Information Resources Management: Comprehensive Strategic Plan	 
Needed to Address Mounting Challenges (22-FEB-02, GAO-02-292).	 
                                                                 
Congress passed the Paperwork Reduction Act (PRA) to establish a 
single, overarching policy framework for the management of	 
government information resources. The act established information
resources management (IRM) as an approach governing the 	 
collection, dissemination, security, privacy, and management of  
information. The act also created the Office of Information and  
Regulatory Affairs (OIRA) to provide leadership, policy 	 
direction, and oversight of governmentwide IRM. It further	 
required OIRA to develop and maintain a governmentwide strategic 
IRM plan and charged that office with responsibilities for	 
general IRM policy and information technology. Although OIRA	 
designated the Chief Information Officers Council's strategic	 
plan for fiscal years 2001-2002 as the governmentwide strategic  
IRM plan required by the PRA, this does not constitute an	 
effective and comprehensive strategic vision. OIRA has issued	 
policy and implementing guidance, conducted oversight activities,
and taken various steps in each of the functional areas. GAO	 
found that the documents cited by OMB during it's review did not,
separately or collectively, meet the requirements for a 	 
governmentwide strategic IRM plan established by PRA.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-292 					        
    ACCNO:   A02787						        
  TITLE:     Information Resources Management: Comprehensive Strategic
Plan Needed to Address Mounting Challenges			 
     DATE:   02/22/2002 
  SUBJECT:   Government information				 
	     Information resources management			 
	     Information technology				 
	     Strategic planning 				 
	     Performance and Accountability Series		 
	     2001						 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-292
     
United States General Accounting Office

GAO

Report to the Chairman, Committee on Governmental Affairs, U.S. Senate

February 2002

INFORMATION RESOURCES MANAGEMENT

Comprehensive Strategic Plan Needed to Address Mounting Challenges

GAO-02-292

Contents

Letter

Results in Brief
Background
A Coordinated Federal IRM Plan Is Essential to Achieving Results;

OIRA's Plan Falls Short OIRA Has Responded to PRA Policy, Oversight, and
Functional

Responsibilities Conclusions Recommendations Agency Comments and Our
Evaluation

                                     1

                                    2 4

                                     9

15 20 21 22

Appendix I Scope and Methodology

Appendix II Key Requirements of the Paperwork Reduction Act and OIRA Actions

Appendix III Comments from the Office of Management and Budget

Related GAO Products

Abbreviations

AIMD Accounting and Information Management Division
CDC Centers for Disease Control and Prevention
CIO Chief Information Officer
FTE full-time-equivalent
GAO General Accounting Office
GGD General Government Division
IRM information resources management
IT information technology
NARA National Archives and Records Administration
NTIS National Technical Information Service
OCG Office of the Comptroller General
OIRA Office of Information and Regulatory Affairs
OMB Office of Management and Budget
PRA Paperwork Reduction Act

United States General Accounting Office Washington, DC 20548

February 22, 2002

The Honorable Joseph I. Lieberman
Chairman, Committee on Governmental Affairs
United States Senate

Dear Mr. Chairman:

The events of September 11 and the subsequent anthrax attacks have
demonstrated the importance of accurate, timely information and the need
for strong leadership in integrating and managing this information across
government agencies. As agencies have struggled with issues involving
intelligence gathering, information sharing and dissemination, security,
and information technology (IT), it has become increasingly apparent that
our government needs to better assess-from a strategic standpoint-all
aspects of how it handles information.

In recognition of the importance of government information, the Congress
in 1980, as you know, passed the Paperwork Reduction Act (PRA) to
establish a single, overarching policy framework for the management of
information resources. The act, amended in 1986 and 1995, established
information resources management (IRM) as an approach governing
virtually all aspects of government information activities, including
collection, dissemination, security and privacy, and management of
information technology. The act also created the Office of Information and
Regulatory Affairs (OIRA) within the Office of Management and Budget
(OMB), to provide leadership, policy direction, and oversight of
governmentwide IRM. It further

* required OIRA to develop and maintain a governmentwide strategic IRM plan,
and

* charged OIRA with responsibilities for general IRM policy and specific IRM
functions: information collection, dissemination, statistical policy and
coordination, records management, privacy and security, and information
technology.

Since 1998, OIRA has designated the Chief Information Officers Council's
strategic plan as the principal means of meeting the requirement for a
governmentwide strategic IRM plan. The most recent plan is for fiscal years
2001-2002 and was published jointly by OMB and the CIO Council in October
2000. According to this plan, its goal is to enhance the strategic focus of
the Council, establish roadmaps for achieving the strategic vision,

Results in Brief

define measures to assist the Council in evaluating its progress toward
meeting its challenges, and provide a basis for budget planning.

This report responds to your request that we review OIRA's actions to
fulfill its responsibilities under PRA. Specifically, our objectives were to
(1) assess the adequacy of the governmentwide strategic IRM plan developed
in response to the act's requirements and (2) provide status information on
OIRA's actions to address its IRM policymaking, oversight, and functional
responsibilities under the act. Our review was conducted at OMB headquarters
in Washington, D.C., from June through December 2001, in accordance with
generally accepted government auditing standards. Appendix I contains
details of our scope and methodology.

While OIRA designated the Chief Information Officers Council's strategic
plan for fiscal years 2001-2002 as the governmentwide strategic IRM plan
required by the Paperwork Reduction Act, it does not constitute an effective
and comprehensive strategic vision.

* The plan establishes a vision and a number of governmentwide goals that
address significant issues such as e-government, information security, and
development of information technology skills and resources. Each goal has a
set of associated objectives and strategies. The goals, however, are not
linked to expected improvements in agency and program performance. The goals
also do not address IRM comprehensively; for example, statistical
activities, records management, and the collection and control of paperwork
are not addressed.

* In discussing our evaluation, OIRA asserted that while the Chief
Information Officers Council's plan is the primary vehicle for complying
with the planning requirements in PRA, other documents supplement the plan.
These other documents include the President's Management Agenda issued in
August 2001, budget documents for fiscal year 2002, and summaries of agency
reports on paperwork elimination (October 2001) and computer security
(February 2002). Of the documents cited, only the president's management
agenda is strategic in providing a governmentwide goal and associated
strategies for expanding e-government. The remaining documents deal with
various aspects of the government's use of IRM but do not contain
governmentwide goals, strategies, or performance measures, and thus do not
address the weaknesses we identified. Further, this multitude of documents,
issued at different points in time, has not historically been integrated or
linked together to clearly communicate to internal and external stakeholders
a unified strategic vision and accountability measures for government IRM.

* These shortcomings call into question the degree of management attention
that OIRA has traditionally devoted to producing the governmentwide
strategic IRM plan. Without an effective unifying plan, federal agencies are
left to address information needs in isolation, without a comprehensive
vision to unify their efforts. Further, the risk is increased that current
and emerging IRM challenges will not be met. We are making recommendations
to the OIRA administrator on developing an effective and comprehensive plan.

Regarding the status of actions to respond to other key requirements in PRA,
OIRA has issued policy and implementing guidance, conducted oversight
activities, and taken a variety of actions regarding each of the functional
areas. Based on our work over the last decade, however, OIRA still faces
challenges including improving the collection, use, and dissemination of
government information, assuring the protection of critical private and
public information systems, and strengthening information technology
management processes. We have made numerous recommendations in previous
reports to address these challenges, many of which have not yet been
implemented.

In commenting on a draft of this report, the director, OMB, expressed
concern that it (1) narrowly focuses on the finding that a governmentwide
strategic plan must be a single document and reiterated OMB's position that
the documents cited during our review meet the requirements for a
governmentwide strategic IRM plan, and (2) does not incorporate the
importance of the associate director for IT and e-government in providing
direction to agencies on many PRA-related areas. We disagree that our report
narrowly focuses on the strategic plan's being a single document. Our
principal finding was that the documents cited by OMB during our review did
not, separately or collectively, meet the requirements for a governmentwide
strategic IRM plan established by PRA.

Further, while we believe there is value in producing a single plan to
clearly communicate the administration's vision for IRM, we do not believe
that OMB must necessarily produce an entirely new document to accomplish
this. OMB has options for building on past efforts-including the CIO Council
strategic plan, the president's management agenda, and the president's
budget for 2003-to craft a plan that contains a comprehensive strategic
statement of goals and resources.

Regarding the president's budget for 2003, released on February 4, 2002,
after we sent a draft of this report to OMB for comment, it contains many of
the elements required in a strategic plan that were not present in

Background

previous documents cited by OMB and appears to address, in part, the
recommendations in this report. As a result, we believe this document, when
viewed in conjunction with the president's management agenda, represents
credible progress toward developing a governmentwide plan. We intend to
follow up on this and other documents OMB has indicated are forthcoming to
determine the extent to which our recommendations have been implemented.

In regard to the associate director, we acknowledge the role that OMB has
given him to provide strategic direction to agencies and have modified our
recommendations to recognize the importance of the administrator's working
in conjunction with this official in articulating a comprehensive IRM vision
and in developing a governmentwide plan that meets PRA requirements.

The need for strong leadership and a governmentwide strategic view of
information management has long been recognized as critical. Along with
establishing a single policy framework for federal management of information
resources and formalizing the institutionalization of IRM as the approach
governing information activities, the Paperwork Reduction Act (PRA) in 1980
created OIRA to develop IRM policy and oversee its implementation, at the
same time giving it oversight responsibilities in specific IRM functional
areas. The OIRA administrator is also to serve as the principal adviser to
the director of OMB on IRM policy. The Clinger-Cohen Act of 1996 amended PRA
to also give OIRA, through the director, significant leadership
responsibilities in supporting agencies' actions to improve their IT
management practices.

