Description
Strategic planning is an organization's process of defining its strategy, or direction, and making decisions on allocating its resources to pursue this strategy.
The Library of Congress
Office of the Inspector General
Library-Wide
Information Technology Strategic Planning: A Well-Developed Framework is Essential to Support the Library’s Current and Future IT Needs
Report No. 2008-PA-105 March 2009
PUBLIC RELEASE
UNITED STATES GOVERNMENT
LIBRARY OF CONGRESS
Office of the Inspector General
Memorandum
TO: FROM: SUBJECT:
James H. Billington April 22, 2009 Librarian of Congress Karl W. Schornagel Inspector General Information Technology Strategic Planning: A Well Developed Framework is Essential to Support the Library’s Current and Future IT Needs Report No. 2008?PA?105
This transmits our report titled “Information Technology Strategic Planning: A Well Developed Framework is Essential to Support the Library’s Current and Future IT Needs,” prepared by our contractor, A?Tech Systems, Inc.
Management’s response to our draft report is briefly summarized in the Executive Summary and in more detail after individual recommendations. The complete response is included as an appendix to the report.
Based on the written comments to the draft report, we consider all of the recommendations resolved except for 2.C., 3.A., and 5.E., with which the Library either disagreed or did not provide a firm response, and recommendations 1.E., 2.D., 4.A., 4.B., 4.D., 5.A., with which the Library “partially agreed” but did not provide an adequate explanation as to the partial nature of the agreement. We urge the Library to consider the recommendations in this report seriously, as they point to nothing more – or less – than proven best practices in government and business. In accordance with LCR 211?6, Section 11.A, please provide, within 30 calendar days, an action plan addressing implementation of the recommendations, including implementation dates.
We appreciate the cooperation and courtesies extended by the Office of Strategic Initiatives and many other Service and Support Units throughout the Library during this review. cc: Chief Operating Officer Associate Librarian for Strategic Initiatives
A WELL DEVELOPED FRAMEWORK IS ESSENTIAL TO SUPPORT THE LIBRARY’S CURRENT AND FUTURE IT NEEDS
INFORMATION TECHNOLOGY STRATEGIC PLANNING:
TABLE OF CONTENTS
EXECUTIVE SUMMARY ......................................................................................1 BACKGROUND....................................................................................................3 OBJECTIVES, SCOPE, AND METHODOLOGY..................................................4 FINDING 1 – STRATEGIC PLANNING PROCESS .............................................7 FINDING 2 – IT INVESTMENT PROCESS ........................................................14 FINDING 3 – ORGANIZATIONAL STRUCTURE...............................................22 FINDING 4 – ENTERPRISE ARCHITECTURE ..................................................25 FINDING 5 – CUSTOMER SERVICE .................................................................30 CONCLUSION....................................................................................................35 APPENDIX A - REFERENCES ..........................................................................37 APPENDIX B - ACRONYMS ..............................................................................39 APPENDIX C - PROPOSED FY 2009 IT BUDGETS .........................................41 APPENDIX D – NLS IT SECURITY EXPENSES ...............................................45 APPENDIX E – LIBRARY RESPONSE TO REPORT........................................49
EXECUTIVE SUMMARY
The intent of this review was to assess the effectiveness of information technology (IT) strategic planning at the Library of Congress (Library or LC). To evaluate whether the Office of Strategic Initiatives (OSI) Strategic Plan supports and implements the Library’s Strategic Plan as it pertained to the IT infrastructure, the Library Office of the Inspector General (OIG) contracted with A?TECH Systems, Inc. The evaluation focused on: 1. Determining how the OSI Strategic Plan addresses the recommendations of pertinent prior recommendations made by the National Research Council in a report titled “LC21: A Digital Strategy for the Library of Congress” (the LC 21 report); 2. Verifying whether the OSI Strategic Plan meets the Library’s current and future needs; 3. Validating the assumptions, data, and conclusions in the OSI Strategic Plan; and 4. Comparing the organizational placement and structure of Information Technology Services (ITS) with other government and similarly staffed corporate organizations. Since the LC21 report was published in 2000, the Library has made many technology improvements. The technology “evolution” at the Library includes migrating from mainframe systems, standardizing network infrastructure, updating the storage architecture, building an alternate computing facility (ACF) that provides backup for all three Library data centers, building a secure financial hosting environment (FHE), instituting a project management function, implementing a system life cycle development process (SDLC), deploying a standardized Microsoft XP workstation environment, and developing a National Institute of Standards and Technology (NIST) compliant Certification and Accreditation (C&A) process. The Library has standardized internal and external websites, developed digital collections containing more than 300 terabytes of data, and built a network of national and international digital partners. The Library is often at the forefront of identifying and participating in forward thinking digital initiatives. In short, the Library has made great progress in improving its IT infrastructure and backbone. However, the Strategic Planning process for IT at the Library of Congress is not well integrated with essential planning components, and is not instituted Library?wide, resulting in the following findings. 1. STRATEGIC PLANNING PROCESS ? Strategic Planning for IT is not a unifying force at the Library, does not link directly to the Library Strategic Plan, and does not have a forward?looking view.
1
2. IT INVESTMENT PROCESS ? Strategic Planning is not linked to the IT investment process, resulting in the duplication of efforts and acquisitions. 3. ORGANIZATIONAL STRUCTURE ? The organizational structure of the Information Technology Services (ITS) directorate at the Library does not foster strategic planning and good IT governance. 4. ENTERPRISE ARCHITECTURE ? The Library is missing an Enterprise Architecture program that should be coupled with a strategy to provide a roadmap for implementing future technology. 5. CUSTOMER SERVICE – ITS customer service needs improvement.
In our opinion, all of these findings are in large part the result of an unclear sense of how IT planning fits into the Library’s mission and the roles and responsibilities of the employees, as well as a lack of linkage between the IT strategic planning processes at the Library and actual performance. Furthermore, those Library employees charged with IT planning need to adopt a holistic view of planning that incorporates and supports a clear mission view with an insight into customer goals and objectives. Although some steps have been taken towards this effort, the progress is not seen Library?wide. We received a formal response to this report on April 15, 2009. Library management agreed with the majority of our findings and recommendations. Although management did not feel the improvements since the LC21 report were adequately addressed, we believe these improvements were sufficiently addressed in the executive summary and the conclusion of this report. Management responses and A?Tech comments are included in the report after each recommendation. The entire response can be found in Appendix E.
2
BACKGROUND
The Library is the nation's oldest federal cultural institution and serves as the research arm of Congress. It is also the largest library in the world, with nearly 150 million books, recordings, photographs, maps and manuscripts in its collections. The Library's mission is to make its resources available and useful to the Congress and the American people and to sustain and preserve a universal collection of knowledge and creativity for future generations. A decade ago, the Library commissioned the National Research Council (NRC) to conduct a study to provide strategic advice concerning the Information Technology path that the Library should take over the next decade. The result of the study was the LC21 report (LC21 report or “report”). The report provided numerous findings and recommendations, which serve as a framework for the Library’s transition into the Digital Age. More recently, the Library’s Strategic Planning Team and working groups in each Service and Support Unit, created the Library of Congress Strategic Plan for Fiscal Years (FY) 2008?2013, with valuable feedback provided from the Library’s customers and stakeholders. To support the Library’s goals, the Office of Strategic Initiatives (OSI) developed the OSI Strategic Plan FY 2008?2013, a guide for ensuring more of the Library’s resources are available online and collecting and preserving at?risk, born?digital content. In FY 2001, the Librarian created – and filled – the position of Associate Librarian for Strategic Initiatives (ALSI) to support the Library of Congress' vision and strategy by directing the overall strategic planning for the Library and the national program for long?term preservation of digital cultural assets. This Executive Committee?level position originally had oversight of two major programs: ? ? the National Digital Library Program (with American Memory as the flagship project to make the Library’s collections available to the public); and the National Digital Information Infrastructure and Preservation Program (NDIIPP) (responsible for the development of a national strategy, in cooperation with other institutions, for the collection, access and preservation of digital materials).
Now, the ALSI is also responsible for educational outreach, primarily the “Teaching with Primary Sources” (TPS) program, whose objective is to increase use of the Library’s digital primary sources in K?12 educational settings. In FY 2002, the ALSI was named the Library’s Chief Information Officer (CIO), and charged with leading the Library’s Information Technology Services (ITS) directorate, an infrastructure unit responsible for supporting the Library’s IT resources. Until this point, ITS had been part of the Library’s enabling infrastructure, a Support Unit reporting directly to the Deputy Librarian.
3
OBJECTIVES, SCOPE, AND METHODOLOGY
This review supported the Library’s goal on Organization, to continuously improve quality and efficiency of delivery of products and services. Our review included an evaluation of the Library’s plan for managing its IT infrastructure investments. The Library’s Inspector General set forth our primary objectives, which included: 1. Assessing the manner and degree to which the OSI Strategic Plan addresses pertinent recommendations of the LC21 report. The primary sub?objectives were: ? Determining which LC21 Report recommendations are still relevant to LC needs and if any relevant recommendations were excluded as well as the rationale for exclusion. ? Determining which LC21 report recommendations were incorporated into the OSI Strategic Plan, and to what degree they were included and/or modified. 2. Assessing the adequacy of the OSI Strategic Plan in supporting and implementing the LC Strategic Plan. The primary sub?objectives were: ? Determining if the OSI Strategic Plan adequately addresses the implementation of current LC IT infrastructure needs; and ? Determining if the OSI Strategic Plan adequately addresses the identification and satisfaction of future Library IT infrastructure requirements. 3. Determining the validity and integrity of the OSI Strategic Plan. The primary sub?objectives were: ? Determining if the elements of the OSI Strategic Plan support those of the LC Strategic Plan relative to IT infrastructure; ? Determining if the OSI Strategic Plan was coordinated with other impacted LC Service Units; ? Determining if the OSI Strategic Plan was based on valid data and assumptions; and ? Determining if the OSI Strategic Plan conclusions were rationally consistent with the data and assumptions. 4. Determining the appropriateness and effectiveness of the ITS organizational structure and placement. The primary sub?objectives were: ? Determining if ITS organizational placement is conducive to meeting the requirements of the OSI Strategic Plan and the LC Strategic Plan;
4
? ? ?
Determining if the ITS internal structure and placement is in keeping with government best practices; Determining the nature and extent of any possible functional overlap with other Library Service/Support Units; and Determining the impact of functional overlap on Library strategic planning and implementation of the LC Strategic Plan.
The scope of our review included evaluating activities associated with short and long?term planning for technology; Enterprise Architecture; architectural development, system development and IT investments; and the organization and management of ITS. We conducted our fieldwork from October to December 2008. We verified our interview records and obtained clarification on Library standards, processes, and documentation from December 2008 to January 2009. During the report writing phase in February 2009, there was further verification of feedback received from OSI. Specific steps included:
? ? ?
? ? ? ? ? ? ?
Interviewing appropriate Library staff about the continuing relevance of each LC21 report recommendation to the Library’s current and future programs and analyzing the results of interviews; Reviewing LC21 report recommendations and the elements of the OSI Strategic Plan, and comparing the two documents for conformance and sufficiency; Interviewing appropriate staff in LC Service Units concerning the adequacy of current LC IT infrastructure and OSI’s coordination of the planning effort to meet current needs. Validating interview results with LC technical staff and, as appropriate, validating through other LC officials; Interviewing appropriate staff in LC Service Units about the planning process for determining future requirements and identifying anticipated technologies necessary to meet future needs or if current technology can meet needs; Validating interview results with LC technical staff and, as appropriate, validating through other LC officials; Comparing the OSI Strategic Plan with strategic plans of other agencies. Assessing whether its method and approach is effective in accomplishing implementation of IT infrastructure goals; Reviewing the elements of the OSI Strategic Plan for consistency with those of the LC Strategic Plan and identifying sufficiency, inconsistencies, and agreements; Comparing the plans to assess the degree to which the elements of the OSI Strategic Plan fit in with the LC Strategic Plan; Interviewing OSI staff and other LC Service/Support Unit staff affected by the OSI Strategic Plan about the coordination of all LC strategic planning and analyzing interview results; Interviewing OSI staff that developed the OSI Strategic Plan about the plan’s rationale, including the appropriateness and factual nature of the data. In addition, discussing the identification and basis for any assumptions and conclusions reached. Assessing interview results and, as appropriate, validating through other LC officials; 5
? ? ? ? ?
Comparing data and assumptions used in formulating the OSI Strategic Plan with its conclusions and assessing for consistency and sufficiency; Interviewing appropriate staff about ITS efforts to meet IT infrastructure needs, comparing with related information gathered in previous LC interviews, and analyzing results; Researching/interviewing with other federal agencies and the IT community for best practices in terms of IT Unit placement and structure; Analyzing LC documents assigning functions to LC components. Validating actual functions through interviews with appropriate LC staff; and Interviewing appropriate LC staff concerning the impact of possible overlap on both LC strategic planning and LC support of implementation of the LC Strategic Plan.
We evaluated Library written procedures and actual practices against criteria documented in Library of Congress regulations (LCR), Government Accountability Office (GAO) guidance, and industry standards and best practices maintained by the Information System Audit and Control Association (ISACA). Specific Library and industry criteria used to evaluate evidence included: ? LC Strategic Plan FY 20082013; ? OSI Strategic Plan FY 20082013; ? LC21: A Digital Strategy for the Library of Congress; ? Draft Library of Congress Digital Strategy dated February 2009; ? LCR 2111, Organization of the Office of the Librarian of Congress; ? OSI Proposed Reorganization Packet dated January 2009; ? LCR 2201: Functions and Organization of the Office of Strategic Initiatives; ? LCR 2122: Functions and Organization of Information Technology Services, Office of the Librarian; ? LCR 213: Functions and Organization of Library Services; ? LCR 2151, Functions and Organization of the Copyright Office; ? LCR 2161, Functions and Organization of the Law Library of Congress; ? LCR 217, Functions and Organization of the Congressional Research Service; ? LCR 1510: Financial Management; ? LCR 1511: Planning, Budgeting, and Program Performance Assessment; and ? Control Objectives for Information and Related Technology (COBIT) 4.1 by the IT Governance Institute.
6
FINDING 1 – STRATEGIC PLANNING PROCESS
We found that the strategic planning process is not a unifying force at the Library of Congress and not incorporated into the organization’s culture. Specifically, we found that: 1. The Library’s Strategic Planning process was not inclusive of all internal stakeholders; 2. The Library’s IT Strategic Plan does not align well with the Library’s Strategic Plan; and 3. The Library’s digitization efforts are scattered and lacking in specific focus. The Strategic Planning Office (SPO), located in the Office of the Chief Financial Officer (OCFO), maintains the Library’s Strategic Plan, from which the IT Strategic Plan should flow. A key component of any strategic plan is its ability to track accomplishments against predefined goals and objectives using various metrics. Although the SPO has implemented a system to track performance against the strategic plans, the development of a Service Unit/Support Unit strategic plan is a “voluntary process.”1 The “Management Review of the Library of Congress” Final Report (Booz Allen & Hamilton), May 7, 1996 found that, “[a]lthough ITS has a Strategic Plan, it does not include a vision for the future that includes IT as an enabler of the Library's mission, an integrated IRM (Information Resource Management) architecture, or performance improvement objectives that are measurable and linked to mission performance. The Library lacks a clear technology vision to support processes within the Library and the creation of networks of institutions that enable the world's knowledge resources to be shared.” Since this report was published, the Library has made strides in technology; however, its planning process still lacks integration with architecture and with performance improvement objectives. The current trend in developing strategic plans is to involve all employees in planning, making them accountable for goals and associated results. As one writer states, “tructuring the strategic planning process to involve frontline staff establishes a holistic framework that encompasses and engages the whole organization rather than just upper management. It will also help develop an engaged process in which upper and lower levels of the organization are aligned to collaborate in the development of a strategic plan and direction. The end result is a stronger alignment between strategic planning and execution, which leads to greater organizational performance and capacity.”2
1 LCR 1511 Planning, Budgeting, and Program Performance Assessment Section 2.A.4. states “Service and Support Units may develop individual organizational strategic plans.” 2 Thomas Plant, Public Sector Strategic Planning: An Emergent Approach, Performance Improvement, 45.5: 5?6. ABI/INFORM Global, ProQuest, (2006).
7
We do not agree with the decision of the Library’s leadership to make strategic planning a management?only activity. We suggest that the Library allow line employees to actively participate in the strategic planning process. The Library Strategic Plan should be part of line employee as well as management training programs. Execution of strategic planning objectives should be tied to line employee performance plans. There is evidence of an effort to link strategic planning objectives through the annual planning process, but the implementation is uneven throughout the Library. We acknowledge there is currently an effort through the Workforce Performance Management Initiative to improve this across the Library, but this effort is not fully realized. Although the Service and Support Units are not required to develop a strategic plan, they must identify program activities for Annual Program Performance Plans (AP3s) and ensure that an Internal Control Program (ICP) is in place. The automated planning system used for AP3s does allow organizations to include their strategic plans, but there is no way to enforce a linkage to their strategic plan or the Library’s plan. The entire system is based on self?assessment by the Service/Support Units and has automated a paper process. To make the AP3 and the ICP processes truly effective, the SPO or other area of the Office of the Librarian must be resourced to perform an evaluation function, a best practice in other federal agencies. Lack of Buyin to Library’s Strategic Plan Below the Senior Management Level In interviewing Library staff, we found that most felt they had not been active participants in the development of the Library’s Strategic Plan or in the IT Strategic Plan. Those interviewees who previously worked at other federal agencies felt that the Library’s processes for IT strategic planning were “immature” by comparison. Since the strategic planning process at the Library is a management?only activity, those employees below the senior management level lacked an understanding of the objectives of the Library Strategic Plan to make it actionable and relevant to their responsibilities. The LC strategic planning process included 51 senior managers and subject matter experts. Each Service and Support Unit had a working group made up of managers to develop recommendations for the Library Strategic Plan. The only exposure that line employees had to the plan before it became final consisted of Gazette articles, an employee Town Hall meeting, information meetings held at different sites to provide awareness of the plan, and a month?long opportunity to review and comment on the draft plan online. SPO received feedback from only 37 out of 4200 employees and incorporated appropriate feedback into the final version of the Library Strategic Plan. All these activities do not equate to active participation. Line employees need to participate in the strategic planning process from start to finish. Several line employees said that there was too much of an emphasis in the LC Strategic Plan and the OSI Strategic Plan on external factors such as the World Digital Library (WDL) and NDIIPP rather than internal Library infrastructure. 8
Misaligned Strategic Plans and Ineffective Planning Process We were unable to directly link the IT components of the OSI FY 08?13 Strategic Plan back to those found in the corresponding Library strategic plan. Before the Library began its efforts for the LC FY 08?13 Strategic Plan, OSI had nearly completed the development of its own FY 08?13 strategic plan. Since the OSI strategic plan was published after the Library’s strategic plan, it is not known why adjustments were not made so that the proper linkages were in place. The strategic goals for the Library and OSI do not align. Furthermore, the performance indicators and representative measures between the Library of Congress Strategic Plan, OSI Strategic Plan, and the OSI AP3 do not align. For example, in the Library’s Plan, the organization goals contain measures of IT efficiency: ? user satisfaction with computer workstations, computer servers, hardware and software; ? time allotted to install computer workstations; technical support provided; and ? IT user training. However, these performance measures were not carried forward to the OSI Strategic Plan. Instead, OSI put forth a different set of goals, objectives, and measures, and used a different methodology for the development of the Plan. Their strategies included: ? secured, available, and scalable technology infrastructure; ? defined Library of Congress technical infrastructure for shared tools and services among networked entities; and ? defined future institution?wide architecture and support for a national networked digital information architectural framework, specialized institutional digital media repository services, and preserved authentic digital content over time. Despite developing a separate OSI Strategic Plan, IT objectives were not communicated across the Library and there was not a clear sense of vision and purpose for IT. In speaking with interviewees, most felt there was no visibility into IT priorities. In the past, ITS has developed a strategic plan separate from OSI. It is not clear why they stopped this practice. OSI has done an excellent job of tracking future library trends, but it is not clear how these trends will result in new technology for the Library or how emerging best practices will be leveraged for internal Library programs. 9
The Library Does Not Have a Focused Digitization Vision The responsibility for strategic planning is subject to confusion because an October 3, 2000 “special announcement” assigned the CIO overall responsibility for strategic planning. However, an October 30, 2002 memorandum delegated responsibility for strategic planning to the CFO. The current LCR, Functions and Organizations of the Office of Strategic Initiatives assigns OSI the responsibility for “digital strategic planning.” This regulation does not include a definition of “digital strategic planning” and may be subject to interpretation. Further, the memorandum dated January 14, 2003 titled Coordination of the Library’s Digital Initiatives assigns the CIO with broad management responsibility for transforming the Library; leaving the management control framework for digital migration open to interpretation. At that time, the Digital Executive Oversight Group (DEOG) was established, composed of Service Unit heads, to serve as the internal means for vetting, justifying, and allocating resources for the Library’s digital programs and IT initiatives. Since then, the Digital Library Content Group (DLCG) has been created to coordinate and prioritize from an institutional perspective digital content projects and initiatives that result in materials presented to the public. It is unclear how the DLCG ties back to the DEOG. Notably, despite many successes, the strategy for “digitizing” the Library collections seems to lack an overall Library vision. OSI sees itself as an extension of the Librarian’s Office. Indeed OSI and the other Service Units appear to be following different paths. A prime example of this problem is the Sloan Foundation Project, in which OSI and Library Services (LS) disagreed on what to digitize and whether to accept funding for the project. In the end, and although OSI is technically charged with leading the Library’s digital strategy, LS embarked on a project funded by the Sloan Foundation to digitize collections LS felt were critical. To address a recent GAO review, which stated “The Library’s strategic plan does not clearly align the organization’s activities and resources to address digitization,”3 the Library drafted the Library of Congress Digital Strategy dated February 4, 2009. While the new digital strategy does attempt to address the different goals of each Service Unit, it is a recent document and does not currently reflect the reality on the ground. It does not address GAO’s recommendation to “articulate the roles and responsibilities of all relevant service units and offices in developing and executing the strategy. Some examples of the digital strategy paths that the Service Units are taking follow: ? Library Services (LS) is interested in digitizing its General Collections prior to the 1923 Copyright restriction, obtaining digital deposits from the Copyright system, and making arrangements with publishers to provide access to the
3 GAO Review, Objective 1: Library of Congress Collections Management, Opportunities to Improve
Effectiveness through Digitization, September 2008 (Draft).
