Electronic Government: Selected Agency Plans for Implementing the
Government Paperwork Elimination Act (21-JUN-01, GAO-01-861T).	 
								 
The Government Paperwork Elimination Act (GPEA) requires that by 
2003 federal agencies provide the public, when practicable, the  
option of submitting, maintaining, and disclosing required	 
information--such as employment records, tax forms, and loan	 
applications--electronically, instead of on paper. In October	 
2000, federal agencies submitted GPEA implementation plans to the
Office of Management and Budget (OMB), which is responsible for  
executive branch oversight of GPEA. The plans submitted by the	 
the Department of the Treasury and the Environmental Protection  
Agency (EPA) generally provide the kind of information that was  
specified in OMB's July 2000 guidance. However, the Department of
Defense's (DOD) plan did not include a description of the	 
department's overall GPEA strategy and, in some cases, the data  
provided for specific information collections may be inaccurate, 
incomplete or duplicative. Officials of all three agencies said  
that they faced challenges in complying with GPEA, particularly  
with regard to implementing adequate security assurances for	 
sensitive electronic transactions and in planning for and	 
implementing computer network infrastructures. Further, OMB will 
be challenged in providing oversight of agency GPEA activities	 
because the plans submitted by the agencies go not document key  
strategic actions, nor do they specify when they will be	 
undertaken. Taken in isolation, the plans do not provide	 
sufficient information to assess agencies' progress in meeting	 
the objectives of the act. To address this issue, OMB may wish to
require agencies to report on major agencywide activities,	 
including specific planned tasks and milestones and the rationale
for adopting them.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-01-861T					        
    ACCNO:   A01225						        
  TITLE:     Electronic Government: Selected Agency Plans for	      
             Implementing the Government Paperwork Elimination Act            
     DATE:   06/21/2001 
  SUBJECT:   Environmental monitoring				 
	     Information technology				 
	     Electronic government				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-01-861T
     
For Release on Delivery Expected at 10: 30 a. m. EDT Thursday, June 21, 2001

ELECTRONIC GOVERNMENT

Selected Agency Plans for Implementing the Government Paperwork Elimination
Act

Statement of Joel C. Willemssen Managing Director, Information Technology
Issues Testimony

Before the Committee on Government Reform, House of Representatives

United States General Accounting Office

GAO

GAO- 01- 861T

Page 1 GAO- 01- 861T GPEA Implementation Plans

Mr. Chairman and Members of the Committee: I appreciate the opportunity to
be here today to participate in the Committee?s hearing on implementation of
the Government Paperwork Elimination Act (GPEA). 1 The act requires that by
2003 federal agencies provide the public, when practicable, the option of
submitting, maintaining, and disclosing required information- such as
employment records, tax forms, and loan applications- electronically,
instead of on paper. In October 2000, federal agencies submitted GPEA
implementation plans to the Office of Management and Budget (OMB), which is
responsible for executive branch oversight of GPEA.

As you know, we are currently conducting a review of agency GPEA
implementation plans at the request of the Chairman of the Senate Committee
on Governmental Affairs. For this hearing, you asked us to report
specifically on the efforts of three agencies to meet the requirements of
GPEA, as reflected in the plans they submitted to OMB. The three agencies
are the Department of the Treasury, the Environmental Protection Agency
(EPA), and the Department of Defense (DOD). After describing the framework
of OMB?s GPEA guidance, I will discuss each agency?s plan, including its
overall strategy for complying with GPEA, as well as the data on
information- collection activities provided as attachments to each of their
plans.

To prepare for this hearing, we obtained and analyzed the plans submitted by
each of the three agencies and held discussions with cognizant officials on
their progress and challenges in meeting GPEA?s October 2003 deadline.
Because of time constraints, we did not attempt to verify the data reported
in the plans regarding planned electronic conversions for specific systems
and processes.

The plans submitted by Treasury and EPA generally provide the kind of
information that was specified in OMB?s July 2000 guidance. However, DOD?s
plan did not include a description of the department?s overall GPEA strategy
and, in some cases, the data provided for specific information collections
may be inaccurate, incomplete, or duplicative.