In addition to these statutory responsibilities, OIRA is responsible for
providing overall leadership of executive branch regulatory activities. OIRA
also reviews significant new regulations issued by executive departments and
agencies (other than independent regulatory agencies) before they are
published in the Federal Register. In calendar year 2000, OIRA staff
reviewed approximately 2,900 proposed and 4,500 final rules.

OIRA is organized into five branches: Information Policy and Technology
Management, Statistical Policy, Commerce and Lands, Human Resources and
Housing, and Natural Resources. Information Policy and Technology is
responsible for information dissemination, records management, privacy and
security, and IT. Statistical Policy, headed by the chief statistician, is
responsible for the statistical policy and coordination

requirements contained in the act. Desk officers in Commerce and Lands,
Human Resources and Housing, and Natural Resources are responsible for
information collection and regulatory review and related issues for specific
agencies in a matrixed fashion, in consultation with relevant OIRA branches
as well as the budget side of OMB. As of December 31, 2001, OIRA had a total
of 51 full-time equivalent (FTE) staff assigned to the five branches:
Information Policy and Technology Management (12 FTEs), Statistical Policy
(6), Commerce and Lands (8), Human Resources and Housing (9), and Natural
Resources (9). The OIRA Records Management Center accounted for one
additional position; the Office of the OIRA Administrator accounted for the
remaining six positions. OIRA has been allotted and is in the process of
filling 5 additional slots.

Two other entities perform PRA-related activities. First, the Chief
Information Officers (CIO) Council was established by executive order1 in
July 1996 as the principal interagency forum for improving agency IRM
practices. For example, the Council is to make recommendations for overall
IT management policy, procedures, and standards, and to provide advice to
OMB on the development of the governmentwide strategic IRM plan required by
PRA. The Council is composed of the CIOs and deputy CIOs from 28 federal
agencies, plus senior officials from OMB. Second, last June OMB established
the position of associate director for information technology and
e-government. This individual is responsible for (1) working to further the
administration's goal of using the Internet to create a citizen-centric
government; (2) ensuring that the federal government takes maximum advantage
of technology and best practices to improve quality, effectiveness, and
efficiency; and (3) leading the development and implementation of federal IT
policy. In addition, the associate director is responsible for (1)
overseeing implementation of IT throughout the federal government, (2)
working with the deputy director for management-also described by OMB as the
federal CIO-to perform a variety of oversight functions statutorily assigned
to OMB, and (3) directing the activities of the CIO Council.

We have previously reported on OIRA's efforts to respond to the PRA
requirements for a governmentwide strategic plan.2 In 1998, we reported that
none of the various reports OIRA had designated since 1995 as being

1 Executive Order 13011, Federal Information Technology, July 16, 1996.

2  Regulatory  Management: Implementation  of Selected  OMB Responsibilities
Under the Paperwork Reduction Act (GAO/GGD-98-120, July 9, 1998).

the strategic IRM plan clearly discussed the objectives and means by which
the federal government would use all types of information resources to
improve agency and program performance-a key PRA requirement.

A Broad, Governmentwide Recent events have highlighted information as not
only an asset but a Perspective: More critical tool, essential to achieving
the fundamental purposes of Imperative Than Ever government. In the
aftermath of the attacks of the past few months,

agencies have clearly struggled with issues concerning intelligence
gathering, information sharing and dissemination, security, and critical
information technology infrastructure. For example:

* Our September 2001 combating terrorism report3 highlighted that the
growing threat of terrorism presented evolving challenges to the existing
framework for leadership and coordination. We reported that the interagency
and intergovernmental nature of programs to combat terrorism make it
important that certain overall leadership and coordination functions be
performed above the level of individual agencies. Accordingly, we
recommended that the President appoint a single focal point with
responsibility for overall leadership and coordination, including the
development of a national strategy. The president subsequently appointed
former governor Tom Ridge as the new director of homeland security,
responsible for coordinating federal, state, and local actions and for
leading and overseeing such a comprehensive approach to safeguarding the
nation against terrorism. The successful formulation of such a comprehensive
strategy will require development of one overall plan for the collection and
analysis of information relating to terrorist activities or threats across
the United States, and the securing of IT systems to facilitate the sharing
of this information among the many entities involved.

* That same report also addressed the need to protect critical federal
systems from computer-based attacks. As we reported, while an array of
activities had been undertaken to implement a national strategy to mitigate
risks to computer systems and the critical operations and infrastructures
they support, progress in certain key areas had been slow. Specifically,

3 Combating Terrorism: Selected Challenges and Related Recommendations
(GAO-01-822, September 20, 2001). See also Homeland Security: A Framework
for Addressing the Nation's Efforts (GAO-01-1158T, September 21, 2001) and
Combating Terrorism: Comments on Counterterrorism Leadership and National
Strategy (GAO-01-556T, March 27, 2001).

agencies had taken steps to develop critical infrastructure protection
plans, but independent audits continue to identify persistent, significant
information security weaknesses that place federal operations at risk.
Further, while outreach efforts by numerous federal entities to establish
cooperative relationships with and among private and other nonfederal
organizations had raised awareness and prompted information sharing,
substantive analysis of sector-wide and cross-sector interdependencies and
vulnerabilities had been limited. We recommended that the federal
government's critical infrastructure protection strategy, which was under
review at the time of our report, define (1) specific roles and
responsibilities, (2) objectives, milestones, and an action plan, and (3)
performance measures.

* The recent attacks have also highlighted the need for immigration, law
enforcement, intelligence, and defense and foreign policy agencies to better
share information on domestic and international terrorists and criminals.
Concerns have been raised that the various databases and information systems
containing this information may not be sufficiently linked to ensure that
all levels of government have complete and accurate information.

* Recent events have also reemphasized the importance of ongoing efforts to
improve the public health infrastructure that detects disease outbreaks,
identifies sources and modes of transmission, and performs laboratory
identification. According to the Centers for Disease Control and Prevention
(CDC), the ability to share information on potential threats and remedial
actions, and exchange data on newly identified disease outbreaks, is
critical to our defense against bioterrorism. However, we, CDC, and others
have identified deficiencies in the information systems and
telecommunications capabilities at the local, state, and national levels
that hinder effective bioterrorism identification and response. For example,
in March 2001, CDC recommended that all health departments have continuous,
high-speed access to the Internet and standards for data collection,
transport, electronic reporting, and information exchange that protect
privacy and seamlessly connect local, state, and federal data systems. In
recent testimony, CDC emphasized that since September 11 it has accelerated
its efforts to work with state and local health agencies, share critical
lessons learned, and identify priority areas for immediate strengthening.4

4 Prepared statement by Edward L. Baker, M.D., M.P.H.; Director, Public
Health Practice Program, Office Centers for Disease Control and Prevention,
Department of Health and Human Services, before the Subcommittee on
Technology and Procurement Policy, Senate Committee on Government Reform,
December 14, 2001.

Beyond the recent terrorist acts, emerging trends also make clear the
importance of information resources to government, and the need for a
strategic approach. One such trend is the continuing shift from an
industrial to a knowledge-based5 and global economy6 in which knowledge
becomes the main driver of value and creation of wealth. One characteristic
of a knowledge-based economy is a higher set of public expectations about
government performance and accountability. In addition, the knowledge-based
economy presents complex issues that require input from multiple
institutions at different levels of government and within the private and
nonprofit sectors. To address these challenges, government needs processes
and structures that embrace long-term, cross-issue, strategic thinking.
Understanding and developing these new processes will require active use and
exchange of knowledge and information that are relevant, timely, accurate,
valid, reliable, and accessible.

The administration has also recognized the need to improve government
performance and, as a result, has established an ambitious agenda that is
dependent on effective management of information resources. One of the
governmentwide goals in The President's Management Agenda for Fiscal Year
2002 is to expand e-government to provide high-quality service to citizens
at reduced cost, make government services more accessible, and increase
government transparency and accountability. To accomplish this, the
administration plans to support projects that offer performance gains across
agency boundaries, such as the development of a Web-based portal that will
allow citizens to apply for federal grants on-line. Making this strategy
successful will require the government to address such challenges as
implementing appropriate security controls, protecting personal privacy, and
maintaining electronic records.

5 A knowledge-based economy is one characterized by the production of
information and services in which intellectual assets are the central
resource.

6 See Managing in the New Millennium: Shaping a More Efficient and Effective
Government for the 21st Century (GAO/T-OCG-00-9, March 29, 2000).

A Coordinated Federal IRM Plan Is Essential to Achieving Results; OIRA's
Plan Falls Short

Given the changing environment in which the need for a performance-based
federal approach to managing the government's information resources is of
paramount importance, strategic planning provides an essential foundation.
It defines what an organization seeks to accomplish, identifies the
strategies it will use to achieve desired results, and then
determines-through measurement-how well it is succeeding in reaching
results-oriented goals and achieving objectives. An important element of a
strategic plan is that it presents an integrated system of high-level
decisions that are reached through a formal, visible process. The plan is
thus an effective tool with which to communicate the mission and direction
to stakeholders.