10
?
?
?
The LC21 committee recommended the creation of an external technical advisory board to advise the Executive Committee on the development and directions in IT relevant to the Library and offer advice on initiatives and enterprises with the IT vision, strategy, and research program (ITVSRP). In September 2008, OSI convened a special conference entitled “Technology Trends & the Library of the Future.” During the conference, OSI representatives met with a panel of technical experts and Library of Congress consultants “to examine driving Social, Economic, Legal, Political and Technology Trends; identify how these trends might affect future scenarios; and form the basis for a Visionary Statement for the Library of Congress of the Future.” The experts were asked to become a part of the OSI Technical Advisory Board and a subset of this board would provide guidance and oversight in prototyping efforts. However, the rest of the Library was not involved in this conference. We did not find evidence of how this committee’s recommendations translate into actionable requirements for the Library. In the meantime, LS representatives have sought out amazon.com representatives for technical guidance and are forming scanning and hosting contracts with the Internet Archive to provide public access to their general collections. Other areas of the Library have inquired into using the Internet Archive contracts. Since we began our review, the Librarian formed a Library?wide committee called the Committee on Strategic Direction (COSD), which first convened in late January 2009. The COSD “seeks to promote synergies; and it will produce a single document that will enable the Library to speak with one voice to the Congress and to all other audiences about the strategic direction of the Library as a whole for the medium? 11
public on digital material. They are currently digitizing the talking books and the audio?visual collections. The Law Library (LL) is interested in using technology to exchange revised legal information nationally and internationally and digitizing its rare book collection, collecting legal blogs, the permanent Congressional Record, and collecting Supreme Court nomination information to support Congress and the legal community. The Congressional Research Service (CRS) wants to preserve CRS main files, research legacy files, and born?digital files to support congressional requests on recurring legislative issues. Additionally, CRS is adding born?digital congressional memoranda to its digital collections. It has digitized published CRS writings, non?distributable CRS publications, and a large collection of CRS research for specific hearings. CRS has a Web?harvesting project for legislative analysis and for archival purposes and has submitted a request to digitize the US Serials Set, 1970?1995. The Copyright Office (COP) is interested in digitizing 70 million hardcopy records and interfacing with LS to provide mandatory digital deposits. COP would like to implement a system to transfer files to LS while at the same time preserve the Copyright Office's eCo system security and the digital file's data integrity.
term future.” The Librarian outlined seven goals to serve as a guide to the COSD in their efforts to define the Library’s strategic direction for the remainder of the current Strategic Plan and beyond. We have received clarification from the Office of the Librarian that the COSD was developed as a think tank and the end product will contain statements of success that could be included in future Librarian Guidance and may serve as an amendment to the Library’s Strategic Plan. Because it is a legislative branch agency, the Library does not fall under the Government Performance and Results Act (GPRA) or other guidance governing IT planning and spending. However, at a 2007 budget hearing, the Librarian stated that the Library would use a process similar to GPRA for strategic planning. Although GPRA was established in 1993, it remains the foundation for most federal IT planning guidance. For this review, GPRA and other Office of Management and Budget (OMB) guidance are considered best practices. OMB Circular 211, Part 6, 210?220, states that, “[a]n agency's strategic plan keys on those programs and activities that carry out the agency's mission. Strategic plans will provide the overarching framework for an agency's performance budget. Revisions of a strategic plan will focus on developing a performance budget, updating performance measures and targets, and implementing follow?up actions to PART (Program Assessment Rating Tool) assessments. Strategic plans should guide the formulation and execution of the budget. A strategic plan is a tool to be used in setting priorities and allocating resources consistent with these priorities. A strategic plan is not a budget request; the projected levels of goal achievement must be commensurate with anticipated resource levels.” Although the Library is not required to follow OMB guidance, we believe that it is essential that the Library look at strategic planning in this best?practice context. Currently, the linkage between Library of Congress strategic plan strategies and the performance indicators of the OSI strategic plan do not align. We believe that the Library must map out these relationships and develop a plan to resolve these issues. The lack of a clear connection between IT Strategic Plans and agency mission and goals prevents a clear plan from emerging. All strategic plans should address the Library’s mission and should directly speak to the goals and objectives addressed in the plan. Currently, the Library’s plan is not strong in addressing IT as an enabler across all areas of the Library. The lack of linkage and clarity in the process prevents the strategic planning effort from being a unifying force. The lack of a unified policy for digitization has resulted in scattered, sometimes conflicting, efforts by various Service Units to digitize portions of their collections they believe most important. This has resulted in multiple digitized collections, spanning multiple Library web sites, with no common search and access tools and no comprehensive index or inventory. We applaud the Librarian’s vision to create a strategic transformational guide, as it evidences recognition of the need for change in the Library's strategic direction. We hope the COSD will cohesively link the Service and Support Unit strategic plans into the Library’s plan. To successfully 12
move the Library forward as a total institution with one voice, the guide should not contain only statements of success and recommendations. It should contain a plan of execution with implementable details with buy?in from the Service/Support Units.
RECOMMENDATIONS
To ensure strategic planning for IT is a unifying force at the Library, IT planning must link directly and have a forward?looking view. To accomplish this, the Library should:
A. Create a process to ensure that organizational strategic plans align with its strategic plan; specifically, the IT Strategic Plan should align directly with, flow from, and include the same goals as the Library’s Strategic Plan;
Management Response: Management agreed with our recommendation. The development of a unified policy on digitization will be initiated.
B. Involve line employees in the strategic planning process by having them participate in Service Unit and Support working groups to develop recommendations for the Library’s Strategic Plan;
Management Response: Management agreed with our recommendation. The Library will continue efforts to increase employee participation in the strategic planning process. C. Ensure that all initiatives concerning future library technology are shared Library?wide; Management Response: Management agreed with our recommendation. D. Produce a transformational guide that contains a plan of execution to ensure that the Library moves forward as a total institution with one voice; and Management Response: Management partially agreed with our recommendation but was unsure as to its content. ATech Response: The guide needs to be a plan that includes clear, executable steps that will accomplish the required transformation. E. Form a cohesive, integrated, and centrally managed LC Digital Strategy Plan with all the roles and responsibilities of all relevant Service and Support Units clearly defined. Management Response: The Library agreed with our recommendation but disagreed with the specific terminology we used. The intent of our recommendation remains the same, regardless of nomenclature.
13
FINDING 2 – IT INVESTMENT PROCESS
We found that the IT investment process at the Library is not linked to its strategic plan.
1. The Library’s IT planning is not linked to an investment process. 2. There is duplication of costs. 3. There is no consistent Cost?benefit Analysis (Analysis of Alternatives) done by ITS. 4. The Library does not transparently track IT costs.
The LC21 report specifically proposed the formation of an IT vision, strategy, research, and planning (ITVSRP) group to lead the Library, national libraries, and world libraries into the Digital Age. The ITVSRP would be an ongoing working group of leaders from across the Library and this group would approve all significant technology investments. We found no evidence of such a group. The Digital Executive Oversight Group (DEOG), Digital Library Content Group (DLCG), the Internet Operations Group (IOG), a Metadata Group, and an ITS Configuration Control Board (CCB) are all the Library’s attempts to fulfill the role of an ITVSRP in a fragmented manner, however, these groups do not perform the role of an investment approval function, either individually or collectively.
The Library has chosen to address the recommendation to approve IT investments mainly via the Management Decision Package (MDEP). According to Library of Congress Regulation (LCR) 1510 ? Financial Management, this is “the tool that Service/Support Units use in submitting their budget requests to OCFO and Library Management. The MDEP provides the detail that is necessary to make sound management decisions and/or to address Congressional mandates in the House and Senate reports. The MDEP includes the details of needed resources, a narrative justification, and impact statements.” The Executive Committee reviews all MDEP budget requests and as of FY 2009, all IT?related MDEPs are reviewed by ITS for impact on the Library’s IT infrastructure.
No Comprehensive Library Strategy for IT investments Despite the MDEP process, we concluded that there is not an overall Library strategy for prioritizing and budgeting for IT investments to include new projects, replacement of existing systems, hardware, software, and services support. The documents that we received for review were incomplete and did not present evidence of a systematic IT Investment Process. The FY 2010 Budget for the Library includes a technology focus, but mainly addresses a refresh of the technology infrastructure, as opposed to presenting a long?term strategic statement. There is a perception within the Library that project funding is dependent on the relationships established with OSI/ITS management. It is significant to note that whether true or not, the widely held perception that OSI receives priority in IT
14
issues affects the behavior of other Service/Support units. For example, there is a clear linkage between the proliferation of IT support organizations throughout the Library and this perception: due to the expectation that their service requests will receive lower priority than OSI’s, other Library entities attempt to compensate by creating their own support frameworks. We found no evidence of a prioritized “portfolio” of IT investments, where spending decisions were regarded as a whole and were weighted against criteria for meeting mission performance. We found examples of an Investment Portfolio and a Technology Roadmap for specialized OSI programs such as NDIIPP, but this is not carried forward across the Library. In September 2008, OSI published a “Plan for Cyclical Investments in Technical Infrastructure FY 2010?2014.” Although this document represents a good start for developing an overall Library technology vision, it does not encompass major systems such as financial, budgetary, facilities support, or any systems that would support the Library’s overall business areas in the future. It mainly addressed the technical infrastructure for digital collections. We recognize that the Library is not required to produce Exhibit 300 documentation, which supports the budget justification and reporting requirements for major IT investments as required by OMB Circular No. A?11 Part 7, Section 300: Planning, Budgeting, Acquisition, and Management of Capital Assets. However, to create a comprehensive strategy for IT investments, this plan should contain details sufficient for implementation for major Library systems. Exhibit 300 represents a best practice example.
No Coordination of IT Costs across Library Although the Service/Support Units recognize a need for IT Security, they are frustrated about their inability to project adequate funding to support “unfunded mandates” such as Certification and Accreditation (C&A) requirements. When the IT Security Program was first established, ITS received Congressional funding to certify and accredit the Library’s mission?critical legacy systems. There is, however, no continuing funding for ongoing support of C&A requirements. Since the implementation of the Library’s C&A program, system owners have incurred substantial annual IT Security and mitigation costs. Service/Support Units bear the financial responsibility for C&As of systems developed since 2004. The Information Technology Security Group (ITSG) contractor estimated that C&As would cost the Library approximately $270K a year. The ITSG Chief maintains that a risk assessment can be completed within two weeks and estimated an average cost of $15?20K per system. System owners are reporting higher actual costs. The National Library Service for the Blind and Physically Handicapped (NLSBPH or NLS) has tracked its IT Security costs (actual and projected) for 2006?2009, and reported a total cost close to $1 million (See Appendix D for more details). Service/Support Units have been advised to use their own IT funding to obtain C&A contractor support. While there is no centralized funding for C&As, the ITSG Chief has provided, on a discretionary basis, ITS?funded contractor resources to Library offices.
15
In addition to the costs incurred for “unfunded mandates”, we found numerous areas where there were overlaps in support services and systems. For example, LS, COP, CRS, and LL all maintain their own fully staffed technology offices. These offices include a Help Desk, utilizing their own staff and/or contractors. Sometimes they use a separate Help Desk system rather than the ITS customized Remedy Help Desk system. Other offices in the Library each have at least one IT Liaison or a small IT staff that serves as a first line Help Desk. Even the Office of the Librarian has its own IT staff. All Service/Support Units independently obtain some level of IT contractor support. End users contact their own Help Desk or IT Liaison who attempts to address problems with their own resources and contacts the ITS Help Desk for issues crossing office boundaries. The Library staff does not feel that there is a clear distinction between what ITS funding provides and what the Service/Support Units must provide out of their funding. The Library staff reported that the information they found on the ITS Intranet Site regarding IT Security Directives, the SDLC process, and products ITS supported and provided often differed from the information they received in written and verbal communications. For example, inconsistent documentation has led some offices to repeat C&As multiple times. There is an unusually large number of IT positions at the Library beyond the positions in OSI/ITS. The Service/Support Units are funding their own positions to supplement insufficient IT support. To assess this, we extracted the 2210 occupational series, which is traditionally pure IT support rather than an analyst position. “This series covers two?grade interval administrative positions that manage, supervise, lead, administer, develop, deliver, and support information technology (IT) systems and services. This series covers only those positions for which the paramount requirement is knowledge of IT principles, concepts, and methods; e.g., data storage, software applications, and networking.” Please refer to http://www.opm.gov/oca/compmemo/2001/2001?05A.pdf for more information. OSI has 228 2210?series positions, costing $25,589,654 annually. This does not include those in other computer support positions, those performing these tasks in other service units, or IT contractor support. OSI augments its staff with over 50 contractors and others are brought in on a project?by?project basis. Table 1 shows the number of 2210 series employees outside of OSI. In all, outside the framework of the ITS help desk, the Library employs about 360 IT support staff at a cost of $38 million. 16
Table 1 NonOSI 2210 Series Employee Information
OFFICE Copyright CRS Law Library Library Services All Other Total 2210 Salaries NUMBER OF 2210 SERIES EMPLOYEES 19 35 9 48 20 131 EST TOTAL (SALARIES ONLY) $ 1,811,528 2,522,007 915,975 5,255,587 2,070,647 $12,575,744
Inconsistent CostBenefit Analyses
A well?planned, rational acquisition decision requires a cost?benefit analysis. Acquisitions can have many options; for example, for hardware, there are multiple makers of equipment and multiple vendors. In addition, there are multiple possible equipment configurations, and finally, there is the option to remain with a legacy system. A cost?benefit analysis is intended to explore which option is most cost? beneficial long?term by projecting the costs and benefits for each possible option, or at least for the most likely or desirable options. We did not see consistent evidence of cost?benefit analyses for the acquisition or in? house development of IT systems. Market surveys are used often as rationale to not conduct cost?benefit analyses and to justify making the decision to develop in?house or contract out for system development. For example, the LC Accreditation Tool Package, was internally developed to assist systems owners to complete required documents for C&A of systems. The ITSG Chief says he conducted a market survey and no products met the Library's requirements, so he did not perform a cost? benefit analysis. ITS did not search for a COTS product when the staff decided to develop an Archive Interface Utility (AIU) for the National Audio?Visual Conservation Center (NAVCC). The AIU transfers, verifies, and copies files from the production environment to the NAVCC Archive Storage area. The development of AIU started in late 2005 and was first released in October 2007. ITS moved this system into production without full acceptance testing from the system owner. The system owner experienced ongoing performance and functionality problems with the AIU throughout FY 2008 before he replaced the AIU with a modified open source COTS product. The system owner asked LS contractors to implement the Storage and Archive Manager – Quick File System (SAM?QFS) solution. LS contractors spent two weeks testing and two weeks to implement the SAM?QFS solution as a replacement at a fraction of the cost of the abandoned AIU. 17
FEDLINK has searched for a replacement for its financial system for over 10 years and spent $500K in an effort with ITS and contractors to implement Momentum without conducting a cost?benefit analysis before giving up. A cost?benefit analysis may have identified lower cost COTS options. Given the post?implementation Momentum problems experienced by OCFO, the Library should also have conducted a risk analysis prior to starting implementation efforts. Now the FEDLINK staff is working with ITS to develop a customized system. ITS is in the process of analyzing 400 pages of requirements for a system design. Lack of Transparency in Tracking IT Costs When requesting budget and spending information concerning IT spending across the Library, we found that as with many other government accounting systems, IT expenses cannot be accurately retrieved from the Momentum system. These costs are combined within object classes for equipment services and maintenance. We reviewed the FY 09 Library budget justification as well as proposed FY 09 IT budgets from the Service/Support Units. We included salaries for government IT staff without benefits or other compensation. We determined that the ITS proposed budget for FY 09 is $51,987,000 (with contractor support) and the rest of the OSI’s proposed budget is $34,304,000, which funds a combination of program and support functions. The rest of the Library will augment the centralized IT support with approximately $35,012,867 of decentralized IT Support. The IT support costs reviewed included IT government salaries, IT contractor support, vendor support, hardware, software, and IT training (See Appendix C for more details on the proposed FY 09 IT budgets). In conducting interviews with Library staff below the senior management level, we found that most were unfamiliar or confused with the process for requesting small or unexpected IT services. OSI maintains a PC Store with standard, approved hardware and an inventory of approved software licenses. Once the PC Store or software budgets are depleted or if there are variations on a supported service/product, Service/Supports Units are expected to fund these purchases out of their budgets. We found a number of problems with this approach. First, we found that these IT expenses were often tracked as office equipment or supplies. We discovered there was no way to track these IT expenses in the Library once they were integrated into a unit’s budget. Secondly, when Service/Support Units make individual purchases instead of going through a Library?wide negotiated contract, the Library does not benefit from economies of scale. Another problem with this approach is that these offices might be unfamiliar with the IT products they are purchasing and run the risk of purchasing the wrong product, from the wrong vendor. For example, a Service Unit recently purchased platinum support for its servers when a lower?priced level of support would have met its requirements. In addition, the life cycle costs of the products may not have been considered. Although the Library’s overall IT budget appears to be similar or lower than other federal agencies of similar size and mission, the IT needs of the Library are not 18
complex. However, with the lack of an investment process and coordinated strategy, much of the funding spent on IT is going towards uncoordinated and duplicative efforts relating to Help Desk support, software, hardware, IT contractor support, vendor support, and training. Investment decisions in IT made without doing a cost?benefit analysis often lead to unsound decisions, as discussed earlier in the NAVCC and the FEDLINK cases. The Library as part of the legislative branch is not obligated to follow a Capital Planning and Investment Control (CPIC) process. However as one author stated, “[a]lthough compliance with federal laws and regulations is important, the more compelling reason for taking IT capital planning seriously is that an effective process can significantly increase IT return on investment. Given the fiscal constraints within which most federal programs must operate, the potential to achieve dramatic improvements in program effectiveness and efficiency through the innovative use of IT should rank at the top of any managers list of priorities.”4 A Library employee with prior IT capital planning experience at the Treasury Department stated that the investment process for IT was at Stage 1, possibly Stage 2 of the Information Technology Infrastructure Management (ITIM) Model (defined in Table 2). We agreed with the employee that the Library is at Stage 1 of maturity. As defined by Stage 1 of the ITIM, “there is generally little relationship between the success or failure of one project and the success or failure of another project. If an IT project succeeds and is seen as a good investment, it is largely due to exceptional actions on the part of the project team, and thus its success might be difficult to repeat. Investment processes that are important for success may be known, but only to isolated teams; this process knowledge is not widely shared or institutionalized. Most organizations with Stage 1 maturity have some type of project selection process in place as part of their annual budgeting activity. However, the selection process is frequently rudimentary, poorly documented, and inconsistently applied.” The Library should be focusing on obtaining at least a stage 2 maturity and should project the goal of reaching Stage 3 in the next few years. Stage 2 involves “Building the Investment Foundation: developing project selection criteria, benefit and risk criteria, and an awareness of organizational priorities." Stage 3 involves developing a complete investment portfolio.
4
Thomas G. Kessler, Patricia A. Kelley, Federal IT Capital Planning and Investment Control. Public Manager, 37 (4), 56?60, 2008.
