an electronic transaction are
really the entities they claim to be, (2) information has not been altered,
and (3) neither party will be able to wrongfully deny that they took part in
the transaction when acknowledgments are used. Key federal security experts
believe that these assurances are necessary to support broader
implementation of e- government services.

The federal government is aggressively promoting the deployment of PKI
technology. The Federal PKI Steering Committee, for example, was established
to coordinate PKI pilot projects on a governmentwide basis and to undertake
efforts to encourage the adoption of PKI technology. Federal agencies-
including NASA, DOD, and the Patent and Trademark Office- are experimenting
with 24 pilot PKI programs. Furthermore, as mentioned earlier, GSA's ACES
program is intended to facilitate agency adoption of PKI technology by
establishing a framework for issuing and managing digital signature
certificates.

14 Critical Infrastructure Protection: Challenges to Building a
Comprehensive Strategy for Information Sharing and Coordination( GAO/ T-
AIMD- 00- 268, July 26, 2000). 15 GAO/ T- AIMD- 00- 181, May 18, 2000, and
GAO/ T- AIMD- 00- 171, May 10, 2000.

The public key and digital signature technologies used to authenticate
sensitive electronic transactions are a source of concern that some agencies
mentioned in comments on OMB's draft GPEA guidance. Our own work indicates
that these technologies will require further development. 16 A number of
significant challenges must still be overcome before the technology can be
widely deployed and implemented in the federal government. For instance, it
has not yet been demonstrated that a governmentwide federal PKI, connecting
hundreds of thousands or millions of users, can operate efficiently and
effectively. The government is developing a Federal Bridge Certification
Authority (FBCA) to serve as electronic “glue” to connect the
various PKIs that are developed separately by different federal agencies.
Although a prototype test involving five organizations' PKIs was conducted
in April 2000, the FBCA is not yet operational and not all of its functions
have yet been demonstrated. In addition, a significant up- front cost is
involved in fielding and maintaining PKI capability. Certification
authorities, including those established by the ACES program, must be set up
to positively identify users, issue them electronic certificates, and manage
the exchange, verification, and revocation of certificates. In addition,
existing software and systems must be modified so that they can interact
with the PKI. Lastly, although several PKI products are currently on the
market, many believe that interoperability and user friendliness could be
improved.

Establishing Reliable In implementing GPEA and moving toward e- government,
executivebranch

Recordkeeping agencies and NARA will be faced with the substantial challenge
of

preserving electronic records in an era of rapidly changing technology.
Agencies must create electronic records, store them, properly dispose of
them when appropriate, and send permanently valuable records to NARA for
archival storage. Staff members creating records, for example, need to be
made aware of what constitutes an electronic record, how to save it, and how
to archive it for future use. For e- mail alone, this can be an intricate
task given the (1) huge volumes of e- mail agency employees now send and
receive in performing their official duties and (2) related privacy issues.

When deciding how to store electronic documents, agencies must take into
account the legal viability of the records they create. The Department of
Justice, in its draft guidance for federal agencies on designing and
implementing electronic processes, notes that agencies must ensure that

16 GAO/ T- AIMD/ GGD- 00- 179, May 22, 2000.

the important information in a transaction is collected, retained, and
accessible whenever needed, even years later, and even when changes have
occurred to computer hardware and software. These records must be
sufficiently reliable and persuasive to satisfy courts and others who must
assess agency actions. In addition, agencies' use of electronic methods to
obtain, send, disclose, and store information must comply with applicable
laws, such as those governing privacy, confidentiality, recordkeeping, and
accessibility for disabled individuals.

The long- term preservation and retention of those electronic records is a
challenge because software products change frequently. The Department of
Health and Human Services, in its comments on OMB's initial draft guidance
for GPEA, expressed concerns about obsolescence of hardware and software,
and NARA, in its guidance, remarked that this obsolescence can make record
retention burdensome. The NARA guidance developed in response to GPEA also
recognizes that records management involving records that have been created
using electronic signature technology is a complex process, requiring
training and knowledge on the part of both IT specialists and records
management personnel at the agencies. The guidance points out that in
systems implemented as a result of GPEA, records management requirements
will be an important element of the IT system requirements.