However, the CIO Council plan that was prepared to respond to the
requirements of the PRA is not an effective and comprehensive governmentwide
plan. Specifically, the plan's governmentwide goals (1) are not linked to
expected improvements in agency and program performance and (2) do not
comprehensively address IRM. In addition, strategies for reaching the goals
are incomplete. Additional documents that OIRA cited as supplementing the
CIO plan do not address the weaknesses we identified. As a result, agencies
are left to address information needs in isolation without a comprehensive
vision to unify their efforts. Further, the risk is increased that current
and emerging IRM challenges will not be met.

A Strategic Governmentwide IRM Plan Is Required

Over the past 20 years, the Congress has put in place a statutory framework
to improve the performance and accountability of executive agencies and to
enhance executive branch and congressional decisionmaking. Results-oriented
management legislation, coupled with legislation reforming IT, has enabled
substantial progress in establishing the basic infrastructure needed to
create high-performing federal organizations.

PRA requires OIRA to develop and maintain a governmentwide strategic IRM
plan to describe how the federal government will apply information resources
to improve agency and program performance. Specifically, this strategic plan
was intended to provide a comprehensive vision for the future of IRM in
government, and would establish governmentwide goals for using information
resources to improve agency and program performance, and describe the
strategies, including resources needed, to accomplish these goals.

PRA further stipulates that the strategic IRM plan must include (1) plans
for enhancing public access to and dissemination of information using
electronic and other formats; (2) plans for meeting the information
technology needs of the government; (3) plans for reducing information
burdens and meeting shared data needs with shared resources; and (4) a
description of progress in applying IRM to improving agency mission
performance. The plan is also to be developed in consultation with the
archivist of the United States, the administrator of general services, the
director of the National Institute of Standards and Technology, and the
director of the Office of Personnel Management.

The CIO Council's Strategic Plan Has Been Designated the Governmentwide Plan

Since 1998, OIRA's response to the PRA mandate for a strategic plan has been
to jointly publish a strategic plan with the CIO Council. The most recent
plan, the CIO Council Strategic Plan for Fiscal Years 2001-2002, was issued
in October 2000. The development of this plan was the result of extensive
discussion, both internally with agency CIOs and with some external
stakeholders, such as state and IT industry CIOs.

The CIO Council plan articulates a vision that was used to guide the plan's
goals and objectives: Better government through better use of information,
people, processes, and technology. The plan reflects the Council's view of
critical, cross-cutting IT issues that are affecting the federal
government's ability to serve its citizens. It also provides background and
rationale for the issues, and a brief description of the Council's past
accomplishments in each area. For fiscal years 2001-2002, the Council
identified six themes that frame the specific goals that accompany them.
These goals are as follows:

* Connect all citizens to the products, services, and information of their
government.

* Develop interoperable and innovative governmentwide IT initiatives.

* Implement a secure and reliable information infrastructure that the
customer can access and trust.

* Develop IT skills and resources to meet mission objectives.

* Collaborate between the public and private sectors to achieve better
government.

* Develop investment management policies, practices, and tools that enable
improved delivery of government programs and services.

Each goal has a set of associated objectives or major actions needed. A
total of 88 detailed initiatives are provided, representing specific,
concrete actions that the Council can take to implement its objectives.

The CIO Council Strategic Plan Does Not Meet Most PRA Requirements

While a robust document for the Council, this plan does not constitute an
effective governmentwide strategic IRM plan under PRA. First, although the
plan establishes a number of goals that are clearly governmentwide in
nature, these goals are not linked to expected improvements in agency and
program performance. For example, the plan contains a governmentwide goal of
interoperable and innovative IT initiatives; however, the plan does not
discuss how these initiatives will improve agency performance or establish
targets for improvement. Further, the plan's goals do not address IRM
comprehensively; for example, statistical activities, records management,
and the collection and control of paperwork are not addressed.

Second, while the plan contains strategies for reaching the goals, these
strategies are incomplete. Specifically, the plan does not address, even at
a high level, OIRA's policymaking and oversight role in helping to attain
those goals. Further, the plan does not discuss the resources needed
governmentwide-by OIRA, the CIO Council, and federal agencies-to achieve its
goals.

Finally, the plan addresses some but not all of the remaining items
highlighted in PRA. Specifically:

* The plan does address enhancing public access to and dissemination of
information. The first goal-connecting all citizens to the products,
services, and information of their government-is focused on making
government information accessible and facilitating transactions with
citizens. Strategies to accomplish this goal included developing the
FirstGov.gov portal for government services.7

* The plan includes a discussion of meeting the IT needs of the government.
Specifically, goal six focuses on IT investment management practices and
tools to improve delivery of government services and programs. Strategies
include improving the quality of data used to support investment
decisionmaking, information technology acquisition strategies, and IT
performance measurement.

* It does not address reducing the information burden to the public. While
it includes goals and strategies that may ultimately result in burden
reduction-such as creating interoperable and innovative governmentwide
initiatives-they are not linked to burden reduction. The plan also does

7 FirstGov.gov is a Web site that is intended to serve as a portal to all of
the federal government's publicly available, on-line information services.

not include a discussion of meeting shared data needs with shared resources,
as required by the act.

* Notably lacking in the plan is any description of progress already made in
applying IRM principles to improving agency performance and mission
accomplishment. Further, the plan's performance measures are not geared
toward providing the required information on progress. These measures are
solely focused on gauging Council progress in meeting the goals, rather than
on progress in improving agency and program performance.

In regard to the consultations required by PRA, representatives of key
agencies currently sit on the Council and, thus, participated in the
development of the plan, according to OIRA and CIO Council officials. OMB
officials also indicated that by conducting meetings with these agencies,
and through other guidance and review activities, the strategic viewpoint of
these senior officials was captured.

In discussing our views of the CIO Council plan, OMB officials responded
that while the CIO Council plan is OIRA's primary means of complying with
the strategic planning requirements under PRA, OMB produces a range of other
documents that also contain elements of the governmentwide plan. It is this
collection of documents, as a whole, that constitutes the governmentwide
strategic IRM plan under PRA. According to OMB officials, these additional
documents are as follows:

* Government Information Security Reform Act. Under this act, agencies are
required to report to OMB annually on independent evaluations of their
information security programs. OMB is then required to summarize these
reports; OMB officials said that this summary provides strategic direction
for the security area. Agencies reported to OMB in September 2001; OMB
issued the governmentwide summary on February 13, 2002.

* Budget Information. OMB officials cited two budget documents that provide
governmentwide strategic direction. According to these officials, Table 22-1
in the budget sets strategic direction for IT and e-government and discusses
agency performance. In addition, these officials stated that the exhibit
53s, submitted by agencies as part of the budget process, provide specific
performance information on planned spending for major and significant
information systems. In addition, the chief statistician cited the annual
OMB report, Statistical Programs of the United States Government, which
describes proposed funding and priority activities for federal statistics.

* Plans Under the Government Paperwork Elimination Act. Under this act,
agencies are required to report to OMB on their plans for providing

the public with the option of submitting, maintaining, and disclosing
required information electronically, instead of on paper. OIRA has
summarized these plans in a database which, according to OIRA, provides part
of the strategic direction for IRM. In September 2001,8 we reported on the
status of agency implementation of the act. We found that although agency
implementation plans submitted in October 2000 included much potentially
useful information, many omissions and inconsistencies were evident. In
addition, we noted that the plans did not provide sufficient information
regarding agencies' strategic actions that could minimize the risk of not
meeting the deadline for providing electronic options. We concluded that
given these shortcomings, OMB would be challenged in its oversight role of
ensuring that agencies comply with the act. In commenting on this report,
OMB officials noted that in October 2001, they collected additional
information from agencies to address these issues; we did not review this
additional information.

* The Information Collection Budget. Each year, OIRA publishes an
Information Collection Budget by gathering data from executive branch
agencies on the total number of burden hours9 OIRA approved for collection
of information at the end of the fiscal year, and agency estimates of the
burden for the coming fiscal year. This document includes a governmentwide
goal for burden reduction and reports the reasons for any increasing burden.
It also highlights agency efforts to streamline and reduce information
collections from the public for the upcoming fiscal year.

* The National Archives and Records Administration (NARA) Strategic Plan.
OMB officials stated that this plan provides a strategy for how NARA plans
to fulfill its mission and that agency records managers regard this plan as
providing strategic direction for their own activities.

* The President's Management Agenda. Again, according to OMB officials, the
e-government goal contained in the president's management agenda provides a
strategic vision for expanding the use of e-government. According to OMB
officials, this will soon be supplemented by a report specifically on the
e-government initiative, which will further address strategic direction for
e-government.

8 Electronic Government: Better Information Needed on Agencies'
Implementation of the Government Paperwork Elimination Act (GAO-01-1100,
September 28, 2001).

9 "Burden hours" are the principal units of measure of paperwork burden.
Burden hours are generally calculated as a function of estimates of (1) the
amount of time it will take an individual to collect and provide information
and (2) the number of individuals an information collection affects.

These documents-whether viewed individually or in total-do not address the
weaknesses we have identified. Of these documents, one report stands out as
governmentwide and strategic-the president's management agenda, which
articulates the goal of expanding e-government as well as strategies for
accomplishing that goal. Although this agenda adds additional perspective on
the administration's strategic direction for certain aspects of IRM, it is
not broad enough to compensate for the weaknesses in the CIO Council plan.
In addition, the current NARA strategic plan for fiscal years 1997-2007
includes no governmentwide goals and strategies for records management.
Rather, NARA's articulated goals and strategies focus on the mission of the
agency: providing ready access to information that documents citizens'
rights, officials' actions, and the national experience. The remaining
documents deal with various aspects of the government's use of information
resources, but are not strategic or focused on the future, and do not
provide goals, strategies, and performance measures.