19
Table 2 ITIM Stages of Maturity
Another area that may serve to save costs is to require that an evaluation of alternatives be conducted for system purchases. According to OMB guidance, “Evaluation of Alternatives: Analyses should also consider alternative means of achieving program objectives by examining different program scales, different methods of provision, and different degrees of government involvement. For example, in evaluating a decision to acquire a capital asset, the analysis should generally consider: (i) doing nothing; (ii) direct purchase; (iii) upgrading, renovating, sharing, or converting existing government property; or (iv) leasing or contracting for services.” One possible opportunity for an evaluation of alternatives is to assess the costs of digitizing special collections versus the cost of systematically digitizing the entire collection of books (for now excluding those subject to copyright protection).
RECOMMENDATIONS
Strategic Planning should be linked to the IT investment process at the Library, to eliminate the duplication of efforts and acquisitions. To that end: A. ITS should inventory and prioritize all existing systems that require upgrade and new IT projects to create an IT portfolio. Ideally, this should also include smaller systems and purchases that fall below the capital threshold. Management Response: Management agreed with our recommendation.
20
B. The Library should develop a plan to review and eliminate duplicative costs including Help Desks, technical liaisons in Service Units, and coordinate purchases. Management Response: Management agreed with our recommendation. The Library’s CFO will develop a plan to identify any duplicative costs in these areas.
ATech Comments: We did not imply that these duplicative costs arose from the perception that OSI receives a disproportionate share of ITS resources.
We wish to reiterate the intent of our recommendation, which was not to identify specific and exact duplication of IT costs, but instead to identify where Library Service and Support Units have created fully functional IT support organizations, and evaluate the possibility of significantly reducing these costs by consolidating IT support within ITS and adopting our recommendation to implement service level agreements for IT support.
C. All IT costs including computer security should be accounted for as part of the IT budgetary process.
Management Response: Management was unclear about this recommendation. ATech Comment: All IT costs should be accounted for and funded Library?wide rather than pushed down to Service and Support Unit budgets. D. The Library should develop a Cost?benefit Analysis (Analysis of Alternatives) Process for all IT investments and include risk criteria.
Management Response: Management partially agreed. This process should be applicable to new expenditures exceeding $100,000 for systems, not including upgrades, etc.
ATech Comment: We concur with the $100,000 threshold. However, some upgrades should be subject to cost?benefit analysis because a replacement or a delay in the upgrade may be the better option. In addition, lifecycle costs must be considered for all acquisitions, because those can frequently increase costs beyond the stated threshold. E. The Library should develop a methodology to maintain and track all Library IT expenses.
Management Response: Management agreed with our recommendation. The Library CFO will recommend a procedure for tracking IT expenses across appropriations. F. The Library should review and plan for moving forward through the stages of the ITIM.
Management Response: Management agreed with our recommendation. 21
FINDING 3 – ORGANIZATIONAL STRUCTURE
The organizational structure of the ITS Directorate at the Library does not foster strategic planning and proper IT governance. 1. OSI combines both IT support and other programmatic functions. 2. There is no centralized IT governance mechanism. According to LCR 220?1: Functions and Organization of the Office of Strategic Initiatives, “The OSI mission is to support the Library of Congress’ vision and strategy by directing the digital strategic planning for the Library, overseeing the Library’s institution?wide digital initiatives, and leading the national program to build the required preservation network and infrastructure for the nation’s cultural digital assets. The OSI, through its Information Technology Services function, also ensures the effective delivery of information technology resources and services in support of the Library’s mission, functions, and activities… ” LCR 220?1 also states that one of OSI’s functions is to “Manage the Library’s programs, budgets, and allocation of resources for the Digital Futures Program (domestic and international content – including American Memory, technical infrastructures and electronic outreach services), the National Digital Information Infrastructure and Preservation Program (NDIIPP), the Information Technology Services (ITS) functions, and the OSI.” OSI is also responsible for the Teaching with Primary Sources Program (TPS). OSI Is Not Optimally Structured OSI is unique among the federal agencies that we researched in that along with the CIO function, it includes a major programmatic function. When interviewing many OSI (non?ITS) staff, with a few exceptions it was evident that their focus was programmatic (such as NDIIPP and TPS) rather than supporting the Library as a whole. The traditional CIO responsibilities are taken on by ITS, organizationally placed within OSI with no direct representation on the Executive Committee (representation was recommended by the LC21 report). ITS was originally an Enabling Infrastructure (Support Unit) reporting directly to the Deputy Librarian. In FY 2002, however, ITS was folded into the newly created OSI, and the position of Director of ITS lost its “CIO” designation. The head of OSI, the Associate Librarian for Strategic Initiatives was named the CIO, and the director of ITS was placed below the CIO level. The CIO’s focus has primarily been on external programs such as NDIIPP and TPS, rather than on pursuing a strategic plan and vision for ITS. Although the ALSI has a track record of highly successful program implementations, organizational structures should be based on function and purpose and not individuals.
22
Further, because ITS is a second–level organization, it does not have the mandate or authority to enforce proper Library?wide IT governance, thus resulting in a series of optional IT security measures. As the Library begins to build an Enterprise Architecture (EA), this problem will repeat itself, as ITS will not have the authority to enforce Library?wide compliance with standards and EA governance principles. OSI has proposed a reorganization in which ITS will report not to the ALSI but to the Deputy ALSI. From a Library?wide perspective, this change has no effect on the chain of command. Significantly, the IT Security Group (ITSG), located in ITS, lacks meaningful enforcement authority. There are not always consequences for violations of IT security because the ITSG has only limited authority to take action or to request termination of system access when it detects security violations. Effectively, the IT security program at the Library has no teeth. It is the perception of other Service/Support Units that ITS supports OSI priorities first and others must fall in line behind them. The proposed movement of the Digital Scanning Center from ITS to OSI adds to that perception and further muddles the distinction between programmatic and support functions. Our research of CIO functions across several legislative and executive agencies revealed that the Library’s programmatic function under the CIO is unique among federal agencies. We also found in federal agencies and major universities with similar missions to the Library, the CIO of the IT organization generally reports directly to the head of the organization. In other words, the Director of ITS would traditionally be the CIO and report directly to the Librarian. We found no instances in which a CIO was in charge of both major programmatic areas and infrastructural support functions. Although the ALSI is the CIO for the Library, she is perceived by the rest of the Library as a CIO in name only. This is largely due to her focus on the major programmatic areas rather than the infrastructural IT support functions. The CIO of an agency that is listed (in section 901(b) of title 31, United States Code) shall “have information resources management duties as that official's primary duty.” The Library of Congress does not have to conform to this; however, this is a standard best practice. The CIO Council provides a wealth of information on best practices at http://www.cio.gov/index.cfm?function=documents. A 2004 GAO survey found that the majority of federal agencies complied with this requirement and the CIO reported directly to the agency head. GAO commented in one of these reports, “n addition to requiring that federal agency CIOs have many specific responsibilities, federal law also generally requires that these CIOs report directly to their agency heads. This requirement establishes an identifiable line of accountability and recognizes the importance of CIOs’ being full participants in the executive team in order to successfully carry out their responsibilities.” See http://www.gao.gov/new.items/d04823.pdf for more information. 23
A recent OMB memorandum stated, “Except where otherwise authorized by law, regulation, or other policy, the CIO has the authority to set Agency?wide IT policy, including all areas of IT governance such as an Enterprise Architecture and standards, IT capital planning and investment management, IT asset management, IT budgeting and acquisition, IT performance management, risk management, IT workforce management, IT security and operations, and information security.” See http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2009/m09?02.pdf for more information. The ALSI is not endowed by the Library with the authority to make Library?wide decisions on IT governance, IT capital planning, and IT asset management. This is evidenced by the fact that other Service and Support Units make their own IT investment decisions and, sometimes, capital planning, IT budget management, and acquisitions. In addition, although the ALSI promulgates Library?wide IT security guidance, she has limited authority to enforce security requirements on Library areas outside OSI. A CIO cannot properly lead an IT organization without full authority and responsibility for these critical elements.
RECOMMENDATIONS
The organizational structure of the ITS Directorate needs to be realigned to foster strategic planning and IT governance at the Library. To accomplish this, the Library should:
A. Separate the IT support functions from OSI and establish the Office of the Chief Information Officer (OCIO) from the ITS Directorate and other IT support functions of OSI. The CIO will report directly to the Librarian or Chief Operating Officer with duties, responsibilities, and authority consistent with best practices. Management Response: Response to our recommendation is delayed until further study. B. Endow the CIO with the authority and responsibility for overall IT Strategic Planning, IT Capital Planning, IT Asset Management, Enterprise Architecture, and to establish a Customer Advocate role to ensure accountability; and C. Endow organizational function such as IT Security with appropriate enforcement authority as well as policy responsibilities. Management Response: Management agreed “in principle” with recommendations B and C. ATech Comment: We reiterate our recommendations. Both of these are industry?standard best practices to which the Library does not subscribe.
24
FINDING 4 – ENTERPRISE ARCHITECTURE
The Library lacks an Enterprise Architecture (EA) program. We found that the Library has not yet implemented an Enterprise Architecture. At best, OSI has documented the Library’s “as?is” architecture. The Library is behind most other federal agencies in developing an Enterprise Architecture. OSI indicated that this was due to budgetary constraints. Recently, the Library embarked on an EA project. To this end, OSI has contracted with the Gartner Group for support to develop a plan for this initiative. A core team, consisting of senior OSI and ITS managers, spearheaded by the ITSG Chief, has been meeting with Gartner to develop EA documentation. The team has conducted interviews with subject matter experts made up of OSI and ITS managers as well as Service Units. OSI is also embarking on related architecture projects such as: ? ? ? ? ? Information Architecture?User Experience as?is and possibly to?be (the Contractor will be delivering a report based on user studies and Web metrics); Information Architecture Services and Tools; Web/Delivery Architecture Web 2.0 delivery mechanisms and exploring software platforms and delivery options for a complete re?architecting/re? building of the Web environment in 2010; Search and Discovery Metasearch for LC home page and search engines; Metadata Group has established a Web site to share documents, has a charter and is finishing Use Cases for metadata requirements for multiple data sources and data used. The group is investigating automated tools (primarily open source); and Digital repository requirements.
?
OSI has brought on a project coordination contractor to provide project management, logistics support, and deliverable coordination and management for architecture?related projects. However, this fragmented approach does not represent a comprehensive EA as seen in other federal agencies. EA provides a high?level snapshot of IT systems and business processes and provides a framework for making IT investment decisions. An EA is a living process, requiring continuous maintenance. EA is intended to help guide wise IT decisions that support business processes, rather than requiring business processes to fit into IT models. According to the GAO, “An EA is a systematically derived snapshot—in useful models, diagrams, and narrative—of a given entity’s operations (business and systems); including how its operations are performed, what information and technology are used to perform the operations, where the operations are performed, who performs them, and when and why they are performed. The
25
architecture describes the entity in both logical terms (e.g., interrelated functions, information needs and flows, work locations, systems, and applications) and technical terms (e.g., hardware, software, data, communications, and security). EAs provide these perspectives for both the entity’s current (or “as?is”) environment and for its target (or “to be”) environment; they also provide a high?level capital investment roadmap for moving from one environment to the other.” For more information, see http://www.gao.gov/new.items/d03959.pdf. GAO has developed an Enterprise Architecture Management Maturity Framework (EAMMF) to evaluate Federal Enterprise Architectures (FEA). According to our evaluation, the Library is at Stage 1, which indicates that it is in the process of creating EA awareness. This is because the Library has initiated “some enterprise architecture activity, but these efforts are ad hoc and unstructured, lack institutional leadership and direction, and do not provide the management foundation necessary for successful enterprise architecture development as defined in stage 2.” See http://www.gao.gov/new.items/d06831.pdf for more information. GAO, OMB guidance, and federal CIO Council reports for developing an Enterprise Architecture are found at http://www.whitehouse.gov/omb/e?gov/fea/.) Recently, OMB developed a framework for FEA entitled the Federal Segment Architecture Methodology (FSAM), a systematic process that includes best practices from across the federal EA community. There are templates available on the FSAM Web site for this process. As defined in the OMB FEA Practice Guidance, there are core mission area, business service, and enterprise service segments. Below is a chart from FSAM guidance that shows how many of these pieces may be incorporated into a viable process. See http://www.fsam.gov/index.php for more information.
26
Table 3 FSAM Guidance
Although an EA is not a panacea for all IT issues, it does help bring a holistic view to the IT endeavor. Without an EA: 1. The Library cannot adequately link IT to the mission of the Library and provide a comprehensive framework to identify how IT assets directly enable the Library’s business processes and how those processes execute the Library’s mission. 2. There could be potential for interoperability problems between systems that could impact how the Library’s systems interface with each other. 3. It is harder to respond to changes because there is not a comprehensive reference for the Library to assess the impact changes will have on each component within the Library’s Enterprise Architecture or to ensure the components continue to run smoothly through change management. 4. It is harder to design new systems and modify existing systems because there is no frame of reference. 5. The Library may see fewer opportunities for economies of scale in purchasing. 6. It is harder to implement common security standards and security architectures. 7. The Library incurs additional technical risk by not having a technology infrastructure based on industry standard solutions and on trends of the future.
27
RECOMMENDATIONS
The Library needs to implement an Enterprise Architecture that could be coupled with a strategy and provide a roadmap for implementing technology in the future. To this end, the Library should: A. Follow the FSAM templates as a model for developing the architecture segments to avoid reinventing the wheel and use federal agency best practices for EA and use mainstream tools and processes; Management Response: Management partially agreed with our recommendation. ATech Comment: We are unclear as to the “partial” nature of management’s agreement with our recommendation, which was simply to use industry?established tools and best practices. Management did not indicate with which part of the recommendation it disagreed. B. Evaluate proposed plans for the development of an EA with EAMMF to ensure that the plans are in complete alignment; Management Response: Management partially agreed: “We will use EA metrics … which can include, and may largely coincide with, the EAMMF criteria.” ATech Comment: We disagree with management’s unwillingness to use proven, published criteria for this process. The Library intends to reinvent the wheel. We disagree with this approach when there are already significant existing bodies of knowledge and experience in this subject area. The EAMMF is flexible enough to accommodate the Library’s needs without needing to be reimagined. C. Keep the process for developing an EA in line with similar agencies to avoid developing a process that is too complex or out of scope with agencies of similar size; Management Response: Management agreed with our recommendation. ATech Comment: The Library should review the EA infrastructures of agencies with similar missions and technical requirements. D. Include all EA costs in a single budget line item for the entire Library to avoid creating a burdensome or costly process for system owners; and Management Response: Management partially agreed with our
28
recommendation. OSI will track all EA Program Office costs. Other costs can be accounted for in the Library’s different appropriations, but not contained in a single budget line item. ATech Comment: We disagree with management. We reiterate our recommendation that a centrally managed and significant project such as EA must be centrally funded. E. Involve all Service and Support Unit system/business process owners. Management Response: Management agreed with our recommendation.
29
FINDING 5 – CUSTOMER SERVICE
ITS Customer service needs improvement. 1. The Library has IT customer support issues. 2. ITS does not leverage tools such as Service Level Agreements or Performance Metrics. Customer Support Issues Our review indicated that beyond long?term strategic planning issues, ITS customers were experiencing significant customer service problems. We believe that this condition is related to the lack of long?term strategic planning in that ITS does not operate on a long?term plan to monitor or improve customer service. To avoid working with ITS, Service/Support Units often purchase their own equipment and software, procure IT contractor support, develop their own systems, or outsource development/hosting, and whenever possible deploy their own software and hardware. ITS customers say that the organization does not understand their business needs and requirements and provides inadequate support. Many customers believe that the quality of service and support they receive are based on personal relationships. Some customers believe that knowing certain individuals in ITS personally is what enables them to get the job done. People who are new to the Library have trouble obtaining help or finding the right people to answer their questions. Some customers reported limited or no contact with their ITS Research & Development (R&D) liaisons and perceive it is because they lack seniority. The Help Desk is the primary channel through which customers request new software and hardware and service for existing equipment. Some issues we found include: ? Help Desk tickets are not always properly assigned to the person providing the service or ordering the equipment/software. A search in December 2008 revealed that there were 800+ tickets assigned to the Chief of End User Computing. It is unlikely the Chief would be personally providing services. ? Help Desk tickets are not consistently reassigned when ITS employees or the contractors leave the Library or are assigned to a different position. ? A search in January 2009 showed 4,079 tickets in an “Open” status, with original dates ranging from 1989 to 2008, and 137 tickets opened from 1996 to 2008 showed as being in a “Hold” status. ? Approved requests for equipment or service are not always fulfilled and the requestors often receive no explanation why. Sometimes ITS will deliver equipment long after the requestors have purchased their own
30
?
equipment. Often, customers will find a way to perform the service themselves. Sometimes ITS will implement services without the requestor's knowledge. Customers are frustrated with the high number of tickets (a minimum of five) to provide new employees with system and telecommunications access and equipment.
Users have experienced lengthy delays in the approval process for new software. Sometimes the wait time is so lengthy that a new version of the software is released before the request is approved, thereby making the original request obsolete. Sometimes, tickets are closed without resolution of the reported software deployment problem and a new ticket must be opened. The Help Desk is staffed by contractors, whose quality is inconsistent. Help Desk contractors will often install the wrong versions of software and the customers will reinstall the software themselves. Customers have reported that instead of fixing a problem, the Help Desk contractors will frequently replace hard drives or recreate customer accounts. Library customers have said that they created their own IT support organizations because ITS did not meet their needs. For example: ? CRS created a network separate from ITS and procures its own equipment and software; ? LL outsourced the Global Legal Information Network (GLIN); ? NLS purchased its own servers and maintains a separate data center. NLS performs system development, Web development, and system hosting services in?house or with outside contractor support; ? LS insisted on managing and outsourcing the development of NAVCC Workflow Application. LS has also insisted that the development for the overall Library repository be outsourced. Many customers report that equipment available in the PC Store, operated by ITS, does not meet their needs. The list of items or support provided by ITS changes frequently. Customers have also reported that ITS does not maintain an inventory of spare parts for the supported equipment. We found no evidence of the distribution of end?user surveys, Help Desk surveys, or open informational meetings with customers to obtain feedback. The Operations Committee is attended only by the technology heads. The ITS R&D liaisons interact mostly with senior management and the Workstation Configuration Control (WCC) group has a limited membership. While the information provided at WCC meetings is useful, the meeting minutes are only disseminated to its members via email or access to a special drive. Members have reported it is more of a forum for announcements rather than discussion. The IOG also has limited membership, but has received the most positive feedback. The IOG is also the only group that 31
disseminates the meeting minutes on the Intranet Site and follows up with members when they do not attend meetings. ITS is currently developing a communications plan to improve information dissemination to the rest of the Library and within ITS. Service Level Agreements and Performance Metrics Most organizations use Service Level Agreements (SLA) to manage their customers’ expectations and set standards by which their service can be evaluated, and in turn, by which they can evaluate their own staff. For example, at the Library, the Office of Contracts and Grants Management (OCGM) publishes a listing of timeframes in which customers can expect their acquisitions to be completed. OCGM also uses these timeframes to assess its own performance, and further, to evaluate its staff. ITS does not use SLAs because it believes that they are best suited for contractors. ITS uses “Memoranda of Understanding” (MOU) and “Project Charters” as a way to assign roles and responsibilities. ITS customers, however, reported that the MOUs are one?way, mostly defining the customer’s responsibilities, but not assigning performance standards to ITS, the service provider, and further, do not guarantee service or support. SLAs represent a best practice for service providers, whether or not there is an exchange of funds. SLAs define service standards, manage customer expectations, and provide a yardstick by which service quality can be evaluated. SLAs can include metrics such as hours of support, call response time, and escalation procedures. These SLAs will help end users understand the service that they can expect. Higher levels will require additional resources. We believe that the publishing of SLAs will provide the end users with more understanding of the levels of support that they can expect. We also believe that ITS should join an organization such as the Help Desk Institute to obtain best practices for customer support and in operating a Help Desk. In addition, we suggest the use of the Information Technology Infrastructure Library (ITIL) for comprehensive documentation of best practices for IT service management. According to an article published by the Help Desk Institute, “We suggest the use of SLAs so that the end user’s have a basis for knowing what service to expect. Fundamentally, the service level agreement process provides a methodology for introducing and implementing reasonable expectations for the customer community and your Help Desk or Customer Support Center. SLAs serve as a guide for establishing good, sound business relationships.” For more information, please see http://www.thinkhdi.com/library/deliverfile.aspx?filecontentid=55. Without SLAs or performance metrics, ITS cannot understand or manage customer expectations. Without this feedback chain, ITS has no real way of knowing if it is meeting its support objectives and customer expectations. 32
With respect to IT issues, it appears that the Library acts as five separate businesses instead of a single institution. There are solo and sometimes duplicative system development projects going on throughout the Library without OSI and ITS' knowledge. There is also no true system integration. The Service/Support Units compete for IT resources instead of working together to coordinate economies of scale for software, hardware, equipment, Help Desk, and system development and outsourced hosting costs.