Officials of all three agencies said that they faced challenges in complying
with GPEA, particularly with regard to implementing adequate security
assurances for sensitive electronic transactions and in planning for and

1 P. L. No. 105- 277, Div. C, tit. XVII. Results in Brief

Page 2 GAO- 01- 861T GPEA Implementation Plans

implementing computer network infrastructures. Further, OMB will be
challenged in providing oversight of agency GPEA activities because the
plans submitted by the agencies do not document key strategic actions, nor
do they specify when they will be undertaken. Taken in isolation, the plans
do not provide sufficient information to assess agencies? progress in
meeting the objectives of the act. To address this issue, OMB may wish to
require agencies to report on major agencywide activities, including
specific planned tasks and milestones and the rationale for adopting them.

Advances in the use of information technology and the Internet are
transforming the way federal agencies communicate, use information, deliver
services, and conduct business. To increase the ability of citizens to
interact with the federal government electronically, in 1998 the Congress
enacted GPEA.

GPEA makes OMB responsible for ensuring that federal agencies meet the act?s
October 21, 2003, implementation deadline. In May 2000, OMB issued GPEA
implementation guidance, 2 which lays out a process and principles for
agencies to employ in evaluating the use and acceptance of electronic
documents and signatures. The guidance calls for agencies to examine
business processes that might be revamped to employ electronic documents,
forms, or transactions; identify customer needs and demands; consider the
costs, benefits, and risks associated with making the transition to
electronic environments; and develop plans and strategies for recordkeeping
and security. In September 2000, we concluded that OMB?s GPEA guidance- as
well as the guidance and supplementary efforts being undertaken by Treasury,
the National Archives and Records Administration, the Departments of Justice
and Commerce and others- provided a useful foundation of information to
assist agencies with GPEA implementation and the transition to electronic
government (egovernment). 3 Our report also laid out information technology

management challenges that are fundamental to the success of GPEA. OMB?s May
guidance also required each agency, by October 2000, to develop and submit a
GPEA implementation plan and schedule. According to this guidance, these
plans were to prioritize implementation of systems and system modules based
on achievability and net benefit. Further,

2 OMB Memorandum M- 00- 10, ?OMB Procedures and Guidance on Implementing the
Government Paperwork Elimination Act.? 3 Electronic Government: Government
Paperwork Elimination Act Presents Challenges for Agencies (GAO/ AIMD- 00-
282, September 15, 2000). Background

Page 3 GAO- 01- 861T GPEA Implementation Plans

agencies were required to coordinate their GPEA plans and schedules with
their strategic information technology (IT) planning activities and report
progress annually.

In July 2000 OMB issued supplemental guidance that provided a structured,
standardized format for agency reporting of GPEA implementation plans.
Unlike the May 2000 guidance, which discussed a wide range of activities
needed for an agency to comply with GPEA, this new guidance focused on
specific kinds of data that OMB was expecting agencies to submit in the
October 2000 plans. The new guidance specified that the plans be divided
into four parts:

First, agencies were to provide a cover letter describing their overall
strategy and actions to comply with the act. This letter is the part of the
plan that provides an agencywide perspective on GPEA compliance efforts.

Second, agencies were required to provide data in tabular form regarding
information- collection activities approved by OMB under the Paperwork
Reduction Act (PRA), which mandates that OMB review how agencies collect and
use information. 4 The data tables were to include a column showing when an
electronic option would be completed (if one was being planned) and whether
electronic signatures were to be used.

Third, agencies were requested to provide an additional table showing
interagency reporting, information- dissemination activities, and other
agency- identified transactions. According to OMB?s guidance,

?interagency reporting? encompasses ongoing, periodic reports, such as
personnel and payroll reports, which are exchanged among agencies.
?Information- dissemination activities? refers to information products
intended for the general public, such as the periodic release of labor
statistics. Like the PRA- based inventory, this list was to include a column
showing when an electronic option would be completed, if planned, and
whether electronic signatures were to be used.