NARA itself must be able to receive electronic records from agencies, store
them, and retrieve them when needed. 17 To do so, it must expand its
capacity to accept an increasing volume of electronic records from agencies.
NARA notes that federal agencies are individually generating huge volumes of
electronic records annually just in e- mail, much of which may need to be
preserved by NARA. In addition to the increasing volume, the increasing
variety of electronic records such as word processing documents, e- mail
messages, databases, digital images, and Web site pages complicate NARA's
mission to preserve these records. According to NARA, it lacks the capacity
to accommodate its current backlog of files and the exploding volume and
variety of electronic data files that it receives from federal agencies.

17 For further information on NARA's activities, see National Archives:
Preserving Electronic Records in an Era of Rapidly Changing Technology( GAO/
GGD- 99- 94, July 19, 1999).

Providing Expertise and As federal agencies increase their efforts to
provide electronic service

Training delivery systems, they face a short supply of IT human resources to

develop and manage Web- based and other applications that will be required
to implement GPEA. The demand for IT workers is large and growing. According
to an April 2000 skills study by the Information Technology Association of
America (ITAA), employers will attempt to fill 1. 6 million new IT jobs in
2000. The largest skill gaps are for enterprise systems integration and Web
development positions. These positions require advanced technical skills,
and qualified applicants are scarce. Technical support and network
administration positions, requiring skills in troubleshooting, customer
service, and systems operations and maintenance, also are in high demand by
both IT and non- IT companies.

In a 1999 survey conducted by ITAA, federal CIOs reported that IT workforce
issues, including age, skill mix, and recruiting problems, are becoming the
most vexing problems confronting them. For example, several CIOs indicated
that over 50 percent of their IT workforce would be eligible to retire
within 3 years, underscoring the workforce issue as a problem that would get
worse before it gets better. The rapid rate of technological change, in
combination with the lack of current technological skills, is creating a
significant gap between skill supply and demand in the federal workplace.
CIOs also reported a lack of more traditional skills- project and program
management and contract management skills.

The Federal CIO Council has recognized increasing difficulties that agencies
have in recruiting qualified staff. Federal salaries and benefits are
perceived as less competitive with each passing year. The council is working
to validate and substantiate the extent of the federal IT workforce
challenge and to develop and implement strategies for recruitment,
retention, and development of IT professionals.

In addition to recruiting qualified staff, implementing GPEA will require
staff training in a number of areas. Agencies are becoming acutely aware
that e- government technology applications work only if people have the
training to execute them properly. Increasing the computer literacy of the
federal workforce can help to ensure that, as citizen- to- government
interactions become more automated, government employees are ready to
actively participate in the transition. The new technology also creates a
need for specialized training of available staff in areas such as Web- based
applications, security, and software maintenance and engineering.

In particular, the process of adopting a new system can be made much less
difficult by offering well- designed, user- oriented training sessions that
demonstrate not only how the system works, but how it fits into the larger
work picture and “citizen as customer” orientation. Training is
especially important in making the transition to applications called for by
GPEA because these applications demand that organizations move away from a
paper- based business paradigm to an electronic, customer- centric paradigm.
In comments on OMB's initial draft guidance for implementing GPEA, agencies
expressed concerns about the training that will be required, noting that
such training will entail time and expense. The Department of Agriculture,
for example, commented in its response to OMB's initial draft guidance that
implementing GPEA would lead to significant changes in the way federal
agencies currently operate, and Agriculture would have to train both its
employees and its customers to do business differently.

