Social Security Administration: Information Technology Challenges Facing
the Commissioner (Testimony, 03/12/98, GAO/T-AIMD-98-109).
Pursuant to a congressional request, GAO discussed the information
technology challenges facing the Social Security Administration and its
recently appointed commissioner.
GAO noted that: (1) SSA made significant early progress in assessing and
renovating mission-critical mainframe systems--those necessary to
prevent the disruption of benefits--and has been a leader among federal
agencies; (2) yet as of GAO's report of last October indicated, three
key risks remained, mainly stemming from the large degree to which SSA
interfaces with other entities in the sharing of information; (3) one
major risk concerned year 2000 compliance of the 54 state Disability
Determination Services (DDS) that provide vital support to the agency in
administering SSA's disability programs; (4) the second major risk
concerned data exchanges, ensuring that information obtained from
outside sources--such as other federal agencies, state agencies, and
private businesses--was not corrupted by data being passed from systems
that were not year 2000 compliant; (5) SSA exchanges data with thousands
of such sources; (6) third, such risks were compounded by the lack of
contingency plans to ensure business continuity in the event of systems
failure; (7) the resources that SSA plans to invest in acquiring
Intelligent Workstation/Local Area Network (IWS/LAN) are enormous; (8)
over 7 years the agency plans to spend about $1 billion during phase I
to replace its present computer terminals with intelligent workstations
and local area networks; (9) as of March 1, SSA had completed
installation of about 30,000 IWSs and 800 LANs, generally meeting or
exceeding its phase I schedule; (10) GAO has not identified any
significant problems in SSA's installation of IWS/LAN equipment at its
field offices to date, and the agency has taken steps to minimize
adverse impact on service to the public while installation takes place;
(11) at the conclusion of GAO's review, however, SSA had not established
targeted goals or a process or using performance measures to asses
IWS/LAN's impact in agency productivity improvements; (12) SSA has
recognized weaknesses in its own capability to develop software, and is
improving its processes and methods; and (13) SSA plans many initiatives
using the Internet to provide electronic service delivery to its
clients.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: T-AIMD-98-109
TITLE: Social Security Administration: Information Technology
Challenges Facing the Commissioner
DATE: 03/12/98
SUBJECT: Data integrity
Computer software verification and validation
Federal social security programs
Information resources management
Local area networks
Social security benefits
Computer software
Systems conversions
IDENTIFIER: SSA Year 2000 Program
SSA Disability Determination Program
Internet
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Before the Subcommittee on Human Resources and the Subcommittee on
Social Security, Committee on Ways and Means, House of
Representatives
For Release on Delivery
Expected at
10 a.m.
Thursday,
March 12, 1998
SOCIAL SECURITY ADMINISTRATION -
INFORMATION TECHNOLOGY CHALLENGES
FACING THE COMMISSIONER
Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division
GAO/T-AIMD-98-109
GAO/AIMD-98-109t
(511226)
Abbreviations
=============================================================== ABBREV
DDS -
GSA -
IWS -
IWS/LAN -
LAN -
MB -
NT -
OMB -
PEBES -
RDS -
SSA -
============================================================ Chapter 0
Messrs. Chairmen and Members of the Subcommittees:
We are pleased to be here today to discuss the information technology
challenges facing the Social Security Administration (SSA) and its
recently appointed Commissioner. As with every other organization,
both public and private, successfully crossing the threshold into the
next century is the top information technology priority. My
testimony today will update our report of last fall on where SSA
stands in this area.\1
Beyond ensuring readiness for the millennium, another large challenge
for SSA is successfully implementing its Intelligent
Workstation/Local Area Network (IWS/LAN) initiative.\2 SSA expects
this new capability, which my testimony will also address, to play a
major role in its redesigned work processes and in better serving an
increasing beneficiary population.
Today we will also discuss our recent report assessing SSA's actions
to improve its software development processes.\3 Finally, we will
update our testimony of last year on SSA's experiences with making
personal earnings and benefits information available to individuals
via the Internet.\4
--------------------
\1 Social Security Administration: Significant Progress Made in Year
2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, Oct. 22, 1997).
\2 In June 1996, SSA awarded a national IWS/LAN contract to modernize
and standardize the distributed processing environment in its
headquarters and field components and in state Disability
Determination Services (DDS) offices. This initiative is intended to
provide distributed processing--intelligent workstations (personal
computers) on employee desktops, connected to each other and to SSA's
mainframe computers by local and wide area networks. Phase I of the
initiative is set to provide 56,500 workstations, 1,742 local area
networks, and 2,500 notebook computers to SSA and DDS offices
nationwide between December 1996 and June 1999.