Further, the multitude of documents-issued at different points in time- that
OIRA indicated comprise the governmentwide plan are neither integrated nor
formalized in any way. Nor is there any published tool to identify and
locate these documents, should agencies, the Congress, or other stakeholders
want to view the plan in its totality. As a result, these documents do not
clearly communicate the strategic IRM vision of the government.

The shortcomings we have identified in the current plan indicate that OIRA
has not devoted sufficient attention to producing an effective
governmentwide strategic IRM plan. As a result, agencies are left to address
information needs in isolation without a comprehensive vision to unify their
efforts. Further, the risk is increased that investments in IT will not be
leveraged across the government; that duplicative initiatives will be
undertaken; that opportunities for data sharing and public access will be
missed; that privacy will be compromised; and that the security of
information, information systems, and critical infrastructure will be
jeopardized. Without OIRA leadership, top-level management commitment, and
the application of appropriate resources to ensure the development of a
comprehensive and meaningful plan, the mounting challenges that the
government faces in managing information may not be met.

OIRA Has Responded to PRA Policy, Oversight, and Functional Responsibilities

While the CIO Council's strategic plan does not effectively serve as the
governmentwide vehicle envisioned under PRA, OIRA is responding to other PRA
policymaking, oversight, and functional requirements. OIRA officials see
themselves as having provided leadership in IRM, and point to the successful
resolution of the Year 2000 problem as among OMB's greatest accomplishments
over the last 5 years. They also cite the establishment of FirstGov.gov as a
major accomplishment. We agree that these are significant. In fact, our work
on the Year 2000 issue specifically acknowledged the important role that OMB
played in leading, coordinating, and monitoring federal activity.10 And in
2000 we testified that FirstGov.gov represented an important, previously
unavailable capability that was rapidly and successfully put into place.11

Regarding the development of general IRM policy, OIRA officials said that
they see policymaking as a primary responsibility. OIRA most recently
updated Circular A-130, Management of Federal Information Resources in
November 2000 to incorporate changes resulting from the Clinger-Cohen Act of
1996 and subsequent policies outlined in OMB Circular A-11. This version of
Circular A-130 specifically incorporates the requirements that agencies
focus IRM planning to support their strategic missions, implement a capital
planning and investment control process that links to budget formulation and
execution, and rethink and restructure their business processes before
investing in information technology.

In terms of oversight, according to OIRA officials, they leverage existing
statutory processes, including reviews of the budget, proposed agency
information collections, regulations, legislation, and systems of records12
under the Privacy Act to oversee agency IRM activities. Additionally, they
noted that they work with agency CIOs through the budget process, Government
Performance and Results Act reporting, and information-collection reviews to
further policy oversight. OIRA officials also emphasized their work with the
CIO Council and other interagency groups as a means of overseeing agency
activities. They stressed that OMB is not

10 Year 2000 Computing Challenge: Lessons Learned Can Be Applied to Other
Management Challenges (GAO/AIMD-00-290, September 12, 2000).

11 Electronic Government: Opportunities and Challenges Facing the FirstGov
Web Gateway (GAO-01-87T, October 2, 2000).

12 Under the Privacy Act of 1974, any group of records under the control of
an agency from which information is retrieved by the name of the individual
or by some identifying number, symbol, or other identifying particular
assigned to the individual.

an audit organization, and that A-130 requires agencies to monitor their own
compliance with IRM policies, procedures, and guidance.

OIRA has also taken action to respond to the specific IRM functional
responsibilities in PRA: information collection, dissemination, statistical
policy and coordination, records management, privacy and security, and IT.
Since 1995, OMB has issued guidance in each of these areas including on such
topics as Internet privacy, dissemination, and information technology. In
addition, it has responded to specific requirements by reviewing and
approving proposed agency information collections, appointing a chief
statistician to coordinate statistical activities, seeking statutory
authority to expand data sharing among statistical agencies, and working
with the CIO Council to improve IT management. The full range of these
actions are recounted in appendix II.

Our past work demonstrates, however, that OIRA faces continuing and new
challenges in each of these areas. For example:

* Information Collection/Burden Reduction. Over the past 3 years, we have
reported that federal paperwork has continued to increase. For example, in
April 2001, we reported that paperwork had increased by nearly 180 million
burden hours during fiscal year 2000-the second largest 1-year increase
since the act was passed.13 This increase was largely attributable to the
Internal Revenue Service, which raised its paperwork estimate by about 240
million burden hours. We also reported that PRA violations-in which
information-collection authorizations from OMB had expired or were otherwise
inconsistent with the act's provisions-had declined from 710 to 487, but
were still a serious problem. We concluded that while OIRA had taken some
steps to limit violations, more needed to be done, including taking steps to
work with the budget side of OMB to bring agencies into compliance.14 In
commenting on this report, OMB officials noted that in November 2001, the
OIRA administrator and OMB general counsel sent a memorandum to agencies
stressing the importance of having agencies eliminate existing violations
and prevent new ones.

13 Paperwork Reduction Act: Burden Estimates Continue to Increase
(GAO-01-648T, April 24, 2001).

14 Paperwork Reduction Act: Burden Increases at IRS and Other Agencies
(GAO/T-GGD-00-114, April 12, 2000) and Paperwork Reduction Act: Burden
Increases and Unauthorized Information Collections (GAO/T-GGD-99-78, April
15, 1999).

* Information Dissemination. Two recent reports underscored the evolving
nature of information dissemination issues and the challenges that the
government faces in moving toward increased electronic dissemination of
information. One on the National Technical Information Service (NTIS)-a
repository for scientific and technical information- stated that rising
demand for electronic products, coupled with increasing availability of this
information on the Internet, raised fundamental issues about how the
information should be collected, stored, and disseminated-and specifically,
about the future of NTIS itself.15 Specifically, we raised policy questions
concerning whether a central repository was still needed and if so, how it
should be structured. In addition, our report on the Government Printing
Office-which prints and disseminates publications for all three branches of
government- concluded that while electronic dissemination of government
publications provided an attractive alternative to paper, a number of
challenges would need to be overcome if the government were to increase
electronic dissemination. These challenges included ensuring permanence,
equitable access, and authenticity of documents in an electronic
environment.16

* Statistical Policy. In March 1998, in testimony on a reorganization
proposal involving part of the federal statistical system, we summarized our
past work in this area.17 We concluded that the inability of agencies to
share data is one of the most significant issues facing the statistical
system, and one of the major factors affecting the quality of data, the
efficiency of the system, and the amount of burden placed on those who
provide information to the agencies.18

* Records Management. Last July we testified that the management of
electronic records was a substantial challenge facing the government and the
National Archives and Records Administration in implementing the Government
Paperwork Elimination Act and in moving toward e-

15 Information Management: Dissemination of Technical Reports (GAO-01-490,
May 18, 2001).

16 Information Management: Electronic Dissemination of Government
Publications (GAO-01-428, March 30, 2001).

17 Statistical Agencies: Proposed Consolidation and Data Sharing Legislation
(GAO/T-GGD-98-91, March 26, 1998).

18 See also Record Linkage and Privacy: Issues in Creating New Federal
Research and Statistical Information (GAO-01-126SP. April 2001), which
discusses the benefits from and the privacy issues raised by record
linkages-combining multiple sources of existing data-conducted for research
and statistical purposes.

government.19 We underscored the need for strong, central leadership to
overcome this challenge.

* Privacy. In September 2000, we reported that most Web sites we reviewed
had posted privacy policies but had not consistently posted policies on
pages we identified as collecting substantial amounts of personal
information. We concluded that OMB's guidance was unclear in several
respects, and contained undefined language.20 And last April we reported on
agency use of Internet "cookies"21 and concluded that OMB's guidance left
agencies to implement fragmented directives contained in multiple documents.
Further, the guidance itself was not clear on the disclosure requirements
for a certain type of cookie.22

* Information Technology. In last January's Performance and Accountability
Series of reports, we identified information technology management-including
improving the collection, use, and dissemination of government information;
strengthening computer security; and strengthening IT management
processes-as a major management challenge facing the federal government.23
We pointed out that the momentum generated by the government's response to
the Year 2000 change should not be lost, and that the lessons learned should
be considered in addressing other pressing challenges. The report further
reemphasized the need for sustained and focused central leadership, and
particularly for a federal chief information officer to provide strong focus
and attention to the full range of IRM and IT issues.

* Information Security. Since 1997, we have designated information security
as a high-risk area because growing evidence indicated that controls over
computerized federal operations were not effective and related risks were
escalating, in part due to increasing reliance on the Internet. 24 While
many actions have been taken, current activity is not

19 Electronic Government: Challenges Must Be Addressed With Effective
Leadership and Management (GAO-01-959T, July 11, 2001).

20 Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy
(GAO/GGD-00-191, September 5, 2000).

21 Text files that have unique identifiers associated with them and are used
to store and retrieve information that allows Web sites to recognize
returning users, track on-line purchases, or maintain and serve customized
Web pages.