Conclusions OMB's guidance- as well as the guidance and supplementary
efforts being undertaken by Treasury, NARA, Justice, Commerce, the Federal
PKI

Steering Committee, and others- provides a useful foundation of information
to assist agencies with GPEA implementation and the transition to e-
government. Effectively applying the guidance will require agencies to
undertake significant planning and training efforts and to devote time and
attention to intra- agency and governmentwide implementation and
coordination issues. In doing this, agencies must overcome the challenges
that have historically troubled many information technology initiatives:
poorly planned and implemented investment practices, inadequate technology
infrastructures, insufficient security and privacy measures, changing
recordkeeping needs and technologies, and gaps in technical expertise and
training.

Effective GPEA implementation will depend on top agency leaders, OMB, and
the Congress ensuring that steps toward e- government are effectively merged
with corresponding management and process improvements. This oversight will
be critical in ensuring that agencies work efficiently within a changing
technological environment while applying the varied and evolving guidance
provided by OMB and other federal entities. Agency and congressional leaders
will have to provide sustained direction and oversight as well to overcome
the challenges that accompany- and can derail- information technology
initiatives.

As previously mentioned, issues we have covered in prior reports provide an
overview of the types of challenges that agencies will need to address to
maximize the opportunities for successful GPEA implementation. Our previous
reports, listed in appendix II, contain recommendations to agencies for
improving their IT management practices. In addition, GAO has published
guidance on several of these issues that agencies can refer to when planning
their GPEA initiatives. This guidance is listed in appendix III.

Agency Comments and In oral comments on a draft of this report, officials
from OMB's Office of

Our Evaluation Information and Regulatory Affairs generally agreed with the
information

presented regarding OMB's efforts to develop guidance implementing GPEA and
the discussion of major challenges to successful GPEA implementation. They
offered comments of a technical or clarifying nature, which we have
incorporated where appropriate.

As agreed with your office, unless you publicly announce the contents of
this report earlier, we will not distribute it until 30 days from its issue
date. At that time, we will send copies to Senator Fred Thompson, Chairman,
Senate Committee on Governmental Affairs; Senator George V. Voinovich,
Chairman, and Senator Richard J. Durbin, Ranking Minority Member,
Subcommittee on Oversight of Government Management, Restructuring and the
District of Columbia, Senate Committee on Governmental Affairs; Senator Jon
Kyl, Chairman, and Senator Dianne Feinstein, Ranking Minority Member,
Subcommittee on Technology, Terrorism, and Government Information, Senate
Committee on the Judiciary; Senator Christopher S. Bond, Chairman, and
Senator John F. Kerry, Ranking Minority Member, Senate Committee on Small
Business; Representative Tom Bliley, Chairman, and Representative John D.
Dingell, Ranking Minority Member, House Committee on Commerce;
Representative Steve Horn, Chairman, and Representative Jim Turner, Ranking
Minority Member, Subcommittee on Government Management, Information and
Technology, House Committee on Government Reform; Representative Constance
A. Morella, Chairwoman, and Representative James A. Barcia, Ranking Minority
Member, Subcommittee on Technology, House Committee on Science; and
Representative Jim M. Talent, Chairman, and Representative Nydia M.
Velazquez, Ranking Minority Member, House Committee on Small Business. In
addition, we are providing copies to the Honorable Jacob J. Lew, Director,
Office of Management and Budget, and

other interested parties. Copies will be made available to others upon
request.

If you have questions regarding this report, please contact me at (202) 512-
6240 or by e- mail at mcclured. aimd@ gao. gov. Key contributors to this
report were Jean Boltz, Cristina Chaplain, Mary Marshall, and Pat Slocum.

Sincerely yours, David L. McClure Associate Director Defense and
Governmentwide

Information Systems

Appendi Appendi xes xI

Objectives, Scope, and Methodology Our objectives were to determine (1) the
status of the Office of Management and Budget's (OMB) efforts to develop
guidance for executive agencies on implementing GPEA, and (2) major
challenges or impediments that might affect GPEA implementation.