\3 Social Security Administration: Software Development Process
Improvements Started But Work Remains (GAO/AIMD-98-39, Jan. 28,
1998).
\4 Social Security Administration: Internet Access to Personal
Earnings and Benefits Information (GAO/T-AIMD/HEHS-97-123, May 6,
1997).
YEAR 2000: CITED RISKS BEING
ADDRESSED
---------------------------------------------------------- Chapter 0:1
For the past several decades, computer systems have typically used
two digits to represent the year, such as "98" for 1998, in order to
conserve electronic data storage and reduce operating costs. In this
format, however, 2000 is indistinguishable from 1900 because both are
represented as "00." As a result, if not modified, systems or
applications that use dates or perform date- or time-sensitive
calculations may generate incorrect results beyond 1999.
SSA has been anticipating the change of century since 1989,
initiating an early response to the potential crisis. It made
significant early progress in assessing and renovating
mission-critical mainframe systems--those necessary to prevent the
disruption of benefits --and has been a leader among federal
agencies. Yet as our report of last October indicated, three key
risks remained, mainly stemming from the large degree to which SSA
interfaces with other entities in the sharing of information.
One major risk concerned Year 2000 compliance of the 54 state
Disability Determination Services (DDS)\5 that provide vital support
to the agency in administering SSA's disability programs. The second
major risk concerned data exchanges, ensuring that information
obtained from outside sources--such as other federal agencies, state
agencies, and private businesses--was not "corrupted" by data being
passed from systems that were not Year 2000 compliant. SSA exchanges
data with thousands of such sources. Third, such risks were
compounded by the lack of contingency plans to ensure business
continuity in the event of systems failure.
Our report made several specific recommendations to mitigate these
risks. These included (1) expeditious completion of the assessment
of mission-critical systems at state DDS offices and the use of those
results to establish specific plans of action, (2) stronger oversight
by SSA of DDS Year 2000 activities, (3) discussion of the status of
DDS Year 2000 activities in SSA's quarterly reports to the Office of
Management and Budget (OMB), (4) expeditious completion of SSA's Year
2000 compliance coordination with all data exchange partners, and (5)
development of specific contingency plans that articulate clear
strategies for ensuring the continuity of core business functions.
SSA agreed with all of our recommendations, and actions to complete
them are underway. We understand that the states are in various
stages of addressing the Year 2000 problem, but note that SSA has
begun to monitor these activities; among other things, it is
requiring biweekly status reports from the DDSs. Further, as of this
week, the agency planned to have a contingency plan available at the
end of the month.
--------------------
\5 One for each state plus the District of Columbia, Guam, Puerto
Rico, and the Virgin Islands. A federal DDS serves as a backup and
model office for testing new technologies and work processes.
ONGOING ISSUES CONCERNING
IWS/LAN IMPLEMENTATION
---------------------------------------------------------- Chapter 0:2
The resources that SSA plans to invest in acquiring IWS/LAN are
enormous: Over 7 years the agency plans to spend about $1 billion
during phase I to replace its present computer terminals with
"intelligent" workstations and local area networks. As of March 1,
SSA had completed installation of about 30,000 IWSs and 800 LANs,
generally meeting or exceeding its phase I schedule.
The basic intelligent workstation that SSA is procuring includes a
(1) 15-inch color display monitor, (2) 100-megahertz Pentium
workstation with 32 megabytes (MB) of random access memory, (3)
1.2-gigabyte hard (fixed) disk drive, and (4) 16-bit network card
with adaptation cable. Preliminary testing has indicated that the
IWS/LAN workstation random access memory will need to be upgraded
from 32 MB to at least 64 MB.
Last year SSA's contractor, Unisys Corporation, submitted a proposal
to upgrade to a processing speed higher than 100 megahertz at
additional cost. Unisys noted that it was having difficulty in
obtaining 100-megahertz workstations. Although personal computers
available in today's market are about three times this speed, SSA
stated that the 100-megahertz processing speed does meet its current
needs. The agency is, however, continuing to discuss this issue with
Unisys.
As the expected time period for implementation of IWS/LAN will span
the change of century, it is obviously important that all components
be Year 2000 compliant. SSA's contract with Unisys does not,
however, contain such a requirement. Moreover, SSA has acknowledged,
and we have validated, that some of the earlier workstations that it
acquired are not Year 2000 compliant.\6 However, SSA maintains--and
we have confirmed--that the operating system it has selected for
IWS/LAN, Windows NT, corrects the particular Year 2000-related
problem. SSA has also said that it is now testing all new hardware
and software, including equipment substitutions proposed by Unisys,
to ensure Year 2000 compliance before site installation.