Because of a perceived reluctance by ITS to take on ownership of IT problems or projects, customers search for ways to work around or not notify ITS of pending projects. Others will attempt and then give up pursuing projects that could be a Library?wide benefit such as the deployment of Multi?Functional Devices (MFDs or combination printer/copier/scanners). Our review indicated that Integrated Support Services (ISS) took all of the appropriate steps, including involving ITS in the requirements phase of the current contract, to enable the scanning and networking functions of the machines now in place Library?wide. However, there is a stalemate between ITS and ISS as to who is responsible for networking these MFDs, leaving them to be used throughout the Library solely as copiers. At the end of a five?year contract, the Library will have paid a total of $5,782,870 without realizing the full functionality of these MFDs. We were unable to determine the incremental cost of leasing MFDs as opposed to plain copiers without MFD functionality.
RECOMMENDATIONS The Library needs to implement a formal process for soliciting customer feedback for recommendations, ideas, and complaints, and implement changes to improve customer service. Specifically, ITS should:
A. Implement Service Level Agreements to manage customer expectations; Management Response: Management partially agreed with our recommendation. ATech Comment: Once again, we are unclear as to the “partial” nature of management’s agreement with our recommendation. Service level agreements can be structured in any way the Library desires, and simply establish baseline service guidelines on which management and customers can rely. B. Review the PM, SDLC, IT Security, and Help Desk processes and obtain feedback from the Service/Support Units to improve efficiency and effectiveness; Management Response: Management agreed with our recommendation.
33
C. Use best practices for service management from organizations such as the Help Desk Institute and ITIL and other organizations; Management Response: Management agreed with our recommendation. D. Instead of enhancing the current Help Desk system, implement a COTS enterprise Help Desk system that includes capabilities for customer feedback on calls, reporting on the closure rate of calls, types of calls, and other metrics. Since CRS purchased the latest version of Remedy, ITS should use the CRS contract for this or research other COTS options; Management Response: Management agreed with our recommendation. E. Negotiate a new Help Desk service contract to meet the different service level requirements of all Service and Support Units to eliminate duplicative Help Desk support services; Management Response: Management disagreed with our recommendation. Management believes, at this time, that having some services provided to certain staff at the service/support unit level is desirable. Having a distributed model of services instead of a centralized model does not necessarily mean there are duplicative costs. The CFO will address this recommendation in his study on duplicative costs. ATech Comment: The intent of this recommendation was to address the need for the Library to evaluate duplicative costs incurred by having distributed and independent help desk functions throughout its various offices. F. Develop a set of metrics for ongoing use to measure performance. These metrics should change and evolve over time as one area shows improvement; new metrics should be developed for other areas; and Management Response: Management agreed with our recommendation. G. Conduct regular customer surveys and open informational meetings. Management Response: Management agreed with our recommendation.
34
CONCLUSION
We believe that since the National Research Council issued the LC21 report in 2000, the IT support organizations at the Library of Congress have transformed themselves from IT support “shops,” to organizations which lead the country and the world in digital library technology. We were also impressed with the intelligence and technical savvy of the Library staff. It is now time for the Library to transform its management of IT from five separate businesses to a total institution. To remain a leader in the digital age, the Library must work collectively to address digital strategy, repository, and preservation; information retrieval; metadata standards; copyright deposits; IT cost accounting and metrics; IT leadership and governance; IT security; IT support/customer service; and IT investments. Many recommendations made in this report can be implemented at a low cost and can be accomplished with existing resources. Those requiring resources could be balanced against cost saving measures. We caution that the planning process should be agile rather than burdensome, and transparent to achieve maximum buy? in. We also advise the recommendations be implemented in coordination with all the Service and Support Units as some activities will reach across multiple reporting frameworks and appropriations. The GAO Executive Guide speaks about balance in planning, “CIOs recognize that balancing short?term successes with longer?term business change initiatives is key to keeping their business customers satisfied…These CIOs are careful not to get caught in the cycle of continual planning, but take steps to ensure effective progression from planning to implementation. They return to their plans iteratively, updating them as progress is made and business needs evolve.”5 We recommend the Library consult with the CIOs of organizations such as the Department of Education, George Mason University, the National Institutes of Health, the National Science Foundation, the Smithsonian, and the United States Patent and Trademark Offices on their IT strategic planning processes (see references 18?24 for the IT strategic plans of these organizations). The LC21 report made the following recommendations, which still hold true today: “…information technology can, should, and must be taken as a strategic asset of the Library as a whole and managed strategically from the very top.“ “…there needs to be serious strategic planning. Concrete projects must be established and undertaken to make real the Library’s ability to select, acquire, preserve, and manage digital content. These initiatives must reach across the whole interlinked set of processes from copyright registration through deposit to reader services.” We suggest that the Library continue work in these very critical areas and begin
5
The GAO Executive Guide, February 2001, Maximizing the Success of Chief Information Officers – Learning From Leading Organizations.
35
immediate implementation of our recommendations. An effective IT strategic planning process will provide the framework that is needed to assess costs and benefits, manage priorities, and plan for the future. The customer’s needs, both internal and external, should drive the requirements and be the foundation for determining project success.
36
APPENDIX A REFERENCES
1. Booz Allen & Hamilton, Management Review of the Library of Congress Final Report, May 7, 1996. (Part of OIG Hardcopy Collection.) Reference 1 Supplement, GAO Testimony Library of Congress Opportunities to Improve General and Financial Management, May 1996. 2. GAO Executive Guide: INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT: A Framework for Assessing and Improving Process Maturity: Version 1.1, GAO?04?394G, March 2004. 3. GAO Executive Guide, Maximizing the Success of Chief Information Officers – Learning From Leading Organizations, February 2001. 4. GAO Executive Guide, Improving Mission Performance Through Strategic Information Management and TechnologyLearning from Leading Organizations (GAO/AIMD?94?115), May 1994. 5. GAO Guide, Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decisionmaking (GAO/AIMD?10.1.13), February 1997. 6. GAO Report, Federal Chief Information Officers Responsibilities, Reporting Relationships, Tenure, and Challenges, GAO?04?823, July 2004. 7. GAO Report, ENTERPRISE ARCHITECTURE: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation, GAO?06?831, August 2006. 8. GAO Report, Information Technology, FBI Needs an Enterprise Architecture to Guide its Modernization Activities, GAO?03?959, September 2003. 9. GAO Review, Objective 1: Library of Congress Collections Management, Opportunities to Improve Effectiveness through Digitization, September 2008 (Draft). 10. Thomas G. Kessler, Patricia A. Kelley, Federal IT Capital Planning and Investment Control. Public Manager, 37 (4), 56?60, 2008. 11. NRC, LC21 A Digital Strategy for the Library of Congress, Copyright 2000. 12. OMB Circular A–11, Part 6, Preparation and Submission of Strategic Plans, Annual Performance Plans, and Annual Program Performance Reports, July 2003.
37
13. OMB Circular A?II, Part 7, Preparation, Submission, and Execution of the Budget, Section 300, Planning, Budgeting, Acquisition, and Management of Capital Assets, July 2007. 14. OMB Memorandum, Information Technology Management Structure and Governance Framework, M?09?02, October 21, 2008. 15. OPM Interpretive Guidance for the Information Technology Management Series, GS2210, CG01?0001, June 2001.
16. Thomas Plant, Public Sector Strategic Planning: An Emergent Approach, Performance Improvement, 45.5: 5?6. ABI/INFORM Global, ProQuest, (2006). 17. US Code: Title 40, Subtitle III, Chapter 113, Subchapter II, § 11315, Agency Chief Information Officer. 18. Department of Education, Information Resource Management Strategic Plan FY 2007 – 2011. 19. George Mason University’s Information Technology Unit Responds to the Academic Unit 2010 Plans. 20. The Strategic Information Resources Management Plan of the National Archives and Records Administration, February 2008.
21. National Institutes of Health Center for Information Technology Strategic Plan, 2008 – 2012. 22. NSF Information Resource Management Plan, September 2008. 23. Smithsonian Information Technology Plan FY 2008–FY 2013. 24. United States Patent and Trademark Office, Office of the Chief Information Officer Strategic Information Technology Plan FY 2007–FY 2012.
25. OSI, Plan for Cyclical Investments in Technical Infrastructure FY 20102014, September 2008. 26. ITS Presentation, LC Enterprise Architecture Program Overview to Operations Committee, November 2008.
38
APPENDIX B ACRONYMS
AIU – Archive Interface Utility ALSI – Associate Librarian for Strategic Initiatives AP3 – Annual Performance Program Plan ASL – Associate Librarian C&A – Certification and Accreditation CCB? Configuration Control Board CFO – Chief Financial Officer CIO – Chief Information Officer CIPC – Capital Planning and Investment Control CMM – Capability Maturity Model COBIT – Control Objectives for Information and Related Technology COO – Chief Operating Officer COP – Copyright Office COSD – Committee on Strategic Direction COTS – Commercial?Off?The?Shelf CRS – Congressional Research Service DLCG – Digital Library Content Group EAMMF – Enterprise Architecture Management Maturity Framework FEA – Federal Enterprise Architecture FSAM – Federal Segment Architecture Management GAO – Government Accountability Office GIPRA – Government Performance and Results Act GPO – Government Printing Office ICP – Internal Control Program IOG – Internet Operations Group IT – Information Technology ISS – Integrated Support Services ITIL – Information Technology Infrastructure Library ITIM – Information Technology Infrastructure Management Model ITSG – IT Security Group ITS – Information Technology Services ITVRSP – IT vision, strategy and research program Library or LC – Library of Congress LC21 report – LC21: A Digital Strategy for the Library of Congress LCR – Library of Congress Regulation LL – Law Library LS – Library Services MDEP – Management Decision Package MFD – Multi?Functional Device MOU – Memorandum of Understanding NAVCC – National Audio?Visual Conservation Center NDIIPP – National Digital Information Infrastructure Preservation Program
39
NDLP – National Digital Library Program NIST – National Institute of Standards and Technology NLS or NLSBPH – National Library Service for the Blind and Physically Handicapped NRC ? National Research Council PART – Program Assessment Rating Tool OCFO – Office of the Chief Financial Officer OIG – Office of the Inspector General OMB – Office of Management and Budget OPM – Office of Personnel Management OSEP – Office of Security and Emergency Preparedness OSI – Office of Strategic Initiatives SAM ?QFS – Storage and Archive Manager – Quick File System SLA – Service Level Agreement SPO – Strategic Planning Office TPS – Teaching with Primary Sources VPN – Virtual Private Network WCC – Workstation Configuration Control WCM – Workstation Configuration Management
40
APPENDIX C PROPOSED FY 2009 IT BUDGETS
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
Office of Strategic Initiatives Proposed Budget OSI Fulltime & Other government salaries (without Benefits) OSI Non?Pay Total OSI Budget without ITS Breakdown of ITS Directorate Proposed Budgets ITS Pay Fulltime & Other government salaries without Benefits ITS Non?Pay Total ITS Budget Total OSI Fulltime & Other Pay without Benefits Total Non?Pay Office of Strategic Initiatives Total Breakdown of OSI Directorate Proposed Budgets Digital Initiatives: $13,284,000 Pay ? FT Permanent & Other $9,686,000 Non Pay Information Technology Services: $27,108,000 Pay Fulltime (FT), Other, Benefits $30,225,000 Non Pay National Digital Information Infrastructure: Teaching With Primary Sources: $1,209,000 Pay FT Other, Benefits $5,961,000 Non Pay Office of Strategic Initiatives Total with Benefits Proposed IT Support Budgets For OSI/ITS Customers Copyright Congressional Research Service Law Library Library Services Human Resource Services Integrated Support Services Office of The Chief Financial Officer Office of The Librarian Office of The Inspector General Office of Security And Emergency Preparedness Total For Office of Strategic Initiatives/Information Technology Services Customers Breakdown of Service/Enabling Infrastructure Units Proposed IT Budgets" Copyright IT government support salaries without Benefits IT contractor support: Oracle 8.1 And Analytics Implementation COP Repository Feasibility Study eCo support Contractors (Catapult, Central Printing, Adobe)
$11,146,000 $23,158,000 $34,304,000 $21,762,000 $30,225,000 $51,987,000 $32,908,000 $53,383,000 $86,291,000 $22,970,000 $57,333,000 $7,511,000 $7,170,000 $94,984,000 $5,756,576 $7,770,530 $1,989,792 $11,969,843 $1,498,073 $1,560,411 $3,381,000 $675,973 $117,219 $283,450 $35,002,867 $2,171,502 $1,400,000 $300,000 $720,479
$293,450 To $35,012,867 One Time One Time
41
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
Help Desk Metasearch Project Hardware Purchase/Replacement: Pre?Product Environment Scanners Video Cards Vendor support (E.G. Maintenance On Servers/Network) Seibel And Scanners Software Purchase/License IT Training/Conferences (Eco Training, Accuate & MS Project Course, Voyager Conference) Copyright Total Congressional Research Service IT government support salaries (without Benefits) IT contractor support: Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network) Software Purchase/License IT Training/Conferences Congressional Research Service Total Law Library IT government support salaries (W/O Benefits) IT contractor support For GLIN Hardware Purchase/Replacement (Non?GLIN) Vendor support For GLIN Software Purchase/License (Non?GLIN) IT Training/Conferences: Law Library Total Library Services IT government support salaries (without Benefits) Technology Policy IT contractor support (Tech Audit) TP SubTotal Automation Planning Liaison Office: IT contractor support Hardware Purchase/Replacement Vendor support Software Purchase/License IT Training/Conferences: Automation Planning Liaison Office SubTotal National Library Service For The Blind Physically Handicapped: $700,000 $15,000 $75,000 $12,800 $2,970 $49,000 $259,324 $50,500 $5,756,576 $4,560,530 $1,300,000 $600,000 $1,200,000 $100,000 $10,000 $7,770,530 $915,975 $997,002 $745 $63,847 $12,223 $0 $1,989,792 $6,514,093 $100,000 100,000 $35,000 $170,685 $23,200 $255,965 $20,000 $504,850 One Time (Includes salaries for the Automation Contacts, Does not include Future NAVCC FTEs) One Time Hardware $73,580 Note 1: includes Software Maintenance on in?house developed software applications. Note 2: Just completed major upgrade to systems due to the Digital Conversion and implementing a new Website This Year. Office considers figure unusually high for
IT contractor support
$1,108,900
42
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
a typical year. Due to Workstation Configuration Management (WCM) initiative, NLS is aggressively replacing computer hardware not certified for windows XP. Purchasing additional PC's due to WCM repair process and new it security requirements. Figure high for a typical year. Expense includes a $30k payment made every three years to its for hardware replacement for our digital archiving system and $10k maintenance that was prepaid in FY 2008 . Due to WCM initiative, we are getting our software licenses in order. Making purchases to support engineering for the DTB player (such as CAD software). Figure considered unusually high for a typical year. Total Contract value was $400,000 for 2 year support
Hardware Purchase/Replacement
$141,000
Vendor support (E.G. Maintenance On Servers/Network)
$40,000
Software Purchase/License IT Training/Conferences BPH SubTotal National AudioVisual Conservation Center: IT contractor support ? NAVCC Software Applications Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network) Software Purchase/License IT Training/Conferences National AudioVisual Conservation Center Sub Total Library Services Total Human Resource Services IT government support salaries (W/O Benefits) IT contractor support Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network, Which May Not Apply To COP.) Software Purchase/License IT Training/Conferences Human Resource Services Total Integrated Support Services IT government support salaries (without Benefits) IT contractor support Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network) Software Purchase/License IT Training/Conferences Integrated Support Services Total Office of The Chief Financial Officer
$85,500 $25,500 $1,400,900 $200,000 $2,750,000 $500,000 $0 $0 $3,450,000 $11,969,843 $519,978 $0 $14,724 $893,102 $58,880 $11,389 $1,498,073 $371,411 $770,000 $37,000 $0 $281,000 $101,000 $1,560,411
43
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
IT government support salaries (without Benefits) IT contractor support For Momentum Hardware (Significantly More Spent In Past Years.) Vendor support Software Purchase/License IT Training/Conferences Office of the Chief Financial Officer Total Office of The Librarian IT government support salaries (without Benefits) IT contractor support Hardware Purchase/Replacement Vendor support Software Purchase/License (No Annual Fees) IT Training/Conferences Office of the Librarian Total Office of The Inspector General IT government support salaries (without Benefits) IT contractor support Hardware Purchase/Repair Software Purchase/License Vendor support IT Training/Conferences Office of the Inspector General Total Office of Security Emergency Preparedness IT government support salaries (without Benefits) IT contractor support For MC Dean IT Related Library's Police Communications Center (PCC) For One?Year Period Ending May 1, 2009. Hardware Purchase/Repair Vendor support & Software For Personnel Security Program Office Database" IT Training/Conferences Office of Security Emergency Preparedness Total $606,069 $2,757,722 $1,000 $0 $0 $16,209 $3,381,000 $624,430 $0 $34,543 $0 $15,000 $2,000 $675,973 $116,419 $0 $800 $0 $0 $117,219 $178,450 $50,000 $25,000 $25,000 $5,000 $283,450 To $35,000 To $293,450
44
APPENDIX D – NLS IT SECURITY EXPENSES
IT Security Expenses for the NLS
Year/Description of expense FY 2006 Work involved in creating initial PICS C&A Work involved in estimate for PICS POAM fixes Work involved in IT security test ? accommodating blind staff problems Process IT security wavier documentation Lost work due to VPN problems & inefficiencies TOTAL FY 2006 FY 2007 PICS C&A Annual update PICS Phase 2 ? research/documentation creation to accommodate IT security rules Total NLS Hours 245 20 15 30 60 370 40 NLS Staff Hardware Cost Cost $16,057 $1,344 $1,008 $1,934 $3,786 $24,129 $2,816 $0 Consultant Cost $4,000 $4,000 $500 $3,500 $12,000 TOTAL COST $36,129
75
$5,279 $8,447 $2,112 $6,430 $3,254 $2,010 $2,112
$49,236
$10,000 $500
PICS Phase 2 ? effort involved in accommodating IT security rules 120 PICS Phase 2 ? hardware purchased as a result of IT security accommodations 30 Workstation Configuration management (WCM) preparations 100 Research into possible use of VMware Process IT security waiver documentation Work involved in IT security test ? accommodating blind staff problems Preparations/Research for Comprehensive Mailing List System and Blind and Physically Handicapped Inventory Control System (CMLS/BPHICS) and C&A Effort and expenses associated with ensuring NLS computer room compliant with IT security rules (platform, lock) 52 30 30
100
$7,039
35
$2,109
$3,500
45
IT Security Expenses for the NLS
Year/Description of expense Lost work due to VPN problems & inefficiencies TOTAL FY 2007 FY 2008 Production Inventory Control System (PICS) C&A Annual update Re Estimate PICS Plan of Action and Milestones (POAM) fixes Effort to set up firewall rules for NLS producers PICS Phase 2 ? Impacts of accommodating IT security rules (coding) 240 PICS Phase 2 ? redo C&A package 200 Effort spent working on acquiring NLS test networks Acquisition of Network hardware to accommodate test networks Process IT security wavier documentation 150 50 $12,556 $10,184 $2,961 $3,792 $30,000 $59,670 $17,502 $55,000 Total NLS Hours 60 672 40 40 40 NLS Staff Hardware Cost Cost $3,818 $45,425 $2,917 $2,917 $2,917 $52,736 Consultant Cost $4,000 $14,500 TOTAL COST $112,661
60 Effort spent on Workstation Configuration management (WCM) preparations for 64 bit engineering workstations 315 Work involved in IT security test ? accommodating blind staff problems 35 Effort spent on Workstation Configuration management (WCM) preparations ? software inventory, documentation(outside of regular XP upgrade) 510 Lost work due to VPN problems & inefficiencies 70 TOTAL FY 2008 FY 2009 – estimated: PICS C&A Annual updates PICS ? redo C&A to include download website 1750 50 160
$19,532 $2,210
$500
$31,124 $4,122 $112,735 $3,532 $9,994
$30,000
$15,000 $8,000 $138,170 $8,000
$280,905
46
IT Security Expenses for the NLS
Year/Description of expense Effort to maintain firewall rules for NLS producers Total NLS Hours NLS Staff Hardware Cost Cost $1,348 Consultant Cost TOTAL COST
35 Effort spent on Workstation Configuration management (WCM) Implementation (outside of regular XP upgrade) 500 Process IT security wavier documentation 40 Extra computers to deal with possible problems with WCM rebuilds (extra computers, lost staff time) 90 Work involved in IT security test ? accommodating blind staff problems 35 Effort spent on Workstation Configuration Management (WCM) preparations for 64 bit engineering workstations 70 Time spent by NLS staff testing applications as part of WCM requirements Lost work due to VPN problems & inefficiencies TOTAL FY 2009 Items pending funding: Fixing PICS POAM items Possible Future expenses: C&A on CMLS/BPHICS C&A on XESS C&A on Network Database C&A on READS C&A on IMS TOTAL Pending Funding Overall TOTAL FY 2009 GRAND TOTAL FYs 20062009 plus pending funding
$29,906 $2,701
$17,000
$5,479 $2,245
$8,000
$500
$4,927
140 45 1165 1165 2792
$8,789 $1,639 $70,561 ? ? ? ? ? ? $0 $70,561 $252,851
$8,000 ? ? ? ? ? $0 $8,000 $90,736
$15,000 $6,000 $46,500 $438,000 ? ? ? ? ? $438,000 $484,500 $649,170
$125,061 0 ? ? ? ? ? $438,000 $563,061 $992,756*
* There is a $1 discrepancy due to rounding.