To determine the status of OMB's efforts to develop guidance for GPEA
implementation, we reviewed OMB's proposed and final GPEA implementation
guidance documents as well as comments on the initial draft guidance sent to
OMB by federal agencies, state government organizations, and private
organizations. In addition, we met with OMB officials to discuss whether OMB
had received further comments from organizations on its draft implementation
guidance and what actions OMB had taken in response to comments it received.
We also discussed steps OMB was taking to coordinate its efforts with other
agencies to which it had assigned responsibilities for developing executive-
branch policies and guidance related to GPEA: the departments of Justice and
Treasury, the General Services Administration (GSA), the Department of
Commerce's National Institute of Standards and Technology (NIST), and the
National Archives and Records Administration (NARA). We met with officials
at these agencies and obtained draft GPEA implementation guidance from
Justice, Treasury, and NARA. We asked OMB officials to describe their plans
for tracking agencies' progress on GPEA implementation, including OMB's
budget reviews and its Information Collection Budget reporting process under
the Paperwork Reduction Act. In addition, we reviewed OMB's guidance to
agencies on how to prepare reports describing their GPEA implementation
plans and schedules.

To identify challenges or impediments that might affect GPEA implementation,
we met with responsible officials at those agencies assigned executive-
branch responsibilities for GPEA implementation and we reviewed pertinent
documentation. In addition, we reviewed draft GPEA implementation guidance
issued by NARA, Justice, Treasury, and the Federal PKI Steering Committee.
We also analyzed descriptions of federal agencies' electronic information
dissemination initiatives contained within reports that these agencies had
sent to OMB for its Information Collection Budget report for fiscal year
2000. In addition, we analyzed our own previous reports on pertinent IT
management issues.

We also reviewed studies performed by federal agencies and private industry
on Internet use and electronic business; we did not independently verify
information contained in these studies.

We discussed a draft of this report with officials from OMB's Office of
Information and Regulatory Affairs. They offered comments of a technical or
clarifying nature, which we have incorporated in the report where
appropriate.

We performed our audit work from January through August 2000 in accordance
with generally accepted government auditing standards.

Selected GAO Reports on Information

Appendi xII

Technology Management Information Security: Serious and Widespread
Weaknesses Persist at Federal Agencies. GAO/ AIMD- 00- 295, September 6,
2000. Defense Management: Electronic Commerce Implementation Strategy Can Be
Improved. GAO/ NSIAD- 00- 108, July 18, 2000.

Information Security: Fundamental Weaknesses Place EPA Data and Operations
at Risk. GAO/ AIMD- 00- 215, July 6, 2000.

Information Policy: NTIS' Financial Position Provides an Opportunity to
Reassess Its Mission. GAO/ GGD- 00- 147, June 30, 2000.

Federal Rulemaking: Agencies' Use of Information Technology to Facilitate
Public Participation. GAO/ GGD- 00- 135R, June 30, 2000.

Information Security: Vulnerabilities in DOE's Systems for Unclassified
Civilian Research. GAO/ AIMD- 00- 140, June 9, 2000.

Information Technology Management: SBA Needs to Establish Policies and
Procedures for Key IT Processes. GAO/ AIMD- 00- 170, May 31, 2000.

Managing for Results: Assessing the Quality of Program Performance Data.
GAO/ GGD- 00- 140R, May 25, 2000.

Critical Infrastructure Protection: “ILOVEYOU” Computer Virus
Highlights Need for Improved Alert and Coordination Capabilities. GAO/ T-
AIMD- 00- 181, May 18, 2000.

Information Security: Controls Over Software Changes at Federal Agencies.
GAO/ AIMD- 00- 151R, May 4, 2000.

Federal Information Security: Actions Needed to Address Widespread
Weaknesses. GAO/ T- AIMD- 00- 135, March 29, 2000.

Information Security: Comments on Proposed Government Information Security
Act of 1999. GAO/ T- AIMD- 00- 107, March 2, 2000.