4 Under the Paperwork Reduction Act of 1995 (P. L. 104- 13), OMB determines
whether the agency needs the information, whether the agency has minimized
the burden on the public of collecting it, and whether the agency has
maximized the utility of the information collected. OMB?s Supplemental

Guidance on Preparing Agency Plans

Page 4 GAO- 01- 861T GPEA Implementation Plans

Lastly, supplemental information was also to be provided about any of the
previously listed transactions that the agency had determined to pose a
?high risk,? such as those involving particularly sensitive information or
very large numbers of respondents. This section of the plan was to include a
description of the transactions, their sensitivity, and additional risk
management measures that would be taken.

Let me now turn to the three agency plans you asked us to review. According
to Treasury?s plan, the department?s GPEA- related activities are a critical
component of the overall departmental effort to fundamentally redefine the
way it performs its critical missions. According to the plan, a key element
of that effort was the development of an e- government strategic plan- just
published this month- which Treasury is using as a framework for selecting
and implementing electronic initiatives.

In addition to its internal initiatives, Treasury?s plan notes that the
department has been involved in governmentwide actions to advance electronic
government and comply with GPEA. A key example is Pay. gov, an Internet
portal developed by its Financial Management Service. According to the plan,
the services of Pay. gov can help agencies meet GPEA requirements to accept
forms electronically by 2003 by offering a package of electronic financial
services to assist agencies, such as enabling end- users to submit agency
forms and authorize payments, presenting agency bills to end- users, and
establishing the identity of endusers and reporting information about
transactions back to the agencies. Once fully operational, this service
could help agencies throughout the federal government to more easily reach
the goals of GPEA.

According to the department?s deputy chief information officer (CIO), the
progress of major GPEA- related initiatives at Treasury is being monitored
through monthly CIO meetings with representatives from each of the
department?s various bureaus and by using an investment management tool. 5
The Deputy CIO added that compliance with GPEA is also included in the
criteria that Treasury uses in its investment review process for evaluating
newly proposed information technology projects.

5 This tool, known as I- TIPS (Information Technology Investment Portfolio
System), is a web- based decision support and project management tool to
help support the management of information technology investments.
Department of the

Treasury

Page 5 GAO- 01- 861T GPEA Implementation Plans

Treasury used its database of information collections identified under PRA
as a starting point for preparing the required data tables for its GPEA
implementation plan. PRA information collections include such things as
requests for forms and publications, tax- related forms, and
businessproduction reports. To refine the list, the department?s CIO
organization convened a group comprising representatives from Treasury?s IT
policy and strategy group, CIO development team, bureau representatives, and
policy office representatives. The group reviewed the PRA collections and
added a records management initiative that had not been part of the original
database.

Treasury?s plan provides the kind of information stipulated in OMB?s July
2000 guidance. Altogether, Treasury identified 336 PRA informationcollection
processes that are subject to GPEA. According to the plan, 23 of these are
scheduled for conversion to an electronic option in 2001, 36 are scheduled
for 2002, and 84 are scheduled for 2003. Of the remaining initiatives, 80
were reported to already be converted, two are scheduled for conversion in
2004, and 111 were not assigned a completion date for conversion. In all but
one case where the conversion date was beyond October 2003 or not assigned,
Treasury included explanations, as required by OMB?s guidance.

Further, Treasury identified 105 initiatives offering an electronic option
for interagency reporting, information- dissemination activities, and other
transactions, and four transactions identified as high risk. 6 For those
initiatives included in Treasury?s plan that did not specify completion
dates, the department plans to include that information when it becomes
available, according to the deputy CIO. The plan also is expected to be
updated as the bureaus and department offices make progress toward
completing its initiatives.

According to its October 2000 plan, EPA is currently undertaking three major
activities in an effort to provide e- government services and comply with
GPEA. The first initiative is to establish a new rule that would permit
electronic reporting and recordkeeping and establish the requirements
necessary to ensure that electronic documents are valid and authentic. EPA
has drafted the proposed new rule, and it is currently being reviewed

6 The four high risk transactions are (1) The Bureau of Engraving and
Printing?s (BEP) ?Owner?s

Affidavit of Partial Destruction of Mutilated Currency,? (2) BEP?s ?Claim
for Amounts Due in the Case of Deceased Owner of Mutilated Currency,? (3)
multiple application forms associated with the Community Development
Financial Institutions Fund, and (4) ?Request for Transfer of Property
Seized/ Forfeited by a Treasury Agency,? also known as an asset- sharing
request. Treasury?s Data Collection

Activities Environmental Protection Agency

Page 6 GAO- 01- 861T GPEA Implementation Plans

by administration officials. Agency officials expect it to be approved this
year, with a final rule to be published in 2002.