22 Internet Privacy: Implementation of Federal Guidance for Agency Use of
"Cookies" (GAO-01-424, April 27, 2001).

23 Major Management Challenges and Program Risks: A Governmentwide
Perspective (GAO-01-241, January 2001).

24 High-Risk Series: An Update (GAO-01-263, January 2001).

keeping pace with the growing threat. In recent testimony, 25 we reported
that our most recent analyses of audit reports published from July 2000
through September 2001, continued to show significant weaknesses at each of
the 24 agencies included in our review. Consequently, critical operations,
assets, and sensitive information gathered from the public and other sources
continued to be vulnerable to disruption, data tampering, fraud, and
inappropriate disclosure. While recognizing that the administration had
taken a number of positive steps to protect critical public and private
information systems, we concluded that the government still faced a
challenge in ensuring that risks from cyber threats are appropriately
addressed in the context of the broader array of risks to the nation's
welfare. Further, we recommended that the federal government's strategy for
protecting these systems define (1) specific roles and responsibilities, (2)
objectives, milestones, and an action plan, and (3) performance measures.

Over the years, we have made numerous recommendations to both OMB and the
agencies on IRM matters. While actions have been taken to respond to our
recommendations, more needs to be done. Some of the more significant
recommendations involving OIRA that have not yet been implemented include
the following:

* In 1996, in reporting on Clinger-Cohen Act implementation, we recommended
that OMB identify the type and amount of skills required for OMB to execute
IT portfolio analyses; determine the degree to which these needs are
currently satisfied; specify the gap; and design and implement a plan to
close the gap.26 Although OIRA officials said they are examining their
staffing needs, no systematic review has been conducted to date.

* In the same 1996 report, we recommended that OMB evaluate information
system project cost, benefit, and risk data when analyzing the results of
agency IT investments. Such analyses should produce agency track records
that clearly and definitively show what improvements in mission performance
have been achieved for the IT dollars expended. Although OMB has provided
anecdotal evidence of expected and actual mission performance improvements
for some major systems projects, it is not

25 Computer Security: Improvements Needed to Reduce Risk to Critical Federal
Operations and Assets (GAO-02-231T, November 9, 2001).

26  Information  Technology  Investment: Agencies  Can Improve  Performance,
Reduce Costs, and Minimize Risks (GAO/AIMD-96-64, September 30, 1996).

Conclusions

clear that OMB has constructed or plans to construct systematic agency track
records.

* In 1998, in a report on OIRA's implementation of PRA, we recommended that
OMB ensure that its annual performance plan and program reports to the
Congress under the Government Performance and Results Act identify specific
strategies, resources, and performance measures that it will use to address
OIRA's PRA responsibilities.27 OMB has not acted on this recommendation.

* In 2000, in a report on Internet privacy, we recommended that OMB (1)
consider how best to help agencies better ensure that individuals are
provided clear and adequate notice about how their personal information is
treated when they visit federal Web sites, and (2) determine whether current
oversight strategies are adequate.28 In addition, in reporting on federal
agency use of Internet cookies, we recommended that OMB unify its guidance
on Web site privacy policies and clarify the resulting guidance to provide
comprehensive direction on the use of cookies by federal agencies on their
Web sites.29 Although OIRA officials said that they plan to launch a privacy
initiative to address these recommendations, no action has been taken to
date.

Current and emerging challenges-including the events of September 11 and the
subsequent anthrax attacks-emphasize the importance of the integrated
approach that IRM embodies and the need for a strategic plan to guide the
government's management of its increasingly valuable information resources.
However, OIRA has not established an effective governmentwide strategic IRM
plan to accomplish this. Given the magnitude of the changes that have
occurred since the CIO Council plan was published in October 2000, OIRA has
both an obligation and an opportunity to lead the development of a unified
governmentwide plan that

* communicates a clear and comprehensive vision for how the government will
use information resources to improve agency performance,

27 Regulatory Management: Implementation of Selected OMB Responsibilities
Under the Paperwork Reduction Act (GAO/GGD-98-120, July 9, 1998).

28 GAO/GGD-00-191, September 5, 2000.

29 GAO-01-424, April 27, 2001.

* is responsive to  the current external environment including the impact of
recent terrorist attacks and other trends,

*  recognizes  the  resources  including  human capital  needed  to  achieve
governmentwide IRM goals, and

* reflects consultation with all stakeholders-including the Office of

Homeland Security, entities involved in information security and critical
infrastructure protection, and the officials identified in the act-who are
critical to meeting IRM challenges and the goals the administration has
established in its management agenda.

The shortcomings we identified in the CIO Council plan call into question
the degree of management attention that OIRA has devoted thus far to
producing the governmentwide plan. Without such a plan, OIRA and the
agencies lack a unifying governmentwide vision for how investments in and
use of information resources will facilitate the current and emerging agenda
of the federal government. Further, the risk is increased that investments
in IT will not be leveraged across the government; that duplicative
initiatives will be undertaken; that opportunities for data sharing and
public access will be missed; that privacy will be compromised; and that the
security of information, information systems, and critical infrastructure
will be jeopardized. Without OIRA leadership, top-level management
commitment, and the application of appropriate resources to ensure the
development of a comprehensive and meaningful plan, the mounting challenges
that the government faces in managing information may not be met.

While OIRA has not yet established an effective governmentwide IRM plan, it
has taken action to respond to other PRA policymaking, oversight, and
functional requirements. Nevertheless, OIRA faces challenges in managing
critical information resources and many of the recommendations we have made
over the years have not yet been implemented.

In order to address the current and emerging challenges that the government
faces in managing information resources and take advantage of opportunities
for improvement, we recommend that the administrator, OIRA, develop and
implement a governmentwide strategic IRM plan that articulates a
comprehensive federal vision and plan for all aspects of government
information. In addition, recognizing the new emphasis that OMB has placed
on e-government, it will be important that the administrator work in
conjunction with the associate director for

Recommendations

technology and e-government in developing this plan. In particular, the
following actions should be taken:

* Consistent with the Paperwork Reduction Act, establish governmentwide
goals for IRM that are linked to improvements in agency and program
performance, identify strategies for achieving the goals that clearly define
the roles of OIRA and agencies, and develop performance measures to assess
progress in using IRM to improve agency and program performance.

* Assess the external environment and emerging future challenges and trends,
including the recent terrorist attacks, and their impact on the government's
collection, use, maintenance, and dissemination of information.

* As part of an assessment of the government's internal environment,
determine the resources, including human capital, needed to meet
governmentwide IRM goals. This should include an assessment of OIRA's human
capital capability, including the numbers of staff and types of skills
needed, to conduct this strategic planning process and lead governmentwide
implementation of the resulting plan. Based on this assessment, the
administrator, OIRA, should seek to fill any gaps identified.

* Seek involvement in the planning processes from the CIO Council, the

Agency Comments
and Our Evaluation

Office of Homeland Security, entities involved in information security and
critical infrastructure protection, federal agencies, private-sector
organizations, state and local governments, and other relevant stakeholders
in meeting the government's needs for a strong and unified information
management vision.

In written comments on a draft of this report, which are reprinted in
appendix III, the director, OMB, recognized that our report had significant
implications for agency PRA implementation but expressed several concerns
with its contents. First, he expressed concern that the report narrowly
focuses on the finding that a governmentwide strategic plan must be a single
document. He reiterated OMB's position that the documents they cited during
our review-the CIO Council Strategic Plan, the information collection
budget, the president's management agenda, and others-and the president's
budget for 2003, which was released after our draft report was sent for
comment-in total meet the requirements for a governmentwide strategic IRM
plan and provide adequate strategic direction to agencies. Second, the
director expressed concern that the report does not incorporate the role of
the associate director for information technology and e-government into its
findings or analysis.

The director stated that, in leading implementation of the e-government
strategy outlined in the president's management agenda, the associate
director provides strategic direction to agencies for many of the functions
in PRA, including information security, privacy, e-government, IT spending,
enterprise architecture, and capital planning, and leads the work of OIRA
and other OMB offices to improve agency performance on these issues. Lastly,
the director stated that the report does not analyze the impact of OMB's
policies and practices-established in response to the requirements of PRA
and other IRM statutes-on agency performance. He further stated that such an
analysis would demonstrate that the president's e-government initiative and
other actions are highly effective in carrying out the purposes of PRA.

We disagree with the director's statement that our report narrowly focuses
on the requirement for a strategic plan to be a single document. We
performed a rigorous analysis of the documents cited by OMB during our
review and compared their contents against the requirements of the PRA. Our
primary finding was that these documents do not, separately or collectively,
meet the requirements for a governmentwide plan. As discussed in our report,
we acknowledge the strategic elements of the CIO Council plan and the
president's management agenda but found that these documents do not
comprehensively cover IRM issues and are missing other key elements of a
strategic IRM plan. The remaining documents cited by OMB are not strategic
or focused on the future, and do not provide goals, strategies, and
performance measures. Further, we think there is value in crafting a single
plan-not only because it is required by PRA but also because it would
provide a vehicle for clearly communicating an integrated strategic IRM
vision to agencies, the Congress, and the public. However, contrary to what
OMB's letter implies, we do not believe that OMB must necessarily produce an
entirely new document to accomplish this. OMB has options for building on
past efforts-including the CIO council strategic plan, the president's
management agenda, and the president's budget for 2003-to develop a plan
that contains a comprehensive strategic statement of goals and resources.

Regarding the budget for 2003-released after our draft report was sent for
comment-this document identifies e-government and IT management reform as
administration priorities. Specifically, it contains (1) a description of IT
management issues including duplicative IT investments and the failure of IT
investments to significantly improve agency performance, (2) additional
information on the administration's e-government goals and strategies and
high-level descriptions of specific e-

government initiatives, (3) descriptions of agency progress in developing
capital planning and investment control processes, enterprise architectures,
and business cases for IT projects, and in implementing e-government, and
(4) identifies process improvement milestones for calendar year 2002.