47
PAGE INTENTIONALLY LEFT BLANK
48
APPENDIX E – LIBRARY RESPONSE TO REPORT
49
doc_161027935.pdf
Strategic planning is an organization's process of defining its strategy, or direction, and making decisions on allocating its resources to pursue this strategy.
The Library of Congress
Office of the Inspector General
Library-Wide
Information Technology Strategic Planning: A Well-Developed Framework is Essential to Support the Library’s Current and Future IT Needs
Report No. 2008-PA-105 March 2009
PUBLIC RELEASE
UNITED STATES GOVERNMENT
LIBRARY OF CONGRESS
Office of the Inspector General
Memorandum
TO: FROM: SUBJECT:
James H. Billington April 22, 2009 Librarian of Congress Karl W. Schornagel Inspector General Information Technology Strategic Planning: A Well Developed Framework is Essential to Support the Library’s Current and Future IT Needs Report No. 2008?PA?105
This transmits our report titled “Information Technology Strategic Planning: A Well Developed Framework is Essential to Support the Library’s Current and Future IT Needs,” prepared by our contractor, A?Tech Systems, Inc.
Management’s response to our draft report is briefly summarized in the Executive Summary and in more detail after individual recommendations. The complete response is included as an appendix to the report.
Based on the written comments to the draft report, we consider all of the recommendations resolved except for 2.C., 3.A., and 5.E., with which the Library either disagreed or did not provide a firm response, and recommendations 1.E., 2.D., 4.A., 4.B., 4.D., 5.A., with which the Library “partially agreed” but did not provide an adequate explanation as to the partial nature of the agreement. We urge the Library to consider the recommendations in this report seriously, as they point to nothing more – or less – than proven best practices in government and business. In accordance with LCR 211?6, Section 11.A, please provide, within 30 calendar days, an action plan addressing implementation of the recommendations, including implementation dates.
We appreciate the cooperation and courtesies extended by the Office of Strategic Initiatives and many other Service and Support Units throughout the Library during this review. cc: Chief Operating Officer Associate Librarian for Strategic Initiatives
A WELL DEVELOPED FRAMEWORK IS ESSENTIAL TO SUPPORT THE LIBRARY’S CURRENT AND FUTURE IT NEEDS
INFORMATION TECHNOLOGY STRATEGIC PLANNING:
TABLE OF CONTENTS
EXECUTIVE SUMMARY ......................................................................................1 BACKGROUND....................................................................................................3 OBJECTIVES, SCOPE, AND METHODOLOGY..................................................4 FINDING 1 – STRATEGIC PLANNING PROCESS .............................................7 FINDING 2 – IT INVESTMENT PROCESS ........................................................14 FINDING 3 – ORGANIZATIONAL STRUCTURE...............................................22 FINDING 4 – ENTERPRISE ARCHITECTURE ..................................................25 FINDING 5 – CUSTOMER SERVICE .................................................................30 CONCLUSION....................................................................................................35 APPENDIX A - REFERENCES ..........................................................................37 APPENDIX B - ACRONYMS ..............................................................................39 APPENDIX C - PROPOSED FY 2009 IT BUDGETS .........................................41 APPENDIX D – NLS IT SECURITY EXPENSES ...............................................45 APPENDIX E – LIBRARY RESPONSE TO REPORT........................................49
EXECUTIVE SUMMARY
The intent of this review was to assess the effectiveness of information technology (IT) strategic planning at the Library of Congress (Library or LC). To evaluate whether the Office of Strategic Initiatives (OSI) Strategic Plan supports and implements the Library’s Strategic Plan as it pertained to the IT infrastructure, the Library Office of the Inspector General (OIG) contracted with A?TECH Systems, Inc. The evaluation focused on: 1. Determining how the OSI Strategic Plan addresses the recommendations of pertinent prior recommendations made by the National Research Council in a report titled “LC21: A Digital Strategy for the Library of Congress” (the LC 21 report); 2. Verifying whether the OSI Strategic Plan meets the Library’s current and future needs; 3. Validating the assumptions, data, and conclusions in the OSI Strategic Plan; and 4. Comparing the organizational placement and structure of Information Technology Services (ITS) with other government and similarly staffed corporate organizations. Since the LC21 report was published in 2000, the Library has made many technology improvements. The technology “evolution” at the Library includes migrating from mainframe systems, standardizing network infrastructure, updating the storage architecture, building an alternate computing facility (ACF) that provides backup for all three Library data centers, building a secure financial hosting environment (FHE), instituting a project management function, implementing a system life cycle development process (SDLC), deploying a standardized Microsoft XP workstation environment, and developing a National Institute of Standards and Technology (NIST) compliant Certification and Accreditation (C&A) process. The Library has standardized internal and external websites, developed digital collections containing more than 300 terabytes of data, and built a network of national and international digital partners. The Library is often at the forefront of identifying and participating in forward thinking digital initiatives. In short, the Library has made great progress in improving its IT infrastructure and backbone. However, the Strategic Planning process for IT at the Library of Congress is not well integrated with essential planning components, and is not instituted Library?wide, resulting in the following findings. 1. STRATEGIC PLANNING PROCESS ? Strategic Planning for IT is not a unifying force at the Library, does not link directly to the Library Strategic Plan, and does not have a forward?looking view.
1
2. IT INVESTMENT PROCESS ? Strategic Planning is not linked to the IT investment process, resulting in the duplication of efforts and acquisitions. 3. ORGANIZATIONAL STRUCTURE ? The organizational structure of the Information Technology Services (ITS) directorate at the Library does not foster strategic planning and good IT governance. 4. ENTERPRISE ARCHITECTURE ? The Library is missing an Enterprise Architecture program that should be coupled with a strategy to provide a roadmap for implementing future technology. 5. CUSTOMER SERVICE – ITS customer service needs improvement.
In our opinion, all of these findings are in large part the result of an unclear sense of how IT planning fits into the Library’s mission and the roles and responsibilities of the employees, as well as a lack of linkage between the IT strategic planning processes at the Library and actual performance. Furthermore, those Library employees charged with IT planning need to adopt a holistic view of planning that incorporates and supports a clear mission view with an insight into customer goals and objectives. Although some steps have been taken towards this effort, the progress is not seen Library?wide. We received a formal response to this report on April 15, 2009. Library management agreed with the majority of our findings and recommendations. Although management did not feel the improvements since the LC21 report were adequately addressed, we believe these improvements were sufficiently addressed in the executive summary and the conclusion of this report. Management responses and A?Tech comments are included in the report after each recommendation. The entire response can be found in Appendix E.
2
BACKGROUND
The Library is the nation's oldest federal cultural institution and serves as the research arm of Congress. It is also the largest library in the world, with nearly 150 million books, recordings, photographs, maps and manuscripts in its collections. The Library's mission is to make its resources available and useful to the Congress and the American people and to sustain and preserve a universal collection of knowledge and creativity for future generations. A decade ago, the Library commissioned the National Research Council (NRC) to conduct a study to provide strategic advice concerning the Information Technology path that the Library should take over the next decade. The result of the study was the LC21 report (LC21 report or “report”). The report provided numerous findings and recommendations, which serve as a framework for the Library’s transition into the Digital Age. More recently, the Library’s Strategic Planning Team and working groups in each Service and Support Unit, created the Library of Congress Strategic Plan for Fiscal Years (FY) 2008?2013, with valuable feedback provided from the Library’s customers and stakeholders. To support the Library’s goals, the Office of Strategic Initiatives (OSI) developed the OSI Strategic Plan FY 2008?2013, a guide for ensuring more of the Library’s resources are available online and collecting and preserving at?risk, born?digital content. In FY 2001, the Librarian created – and filled – the position of Associate Librarian for Strategic Initiatives (ALSI) to support the Library of Congress' vision and strategy by directing the overall strategic planning for the Library and the national program for long?term preservation of digital cultural assets. This Executive Committee?level position originally had oversight of two major programs: ? ? the National Digital Library Program (with American Memory as the flagship project to make the Library’s collections available to the public); and the National Digital Information Infrastructure and Preservation Program (NDIIPP) (responsible for the development of a national strategy, in cooperation with other institutions, for the collection, access and preservation of digital materials).
Now, the ALSI is also responsible for educational outreach, primarily the “Teaching with Primary Sources” (TPS) program, whose objective is to increase use of the Library’s digital primary sources in K?12 educational settings. In FY 2002, the ALSI was named the Library’s Chief Information Officer (CIO), and charged with leading the Library’s Information Technology Services (ITS) directorate, an infrastructure unit responsible for supporting the Library’s IT resources. Until this point, ITS had been part of the Library’s enabling infrastructure, a Support Unit reporting directly to the Deputy Librarian.
3
OBJECTIVES, SCOPE, AND METHODOLOGY
This review supported the Library’s goal on Organization, to continuously improve quality and efficiency of delivery of products and services. Our review included an evaluation of the Library’s plan for managing its IT infrastructure investments. The Library’s Inspector General set forth our primary objectives, which included: 1. Assessing the manner and degree to which the OSI Strategic Plan addresses pertinent recommendations of the LC21 report. The primary sub?objectives were: ? Determining which LC21 Report recommendations are still relevant to LC needs and if any relevant recommendations were excluded as well as the rationale for exclusion. ? Determining which LC21 report recommendations were incorporated into the OSI Strategic Plan, and to what degree they were included and/or modified. 2. Assessing the adequacy of the OSI Strategic Plan in supporting and implementing the LC Strategic Plan. The primary sub?objectives were: ? Determining if the OSI Strategic Plan adequately addresses the implementation of current LC IT infrastructure needs; and ? Determining if the OSI Strategic Plan adequately addresses the identification and satisfaction of future Library IT infrastructure requirements. 3. Determining the validity and integrity of the OSI Strategic Plan. The primary sub?objectives were: ? Determining if the elements of the OSI Strategic Plan support those of the LC Strategic Plan relative to IT infrastructure; ? Determining if the OSI Strategic Plan was coordinated with other impacted LC Service Units; ? Determining if the OSI Strategic Plan was based on valid data and assumptions; and ? Determining if the OSI Strategic Plan conclusions were rationally consistent with the data and assumptions. 4. Determining the appropriateness and effectiveness of the ITS organizational structure and placement. The primary sub?objectives were: ? Determining if ITS organizational placement is conducive to meeting the requirements of the OSI Strategic Plan and the LC Strategic Plan;
4
? ? ?
Determining if the ITS internal structure and placement is in keeping with government best practices; Determining the nature and extent of any possible functional overlap with other Library Service/Support Units; and Determining the impact of functional overlap on Library strategic planning and implementation of the LC Strategic Plan.
The scope of our review included evaluating activities associated with short and long?term planning for technology; Enterprise Architecture; architectural development, system development and IT investments; and the organization and management of ITS. We conducted our fieldwork from October to December 2008. We verified our interview records and obtained clarification on Library standards, processes, and documentation from December 2008 to January 2009. During the report writing phase in February 2009, there was further verification of feedback received from OSI. Specific steps included:
? ? ?
? ? ? ? ? ? ?
Interviewing appropriate Library staff about the continuing relevance of each LC21 report recommendation to the Library’s current and future programs and analyzing the results of interviews; Reviewing LC21 report recommendations and the elements of the OSI Strategic Plan, and comparing the two documents for conformance and sufficiency; Interviewing appropriate staff in LC Service Units concerning the adequacy of current LC IT infrastructure and OSI’s coordination of the planning effort to meet current needs. Validating interview results with LC technical staff and, as appropriate, validating through other LC officials; Interviewing appropriate staff in LC Service Units about the planning process for determining future requirements and identifying anticipated technologies necessary to meet future needs or if current technology can meet needs; Validating interview results with LC technical staff and, as appropriate, validating through other LC officials; Comparing the OSI Strategic Plan with strategic plans of other agencies. Assessing whether its method and approach is effective in accomplishing implementation of IT infrastructure goals; Reviewing the elements of the OSI Strategic Plan for consistency with those of the LC Strategic Plan and identifying sufficiency, inconsistencies, and agreements; Comparing the plans to assess the degree to which the elements of the OSI Strategic Plan fit in with the LC Strategic Plan; Interviewing OSI staff and other LC Service/Support Unit staff affected by the OSI Strategic Plan about the coordination of all LC strategic planning and analyzing interview results; Interviewing OSI staff that developed the OSI Strategic Plan about the plan’s rationale, including the appropriateness and factual nature of the data. In addition, discussing the identification and basis for any assumptions and conclusions reached. Assessing interview results and, as appropriate, validating through other LC officials; 5
? ? ? ? ?
Comparing data and assumptions used in formulating the OSI Strategic Plan with its conclusions and assessing for consistency and sufficiency; Interviewing appropriate staff about ITS efforts to meet IT infrastructure needs, comparing with related information gathered in previous LC interviews, and analyzing results; Researching/interviewing with other federal agencies and the IT community for best practices in terms of IT Unit placement and structure; Analyzing LC documents assigning functions to LC components. Validating actual functions through interviews with appropriate LC staff; and Interviewing appropriate LC staff concerning the impact of possible overlap on both LC strategic planning and LC support of implementation of the LC Strategic Plan.
We evaluated Library written procedures and actual practices against criteria documented in Library of Congress regulations (LCR), Government Accountability Office (GAO) guidance, and industry standards and best practices maintained by the Information System Audit and Control Association (ISACA). Specific Library and industry criteria used to evaluate evidence included: ? LC Strategic Plan FY 20082013; ? OSI Strategic Plan FY 20082013; ? LC21: A Digital Strategy for the Library of Congress; ? Draft Library of Congress Digital Strategy dated February 2009; ? LCR 2111, Organization of the Office of the Librarian of Congress; ? OSI Proposed Reorganization Packet dated January 2009; ? LCR 2201: Functions and Organization of the Office of Strategic Initiatives; ? LCR 2122: Functions and Organization of Information Technology Services, Office of the Librarian; ? LCR 213: Functions and Organization of Library Services; ? LCR 2151, Functions and Organization of the Copyright Office; ? LCR 2161, Functions and Organization of the Law Library of Congress; ? LCR 217, Functions and Organization of the Congressional Research Service; ? LCR 1510: Financial Management; ? LCR 1511: Planning, Budgeting, and Program Performance Assessment; and ? Control Objectives for Information and Related Technology (COBIT) 4.1 by the IT Governance Institute.
6
FINDING 1 – STRATEGIC PLANNING PROCESS
We found that the strategic planning process is not a unifying force at the Library of Congress and not incorporated into the organization’s culture. Specifically, we found that: 1. The Library’s Strategic Planning process was not inclusive of all internal stakeholders; 2. The Library’s IT Strategic Plan does not align well with the Library’s Strategic Plan; and 3. The Library’s digitization efforts are scattered and lacking in specific focus. The Strategic Planning Office (SPO), located in the Office of the Chief Financial Officer (OCFO), maintains the Library’s Strategic Plan, from which the IT Strategic Plan should flow. A key component of any strategic plan is its ability to track accomplishments against predefined goals and objectives using various metrics. Although the SPO has implemented a system to track performance against the strategic plans, the development of a Service Unit/Support Unit strategic plan is a “voluntary process.”1 The “Management Review of the Library of Congress” Final Report (Booz Allen & Hamilton), May 7, 1996 found that, “[a]lthough ITS has a Strategic Plan, it does not include a vision for the future that includes IT as an enabler of the Library's mission, an integrated IRM (Information Resource Management) architecture, or performance improvement objectives that are measurable and linked to mission performance. The Library lacks a clear technology vision to support processes within the Library and the creation of networks of institutions that enable the world's knowledge resources to be shared.” Since this report was published, the Library has made strides in technology; however, its planning process still lacks integration with architecture and with performance improvement objectives. The current trend in developing strategic plans is to involve all employees in planning, making them accountable for goals and associated results. As one writer states, “
1 LCR 1511 Planning, Budgeting, and Program Performance Assessment Section 2.A.4. states “Service and Support Units may develop individual organizational strategic plans.” 2 Thomas Plant, Public Sector Strategic Planning: An Emergent Approach, Performance Improvement, 45.5: 5?6. ABI/INFORM Global, ProQuest, (2006).
7
We do not agree with the decision of the Library’s leadership to make strategic planning a management?only activity. We suggest that the Library allow line employees to actively participate in the strategic planning process. The Library Strategic Plan should be part of line employee as well as management training programs. Execution of strategic planning objectives should be tied to line employee performance plans. There is evidence of an effort to link strategic planning objectives through the annual planning process, but the implementation is uneven throughout the Library. We acknowledge there is currently an effort through the Workforce Performance Management Initiative to improve this across the Library, but this effort is not fully realized. Although the Service and Support Units are not required to develop a strategic plan, they must identify program activities for Annual Program Performance Plans (AP3s) and ensure that an Internal Control Program (ICP) is in place. The automated planning system used for AP3s does allow organizations to include their strategic plans, but there is no way to enforce a linkage to their strategic plan or the Library’s plan. The entire system is based on self?assessment by the Service/Support Units and has automated a paper process. To make the AP3 and the ICP processes truly effective, the SPO or other area of the Office of the Librarian must be resourced to perform an evaluation function, a best practice in other federal agencies. Lack of Buyin to Library’s Strategic Plan Below the Senior Management Level In interviewing Library staff, we found that most felt they had not been active participants in the development of the Library’s Strategic Plan or in the IT Strategic Plan. Those interviewees who previously worked at other federal agencies felt that the Library’s processes for IT strategic planning were “immature” by comparison. Since the strategic planning process at the Library is a management?only activity, those employees below the senior management level lacked an understanding of the objectives of the Library Strategic Plan to make it actionable and relevant to their responsibilities. The LC strategic planning process included 51 senior managers and subject matter experts. Each Service and Support Unit had a working group made up of managers to develop recommendations for the Library Strategic Plan. The only exposure that line employees had to the plan before it became final consisted of Gazette articles, an employee Town Hall meeting, information meetings held at different sites to provide awareness of the plan, and a month?long opportunity to review and comment on the draft plan online. SPO received feedback from only 37 out of 4200 employees and incorporated appropriate feedback into the final version of the Library Strategic Plan. All these activities do not equate to active participation. Line employees need to participate in the strategic planning process from start to finish. Several line employees said that there was too much of an emphasis in the LC Strategic Plan and the OSI Strategic Plan on external factors such as the World Digital Library (WDL) and NDIIPP rather than internal Library infrastructure. 8
Misaligned Strategic Plans and Ineffective Planning Process We were unable to directly link the IT components of the OSI FY 08?13 Strategic Plan back to those found in the corresponding Library strategic plan. Before the Library began its efforts for the LC FY 08?13 Strategic Plan, OSI had nearly completed the development of its own FY 08?13 strategic plan. Since the OSI strategic plan was published after the Library’s strategic plan, it is not known why adjustments were not made so that the proper linkages were in place. The strategic goals for the Library and OSI do not align. Furthermore, the performance indicators and representative measures between the Library of Congress Strategic Plan, OSI Strategic Plan, and the OSI AP3 do not align. For example, in the Library’s Plan, the organization goals contain measures of IT efficiency: ? user satisfaction with computer workstations, computer servers, hardware and software; ? time allotted to install computer workstations; technical support provided; and ? IT user training. However, these performance measures were not carried forward to the OSI Strategic Plan. Instead, OSI put forth a different set of goals, objectives, and measures, and used a different methodology for the development of the Plan. Their strategies included: ? secured, available, and scalable technology infrastructure; ? defined Library of Congress technical infrastructure for shared tools and services among networked entities; and ? defined future institution?wide architecture and support for a national networked digital information architectural framework, specialized institutional digital media repository services, and preserved authentic digital content over time. Despite developing a separate OSI Strategic Plan, IT objectives were not communicated across the Library and there was not a clear sense of vision and purpose for IT. In speaking with interviewees, most felt there was no visibility into IT priorities. In the past, ITS has developed a strategic plan separate from OSI. It is not clear why they stopped this practice. OSI has done an excellent job of tracking future library trends, but it is not clear how these trends will result in new technology for the Library or how emerging best practices will be leveraged for internal Library programs. 9
The Library Does Not Have a Focused Digitization Vision The responsibility for strategic planning is subject to confusion because an October 3, 2000 “special announcement” assigned the CIO overall responsibility for strategic planning. However, an October 30, 2002 memorandum delegated responsibility for strategic planning to the CFO. The current LCR, Functions and Organizations of the Office of Strategic Initiatives assigns OSI the responsibility for “digital strategic planning.” This regulation does not include a definition of “digital strategic planning” and may be subject to interpretation. Further, the memorandum dated January 14, 2003 titled Coordination of the Library’s Digital Initiatives assigns the CIO with broad management responsibility for transforming the Library; leaving the management control framework for digital migration open to interpretation. At that time, the Digital Executive Oversight Group (DEOG) was established, composed of Service Unit heads, to serve as the internal means for vetting, justifying, and allocating resources for the Library’s digital programs and IT initiatives. Since then, the Digital Library Content Group (DLCG) has been created to coordinate and prioritize from an institutional perspective digital content projects and initiatives that result in materials presented to the public. It is unclear how the DLCG ties back to the DEOG. Notably, despite many successes, the strategy for “digitizing” the Library collections seems to lack an overall Library vision. OSI sees itself as an extension of the Librarian’s Office. Indeed OSI and the other Service Units appear to be following different paths. A prime example of this problem is the Sloan Foundation Project, in which OSI and Library Services (LS) disagreed on what to digitize and whether to accept funding for the project. In the end, and although OSI is technically charged with leading the Library’s digital strategy, LS embarked on a project funded by the Sloan Foundation to digitize collections LS felt were critical. To address a recent GAO review, which stated “The Library’s strategic plan does not clearly align the organization’s activities and resources to address digitization,”3 the Library drafted the Library of Congress Digital Strategy dated February 4, 2009. While the new digital strategy does attempt to address the different goals of each Service Unit, it is a recent document and does not currently reflect the reality on the ground. It does not address GAO’s recommendation to “articulate the roles and responsibilities of all relevant service units and offices in developing and executing the strategy. Some examples of the digital strategy paths that the Service Units are taking follow: ? Library Services (LS) is interested in digitizing its General Collections prior to the 1923 Copyright restriction, obtaining digital deposits from the Copyright system, and making arrangements with publishers to provide access to the
3 GAO Review, Objective 1: Library of Congress Collections Management, Opportunities to Improve
Effectiveness through Digitization, September 2008 (Draft).