The second major initiative is the development of a computer network
facility known as the Central Data Exchange. This new facility is to be the
central point of entry for all electronic reporting, and is expected to
provide security, authentication, error detection, and distribution
capabilities. EPA expects the facility to be fully operational by the fall
of 2002.

The third major initiative is to improve EPA?s information security. We have
previously reported on significant weaknesses in EPA?s information security
program. 7 The October 2000 plan states that the agency has made significant
progress in improving its cyber defenses by implementing security
confidentiality protocols and procedures. Further, agency officials state
that they are actively exploring the use of electronic signatures and public
key infrastructure (PKI) 8 technology to ensure the security,
confidentiality, and non- repudiation of sensitive data collections.

EPA used an iterative process to develop its October 2000 plan. Starting
with its internal PRA database as a baseline, Office of Environmental
Information personnel created a template of information collections that was
sent to each program office for validation and for completion of additional
GPEA- related data. The agency?s final plan contains a detailed inventory of
its PRA information collections. An EPA official said that this inventory
and its related attachments include all of the information regarding plans
for electronic interagency reporting, information dissemination activities,
and high- risk transactions, as required by OMB.

EPA identified 279 data- collection activities applicable to GPEA. Through
iterative reviews, it determined that 108 of these were not candidates for
electronic reporting for reasons such as that they involved interaction with
only a few members of the public or because filling out a paper form was
deemed to not be a significant burden. According to the agency?s plan, of
the 171 data collections that were considered suitable for electronic

7 Information Security: Fundamental Weaknesses Place EPA Data and Operations
at Risk (GAO/ AIMD00- 215, July 6, 2000). 8 A PKI is a system of hardware,
software, policies and people that, when fully and properly implemented, can
provide a suite of information security assurances- including
confidentiality, data integrity, authentication, and nonrepudiation- that
are important in protecting sensitive communications and transactions. EPA?s
Data Collection

Activities

Page 7 GAO- 01- 861T GPEA Implementation Plans

reporting, 21 have already been converted, 3 are scheduled for 2001, 13 are
scheduled for 2002, and 96 are scheduled for 2003.

The remaining 38 data collections that will not be ready for electronic
reporting by the GPEA deadline all involve the reporting of confidential
business information. The electronic transmission of this type of data poses
additional risks that EPA does not plan to have fully addressed by October
2003. Agency officials state that they are in the process of assessing these
data collections to determine how to collect these data centrally and in a
secure form. By 2003 they expect that they will be testing methods of secure
transmission but do not expect them to be operational until after the GPEA
deadline.

According to EPA officials, in anticipation of a request by OMB for updated
information on the data- collection inventories, they sent a letter to the
program offices asking for such updated information. Using these responses,
EPA officials plan to update their data- collection inventory.

DOD?s October 2000 GPEA plan does not include a description of the
department?s overall strategy and efforts to comply with GPEA. Likewise, DOD
officials could not provide us with documentation specifically addressing a
departmentwide implementation strategy.

Officials from DOD?s Office CIO told us that major GPEA- related activities
within the department are focused on enabling and enhancing electronic
business applications and that the department?s strategic plans for business
process transformation include objectives that incidentally address the
goals of GPEA. Examples include the department?s paperless contracting
project- which aims to achieve paperless processes for many aspects of
contracting and invoicing- and its Central Contractor Registration System,
which contains electronic information about contractors and vendors. The
bulk of DOD?s departmentwide activity is focused on developing a PKI to
control access to sensitive information and provide security for electronic
transactions via digital signatures.

To assemble the department?s plan, officials from the CIO?s office began by
providing the military services and other departmental components with
listings of their information collections reported under PRA and requested
that they provide GPEA information for those items and add any others that
might be appropriate. The services and components, in turn, relayed the data
requests to their sub- components until a level was reached that could
provide information about the specific collections. The Department of

Defense DOD?s Data Collection Activities

Page 8 GAO- 01- 861T GPEA Implementation Plans

data were then reported back up to the office of the CIO, where they were
consolidated into a single report for OMB.