The budget also contains a scorecard used to grade agency progress in the
five governmentwide initiatives-including e-government-described in the
president's management agenda. In addition, for major IT investments, the
budget identifies total investments for 2001 through 2003, links each
investment to the agency's strategic goals, and provides performance goals
and measures for these projects. The budget also contains a discussion on
strengthening federal statistics and identifies four programs supported by
the budget that are intended to address shortcomings in the statistical
infrastructure.

Our preliminary analysis indicates that this budget contains many of the
elements required in a strategic plan that were not present in previous
documents cited by OMB and, when viewed in conjunction with the president's
management agenda, represents credible progress toward developing a
governmentwide plan. Specifically, it includes a discussion- within the
context of e-government-of how the government will use information resources
to improve agency performance, and identifies goals and strategies. It also
discusses other required elements, including (1) enhancing public access to
and dissemination of information and (2) meeting the IT needs of the
government, and cites the need to reduce reporting burden on businesses and
share data among federal agencies. Further, it provides the status of
agency-by-agency progress in establishing IT management processes and
implementing e-government and the scorecard provides a means of measuring
agency progress. The discussion also links improving information sharing
among levels of government to providing for homeland security.

However, some of the areas that the budget does not appear to address
include (1) the role of OIRA and the CIO Council in implementing the
government's strategies, (2) an assessment of the long-term resources
(beyond fiscal year 2003)-including human capital-needed to meet the goals,
and (3) how key stakeholders were involved in developing these plans.
Nevertheless, based on a preliminary review of this document, it appears to
address, in part, the recommendations in this report. We intend to follow up
on this and other documents that OMB has indicated are forthcoming to
determine the extent to which our recommendations are fully addressed.

We acknowledge the role that OMB has given to the associate director to
provide strategic direction to agencies and we support additional efforts to
focus attention on IRM matters, especially given the magnitude of the
government's challenges. However, we believe that a governmentwide strategic
IRM plan is nonetheless needed to communicate an integrated IRM vision to
the Congress and other key stakeholders, as well as federal agencies. As a
result, we have modified our recommendations to recognize the importance of
the administrator's working in conjunction with the associate director to
articulate a comprehensive IRM vision and develop a governmentwide plan that
meets PRA requirements.

Finally, we acknowledge that we did not assess the impact of OIRA's
policymaking and oversight efforts-performed in response to the requirements
of the PRA and other IRM legislation-on agency performance. However, our
past work, referenced in this report, provides ample evidence of agency
performance problems in such areas as IT management, security, privacy, and
data sharing and confirms that OMB faces significant and continuing
challenges in these area. Further, as discussed in our report, our past work
led to our identifying information security as a governmentwide high-risk
area and IT management as a major management challenge. In fact, OMB
identifies some of these same performance problems in its budget for 2003
and in its related assessments of agency progress in expanding e-government.
In addition, we note that the president's e-government initiative is clearly
in its early stages; any efforts to evaluate its impact on agency
performance at this time would be premature.

The deputy administrator, OIRA, and other officials also separately provided
oral technical comments, which we have incorporated as appropriate.

As agreed with your office, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from the
date of this letter. At that time, we will provide copies to the ranking
minority member, Senate Committee on Governmental Affairs; the chairman and
ranking minority member, House Committee on Government Reform; and the
director, Office of Management and Budget. Copies will also be available on
our Web site at www.gao.gov.

If you have any questions, please contact me at (202) 512-6240 or Patricia
D. Fletcher, assistant director, at (202) 512-4071. We can also be reached
by e-mail at [email protected] and [email protected], respectively. Key
contributors to this report were Michael P. Fruitman, Ona M. Noble,
Robert P. Parker, Colleen M. Phillips, and David F. Plocher.

Sincerely yours,

Linda D. Koontz
Director, Information Management Issues

                      Appendix I: Scope and Methodology

To evaluate the adequacy of OIRA's strategic planning efforts, we performed
a content analysis of the Federal Chief Information Officers (CIO) Council
Strategic Plan for fiscal years 2001-2002-which OIRA officials identified as
the governmentwide IRM plan-and compared it with specific PRA requirements
(S 3505 A). We also interviewed OIRA and CIO Council officials to obtain
information on the plan's preparation. We reviewed our prior reports for
information on evaluations and recommendations made for previous OIRA
governmentwide strategic IRM plans. Further, to understand the challenges
the government faces in managing information in today's environment, we
reviewed our more recent reports on terrorism, bioterrorism, and homeland
security issues. In addition, we reviewed The President's Management Agenda
for Fiscal Year 2002.

We also reviewed additional documents that, according to OIRA, also comprise
the governmentwide IRM plan. These included the 1997-2007 Strategic Plan of
the National Archives and Records Administration, OMB's Information
Collection Budget, the exhibit 53s and table 22-1 in the president's budget
for fiscal year 2002, and OMB's Statistical Programs of the United States
Government. We also reviewed OMB memoranda to agencies entitled Procedures
and Guidance on Implementing the Government Paperwork Elimination Act (April
25, 2000), Guidance for Preparing and Submitting Security Plans of Action
and Milestones (October 17, 2001), and Implementation of the President's
Management Agenda and Presentation of the Fiscal Year 2003 Budget Request

(October 30, 2001). Finally, we reviewed the president's budget for fiscal
year 2003 after it was released on February 4, 2002.

To determine OIRA actions to respond to specific IRM functional
requirements, we reviewed OMB circulars, bulletins, memoranda, and other
documents. In addition, we interviewed OIRA officials responsible for each
of the functional areas. We reviewed our prior work on this subject, and
assessed OIRA's status regarding outstanding recommendations. We focused
primarily on actions taken by OIRA since 1995, the date of the most recent
PRA amendments. However, we did not assess the adequacy of OIRA's actions to
respond to these requirements.

Appendix II: Key Requirements of the Paperwork Reduction Act and OIRA
Actions

                      OIRA requirements Actions taken

Section 3504(b): General IRM Policy

Develop  and oversee  the  implementation of  uniform information  resources
management policies, principles, standards, and guidelines.

* OMB revised its IRM policy guidance, Circular No. A-130, to reflect the
1995 Act and to reflect the Clinger-Cohen Act of 1996 and other matters.
Circular A-130 complements 5 CFR 1320, "Controlling Paperwork Burden on the
Public."

* OIRA's general approach to oversight is to leverage its existing statutory
processes, including the budget, regulatory review, information collection
review, legislative review, Privacy Act systems of record review, and
periodic reports from the agencies.

Foster greater sharing, dissemination, and access to public information,
including through

* the use of the Government Information Locator Service (GILS); and

* the development of utilization of common standards for information
collection, storage, and processing and communications, including standards
for security interconnectivity.

* OIRA officials acknowledged that GILS is still a requirement; however,
they stated that increased use of the Internet, coupled with the development
of more powerful search engines, has lessened the importance of this
approach to locating government information.

* They highlighted the establishment of FirstGov.gov-a federal government
portal that provides a single point of access to all federal government
information posted on the World Wide Web-as a major accomplishment in this
area. In addition, OIRA has worked with the CIO Council to establish Access
America portals in the areas of health, trade, students, and seniors.

* OIRA does not set technical standards; OMB works with NIST and consults
with the CIO Council to define policy standards for operational matters.

Initiate and review proposals for changes in legislation, regulations, and
agency procedures to improve information resources management practices.

* OIRA officials say they do not initiate legislative proposals, but review
them via consultation with the CIO Council, individual agencies, and OMB's
Legislative Reference Division. Altogether, OIRA receives about 5 or 6
proposals each day.

* OIRA does not have a systematic process for initiating or reviewing agency
procedures to improve IRM.

Oversee the development and implementation * OIRA officials stated that they
encourage  agencies to  follow  best practices-  of  best practices  in IRM,
including training. relying on the CIO Council's leadership and influence.

* NIST disseminates security best practices.

Oversee agency integration of  program OIRA officials stressed that agencies
are  responsible  for overseeing  their  own management  functions with  IRM
functions. management functions through the agency's CIO.

Section 3504(c): Collection and Control of Paperwork

Review and approve proposed agency collections of information.

OIRA operates the paperwork clearance process established under the
Paperwork Reduction Act of 1980. OIRA has draft guidance for agency
compliance with the PRA's paperwork clearance requirements (preliminary
January 1997 draft, revised August 1999). In fiscal year 2001, OIRA reviewed
1,521 proposed agency collections, approved 1, 411, and disapproved 5. The
remainder were withdrawn or returned to the agency.

Coordinate the review of information collection concerning procurement and
acquisition with the Office of Federal Procurement Policy (OFPP). 
Minimize information collection burden and maximize the practical utility of
and public benefit from information collected.

According to OIRA, the desk officers responsible for information collection
review routinely coordinate collections concerning procurement and
acquisition with OFPP, but such coordination is not documented.

According to OIRA, the information collection review process is used to
minimize information collection burden and maximize practical utility and
public benefit.

Establish and oversee standards and guidelines for estimated paperwork
burden.

OIRA  published  standards  for estimating  paperwork  burden  in 1999,  and
oversees implementation through the paperwork clearance process.