10
?
?
?
The LC21 committee recommended the creation of an external technical advisory board to advise the Executive Committee on the development and directions in IT relevant to the Library and offer advice on initiatives and enterprises with the IT vision, strategy, and research program (ITVSRP). In September 2008, OSI convened a special conference entitled “Technology Trends & the Library of the Future.” During the conference, OSI representatives met with a panel of technical experts and Library of Congress consultants “to examine driving Social, Economic, Legal, Political and Technology Trends; identify how these trends might affect future scenarios; and form the basis for a Visionary Statement for the Library of Congress of the Future.” The experts were asked to become a part of the OSI Technical Advisory Board and a subset of this board would provide guidance and oversight in prototyping efforts. However, the rest of the Library was not involved in this conference. We did not find evidence of how this committee’s recommendations translate into actionable requirements for the Library. In the meantime, LS representatives have sought out amazon.com representatives for technical guidance and are forming scanning and hosting contracts with the Internet Archive to provide public access to their general collections. Other areas of the Library have inquired into using the Internet Archive contracts. Since we began our review, the Librarian formed a Library?wide committee called the Committee on Strategic Direction (COSD), which first convened in late January 2009. The COSD “seeks to promote synergies; and it will produce a single document that will enable the Library to speak with one voice to the Congress and to all other audiences about the strategic direction of the Library as a whole for the medium? 11
public on digital material. They are currently digitizing the talking books and the audio?visual collections. The Law Library (LL) is interested in using technology to exchange revised legal information nationally and internationally and digitizing its rare book collection, collecting legal blogs, the permanent Congressional Record, and collecting Supreme Court nomination information to support Congress and the legal community. The Congressional Research Service (CRS) wants to preserve CRS main files, research legacy files, and born?digital files to support congressional requests on recurring legislative issues. Additionally, CRS is adding born?digital congressional memoranda to its digital collections. It has digitized published CRS writings, non?distributable CRS publications, and a large collection of CRS research for specific hearings. CRS has a Web?harvesting project for legislative analysis and for archival purposes and has submitted a request to digitize the US Serials Set, 1970?1995. The Copyright Office (COP) is interested in digitizing 70 million hardcopy records and interfacing with LS to provide mandatory digital deposits. COP would like to implement a system to transfer files to LS while at the same time preserve the Copyright Office's eCo system security and the digital file's data integrity.
term future.” The Librarian outlined seven goals to serve as a guide to the COSD in their efforts to define the Library’s strategic direction for the remainder of the current Strategic Plan and beyond. We have received clarification from the Office of the Librarian that the COSD was developed as a think tank and the end product will contain statements of success that could be included in future Librarian Guidance and may serve as an amendment to the Library’s Strategic Plan. Because it is a legislative branch agency, the Library does not fall under the Government Performance and Results Act (GPRA) or other guidance governing IT planning and spending. However, at a 2007 budget hearing, the Librarian stated that the Library would use a process similar to GPRA for strategic planning. Although GPRA was established in 1993, it remains the foundation for most federal IT planning guidance. For this review, GPRA and other Office of Management and Budget (OMB) guidance are considered best practices. OMB Circular 211, Part 6, 210?220, states that, “[a]n agency's strategic plan keys on those programs and activities that carry out the agency's mission. Strategic plans will provide the overarching framework for an agency's performance budget. Revisions of a strategic plan will focus on developing a performance budget, updating performance measures and targets, and implementing follow?up actions to PART (Program Assessment Rating Tool) assessments. Strategic plans should guide the formulation and execution of the budget. A strategic plan is a tool to be used in setting priorities and allocating resources consistent with these priorities. A strategic plan is not a budget request; the projected levels of goal achievement must be commensurate with anticipated resource levels.” Although the Library is not required to follow OMB guidance, we believe that it is essential that the Library look at strategic planning in this best?practice context. Currently, the linkage between Library of Congress strategic plan strategies and the performance indicators of the OSI strategic plan do not align. We believe that the Library must map out these relationships and develop a plan to resolve these issues. The lack of a clear connection between IT Strategic Plans and agency mission and goals prevents a clear plan from emerging. All strategic plans should address the Library’s mission and should directly speak to the goals and objectives addressed in the plan. Currently, the Library’s plan is not strong in addressing IT as an enabler across all areas of the Library. The lack of linkage and clarity in the process prevents the strategic planning effort from being a unifying force. The lack of a unified policy for digitization has resulted in scattered, sometimes conflicting, efforts by various Service Units to digitize portions of their collections they believe most important. This has resulted in multiple digitized collections, spanning multiple Library web sites, with no common search and access tools and no comprehensive index or inventory. We applaud the Librarian’s vision to create a strategic transformational guide, as it evidences recognition of the need for change in the Library's strategic direction. We hope the COSD will cohesively link the Service and Support Unit strategic plans into the Library’s plan. To successfully 12
move the Library forward as a total institution with one voice, the guide should not contain only statements of success and recommendations. It should contain a plan of execution with implementable details with buy?in from the Service/Support Units.
RECOMMENDATIONS
To ensure strategic planning for IT is a unifying force at the Library, IT planning must link directly and have a forward?looking view. To accomplish this, the Library should:
A. Create a process to ensure that organizational strategic plans align with its strategic plan; specifically, the IT Strategic Plan should align directly with, flow from, and include the same goals as the Library’s Strategic Plan;
Management Response: Management agreed with our recommendation. The development of a unified policy on digitization will be initiated.
B. Involve line employees in the strategic planning process by having them participate in Service Unit and Support working groups to develop recommendations for the Library’s Strategic Plan;
Management Response: Management agreed with our recommendation. The Library will continue efforts to increase employee participation in the strategic planning process. C. Ensure that all initiatives concerning future library technology are shared Library?wide; Management Response: Management agreed with our recommendation. D. Produce a transformational guide that contains a plan of execution to ensure that the Library moves forward as a total institution with one voice; and Management Response: Management partially agreed with our recommendation but was unsure as to its content. ATech Response: The guide needs to be a plan that includes clear, executable steps that will accomplish the required transformation. E. Form a cohesive, integrated, and centrally managed LC Digital Strategy Plan with all the roles and responsibilities of all relevant Service and Support Units clearly defined. Management Response: The Library agreed with our recommendation but disagreed with the specific terminology we used. The intent of our recommendation remains the same, regardless of nomenclature.
13
FINDING 2 – IT INVESTMENT PROCESS
We found that the IT investment process at the Library is not linked to its strategic plan.
1. The Library’s IT planning is not linked to an investment process. 2. There is duplication of costs. 3. There is no consistent Cost?benefit Analysis (Analysis of Alternatives) done by ITS. 4. The Library does not transparently track IT costs.
The LC21 report specifically proposed the formation of an IT vision, strategy, research, and planning (ITVSRP) group to lead the Library, national libraries, and world libraries into the Digital Age. The ITVSRP would be an ongoing working group of leaders from across the Library and this group would approve all significant technology investments. We found no evidence of such a group. The Digital Executive Oversight Group (DEOG), Digital Library Content Group (DLCG), the Internet Operations Group (IOG), a Metadata Group, and an ITS Configuration Control Board (CCB) are all the Library’s attempts to fulfill the role of an ITVSRP in a fragmented manner, however, these groups do not perform the role of an investment approval function, either individually or collectively.
The Library has chosen to address the recommendation to approve IT investments mainly via the Management Decision Package (MDEP). According to Library of Congress Regulation (LCR) 1510 ? Financial Management, this is “the tool that Service/Support Units use in submitting their budget requests to OCFO and Library Management. The MDEP provides the detail that is necessary to make sound management decisions and/or to address Congressional mandates in the House and Senate reports. The MDEP includes the details of needed resources, a narrative justification, and impact statements.” The Executive Committee reviews all MDEP budget requests and as of FY 2009, all IT?related MDEPs are reviewed by ITS for impact on the Library’s IT infrastructure.
No Comprehensive Library Strategy for IT investments Despite the MDEP process, we concluded that there is not an overall Library strategy for prioritizing and budgeting for IT investments to include new projects, replacement of existing systems, hardware, software, and services support. The documents that we received for review were incomplete and did not present evidence of a systematic IT Investment Process. The FY 2010 Budget for the Library includes a technology focus, but mainly addresses a refresh of the technology infrastructure, as opposed to presenting a long?term strategic statement. There is a perception within the Library that project funding is dependent on the relationships established with OSI/ITS management. It is significant to note that whether true or not, the widely held perception that OSI receives priority in IT
14
issues affects the behavior of other Service/Support units. For example, there is a clear linkage between the proliferation of IT support organizations throughout the Library and this perception: due to the expectation that their service requests will receive lower priority than OSI’s, other Library entities attempt to compensate by creating their own support frameworks. We found no evidence of a prioritized “portfolio” of IT investments, where spending decisions were regarded as a whole and were weighted against criteria for meeting mission performance. We found examples of an Investment Portfolio and a Technology Roadmap for specialized OSI programs such as NDIIPP, but this is not carried forward across the Library. In September 2008, OSI published a “Plan for Cyclical Investments in Technical Infrastructure FY 2010?2014.” Although this document represents a good start for developing an overall Library technology vision, it does not encompass major systems such as financial, budgetary, facilities support, or any systems that would support the Library’s overall business areas in the future. It mainly addressed the technical infrastructure for digital collections. We recognize that the Library is not required to produce Exhibit 300 documentation, which supports the budget justification and reporting requirements for major IT investments as required by OMB Circular No. A?11 Part 7, Section 300: Planning, Budgeting, Acquisition, and Management of Capital Assets. However, to create a comprehensive strategy for IT investments, this plan should contain details sufficient for implementation for major Library systems. Exhibit 300 represents a best practice example.
No Coordination of IT Costs across Library Although the Service/Support Units recognize a need for IT Security, they are frustrated about their inability to project adequate funding to support “unfunded mandates” such as Certification and Accreditation (C&A) requirements. When the IT Security Program was first established, ITS received Congressional funding to certify and accredit the Library’s mission?critical legacy systems. There is, however, no continuing funding for ongoing support of C&A requirements. Since the implementation of the Library’s C&A program, system owners have incurred substantial annual IT Security and mitigation costs. Service/Support Units bear the financial responsibility for C&As of systems developed since 2004. The Information Technology Security Group (ITSG) contractor estimated that C&As would cost the Library approximately $270K a year. The ITSG Chief maintains that a risk assessment can be completed within two weeks and estimated an average cost of $15?20K per system. System owners are reporting higher actual costs. The National Library Service for the Blind and Physically Handicapped (NLSBPH or NLS) has tracked its IT Security costs (actual and projected) for 2006?2009, and reported a total cost close to $1 million (See Appendix D for more details). Service/Support Units have been advised to use their own IT funding to obtain C&A contractor support. While there is no centralized funding for C&As, the ITSG Chief has provided, on a discretionary basis, ITS?funded contractor resources to Library offices.
15
In addition to the costs incurred for “unfunded mandates”, we found numerous areas where there were overlaps in support services and systems. For example, LS, COP, CRS, and LL all maintain their own fully staffed technology offices. These offices include a Help Desk, utilizing their own staff and/or contractors. Sometimes they use a separate Help Desk system rather than the ITS customized Remedy Help Desk system. Other offices in the Library each have at least one IT Liaison or a small IT staff that serves as a first line Help Desk. Even the Office of the Librarian has its own IT staff. All Service/Support Units independently obtain some level of IT contractor support. End users contact their own Help Desk or IT Liaison who attempts to address problems with their own resources and contacts the ITS Help Desk for issues crossing office boundaries. The Library staff does not feel that there is a clear distinction between what ITS funding provides and what the Service/Support Units must provide out of their funding. The Library staff reported that the information they found on the ITS Intranet Site regarding IT Security Directives, the SDLC process, and products ITS supported and provided often differed from the information they received in written and verbal communications. For example, inconsistent documentation has led some offices to repeat C&As multiple times. There is an unusually large number of IT positions at the Library beyond the positions in OSI/ITS. The Service/Support Units are funding their own positions to supplement insufficient IT support. To assess this, we extracted the 2210 occupational series, which is traditionally pure IT support rather than an analyst position. “This series covers two?grade interval administrative positions that manage, supervise, lead, administer, develop, deliver, and support information technology (IT) systems and services. This series covers only those positions for which the paramount requirement is knowledge of IT principles, concepts, and methods; e.g., data storage, software applications, and networking.” Please refer to http://www.opm.gov/oca/compmemo/2001/2001?05A.pdf for more information. OSI has 228 2210?series positions, costing $25,589,654 annually. This does not include those in other computer support positions, those performing these tasks in other service units, or IT contractor support. OSI augments its staff with over 50 contractors and others are brought in on a project?by?project basis. Table 1 shows the number of 2210 series employees outside of OSI. In all, outside the framework of the ITS help desk, the Library employs about 360 IT support staff at a cost of $38 million. 16
Table 1 NonOSI 2210 Series Employee Information
OFFICE Copyright CRS Law Library Library Services All Other Total 2210 Salaries NUMBER OF 2210 SERIES EMPLOYEES 19 35 9 48 20 131 EST TOTAL (SALARIES ONLY) $ 1,811,528 2,522,007 915,975 5,255,587 2,070,647 $12,575,744
Inconsistent CostBenefit Analyses
A well?planned, rational acquisition decision requires a cost?benefit analysis. Acquisitions can have many options; for example, for hardware, there are multiple makers of equipment and multiple vendors. In addition, there are multiple possible equipment configurations, and finally, there is the option to remain with a legacy system. A cost?benefit analysis is intended to explore which option is most cost? beneficial long?term by projecting the costs and benefits for each possible option, or at least for the most likely or desirable options. We did not see consistent evidence of cost?benefit analyses for the acquisition or in? house development of IT systems. Market surveys are used often as rationale to not conduct cost?benefit analyses and to justify making the decision to develop in?house or contract out for system development. For example, the LC Accreditation Tool Package, was internally developed to assist systems owners to complete required documents for C&A of systems. The ITSG Chief says he conducted a market survey and no products met the Library's requirements, so he did not perform a cost? benefit analysis. ITS did not search for a COTS product when the staff decided to develop an Archive Interface Utility (AIU) for the National Audio?Visual Conservation Center (NAVCC). The AIU transfers, verifies, and copies files from the production environment to the NAVCC Archive Storage area. The development of AIU started in late 2005 and was first released in October 2007. ITS moved this system into production without full acceptance testing from the system owner. The system owner experienced ongoing performance and functionality problems with the AIU throughout FY 2008 before he replaced the AIU with a modified open source COTS product. The system owner asked LS contractors to implement the Storage and Archive Manager – Quick File System (SAM?QFS) solution. LS contractors spent two weeks testing and two weeks to implement the SAM?QFS solution as a replacement at a fraction of the cost of the abandoned AIU. 17
FEDLINK has searched for a replacement for its financial system for over 10 years and spent $500K in an effort with ITS and contractors to implement Momentum without conducting a cost?benefit analysis before giving up. A cost?benefit analysis may have identified lower cost COTS options. Given the post?implementation Momentum problems experienced by OCFO, the Library should also have conducted a risk analysis prior to starting implementation efforts. Now the FEDLINK staff is working with ITS to develop a customized system. ITS is in the process of analyzing 400 pages of requirements for a system design. Lack of Transparency in Tracking IT Costs When requesting budget and spending information concerning IT spending across the Library, we found that as with many other government accounting systems, IT expenses cannot be accurately retrieved from the Momentum system. These costs are combined within object classes for equipment services and maintenance. We reviewed the FY 09 Library budget justification as well as proposed FY 09 IT budgets from the Service/Support Units. We included salaries for government IT staff without benefits or other compensation. We determined that the ITS proposed budget for FY 09 is $51,987,000 (with contractor support) and the rest of the OSI’s proposed budget is $34,304,000, which funds a combination of program and support functions. The rest of the Library will augment the centralized IT support with approximately $35,012,867 of decentralized IT Support. The IT support costs reviewed included IT government salaries, IT contractor support, vendor support, hardware, software, and IT training (See Appendix C for more details on the proposed FY 09 IT budgets). In conducting interviews with Library staff below the senior management level, we found that most were unfamiliar or confused with the process for requesting small or unexpected IT services. OSI maintains a PC Store with standard, approved hardware and an inventory of approved software licenses. Once the PC Store or software budgets are depleted or if there are variations on a supported service/product, Service/Supports Units are expected to fund these purchases out of their budgets. We found a number of problems with this approach. First, we found that these IT expenses were often tracked as office equipment or supplies. We discovered there was no way to track these IT expenses in the Library once they were integrated into a unit’s budget. Secondly, when Service/Support Units make individual purchases instead of going through a Library?wide negotiated contract, the Library does not benefit from economies of scale. Another problem with this approach is that these offices might be unfamiliar with the IT products they are purchasing and run the risk of purchasing the wrong product, from the wrong vendor. For example, a Service Unit recently purchased platinum support for its servers when a lower?priced level of support would have met its requirements. In addition, the life cycle costs of the products may not have been considered. Although the Library’s overall IT budget appears to be similar or lower than other federal agencies of similar size and mission, the IT needs of the Library are not 18
complex. However, with the lack of an investment process and coordinated strategy, much of the funding spent on IT is going towards uncoordinated and duplicative efforts relating to Help Desk support, software, hardware, IT contractor support, vendor support, and training. Investment decisions in IT made without doing a cost?benefit analysis often lead to unsound decisions, as discussed earlier in the NAVCC and the FEDLINK cases. The Library as part of the legislative branch is not obligated to follow a Capital Planning and Investment Control (CPIC) process. However as one author stated, “[a]lthough compliance with federal laws and regulations is important, the more compelling reason for taking IT capital planning seriously is that an effective process can significantly increase IT return on investment. Given the fiscal constraints within which most federal programs must operate, the potential to achieve dramatic improvements in program effectiveness and efficiency through the innovative use of IT should rank at the top of any managers list of priorities.”4 A Library employee with prior IT capital planning experience at the Treasury Department stated that the investment process for IT was at Stage 1, possibly Stage 2 of the Information Technology Infrastructure Management (ITIM) Model (defined in Table 2). We agreed with the employee that the Library is at Stage 1 of maturity. As defined by Stage 1 of the ITIM, “there is generally little relationship between the success or failure of one project and the success or failure of another project. If an IT project succeeds and is seen as a good investment, it is largely due to exceptional actions on the part of the project team, and thus its success might be difficult to repeat. Investment processes that are important for success may be known, but only to isolated teams; this process knowledge is not widely shared or institutionalized. Most organizations with Stage 1 maturity have some type of project selection process in place as part of their annual budgeting activity. However, the selection process is frequently rudimentary, poorly documented, and inconsistently applied.” The Library should be focusing on obtaining at least a stage 2 maturity and should project the goal of reaching Stage 3 in the next few years. Stage 2 involves “Building the Investment Foundation: developing project selection criteria, benefit and risk criteria, and an awareness of organizational priorities." Stage 3 involves developing a complete investment portfolio.