The data tables provided in DOD?s plan generally conform to the format
specified in OMB?s July 2000 guidance. The tables indicate that DOD
conducted 449 information collection- activities meeting OMB?s reporting
requirements for PRA. They also identify 13 interagency reporting and
information dissemination activities, as well as four transactions that were
determined to pose a high risk. 9

The Office of the CIO did not review the data it received from the various
DOD components for completeness or accuracy before reporting the information
to OMB in October 2000. In reviewing the data, we found indications that
some may be inaccurate, incomplete, or duplicative. For example, the Defense
Security Service made 238 entries for data- collection activities that
included little of the information requested by OMB and appeared, in many
cases, not appropriate as separate entries. In discussions with us, DOD
officials agreed that the Defense Security Service had reported incomplete
and possibly inaccurate information and said that they would request that
the service correct it.

The Office of the CIO has taken steps to follow up on the information
submitted by the military services and DOD components. In January 2001, the
CIO issued a memorandum to the services and components forwarding OMB?s May
2000 guidance on GPEA implementation. The memo stated that CIOs of the DOD
components would be expected to apply it during their continued planning,
development, redesign, operation, and oversight of department systems.
According to CIO officials, this memo is the first formal DOD guidance
document specifically addressing GPEA.

Further, in April, the DOD CIO office requested that the services and
components review the accuracy of their portions of the GPEA implementation
plan. However, DOD CIO officials indicated that only one official- from the
Office of the Assistant Secretary of Defense (Public Affairs)- had responded
to this information request, and that was to correct possible errors for a
single item. 10

9 The four high- risk transactions are (1) Application for Uniformed
Services Identification Card, (2) Exceptional Family Member Medical and
Educational Summary, (3) TRICARE Senior Prime Enrollment Application, and
(4) Continued Health Care Benefit Program Application.

10 The item was ?Stars and Stripes Audience Survey.?

Page 9 GAO- 01- 861T GPEA Implementation Plans

Mr. Chairman, you also asked us to assess the Personnel and Readiness
portion of DOD?s plan. For this category, DOD reported 76 PRA information-
collection activities and ten interagency reporting and information-
dissemination activities. DOD provided a projected completion date for one
of the 76 PRA- type activities and for two of the ten interagency and
information- dissemination activities.

Additionally, we found that 38 of the 76 PRA information collections and
four of the ten interagency reporting and information- dissemination
activities were likely duplicate entries. We met with officials from the
Office of the CIO and the Undersecretary of Defense for Personnel and
Readiness and pointed out the potential duplication. The officials agreed
and subsequently notified us that Personnel and Readiness had corrected the
discrepancies.

In our discussions with agency officials, several themes emerged as
significant challenges in meeting the goals of GPEA. First, all three
agencies have determined that the security assurances provided through the
use of PKI technology will be needed to enable many of their sensitive
electronic transactions. 11 As I mentioned earlier, DOD?s Office of the CIO
is developing a departmentwide PKI, and the office is working with the
General Services Administration (GSA) to make its PKI interoperable with
GSA?s governmentwide Access Certificates for Electronic Services program.
EPA is also pilot- testing the use of electronic signatures and digital
certificates through GSA?s program, and has applied for a grant from GSA to
conduct a PKI interoperability project. Treasury is also closely involved in
the governmentwide effort to develop PKI, having recently chaired the CIO
Council?s Federal PKI Steering Committee. According to Treasury?s deputy
CIO, the department will be challenged to develop its own PKI because it
will need to pool resources from, and coordinate activities with, all of its
bureaus.