                 Section 3504(d): Information Dissemination

Develop  and oversee  the implementation of  *  In 1995 OMB  issued guidance
(M-95-22, 9/29/95) on implementing the

policies,  principles, standards,  and guidelines  information dissemination
provisions  of PRA. This  guidance was  incorporated into its  February 1996
revisions to A-130.

to

*   apply  to  agency dissemination,  regardless  of   *  According to  OIRA
officials,  OMB has  been  in consultation  with  stakeholders and  form  or
format;  and  other interested  parties to  discuss the  current information
policies of A-130 and to

Appendix II: Key Requirements of the Paperwork Reduction Act and OIRA
Actions

OIRA requirements Actions taken

* promote public access to information. discern if they continues to address
the needs of agencies and stakeholders in using government information.

* OIRA officials also said that oversight of this policy is accomplished
through the information collection process, conversations with agency CIOs,
review of agency Web sites, and discussions with agency personnel.

Section 3504(e): Statistical Policy and Coordination

Appoint  a chief statistician  to coordinate  the activities of  the federal
statistical system.

OMB has  appointed a chief statistician  who heads OIRA's Statistical Policy
Branch and is responsible for these functions.

Establish an interagency council on statistical policy to advise and assist
OIRA in carrying out these functions.

The PRA of 1995 formalized the Interagency Council on Statistical Policy
(ICSP), to advise and assist the director of OMB in carrying out statistical
policy and coordination functions. The ICSP is headed by the chief
statistician and consists of the heads of major statistical programs as well
as representatives of other statistical agencies on a rotating basis.

Prepare an annual report on statistical program funding.

The chief statistician prepares an annual report, entitled Statistical
Programs of the United States Government, on the activities of the
statistical system, including program funding.

Coordinate the federal statistical system to ensure its efficiency and
effectiveness, along with the integrity, objectivity, impartiality, utility,
confidentiality of information collected for statistical purposes.

* According to OMB officials, OIRA uses a variety of mechanisms to
coordinate the federal statistical system. These include the budget
formulation and information collection review processes; the development and
implementation of long-range plans; the issuance and revision of statistical
policy standards and orders; consultation with the Interagency Council on
Statistical Policy; and the activities and recommendations of interagency
committees such as the Federal Committee on Statistical Methodology, the
Interagency Committee for the American Community Survey, the Interagency
Forum on Aging-Related Statistics, the Interagency Forum on Child and Family
Statistics, and the Task Force on One-Stop Shopping for Federal Statistics.

* In 1997 OMB issued an order on confidentiality covering information
collection by statistical agencies. The chief statistician stated that OIRA
has not formally evaluated the impact of this order. However, she stated
that it has been very useful to some of the statistical agencies,
particularly in clarifying that confidential statistical data are not to be
used for administrative or regulatory purposes.

Ensure  that   agency  budget  proposals  are   consistent  with  systemwide
priorities.

The Statistical Policy Branch coordinates the budget requests of key
multiagency programs to ensure consistency with systemwide priorities. In
addition, the budgets of all principal statistical agencies are reviewed by
OMB's Resource Management Organizations and the Statistical Policy Branch.
According to the chief statistician, the statistical program budgets of
other agencies, which account for about 60 percent of the approximately $4
billion of annual federal spending on statistics, are not covered by this
review, primarily because of inadequate detail on budget materials.

Develop and oversee the implementation of * Statistical Policy Branch staff
participate directly in the review of proposed
governmentwide policies, principles, standards, information collection
requests by federal agencies. According to the chief
and guidelines for collection methods, data statistician, this participation
provides the staff with oversight of the
classifications, dissemination, timely release, questionnaires and
statistical methodologies used to collect information, as well
and needs for administration of federal as the use of these collections for
federal program needs.
programs. * OIRA has also expanded or updated classification standards for
industries (1997,

2001), occupations (1998), metropolitan and micropolitan areas (2000), and
race and ethnicity (1997), and is developing a new product classification
system.

* An OMB policy directive, last updated in 1985, specifies the process for
the timely release of principal economic indicators, and requires agencies
to conduct periodic evaluations of the quality of those indicators.
According to the chief statistician, OIRA does not conduct a formal review
of these evaluations, relying on agencies to use them to improve the
timeliness and quality of their statistical programs, but does use them in
the information collection request and budget formulation processes.

Appendix II: Key Requirements of the Paperwork Reduction Act and OIRA
Actions

OIRA requirements Actions taken

Evaluate statistical program performance and In addition to relying on
individual agencies to perform evaluations of statistical agency compliance
with governmentwide programs for compliance with governmentwide polices and
guidelines, OIRA uses policies, principles, standards, and guidelines. the
information collection and budget review processes to evaluate statistical

                    program performance and compliance.

Promote sharing of information collected for statistical purposes consistent
with privacy rights and confidentiality pledges.

* OMB prepared legislation that the House of Representatives passed as the
Statistical Efficiency Act of 1999. Subsequent President's budgets have
continued to urge enactment of this legislation which would permit data
sharing solely for statistical purposes for a specified group of statistical
agencies.

* To promote data sharing consistent with privacy rights and confidentiality
pledges, OMB in 1997 issued a confidentiality order for information
collected by statistical agencies. OIRA officials have not formally
evaluated the impact of this order, but have noted that some statistical
agencies have found it very useful, particularly in clarifying that
statistical data collected under a confidentiality pledge are not to be used
for nonstatistical purposes, such as administrative or regulatory purposes.

* According to the chief statistician, OIRA has, on occasion, used the
provisions of 44 U.S.C. 3509 to designate a single agency to collect and
share data needed by multiple agencies (consistent with privacy rights and
confidentiality pledges), thereby reducing respondent burden.

     Coordinate the participation of the United States in international
                          statistical activities.

The Statistical Policy Branch serves as the focal point for coordinating
U.S. participation in international statistical activities. OIRA coordinates
agency participation in statistical activities with the United Nations
Statistical Division, the Organization for Economic Cooperation and
Development, and the Statistical Office of the European Communities. The
chief statistician represents the United States at meetings of the United
Nations Statistical Commission. The chief statistician stated that through
this participation, she ensures that U.S. interests are taken into account
in these policy-setting forums, where programs for international statistical
work are developed and adopted. She noted that in preparation for these
meetings, agency views are sought on the agenda items by contacting the
member agencies of the ICSP. She also stated that working through the
Council, OMB ensures that the appropriate technical experts represent the
United States in various subject matter meetings and in international
standards development work.

Promote opportunities for training in statistical policy functions.

According to the chief statistician, the Statistical Policy Branch
encourages agencies to send staff to OIRA to be trained. For each of the
past 6 years, agency staff have worked at OIRA, participating in such
activities as the preparation of the annual report on statistical programs
and the review of information collection requests.

Section 3504(f): Records Management

Provide advice and assistance to the Archivist of the United States and the
Administrator of General Services to promote coordination of records
management requirements with IRM policies, principles, standards, and
guidelines.

* OMB officials stated that OIRA relies heavily on NARA to take leadership
for records management policy.

* OIRA officials stated that they and OMB budget examiners work closely with
both NARA and GSA. They have provided advice countless times, but these
interactions are informal and therefore undocumented.

Review agency compliance with records management legal and regulatory
requirements.

OIRA relies on NARA to ensure compliance with records management
requirements processes. From fiscal years 1996 through 2000, NARA conducted
16 evaluations of agency records programs-including Agriculture, Defense,
Commerce, FBI, and CIA-and reported numerous weaknesses, making
recommendations for improvement. No additional evaluations have been
conducted since then.

Oversee the application of records * OMB Circular A-130 requires agencies to
ensure that records management management policies, principles, standards,
programs adequately document agency activities and incorporate records and
guidelines, including the requirements for management functions into the
design, development, and implementation of

archiving information maintained in electronic information systems.

Appendix II: Key Requirements of the Paperwork Reduction Act and OIRA
Actions

OIRA requirements Actions taken
format, in the planning and design of * OIRA officials stated that they
oversee agency application of records
information systems. management policies through the information collection
budget and review

processes.

* According to OMB officials, an e-government initiative on e-records
management will provide a framework for this.

                   Section 3504(g): Privacy and Security

Develop and oversee the implementation of OMB Circular A-130 provides
implementing guidance to agencies on security and policies, principles,
standards, and guidelines privacy. In addition, it contains specific
guidance on federal agency responsibilities on privacy, confidentiality,
security, disclosure for maintaining records about individuals (app. I) and
on security of federal and sharing of information, and security. automated
information resources (app. III). Further, OIRA has issued several

memoranda addressing such issues as interagency data sharing, Internet
privacy issues, and the need to incorporate security and privacy in
information systems design and investment.

Oversee and coordinate compliance with the Freedom of Information Act, the
Privacy Act, and the Computer Security Act of 1987, and related information
management laws.

According to OIRA, it oversees and coordinates compliance with the Computer
Security Act through the provisions of the Government Information Security
Reform Act that require agencies to engage in systematic self-reporting on
their computer security programs. OIRA oversees the Privacy Act though its
reporting requirements and review of agency notices for new or modified
Privacy Act systems of records. Freedom of Information Act oversight is
given to the Department of Justice, although OMB provides guidance on fees.
OIRA also receives and reviews all agency inspector general reports and
annual reports, monitors GSA's incident report tracking system, and reviews
the integration of IT security in the budget process and the capital
planning and investment control process.

Require agencies to identify and afford security protections commensurate
with the risk and management of the harm resulting from the loss, misuse, or
unauthorized access to or modification of information.

A-130 requires a risk-based approach to information security and stipulates
that new or continued funding for IT systems is contingent on meeting
security criteria. OIRA officials again emphasized that it is the individual
agency's responsibility to provide appropriate risk-based security
protections.