4
Thomas G. Kessler, Patricia A. Kelley, Federal IT Capital Planning and Investment Control. Public Manager, 37 (4), 56?60, 2008.
19
Table 2 ITIM Stages of Maturity
Another area that may serve to save costs is to require that an evaluation of alternatives be conducted for system purchases. According to OMB guidance, “Evaluation of Alternatives: Analyses should also consider alternative means of achieving program objectives by examining different program scales, different methods of provision, and different degrees of government involvement. For example, in evaluating a decision to acquire a capital asset, the analysis should generally consider: (i) doing nothing; (ii) direct purchase; (iii) upgrading, renovating, sharing, or converting existing government property; or (iv) leasing or contracting for services.” One possible opportunity for an evaluation of alternatives is to assess the costs of digitizing special collections versus the cost of systematically digitizing the entire collection of books (for now excluding those subject to copyright protection).
RECOMMENDATIONS
Strategic Planning should be linked to the IT investment process at the Library, to eliminate the duplication of efforts and acquisitions. To that end: A. ITS should inventory and prioritize all existing systems that require upgrade and new IT projects to create an IT portfolio. Ideally, this should also include smaller systems and purchases that fall below the capital threshold. Management Response: Management agreed with our recommendation.
20
B. The Library should develop a plan to review and eliminate duplicative costs including Help Desks, technical liaisons in Service Units, and coordinate purchases. Management Response: Management agreed with our recommendation. The Library’s CFO will develop a plan to identify any duplicative costs in these areas.
ATech Comments: We did not imply that these duplicative costs arose from the perception that OSI receives a disproportionate share of ITS resources.
We wish to reiterate the intent of our recommendation, which was not to identify specific and exact duplication of IT costs, but instead to identify where Library Service and Support Units have created fully functional IT support organizations, and evaluate the possibility of significantly reducing these costs by consolidating IT support within ITS and adopting our recommendation to implement service level agreements for IT support.
C. All IT costs including computer security should be accounted for as part of the IT budgetary process.
Management Response: Management was unclear about this recommendation. ATech Comment: All IT costs should be accounted for and funded Library?wide rather than pushed down to Service and Support Unit budgets. D. The Library should develop a Cost?benefit Analysis (Analysis of Alternatives) Process for all IT investments and include risk criteria.
Management Response: Management partially agreed. This process should be applicable to new expenditures exceeding $100,000 for systems, not including upgrades, etc.
ATech Comment: We concur with the $100,000 threshold. However, some upgrades should be subject to cost?benefit analysis because a replacement or a delay in the upgrade may be the better option. In addition, lifecycle costs must be considered for all acquisitions, because those can frequently increase costs beyond the stated threshold. E. The Library should develop a methodology to maintain and track all Library IT expenses.
Management Response: Management agreed with our recommendation. The Library CFO will recommend a procedure for tracking IT expenses across appropriations. F. The Library should review and plan for moving forward through the stages of the ITIM.
Management Response: Management agreed with our recommendation. 21
FINDING 3 – ORGANIZATIONAL STRUCTURE
The organizational structure of the ITS Directorate at the Library does not foster strategic planning and proper IT governance. 1. OSI combines both IT support and other programmatic functions. 2. There is no centralized IT governance mechanism. According to LCR 220?1: Functions and Organization of the Office of Strategic Initiatives, “The OSI mission is to support the Library of Congress’ vision and strategy by directing the digital strategic planning for the Library, overseeing the Library’s institution?wide digital initiatives, and leading the national program to build the required preservation network and infrastructure for the nation’s cultural digital assets. The OSI, through its Information Technology Services function, also ensures the effective delivery of information technology resources and services in support of the Library’s mission, functions, and activities… ” LCR 220?1 also states that one of OSI’s functions is to “Manage the Library’s programs, budgets, and allocation of resources for the Digital Futures Program (domestic and international content – including American Memory, technical infrastructures and electronic outreach services), the National Digital Information Infrastructure and Preservation Program (NDIIPP), the Information Technology Services (ITS) functions, and the OSI.” OSI is also responsible for the Teaching with Primary Sources Program (TPS). OSI Is Not Optimally Structured OSI is unique among the federal agencies that we researched in that along with the CIO function, it includes a major programmatic function. When interviewing many OSI (non?ITS) staff, with a few exceptions it was evident that their focus was programmatic (such as NDIIPP and TPS) rather than supporting the Library as a whole. The traditional CIO responsibilities are taken on by ITS, organizationally placed within OSI with no direct representation on the Executive Committee (representation was recommended by the LC21 report). ITS was originally an Enabling Infrastructure (Support Unit) reporting directly to the Deputy Librarian. In FY 2002, however, ITS was folded into the newly created OSI, and the position of Director of ITS lost its “CIO” designation. The head of OSI, the Associate Librarian for Strategic Initiatives was named the CIO, and the director of ITS was placed below the CIO level. The CIO’s focus has primarily been on external programs such as NDIIPP and TPS, rather than on pursuing a strategic plan and vision for ITS. Although the ALSI has a track record of highly successful program implementations, organizational structures should be based on function and purpose and not individuals.
22
Further, because ITS is a second–level organization, it does not have the mandate or authority to enforce proper Library?wide IT governance, thus resulting in a series of optional IT security measures. As the Library begins to build an Enterprise Architecture (EA), this problem will repeat itself, as ITS will not have the authority to enforce Library?wide compliance with standards and EA governance principles. OSI has proposed a reorganization in which ITS will report not to the ALSI but to the Deputy ALSI. From a Library?wide perspective, this change has no effect on the chain of command. Significantly, the IT Security Group (ITSG), located in ITS, lacks meaningful enforcement authority. There are not always consequences for violations of IT security because the ITSG has only limited authority to take action or to request termination of system access when it detects security violations. Effectively, the IT security program at the Library has no teeth. It is the perception of other Service/Support Units that ITS supports OSI priorities first and others must fall in line behind them. The proposed movement of the Digital Scanning Center from ITS to OSI adds to that perception and further muddles the distinction between programmatic and support functions. Our research of CIO functions across several legislative and executive agencies revealed that the Library’s programmatic function under the CIO is unique among federal agencies. We also found in federal agencies and major universities with similar missions to the Library, the CIO of the IT organization generally reports directly to the head of the organization. In other words, the Director of ITS would traditionally be the CIO and report directly to the Librarian. We found no instances in which a CIO was in charge of both major programmatic areas and infrastructural support functions. Although the ALSI is the CIO for the Library, she is perceived by the rest of the Library as a CIO in name only. This is largely due to her focus on the major programmatic areas rather than the infrastructural IT support functions. The CIO of an agency that is listed (in section 901(b) of title 31, United States Code) shall “have information resources management duties as that official's primary duty.” The Library of Congress does not have to conform to this; however, this is a standard best practice. The CIO Council provides a wealth of information on best practices at http://www.cio.gov/index.cfm?function=documents. A 2004 GAO survey found that the majority of federal agencies complied with this requirement and the CIO reported directly to the agency head. GAO commented in one of these reports, “n addition to requiring that federal agency CIOs have many specific responsibilities, federal law also generally requires that these CIOs report directly to their agency heads. This requirement establishes an identifiable line of accountability and recognizes the importance of CIOs’ being full participants in the executive team in order to successfully carry out their responsibilities.” See http://www.gao.gov/new.items/d04823.pdf for more information. 23
A recent OMB memorandum stated, “Except where otherwise authorized by law, regulation, or other policy, the CIO has the authority to set Agency?wide IT policy, including all areas of IT governance such as an Enterprise Architecture and standards, IT capital planning and investment management, IT asset management, IT budgeting and acquisition, IT performance management, risk management, IT workforce management, IT security and operations, and information security.” See http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2009/m09?02.pdf for more information. The ALSI is not endowed by the Library with the authority to make Library?wide decisions on IT governance, IT capital planning, and IT asset management. This is evidenced by the fact that other Service and Support Units make their own IT investment decisions and, sometimes, capital planning, IT budget management, and acquisitions. In addition, although the ALSI promulgates Library?wide IT security guidance, she has limited authority to enforce security requirements on Library areas outside OSI. A CIO cannot properly lead an IT organization without full authority and responsibility for these critical elements.
RECOMMENDATIONS
The organizational structure of the ITS Directorate needs to be realigned to foster strategic planning and IT governance at the Library. To accomplish this, the Library should:
A. Separate the IT support functions from OSI and establish the Office of the Chief Information Officer (OCIO) from the ITS Directorate and other IT support functions of OSI. The CIO will report directly to the Librarian or Chief Operating Officer with duties, responsibilities, and authority consistent with best practices. Management Response: Response to our recommendation is delayed until further study. B. Endow the CIO with the authority and responsibility for overall IT Strategic Planning, IT Capital Planning, IT Asset Management, Enterprise Architecture, and to establish a Customer Advocate role to ensure accountability; and C. Endow organizational function such as IT Security with appropriate enforcement authority as well as policy responsibilities. Management Response: Management agreed “in principle” with recommendations B and C. ATech Comment: We reiterate our recommendations. Both of these are industry?standard best practices to which the Library does not subscribe.
24
FINDING 4 – ENTERPRISE ARCHITECTURE
The Library lacks an Enterprise Architecture (EA) program. We found that the Library has not yet implemented an Enterprise Architecture. At best, OSI has documented the Library’s “as?is” architecture. The Library is behind most other federal agencies in developing an Enterprise Architecture. OSI indicated that this was due to budgetary constraints. Recently, the Library embarked on an EA project. To this end, OSI has contracted with the Gartner Group for support to develop a plan for this initiative. A core team, consisting of senior OSI and ITS managers, spearheaded by the ITSG Chief, has been meeting with Gartner to develop EA documentation. The team has conducted interviews with subject matter experts made up of OSI and ITS managers as well as Service Units. OSI is also embarking on related architecture projects such as: ? ? ? ? ? Information Architecture?User Experience as?is and possibly to?be (the Contractor will be delivering a report based on user studies and Web metrics); Information Architecture Services and Tools; Web/Delivery Architecture Web 2.0 delivery mechanisms and exploring software platforms and delivery options for a complete re?architecting/re? building of the Web environment in 2010; Search and Discovery Metasearch for LC home page and search engines; Metadata Group has established a Web site to share documents, has a charter and is finishing Use Cases for metadata requirements for multiple data sources and data used. The group is investigating automated tools (primarily open source); and Digital repository requirements.
?
OSI has brought on a project coordination contractor to provide project management, logistics support, and deliverable coordination and management for architecture?related projects. However, this fragmented approach does not represent a comprehensive EA as seen in other federal agencies. EA provides a high?level snapshot of IT systems and business processes and provides a framework for making IT investment decisions. An EA is a living process, requiring continuous maintenance. EA is intended to help guide wise IT decisions that support business processes, rather than requiring business processes to fit into IT models. According to the GAO, “An EA is a systematically derived snapshot—in useful models, diagrams, and narrative—of a given entity’s operations (business and systems); including how its operations are performed, what information and technology are used to perform the operations, where the operations are performed, who performs them, and when and why they are performed. The
25
architecture describes the entity in both logical terms (e.g., interrelated functions, information needs and flows, work locations, systems, and applications) and technical terms (e.g., hardware, software, data, communications, and security). EAs provide these perspectives for both the entity’s current (or “as?is”) environment and for its target (or “to be”) environment; they also provide a high?level capital investment roadmap for moving from one environment to the other.” For more information, see http://www.gao.gov/new.items/d03959.pdf. GAO has developed an Enterprise Architecture Management Maturity Framework (EAMMF) to evaluate Federal Enterprise Architectures (FEA). According to our evaluation, the Library is at Stage 1, which indicates that it is in the process of creating EA awareness. This is because the Library has initiated “some enterprise architecture activity, but these efforts are ad hoc and unstructured, lack institutional leadership and direction, and do not provide the management foundation necessary for successful enterprise architecture development as defined in stage 2.” See http://www.gao.gov/new.items/d06831.pdf for more information. GAO, OMB guidance, and federal CIO Council reports for developing an Enterprise Architecture are found at http://www.whitehouse.gov/omb/e?gov/fea/.) Recently, OMB developed a framework for FEA entitled the Federal Segment Architecture Methodology (FSAM), a systematic process that includes best practices from across the federal EA community. There are templates available on the FSAM Web site for this process. As defined in the OMB FEA Practice Guidance, there are core mission area, business service, and enterprise service segments. Below is a chart from FSAM guidance that shows how many of these pieces may be incorporated into a viable process. See http://www.fsam.gov/index.php for more information.
26
Table 3 FSAM Guidance
Although an EA is not a panacea for all IT issues, it does help bring a holistic view to the IT endeavor. Without an EA: 1. The Library cannot adequately link IT to the mission of the Library and provide a comprehensive framework to identify how IT assets directly enable the Library’s business processes and how those processes execute the Library’s mission. 2. There could be potential for interoperability problems between systems that could impact how the Library’s systems interface with each other. 3. It is harder to respond to changes because there is not a comprehensive reference for the Library to assess the impact changes will have on each component within the Library’s Enterprise Architecture or to ensure the components continue to run smoothly through change management. 4. It is harder to design new systems and modify existing systems because there is no frame of reference. 5. The Library may see fewer opportunities for economies of scale in purchasing. 6. It is harder to implement common security standards and security architectures. 7. The Library incurs additional technical risk by not having a technology infrastructure based on industry standard solutions and on trends of the future.
27
RECOMMENDATIONS
The Library needs to implement an Enterprise Architecture that could be coupled with a strategy and provide a roadmap for implementing technology in the future. To this end, the Library should: A. Follow the FSAM templates as a model for developing the architecture segments to avoid reinventing the wheel and use federal agency best practices for EA and use mainstream tools and processes; Management Response: Management partially agreed with our recommendation. ATech Comment: We are unclear as to the “partial” nature of management’s agreement with our recommendation, which was simply to use industry?established tools and best practices. Management did not indicate with which part of the recommendation it disagreed. B. Evaluate proposed plans for the development of an EA with EAMMF to ensure that the plans are in complete alignment; Management Response: Management partially agreed: “We will use EA metrics … which can include, and may largely coincide with, the EAMMF criteria.” ATech Comment: We disagree with management’s unwillingness to use proven, published criteria for this process. The Library intends to reinvent the wheel. We disagree with this approach when there are already significant existing bodies of knowledge and experience in this subject area. The EAMMF is flexible enough to accommodate the Library’s needs without needing to be reimagined. C. Keep the process for developing an EA in line with similar agencies to avoid developing a process that is too complex or out of scope with agencies of similar size; Management Response: Management agreed with our recommendation. ATech Comment: The Library should review the EA infrastructures of agencies with similar missions and technical requirements. D. Include all EA costs in a single budget line item for the entire Library to avoid creating a burdensome or costly process for system owners; and Management Response: Management partially agreed with our
28
recommendation. OSI will track all EA Program Office costs. Other costs can be accounted for in the Library’s different appropriations, but not contained in a single budget line item. ATech Comment: We disagree with management. We reiterate our recommendation that a centrally managed and significant project such as EA must be centrally funded. E. Involve all Service and Support Unit system/business process owners. Management Response: Management agreed with our recommendation.
29
FINDING 5 – CUSTOMER SERVICE
ITS Customer service needs improvement. 1. The Library has IT customer support issues. 2. ITS does not leverage tools such as Service Level Agreements or Performance Metrics. Customer Support Issues Our review indicated that beyond long?term strategic planning issues, ITS customers were experiencing significant customer service problems. We believe that this condition is related to the lack of long?term strategic planning in that ITS does not operate on a long?term plan to monitor or improve customer service. To avoid working with ITS, Service/Support Units often purchase their own equipment and software, procure IT contractor support, develop their own systems, or outsource development/hosting, and whenever possible deploy their own software and hardware. ITS customers say that the organization does not understand their business needs and requirements and provides inadequate support. Many customers believe that the quality of service and support they receive are based on personal relationships. Some customers believe that knowing certain individuals in ITS personally is what enables them to get the job done. People who are new to the Library have trouble obtaining help or finding the right people to answer their questions. Some customers reported limited or no contact with their ITS Research & Development (R&D) liaisons and perceive it is because they lack seniority. The Help Desk is the primary channel through which customers request new software and hardware and service for existing equipment. Some issues we found include: ? Help Desk tickets are not always properly assigned to the person providing the service or ordering the equipment/software. A search in December 2008 revealed that there were 800+ tickets assigned to the Chief of End User Computing. It is unlikely the Chief would be personally providing services. ? Help Desk tickets are not consistently reassigned when ITS employees or the contractors leave the Library or are assigned to a different position. ? A search in January 2009 showed 4,079 tickets in an “Open” status, with original dates ranging from 1989 to 2008, and 137 tickets opened from 1996 to 2008 showed as being in a “Hold” status. ? Approved requests for equipment or service are not always fulfilled and the requestors often receive no explanation why. Sometimes ITS will deliver equipment long after the requestors have purchased their own
30
?
equipment. Often, customers will find a way to perform the service themselves. Sometimes ITS will implement services without the requestor's knowledge. Customers are frustrated with the high number of tickets (a minimum of five) to provide new employees with system and telecommunications access and equipment.
Users have experienced lengthy delays in the approval process for new software. Sometimes the wait time is so lengthy that a new version of the software is released before the request is approved, thereby making the original request obsolete. Sometimes, tickets are closed without resolution of the reported software deployment problem and a new ticket must be opened. The Help Desk is staffed by contractors, whose quality is inconsistent. Help Desk contractors will often install the wrong versions of software and the customers will reinstall the software themselves. Customers have reported that instead of fixing a problem, the Help Desk contractors will frequently replace hard drives or recreate customer accounts. Library customers have said that they created their own IT support organizations because ITS did not meet their needs. For example: ? CRS created a network separate from ITS and procures its own equipment and software; ? LL outsourced the Global Legal Information Network (GLIN); ? NLS purchased its own servers and maintains a separate data center. NLS performs system development, Web development, and system hosting services in?house or with outside contractor support; ? LS insisted on managing and outsourcing the development of NAVCC Workflow Application. LS has also insisted that the development for the overall Library repository be outsourced. Many customers report that equipment available in the PC Store, operated by ITS, does not meet their needs. The list of items or support provided by ITS changes frequently. Customers have also reported that ITS does not maintain an inventory of spare parts for the supported equipment. We found no evidence of the distribution of end?user surveys, Help Desk surveys, or open informational meetings with customers to obtain feedback. The Operations Committee is attended only by the technology heads. The ITS R&D liaisons interact mostly with senior management and the Workstation Configuration Control (WCC) group has a limited membership. While the information provided at WCC meetings is useful, the meeting minutes are only disseminated to its members via email or access to a special drive. Members have reported it is more of a forum for announcements rather than discussion. The IOG also has limited membership, but has received the most positive feedback. The IOG is also the only group that 31
disseminates the meeting minutes on the Intranet Site and follows up with members when they do not attend meetings. ITS is currently developing a communications plan to improve information dissemination to the rest of the Library and within ITS. Service Level Agreements and Performance Metrics Most organizations use Service Level Agreements (SLA) to manage their customers’ expectations and set standards by which their service can be evaluated, and in turn, by which they can evaluate their own staff. For example, at the Library, the Office of Contracts and Grants Management (OCGM) publishes a listing of timeframes in which customers can expect their acquisitions to be completed. OCGM also uses these timeframes to assess its own performance, and further, to evaluate its staff. ITS does not use SLAs because it believes that they are best suited for contractors. ITS uses “Memoranda of Understanding” (MOU) and “Project Charters” as a way to assign roles and responsibilities. ITS customers, however, reported that the MOUs are one?way, mostly defining the customer’s responsibilities, but not assigning performance standards to ITS, the service provider, and further, do not guarantee service or support. SLAs represent a best practice for service providers, whether or not there is an exchange of funds. SLAs define service standards, manage customer expectations, and provide a yardstick by which service quality can be evaluated. SLAs can include metrics such as hours of support, call response time, and escalation procedures. These SLAs will help end users understand the service that they can expect. Higher levels will require additional resources. We believe that the publishing of SLAs will provide the end users with more understanding of the levels of support that they can expect. We also believe that ITS should join an organization such as the Help Desk Institute to obtain best practices for customer support and in operating a Help Desk. In addition, we suggest the use of the Information Technology Infrastructure Library (ITIL) for comprehensive documentation of best practices for IT service management. According to an article published by the Help Desk Institute, “We suggest the use of SLAs so that the end user’s have a basis for knowing what service to expect. Fundamentally, the service level agreement process provides a methodology for introducing and implementing reasonable expectations for the customer community and your Help Desk or Customer Support Center. SLAs serve as a guide for establishing good, sound business relationships.” For more information, please see http://www.thinkhdi.com/library/deliverfile.aspx?filecontentid=55. Without SLAs or performance metrics, ITS cannot understand or manage customer expectations. Without this feedback chain, ITS has no real way of knowing if it is meeting its support objectives and customer expectations. 32
With respect to IT issues, it appears that the Library acts as five separate businesses instead of a single institution. There are solo and sometimes duplicative system development projects going on throughout the Library without OSI and ITS' knowledge. There is also no true system integration. The Service/Support Units compete for IT resources instead of working together to coordinate economies of scale for software, hardware, equipment, Help Desk, and system development and outsourced hosting costs.