Second, EPA and Treasury both commented about the importance of adequately
planning for and implementing computer network and telecommunications
infrastructures to provide the capacity and connectivity needed to support
the electronic traffic generated by new or enhanced electronic offerings.
According to agency officials, many types of transactions covered by GPEA
will require the support of new

11 Issues related to implementation of PKI technology are discussed in
further detail in Information Security: Advances and Remaining Challenges to
Adoption of Public Key Infrastructure Technology (GAO- 01- 277, February 26,
2001). Data- Collection Activities

for Personnel and Readiness

Agencies Face Challenges in Achieving Full Compliance with GPEA

Page 10 GAO- 01- 861T GPEA Implementation Plans

enterprisewide infrastructure. For example, EPA?s Central Data Exchange
project is a major infrastructure undertaking that will be critical to
enabling the electronic exchange of information between EPA and state
environmental agencies. Likewise, Treasury is developing the Treasury
Communications Enterprise to provide a common departmentwide communications
infrastructure to support electronic government initiatives throughout the
department.

Third, agencies will need adequate capabilities for storing, retrieving, and
disposing of electronic records. EPA officials expressed concern about the
status of governmentwide electronic recordkeeping standards, which have not
yet been finalized. Many electronic systems are already being developed and
implemented that may be incompatible with future standards.

As we reported last September, 12 federal agencies face additional
information management challenges that are also fundamental to the success
of GPEA. Specifically, agencies will need to

use disciplined investment management practices to ensure that the full
costs of providing electronic filing, recordkeeping, and transactions
prompted by GPEA are identified and examined within the context of expected
benefits; and

ensure that IT human capital needs are addressed so that staff can
effectively operate and maintain new e- government systems, adequately
oversee related contractor support, and deliver responsive service to the
public.

OMB will also be challenged in its oversight role of ensuring that agencies
comply with GPEA. As I mentioned, OMB?s initial guidance issued in May 2000
prescribed policies and procedures for agencies to follow in implementing
the act. For example, the guidance states that agencies should prioritize
GPEA implementation based on achievability and net benefit. A number of the
prescribed procedures were focused on agencywide strategic actions, such as

examining business processes that might be revamped to employ electronic
documents, forms, or transactions;

12 Electronic Government: Government Paperwork Elimination Act Presents
Challenges for Agencies (GAO/ AIMD- 00- 282, September 15, 2000). OMB Will
Be

Challenged in Overseeing Agency Strategic GPEARelated Activities

Page 11 GAO- 01- 861T GPEA Implementation Plans

identifying customer needs and demands as well as the existing risks
associated with fraud, error, or misuse; and

evaluating electronic signature alternatives, including risks, costs, and
practicality.

However, the GPEA implementation plans submitted by federal agencies do not
provide sufficient information with which to assess whether agencies have
been engaging in these processes. While OMB?s subsequent July reporting
guidance called for a brief cover letter describing an agency?s overall
strategy and actions to comply with the act, it did not stipulate a full
report on the variety of strategic activities and other tasks that agencies
were expected to perform, and their schedules for carrying them out.
Further, the format prescribed for the information- collection data tables
does not provide for any indication of whether electronic implementation has
been prioritized based on achievability and net benefit.

OMB may wish to consider whether a more comprehensive agency status report
is necessary in order to gain better insight into agencywide GPEA planning.
Specifically, agencies could be asked to report on the status of the
specific tasks outlined in OMB?s May 2000 guidance, and provide milestones
for completing tasks that are still underway. This would allow OMB to better
assess whether individual agencies are likely to achieve the objectives of
the act.

Mr. Chairman, this concludes my statement. I would be pleased to respond to
any questions that you or other members of the Committee may have at this
time.

For information about this testimony, please contact me at (202) 512- 6408
or by e- mail at willemssenj@ gao. gov. Individuals making key contributions
to this testimony include Felipe Colï¿½n, Jr., John de Ferrari, Steven Law,
Juan Reyes, Elizabeth Roach, Jamelyn Smith, and Yvonne Vigil.

(310422) Contacts and

Acknowledgments

Orders by Internet For information on how to access GAO reports on the
Internet, send an e- mail message with ?info? in the body to:

Info@ www. gao. gov or visit GAO?s World Wide Web home page at: http:// www.
gao. gov

Contact one: Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm E-
mail: fraudnet@ gao. gov 1- 800- 424- 5454 (automated answering system)
Ordering Information

To Report Fraud, Waste, and Abuse in Federal Programs
*** End of document. ***