Critical Infrastructure Protection: Comments on the National Plan for
Information Systems Protection. GAO/ T- AIMD- 00- 72, February 1, 2000.

Computer Security: FAA Needs to Improve Controls Over Use of Foreign
Nationals to Remediate and Review Software. GAO/ AIMD- 00- 55, December 23,
1999.

Information Security: Weaknesses at 22 Agencies. GAO/ AIMD- 00- 32R,
November 10, 1999.

Critical Infrastructure Protection: Fundamental Improvements Needed to
Assure Security of Federal Operations. GAO/ T- AIMD- 00- 7, October 6, 1999.

Information Systems: The Status of Computer Security at the Department of
Veterans Affairs. GAO/ AIMD- 00- 5, October 4, 1999.

Financial Management Service: Significant Weaknesses in Computer Controls.
GAO/ AIMD- 00- 4, October 4, 1999.

Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year
2000 Experiences. GAO/ AIMD- 00- 1, October 1, 1999.

Federal Reserve Banks: Areas for Improvement in Computer Controls. GAO/
AIMD- 99- 280, September 15, 1999.

DOD Information Security: Serious Weaknesses Continue to Place Defense
Operations at Risk. GAO/ AIMD- 99- 107, August 26, 1999.

USDA Information Security: Weaknesses at National Finance Center Increase
Risk of Fraud, Misuse, and Improper Disclosure. GAO/ AIMD- 99- 227, July 30,
1999.

Information Security: Recent Attacks on Federal Web Sites Underscore Need
for Stronger Information Security Management. GAO/ T- AIMD- 99- 223, June
24, 1999.

Information Security: Many NASA Mission- Critical Systems Face Serious
Risks. GAO/ AIMD- 99- 47, May 20, 1999.

Information Security: The Melissa Computer Virus Demonstrates Urgent Need
for Stronger Protection Over Systems and Sensitive Data. GAO/ T- AIMD- 99-
146, April 15, 1999.

Financial Audit: 1998 Financial Report of the United States Government. GAO/
AIMD- 99- 130, March 31, 1999.

Customs Service Modernization: Serious Management and Technical Weaknesses
Must Be Corrected. GAO/ AIMD- 99- 41, February 26, 1999.

HUD Information Systems: Improved Management Practices Needed to Control
Integration Cost and Schedule. GAO/ AIMD- 99- 25, December 18, 1998.

IRS Systems Security: Although Significant Improvements Made, Tax Processing
Operations and Data Still at Serious Risk. GAO/ AIMD- 99- 38, December 14,
1998.

Financial Management Service: Areas for Improvement in Computer Controls.
GAO/ AIMD- 99- 10, October 20, 1998.

Bureau of the Public Debt: Areas for Improvement in Computer Controls. GAO/
AIMD- 99- 2, October 14, 1998.

Information Systems: VA Computer Control Weaknesses Increase Risk of Fraud,
Misuse, and Improper Disclosure. GAO/ AIMD- 98- 175, September 23, 1998.

Information Security: Serious Weaknesses Place Critical Federal Operations
and Assets at Risk. GAO/ AIMD- 98- 92, September 23, 1998.

Social Security Administration: Technical and Performance Challenges
Threaten Progress of Modernization. GAO/ AIMD- 98- 136, June 19, 1998.

Air Traffic Control: Weak Computer Security Practices Jeopardize Flight
Safety. GAO/ AIMD- 98- 155, May 18, 1998.

Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department
Operations. GAO/ AIMD- 98- 145, May 18, 1998.

Customs Service Modernization: Architecture Must Be Complete and Enforced to
Effectively Build and Maintain Systems. GAO/ AIMD- 98- 70, May 5, 1998.

Tax Systems Modernization: Blueprint Is a Good Start But Not Yet
Sufficiently Complete to Build or Acquire Systems. GAO/ AIMD/ GGD- 98- 54,
February 24, 1998.