Phase II is intended to build upon acquisition of the initial IWS/LAN
infrastructure, adding new hardware and software--such as database
engines, scanners, and bar code readers--to support future process
redesign initiatives. Contract award for phase II is planned for
fiscal year 1999, with site installations between fiscal years 1999
and 2001.
We have not identified any significant problems in SSA's installation
of IWS/LAN equipment at its field offices to date, and the agency has
taken steps to minimize adverse impact on service to the public while
installation takes place. Some state DDSs, however, have recently
raised concerns about lack of control over their networks and
inadequate response time on IWS/LAN service calls, resulting in some
disruption to their operations. SSA currently maintains central
control. Under this arrangement, problems with local equipment must
be handled by SSA's contractor, even though many DDSs feel they have
sufficient technical staff to do the job. Because of this issue,
states have said that they want SSA to pilot test IWS/LAN in one or
more DDS offices to evaluate options that would allow states more
flexibility in managing their networks. Florida, in fact, refused to
accept more IWS/LAN terminals until this issue is resolved. SSA is
now working with the DDSs to identify alternatives for providing the
states with some degree of management control.
Turning to managing the acquisition of information technology
resources as an investment, SSA has--consistent with the
Clinger-Cohen Act of 1996 and OMB guidance-- followed several
essential practices with IWS/LAN. This includes assessing costs,
benefits, and risks, along with monitoring progress against competing
priorities, projected costs, schedules, and resource availability.
What SSA has not established, however, are critical practices for
measuring IWS/LAN's contribution toward improving mission
performance. While it does have baseline data and measures that
could be used to assess the project's impact on performance, it lacks
specific target goals and a process by which overall IWS/LAN impact
on program performance can be gauged. Further, while OMB guidelines
call for post-implementation evaluations to be completed, SSA does
not plan to do this.
In a September 1994 report, we noted that SSA had initiated action to
identify cost and performance goals for IWS/LAN.\7 SSA identified six
categories of performance measures that could be used to track the
impact of IWS/LAN technology on service delivery goals, and had
planned to establish target productivity gains for each measure upon
award of the IWS/LAN contract.
At the conclusion of our review, however, SSA had not established
targeted goals or a process for using performance measures to assess
IWS/LAN's impact on agency productivity improvements. According to
officials, the agency has no plans to use these measures in this way
because it believes the results of earlier pilots sufficiently
demonstrated that savings will be achieved with each IWS/LAN
installation, and because the measures had been developed in response
to a General Services Administration (GSA) procurement requirement.
Since GSA no longer performs this role, SSA sees these actions as no
longer necessary. Yet without specific goals, processes, and
performance measurements, it will be difficult to assess whether
IWS/LAN improves service to the public. Further, the Clinger-Cohen
Act requires agencies to develop performance measures to assess how
well information technology supports their programs.
Knowing how well such technology improvements are actually working
will be critical, given the expected jump in SSA's workload into the
next century. The number of disability beneficiaries alone is
expected to increase substantially between calendar years 1997 and
2005--from an estimated 6.2 million to over 9.6 million.
Concurrent with phase I installation is development of the first
major programmatic software application--the Reengineered Disability
System (RDS)--to be installed on the IWS/LAN infrastructure. It is
intended to support SSA disability claims processing under a new
client/server environment.\8 Pilot testing of RDS software to
evaluate actual costs and benefits of the system and identify IWS/LAN
phase II equipment needs began last August. However, performance and
technical problems encountered during the RDS pilot have resulted in
a planned 9-month delay--to July 1998--in implementing the pilot
system in the first state, Virginia. This will likely cause
corresponding delays in SSA's schedule for acquiring and implementing
IWS/LAN phase II equipment, and further delays in national
implementation of RDS.\9
--------------------
\6 These workstations failed to advance the date from December 31,
1999, to January 1, 2000, without user intervention.
\7 Social Security Administration: Risks Associated With Information
Technology Investment Continue (GAO/AIMD-94-143, Sept. 19, 1994).
\8 In a client/server environment, servers and individual
workstations are all capable of performing tasks that previously only
the mainframe computer could accomplish. This can sometimes result
in improvements over mainframe performance.
\9 In September 1996 we reported that software development problems
had delayed the scheduled implementation of RDS by more than 2 years.
See Social Security Administration: Effective Leadership Needed to
Meet Daunting Challenges (GAO/HEHS-96-196, Sept. 12, 1996).