              Section 3504(h): Federal Information Technology

In consultation with the Director of NIST and According to OIRA officials,
OIRA staff routinely consult with NIST and the General
the Administrator of General Services, develop Services Administration in
developing policy and guidance.
and oversee the implementation of policies,
principles, standards, and guidelines for
information technology functions and system
standards.

Monitor the effectiveness of, and compliance with, directives issued under
the Clinger-Cohen Act and relative to the IT fund.

OIRA holds annual capital planning and investment control meetings with
individual agencies to judge the well being of IT portfolios. OIRA officials
stated that they maintain a database to track agency portfolios over time,
but consider this information to be "pre-decisional"; it was thus not made
available to us. However, additional detail on agency IT portfolios was
provided in the 2003 budget.

Coordinate the development and review of IRM policy associated with
procurement and acquisition with the Office of Federal Procurement Policy.

OIRA officials collaborate with  the Office of Federal Procurement Policy on
issues related to IT procurement and acquisition.

Ensure (1) agency integration of IRM plans, program plans, and budgets for
acquisition and use of IT; and (2) the efficiency and effectiveness of
interagency IT initiatives.

OIRA officials use the budget and capital planning processes, in addition to
the  guidance  in A-130,  to  ensure  agency integration  of  IRM plans  and
budgets.

Appendix II: Key Requirements of the Paperwork Reduction Act and OIRA
Actions

OIRA requirements Actions taken

Promote the use of IT to improve the * OIRA works closely with the CIO
Council to ensure the efficiency and

productivity, efficiency, and effectiveness of effectiveness of interagency
IT initiatives.
federal programs. * OIRA promotes the use of information technology by
participating in interagency

meetings, through the information collection review process, and desk
officer

liaison activities with agencies.

* According to OIRA officials, OIRA uses requirements for capital planning
and investment control processes, enterprise architectures, and business
cases during the budget process to improve how agencies plan, acquire, and
manage IT.

Appendix III: Comments from the Office of Management and Budget

Appendix III: Comments from the Office of Management and Budget

Related GAO Products

Bioterrorism: The Centers for Disease Control and Prevention's Role in
Public Health Protection (GAO-02-235T, November 15, 2001)

Computer Security: Improvements Needed to Reduce Risk to Critical Federal
Operations and Assets (GAO-02-231T, November 9, 2001)

Homeland Security: Challenges and Strategies in Addressing Short- and
Long-Term National Needs (GAO-02-160T, November 7, 2001)

Electronic Government: Better Information Needed on Agencies' Implementation
of the Government Paperwork Elimination Act (GAO-01-1100, September 28,
2001)

Homeland Security: A Framework for Addressing the Nation's Efforts

(GAO-01-1158T, September 21, 2001)

Combating Terrorism: Selected Challenges and Related Recommendations
(GAO-01-822, September 20, 2001)

Electronic Government: Challenges Must Be Addressed With Effective
Leadership and Management (GAO-01-959T, July 11, 2001)

Information Management: Dissemination of Technical Reports (GAO-01-490, May
18, 2001)

Internet Privacy: Implementation of Federal Guidance for Agency Use of
"Cookies" (GAO-01-424, April 27, 2001)

Paperwork Reduction Act: Burden Estimates Continue to Increase (GAO-01-648T,
April 24, 2001)

Record Linkage and Privacy: Issues in Creating New Federal Research and
Statistical Information (GAO-01-126SP, April 2001)

Information Management: Electronic Dissemination of Government Publications
(GAO-01-428, March 30, 2001)

Combating Terrorism: Comments on Counterterrorism Leadership and National
Strategy (GAO-01-556T, March 21, 2001)

Information Management: Progress in Implementing the 1996 Electronic Freedom
of Information Act Amendments (GAO-01-378, March 16, 2001)

Related GAO Products

High-Risk Series: An Update (GAO-01-263, January 2001)

Major Management Challenges and Program Risks: A Governmentwide Perspective
(GAO-01-241, January 2001)

Determining Performance and Accountability Challenges and High Risks
(GAO-01-159SP, November 2000)

Electronic Government: Opportunities and Challenges Facing the FirstGov Web
Gateway (GAO-01-87T, October 2, 2000)

Federal Chief Information Officer: Leadership Needed to Confront Serious
Challenges and Emerging Issues (GAO/T-AIMD-00-316, September 12, 2000)

Year 2000 Computing Challenge: Lessons Learned Can Be Applied to Other
Management Challenges (GAO/AIMD-00-290, September 12, 2000)

Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy

(GAO/GGD-00-191, September 5, 2000)

Congressional Oversight: Challenges for the 21st Century (GAO/T-OCG-00-11,
July 20, 2000)

Revisions to OMB's Circular A-130 (GAO/AIMD-00-183R, May 23, 2000)

Paperwork Reduction Act: Burden Increases at IRS and Other Agencies

(GAO/T-GGD-00-114, April 12, 2000)

Office of Management and Budget: Future Challenges to Management

(GAO/T-GGD/AIMD-00-141, April 7, 2000)

Managing in the New Millennium: Shaping a More Efficient and Effective
Government for the 21st Century (GAO/T-OCG-00-9, March 29, 2000)

Year 2000 Computing Challenge: Federal Business Continuity and Contingency
Plans and Day One Strategies (GAO/T-AIMD-00-40, October 29, 1999)

Managing for Results: Answers to Hearing Questions on Quality Management
(GAO/GGD-99-181R, September 10, 1999)

Related GAO Products

National Archives: Preserving Electronic Records in an Era of Rapidly
Changing Technology (GAO/GGD-99-94, July 19, 1999)

Paperwork Reduction Act: Burden Increases and Unauthorized Information
Collections (GAO/T-GGD-99-78, April 15, 1999)

Government Management: Observations on OMB's Management Leadership Efforts
(GAO/T-GGD/AIMD-99-65, February 4, 1999)

Information Security: Serious Weaknesses Place Critical Federal Operations
and Assets at Risk (GAO/AIMD-98-92, September 23, 1998)

Regulatory Management: Implementation of Selected OMB Responsibilities Under
the Paperwork Reduction Act (GAO/GGD-98-120, July 9, 1998)

Government Management: Observations on OMB's Management Leadership Efforts
(GAO/T-GGD/AIMD-98-148, May 12, 1998)

Statistical Agencies: Proposed Consolidation and Data Sharing Legislation
(GAO/T-GGD-98-91, March 26, 1998)

Managing for Results: Observations on Agencies' Strategic Plans

(GAO/T-GGD-98-66, February 12, 1998)

Managing for Results: Agencies' Annual Performance Plans Can Help Address
Strategic Planning Challenges (GAO/GGD-98-44, January 30, 1998)

Managing for Results: Observations on OMB's September 1997 Strategic Plan
(GAO/T-AIMD/GGD-98-10, October 6, 1997)

Agencies' Strategic Plans Under GPRA: Key Questions to Facilitate
Congressional Review (GAO/GGD-10.1.16, May 1997)

Statistical Agencies: Consolidation and Quality Issues (GAO/T-GGD-97-78,
April 9, 1997)

Managing for Results: Enhancing the Usefulness of GPRA Consultations Between
the Executive Branch and Congress (GAO/T-GGD-97-56, March 10, 1997)

Related GAO Products

Information Technology Investment: Agencies Can Improve Performance, Reduce
Costs, and Minimize Risks (GAO/AIMD-96-64, September 30, 1996)

Information Management Reform: Effective Implementation Is Essential for
Improving Federal Performance (GAO/T-AIMD-96-132, July 17, 1996)

Statistical Agencies: Statutory Requirements Affecting Government Policies
and Programs (GAO/GGD-96-106, July 17, 1996)

Federal Statistics: Principal Statistical Agencies' Missions and Funding

(GAO/GGD-96-107, July 1, 1996)

Executive Guide: Effectively Implementing the Government Performance and
Results Act (GAO/GGD-96-118, June 1996)

Executive Guide: Improving Mission Performance Through Strategic Information
Management and Technology (GAO/AIMD-94-115, May 1994)

GAO's Mission

Obtaining Copies of GAO Reports and Testimony

The General Accounting Office, the investigative arm of Congress, exists to
support Congress in meeting its constitutional responsibilities and to help
improve the performance and accountability of the federal government for the
American people. GAO examines the use of public funds; evaluates federal
programs and policies; and provides analyses, recommendations, and other
assistance to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents is through the
Internet. GAO's Web site (www.gao.gov) contains abstracts and full-text
files of current reports and testimony and an expanding archive of older
products. The Web site features a search engine to help you locate documents
using key words and phrases. You can print these documents in their
entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its Web
site daily. The list contains links to the full-text document files. To have
GAO e-mail this list to you every afternoon, go to www.gao.gov and select
"Subscribe to daily e-mail alert for newly released products" under the GAO
Reports heading.

Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out to
the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. General Accounting Office P.O. Box 37050 Washington, D.C. 20013

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

Visit GAO's Document GAO Building

Distribution  Center  Room 1100,  700 4th  Street, NW  (corner of 4th  and G
Streets, NW) Washington, D.C. 20013

To Report Fraud, Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm,

Waste, and Abuse in E-mail: [email protected], or

Federal Programs 1-800-424-5454 or (202) 512-7470 (automated answering
system).

Jeff   Nelligan,  Managing   Director,   [email protected]   (202)  512-4800

Public Affairs U.S.  General Accounting Office, 441 G. Street NW, Room 7149,
Washington, D.C. 20548
*** End of document. ***