Defense IRM: Poor Implementation of Management Controls Has Put Migration
Strategy at Risk. GAO/ AIMD- 98- 5, October 20, 1997.

GAO Guides on Information Technology

Appendi xI II

Management Information Technology Investment Management: An Overview of
GAO's Assessment Framework, Exposure Draft. GAO/ AIMD- 00- 155, May 2000,
Version 1.

Information Technology Investment Management: A Framework for Assessing and
Improving Process Maturity, Exposure Draft. GAO/ AIMD- 10. 1.23, May 2000.

Information Security Risk Assessment: Practices of Leading Organizations.
GAO/ AIMD- 00- 33, November 1999.

Executive Guide: Information Security Management: Learning From Leading
Organizations. GAO/ AIMD- 98- 68, May 1998.

Executive Guide: Measuring Performance and Demonstrating Results of
Information Technology Investments. GAO/ AIMD- 98- 89, March 1998.

Business Process Reengineering Assessment Guide. GAO/ AIMD- 10.1.15, April
1997, Version 3.

Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT
Investment Decision- Making. GAO/ AIMD- 10.1.13, February 1997, Version 1.

Executive Guide: Improving Mission Performance Through Strategic Information
Management and Technology. GAO/ AIMD- 94- 115, May 1994.

(511864) Lett er

Ordering Information The first copy of each GAO report is free. Additional
copies of reports are $2 each. A check or money order should be made out to

the Superintendent of Documents. VISA and MasterCard credit cards are
accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U. S. General Accounting Office P. O. Box 37050 Washington,
DC 20013

Orders by visiting: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC

Orders by phone: (202) 512- 6000 fax: (202) 512- 6061 TDD (202) 512- 2537

Each day, GAO issues a list of newly available reports and testimony. To
receive facsimile copies of the daily list or any list from the past 30
days, please call (202) 512- 6000 using a touchtone phone. A recorded menu
will provide information on how to obtain these lists.

Orders by Internet: For information on how to access GAO reports on the
Internet, send an e- mail message with “info” in the body to:
info@ www. gao. gov or visit GAO's World Wide Web home page at: http:// www.
gao. gov

To Report Fraud,

Contact one:

Waste, or Abuse in

Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm

Federal Programs

e- mail: fraudnet@ gao. gov 1- 800- 424- 5454 (automated answering system)

GAO United States General Accounting Office

Page 1 GAO/ AIMD- 00- 282 GPEA Implementation

Contents

Page 2 GAO/ AIMD- 00- 282 GPEA Implementation

Page 3 GAO/ AIMD- 00- 282 GPEA Implementation United States General
Accounting Office

Washington, D. C. 20548 Page 3 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 4 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 5 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 6 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 7 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 8 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 9 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 10 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 11 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 12 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 13 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 14 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 15 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 16 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 17 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 18 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 19 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 20 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 21 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 22 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 23 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 24 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 25 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 26 GAO/ AIMD- 00- 282 GPEA Implementation

B- 286007 Page 27 GAO/ AIMD- 00- 282 GPEA Implementation

Page 28 GAO/ AIMD- 00- 282 GPEA Implementation

Appendix I

Appendix I Objectives, Scope, and Methodology

Page 29 GAO/ AIMD- 00- 282 GPEA Implementation

Page 30 GAO/ AIMD- 00- 282 GPEA Implementation

Appendix II

Appendix II Selected GAO Reports on Information Technology Management

Page 31 GAO/ AIMD- 00- 282 GPEA Implementation

Appendix II Selected GAO Reports on Information Technology Management

Page 32 GAO/ AIMD- 00- 282 GPEA Implementation

Appendix II Selected GAO Reports on Information Technology Management

Page 33 GAO/ AIMD- 00- 282 GPEA Implementation

Page 34 GAO/ AIMD- 00- 282 GPEA Implementation

Appendix III

United States General Accounting Office Washington, D. C. 20548- 0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. GI00
*** End of document. ***