SOFTWARE DEVELOPMENT: KEY
IMPROVEMENTS BEGUN, BUT
BASELINE DATA, MEASURABLE GOALS
STILL NEEDED
---------------------------------------------------------- Chapter 0:3
How software is developed is another critical consideration; whether
the modernized processes will function as intended and achieve the
desired gains in productivity will depend in large measure on the
quality of the software. Yet software development is widely seen as
one of the riskiest areas of systems development. SSA has recognized
weaknesses in its own capability to develop software, and is
improving its processes and methods. This comes at a critical time,
since the agency is beginning development of its new generation of
software to operate on the IWS/LAN to support the redesigned work
processes of a client/server environment.
Significant actions that SSA has initiated include (1) launching a
formal software process improvement program, (2) acquiring assistance
from a nationally recognized research and development center in
assessing its strengths and weaknesses and in assisting with
improvement,\10 and (3) establishing management groups to oversee
software process improvement activities.
Key elements of the software improvement program, however, are still
lacking--elements without which progress and success cannot be
measured. These are: specific, quantifiable goals, and baseline
data to use in assessing whether those goals have been attained.
Until such features are available, SSA will lack assurance that its
improvement efforts will result in the consistent and cost-effective
production of high-quality software.
Our report\11 recommends that as part of its recently initiated pilot
projects, SSA develop and implement plans that articulate a strategy
and time frames for developing baseline data, identifying specific
goals, and monitoring progress toward achieving those goals. We are
encouraged by SSA's response, which included agreement and a
description of steps it had begun to carry out these recommendations.
--------------------
\10 The Software Engineering Institute, Carnegie Mellon University,
Pittsburgh.
\11 GAO/AIMD-98-39, Jan. 28, 1998.
PERSONAL EARNINGS AND BENEFIT
ESTIMATE STATEMENTS: INTERNET
AVAILABILITY ON HOLD
---------------------------------------------------------- Chapter 0:4
For over 10 years, SSA has been providing, on request, a Personal
Earnings and Benefit Estimate Statement (PEBES). The statement
includes a yearly record of earnings, estimates of Social Security
taxes paid, and various benefits estimates. Beginning in fiscal year
1995, such statements were sent annually to all eligible U.S.
workers aged 60 and over; beginning October 1, 1999, the statements
are to be sent to all eligible workers 25 and over--an estimated 123
million people. The public has generally found these to be useful in
financial planning.\12
In an effort to provide "world-class service" and be as responsive as
possible to the public, SSA in March 1997 initiated on-line
dissemination of PEBES to individuals via the Internet. The agency
felt that using the Internet in this way would ensure that client
data would be safeguarded and confidentiality preserved. Within a
month, however, press reports of privacy concerns circulated,
sparking widespread fear that the privacy of this information could
not be guaranteed.
SSA plans many initiatives using the Internet to provide electronic
service delivery to its clients. As such, our testimony of last May
before the Subcommittee on Social Security focused on Internet
information security in general, describing its risks and approaches
to making it more secure. The relative insecurity of the Internet
makes its use as a vehicle for transmitting sensitive
information--such as Social Security information--a decision
requiring careful consideration. It is a question of balancing
greater convenience against increased risk--not only that information
would be divulged to those who should not have access to it, but also
that the database itself could be compromised.
For most organizations, a prudent approach to information security is
three-pronged, including the ability to protect against security
breaches at an appropriate level, detect successful breaches, and
react quickly in order to track and prosecute offenders. The
Internet security issue remains a daunting one, and SSA--like other
federal agencies--will have to rely on commercial solutions and
expert opinion; this is, however, an area in which there is no clear
consensus.
Shortly before our May testimony, the Acting Commissioner suspended
on-line PEBES availability, promising a reexamination of the service
that would include public forums around the country. After analyzing
the results of those forums, the Acting Commissioner announced last
September that a modified version of the on-line PEBES system would
be available by the end of 1997.
The new Commissioner, however, has placed implementation of the new
system on hold. SSA has hired a private contractor to assess the
risk of the modified system; we see this as an important, welcome
step in determining the vulnerabilities involved in the use of the
Internet.
--------------------
\12 See GAO/T-AIMD/HEHS-97-123 and SSA Benefit Statements: Well
Received by the Public but Difficult to Comprehend (GAO/HEHS-97-19,
Dec. 5, 1996).
-------------------------------------------------------- Chapter 0:4.1
In summary, it is clear that SSA has made progress in dealing with
its information technology challenges; it is equally clear, however,
that such challenges will continue to face the agency, especially as
it transitions to a new processing environment while concurrently
dealing with the coming change of century. As a prime face of the
government to virtually every American citizen, the stakes in how
well the agency meets these continuing challenges are high.
This concludes my statement. I would be happy to respond to any
questions that you or other members of the Subcommittees may have at
this time.
*** End of document. ***