Because of a perceived reluctance by ITS to take on ownership of IT problems or projects, customers search for ways to work around or not notify ITS of pending projects. Others will attempt and then give up pursuing projects that could be a Library?wide benefit such as the deployment of Multi?Functional Devices (MFDs or combination printer/copier/scanners). Our review indicated that Integrated Support Services (ISS) took all of the appropriate steps, including involving ITS in the requirements phase of the current contract, to enable the scanning and networking functions of the machines now in place Library?wide. However, there is a stalemate between ITS and ISS as to who is responsible for networking these MFDs, leaving them to be used throughout the Library solely as copiers. At the end of a five?year contract, the Library will have paid a total of $5,782,870 without realizing the full functionality of these MFDs. We were unable to determine the incremental cost of leasing MFDs as opposed to plain copiers without MFD functionality.
RECOMMENDATIONS The Library needs to implement a formal process for soliciting customer feedback for recommendations, ideas, and complaints, and implement changes to improve customer service. Specifically, ITS should:
A. Implement Service Level Agreements to manage customer expectations; Management Response: Management partially agreed with our recommendation. ATech Comment: Once again, we are unclear as to the “partial” nature of management’s agreement with our recommendation. Service level agreements can be structured in any way the Library desires, and simply establish baseline service guidelines on which management and customers can rely. B. Review the PM, SDLC, IT Security, and Help Desk processes and obtain feedback from the Service/Support Units to improve efficiency and effectiveness; Management Response: Management agreed with our recommendation.
33
C. Use best practices for service management from organizations such as the Help Desk Institute and ITIL and other organizations; Management Response: Management agreed with our recommendation. D. Instead of enhancing the current Help Desk system, implement a COTS enterprise Help Desk system that includes capabilities for customer feedback on calls, reporting on the closure rate of calls, types of calls, and other metrics. Since CRS purchased the latest version of Remedy, ITS should use the CRS contract for this or research other COTS options; Management Response: Management agreed with our recommendation. E. Negotiate a new Help Desk service contract to meet the different service level requirements of all Service and Support Units to eliminate duplicative Help Desk support services; Management Response: Management disagreed with our recommendation. Management believes, at this time, that having some services provided to certain staff at the service/support unit level is desirable. Having a distributed model of services instead of a centralized model does not necessarily mean there are duplicative costs. The CFO will address this recommendation in his study on duplicative costs. ATech Comment: The intent of this recommendation was to address the need for the Library to evaluate duplicative costs incurred by having distributed and independent help desk functions throughout its various offices. F. Develop a set of metrics for ongoing use to measure performance. These metrics should change and evolve over time as one area shows improvement; new metrics should be developed for other areas; and Management Response: Management agreed with our recommendation. G. Conduct regular customer surveys and open informational meetings. Management Response: Management agreed with our recommendation.
34
CONCLUSION
We believe that since the National Research Council issued the LC21 report in 2000, the IT support organizations at the Library of Congress have transformed themselves from IT support “shops,” to organizations which lead the country and the world in digital library technology. We were also impressed with the intelligence and technical savvy of the Library staff. It is now time for the Library to transform its management of IT from five separate businesses to a total institution. To remain a leader in the digital age, the Library must work collectively to address digital strategy, repository, and preservation; information retrieval; metadata standards; copyright deposits; IT cost accounting and metrics; IT leadership and governance; IT security; IT support/customer service; and IT investments. Many recommendations made in this report can be implemented at a low cost and can be accomplished with existing resources. Those requiring resources could be balanced against cost saving measures. We caution that the planning process should be agile rather than burdensome, and transparent to achieve maximum buy? in. We also advise the recommendations be implemented in coordination with all the Service and Support Units as some activities will reach across multiple reporting frameworks and appropriations. The GAO Executive Guide speaks about balance in planning, “CIOs recognize that balancing short?term successes with longer?term business change initiatives is key to keeping their business customers satisfied…These CIOs are careful not to get caught in the cycle of continual planning, but take steps to ensure effective progression from planning to implementation. They return to their plans iteratively, updating them as progress is made and business needs evolve.”5 We recommend the Library consult with the CIOs of organizations such as the Department of Education, George Mason University, the National Institutes of Health, the National Science Foundation, the Smithsonian, and the United States Patent and Trademark Offices on their IT strategic planning processes (see references 18?24 for the IT strategic plans of these organizations). The LC21 report made the following recommendations, which still hold true today: “…information technology can, should, and must be taken as a strategic asset of the Library as a whole and managed strategically from the very top.“ “…there needs to be serious strategic planning. Concrete projects must be established and undertaken to make real the Library’s ability to select, acquire, preserve, and manage digital content. These initiatives must reach across the whole interlinked set of processes from copyright registration through deposit to reader services.” We suggest that the Library continue work in these very critical areas and begin
5
The GAO Executive Guide, February 2001, Maximizing the Success of Chief Information Officers – Learning From Leading Organizations.
35
immediate implementation of our recommendations. An effective IT strategic planning process will provide the framework that is needed to assess costs and benefits, manage priorities, and plan for the future. The customer’s needs, both internal and external, should drive the requirements and be the foundation for determining project success.
36
APPENDIX A REFERENCES
1. Booz Allen & Hamilton, Management Review of the Library of Congress Final Report, May 7, 1996. (Part of OIG Hardcopy Collection.) Reference 1 Supplement, GAO Testimony Library of Congress Opportunities to Improve General and Financial Management, May 1996. 2. GAO Executive Guide: INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT: A Framework for Assessing and Improving Process Maturity: Version 1.1, GAO?04?394G, March 2004. 3. GAO Executive Guide, Maximizing the Success of Chief Information Officers – Learning From Leading Organizations, February 2001. 4. GAO Executive Guide, Improving Mission Performance Through Strategic Information Management and TechnologyLearning from Leading Organizations (GAO/AIMD?94?115), May 1994. 5. GAO Guide, Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decisionmaking (GAO/AIMD?10.1.13), February 1997. 6. GAO Report, Federal Chief Information Officers Responsibilities, Reporting Relationships, Tenure, and Challenges, GAO?04?823, July 2004. 7. GAO Report, ENTERPRISE ARCHITECTURE: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation, GAO?06?831, August 2006. 8. GAO Report, Information Technology, FBI Needs an Enterprise Architecture to Guide its Modernization Activities, GAO?03?959, September 2003. 9. GAO Review, Objective 1: Library of Congress Collections Management, Opportunities to Improve Effectiveness through Digitization, September 2008 (Draft). 10. Thomas G. Kessler, Patricia A. Kelley, Federal IT Capital Planning and Investment Control. Public Manager, 37 (4), 56?60, 2008. 11. NRC, LC21 A Digital Strategy for the Library of Congress, Copyright 2000. 12. OMB Circular A–11, Part 6, Preparation and Submission of Strategic Plans, Annual Performance Plans, and Annual Program Performance Reports, July 2003.
37
13. OMB Circular A?II, Part 7, Preparation, Submission, and Execution of the Budget, Section 300, Planning, Budgeting, Acquisition, and Management of Capital Assets, July 2007. 14. OMB Memorandum, Information Technology Management Structure and Governance Framework, M?09?02, October 21, 2008. 15. OPM Interpretive Guidance for the Information Technology Management Series, GS2210, CG01?0001, June 2001.
16. Thomas Plant, Public Sector Strategic Planning: An Emergent Approach, Performance Improvement, 45.5: 5?6. ABI/INFORM Global, ProQuest, (2006). 17. US Code: Title 40, Subtitle III, Chapter 113, Subchapter II, § 11315, Agency Chief Information Officer. 18. Department of Education, Information Resource Management Strategic Plan FY 2007 – 2011. 19. George Mason University’s Information Technology Unit Responds to the Academic Unit 2010 Plans. 20. The Strategic Information Resources Management Plan of the National Archives and Records Administration, February 2008.
21. National Institutes of Health Center for Information Technology Strategic Plan, 2008 – 2012. 22. NSF Information Resource Management Plan, September 2008. 23. Smithsonian Information Technology Plan FY 2008–FY 2013. 24. United States Patent and Trademark Office, Office of the Chief Information Officer Strategic Information Technology Plan FY 2007–FY 2012.
25. OSI, Plan for Cyclical Investments in Technical Infrastructure FY 20102014, September 2008. 26. ITS Presentation, LC Enterprise Architecture Program Overview to Operations Committee, November 2008.
38
APPENDIX B ACRONYMS
AIU – Archive Interface Utility ALSI – Associate Librarian for Strategic Initiatives AP3 – Annual Performance Program Plan ASL – Associate Librarian C&A – Certification and Accreditation CCB? Configuration Control Board CFO – Chief Financial Officer CIO – Chief Information Officer CIPC – Capital Planning and Investment Control CMM – Capability Maturity Model COBIT – Control Objectives for Information and Related Technology COO – Chief Operating Officer COP – Copyright Office COSD – Committee on Strategic Direction COTS – Commercial?Off?The?Shelf CRS – Congressional Research Service DLCG – Digital Library Content Group EAMMF – Enterprise Architecture Management Maturity Framework FEA – Federal Enterprise Architecture FSAM – Federal Segment Architecture Management GAO – Government Accountability Office GIPRA – Government Performance and Results Act GPO – Government Printing Office ICP – Internal Control Program IOG – Internet Operations Group IT – Information Technology ISS – Integrated Support Services ITIL – Information Technology Infrastructure Library ITIM – Information Technology Infrastructure Management Model ITSG – IT Security Group ITS – Information Technology Services ITVRSP – IT vision, strategy and research program Library or LC – Library of Congress LC21 report – LC21: A Digital Strategy for the Library of Congress LCR – Library of Congress Regulation LL – Law Library LS – Library Services MDEP – Management Decision Package MFD – Multi?Functional Device MOU – Memorandum of Understanding NAVCC – National Audio?Visual Conservation Center NDIIPP – National Digital Information Infrastructure Preservation Program
39
NDLP – National Digital Library Program NIST – National Institute of Standards and Technology NLS or NLSBPH – National Library Service for the Blind and Physically Handicapped NRC ? National Research Council PART – Program Assessment Rating Tool OCFO – Office of the Chief Financial Officer OIG – Office of the Inspector General OMB – Office of Management and Budget OPM – Office of Personnel Management OSEP – Office of Security and Emergency Preparedness OSI – Office of Strategic Initiatives SAM ?QFS – Storage and Archive Manager – Quick File System SLA – Service Level Agreement SPO – Strategic Planning Office TPS – Teaching with Primary Sources VPN – Virtual Private Network WCC – Workstation Configuration Control WCM – Workstation Configuration Management
40
APPENDIX C PROPOSED FY 2009 IT BUDGETS
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
Office of Strategic Initiatives Proposed Budget OSI Fulltime & Other government salaries (without Benefits) OSI Non?Pay Total OSI Budget without ITS Breakdown of ITS Directorate Proposed Budgets ITS Pay Fulltime & Other government salaries without Benefits ITS Non?Pay Total ITS Budget Total OSI Fulltime & Other Pay without Benefits Total Non?Pay Office of Strategic Initiatives Total Breakdown of OSI Directorate Proposed Budgets Digital Initiatives: $13,284,000 Pay ? FT Permanent & Other $9,686,000 Non Pay Information Technology Services: $27,108,000 Pay Fulltime (FT), Other, Benefits $30,225,000 Non Pay National Digital Information Infrastructure: Teaching With Primary Sources: $1,209,000 Pay FT Other, Benefits $5,961,000 Non Pay Office of Strategic Initiatives Total with Benefits Proposed IT Support Budgets For OSI/ITS Customers Copyright Congressional Research Service Law Library Library Services Human Resource Services Integrated Support Services Office of The Chief Financial Officer Office of The Librarian Office of The Inspector General Office of Security And Emergency Preparedness Total For Office of Strategic Initiatives/Information Technology Services Customers Breakdown of Service/Enabling Infrastructure Units Proposed IT Budgets" Copyright IT government support salaries without Benefits IT contractor support: Oracle 8.1 And Analytics Implementation COP Repository Feasibility Study eCo support Contractors (Catapult, Central Printing, Adobe)
$11,146,000 $23,158,000 $34,304,000 $21,762,000 $30,225,000 $51,987,000 $32,908,000 $53,383,000 $86,291,000 $22,970,000 $57,333,000 $7,511,000 $7,170,000 $94,984,000 $5,756,576 $7,770,530 $1,989,792 $11,969,843 $1,498,073 $1,560,411 $3,381,000 $675,973 $117,219 $283,450 $35,002,867 $2,171,502 $1,400,000 $300,000 $720,479
$293,450 To $35,012,867 One Time One Time
41
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
Help Desk Metasearch Project Hardware Purchase/Replacement: Pre?Product Environment Scanners Video Cards Vendor support (E.G. Maintenance On Servers/Network) Seibel And Scanners Software Purchase/License IT Training/Conferences (Eco Training, Accuate & MS Project Course, Voyager Conference) Copyright Total Congressional Research Service IT government support salaries (without Benefits) IT contractor support: Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network) Software Purchase/License IT Training/Conferences Congressional Research Service Total Law Library IT government support salaries (W/O Benefits) IT contractor support For GLIN Hardware Purchase/Replacement (Non?GLIN) Vendor support For GLIN Software Purchase/License (Non?GLIN) IT Training/Conferences: Law Library Total Library Services IT government support salaries (without Benefits) Technology Policy IT contractor support (Tech Audit) TP SubTotal Automation Planning Liaison Office: IT contractor support Hardware Purchase/Replacement Vendor support Software Purchase/License IT Training/Conferences: Automation Planning Liaison Office SubTotal National Library Service For The Blind Physically Handicapped: $700,000 $15,000 $75,000 $12,800 $2,970 $49,000 $259,324 $50,500 $5,756,576 $4,560,530 $1,300,000 $600,000 $1,200,000 $100,000 $10,000 $7,770,530 $915,975 $997,002 $745 $63,847 $12,223 $0 $1,989,792 $6,514,093 $100,000 100,000 $35,000 $170,685 $23,200 $255,965 $20,000 $504,850 One Time (Includes salaries for the Automation Contacts, Does not include Future NAVCC FTEs) One Time Hardware $73,580 Note 1: includes Software Maintenance on in?house developed software applications. Note 2: Just completed major upgrade to systems due to the Digital Conversion and implementing a new Website This Year. Office considers figure unusually high for
IT contractor support
$1,108,900
42
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
a typical year. Due to Workstation Configuration Management (WCM) initiative, NLS is aggressively replacing computer hardware not certified for windows XP. Purchasing additional PC's due to WCM repair process and new it security requirements. Figure high for a typical year. Expense includes a $30k payment made every three years to its for hardware replacement for our digital archiving system and $10k maintenance that was prepaid in FY 2008 . Due to WCM initiative, we are getting our software licenses in order. Making purchases to support engineering for the DTB player (such as CAD software). Figure considered unusually high for a typical year. Total Contract value was $400,000 for 2 year support
Hardware Purchase/Replacement
$141,000
Vendor support (E.G. Maintenance On Servers/Network)
$40,000
Software Purchase/License IT Training/Conferences BPH SubTotal National AudioVisual Conservation Center: IT contractor support ? NAVCC Software Applications Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network) Software Purchase/License IT Training/Conferences National AudioVisual Conservation Center Sub Total Library Services Total Human Resource Services IT government support salaries (W/O Benefits) IT contractor support Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network, Which May Not Apply To COP.) Software Purchase/License IT Training/Conferences Human Resource Services Total Integrated Support Services IT government support salaries (without Benefits) IT contractor support Hardware Purchase/Replacement Vendor support (E.G. Maintenance On Servers/Network) Software Purchase/License IT Training/Conferences Integrated Support Services Total Office of The Chief Financial Officer
$85,500 $25,500 $1,400,900 $200,000 $2,750,000 $500,000 $0 $0 $3,450,000 $11,969,843 $519,978 $0 $14,724 $893,102 $58,880 $11,389 $1,498,073 $371,411 $770,000 $37,000 $0 $281,000 $101,000 $1,560,411
43
Proposed FY 2009 OSI Budget & IT Budgets for other Service & Support Units
IT government support salaries (without Benefits) IT contractor support For Momentum Hardware (Significantly More Spent In Past Years.) Vendor support Software Purchase/License IT Training/Conferences Office of the Chief Financial Officer Total Office of The Librarian IT government support salaries (without Benefits) IT contractor support Hardware Purchase/Replacement Vendor support Software Purchase/License (No Annual Fees) IT Training/Conferences Office of the Librarian Total Office of The Inspector General IT government support salaries (without Benefits) IT contractor support Hardware Purchase/Repair Software Purchase/License Vendor support IT Training/Conferences Office of the Inspector General Total Office of Security Emergency Preparedness IT government support salaries (without Benefits) IT contractor support For MC Dean IT Related Library's Police Communications Center (PCC) For One?Year Period Ending May 1, 2009. Hardware Purchase/Repair Vendor support & Software For Personnel Security Program Office Database" IT Training/Conferences Office of Security Emergency Preparedness Total $606,069 $2,757,722 $1,000 $0 $0 $16,209 $3,381,000 $624,430 $0 $34,543 $0 $15,000 $2,000 $675,973 $116,419 $0 $800 $0 $0 $117,219 $178,450 $50,000 $25,000 $25,000 $5,000 $283,450 To $35,000 To $293,450
44
APPENDIX D – NLS IT SECURITY EXPENSES
IT Security Expenses for the NLS
Year/Description of expense FY 2006 Work involved in creating initial PICS C&A Work involved in estimate for PICS POAM fixes Work involved in IT security test ? accommodating blind staff problems Process IT security wavier documentation Lost work due to VPN problems & inefficiencies TOTAL FY 2006 FY 2007 PICS C&A Annual update PICS Phase 2 ? research/documentation creation to accommodate IT security rules Total NLS Hours 245 20 15 30 60 370 40 NLS Staff Hardware Cost Cost $16,057 $1,344 $1,008 $1,934 $3,786 $24,129 $2,816 $0 Consultant Cost $4,000 $4,000 $500 $3,500 $12,000 TOTAL COST $36,129
75
$5,279 $8,447 $2,112 $6,430 $3,254 $2,010 $2,112
$49,236
$10,000 $500
PICS Phase 2 ? effort involved in accommodating IT security rules 120 PICS Phase 2 ? hardware purchased as a result of IT security accommodations 30 Workstation Configuration management (WCM) preparations 100 Research into possible use of VMware Process IT security waiver documentation Work involved in IT security test ? accommodating blind staff problems Preparations/Research for Comprehensive Mailing List System and Blind and Physically Handicapped Inventory Control System (CMLS/BPHICS) and C&A Effort and expenses associated with ensuring NLS computer room compliant with IT security rules (platform, lock) 52 30 30
100
$7,039
35
$2,109
$3,500
45
IT Security Expenses for the NLS
Year/Description of expense Lost work due to VPN problems & inefficiencies TOTAL FY 2007 FY 2008 Production Inventory Control System (PICS) C&A Annual update Re Estimate PICS Plan of Action and Milestones (POAM) fixes Effort to set up firewall rules for NLS producers PICS Phase 2 ? Impacts of accommodating IT security rules (coding) 240 PICS Phase 2 ? redo C&A package 200 Effort spent working on acquiring NLS test networks Acquisition of Network hardware to accommodate test networks Process IT security wavier documentation 150 50 $12,556 $10,184 $2,961 $3,792 $30,000 $59,670 $17,502 $55,000 Total NLS Hours 60 672 40 40 40 NLS Staff Hardware Cost Cost $3,818 $45,425 $2,917 $2,917 $2,917 $52,736 Consultant Cost $4,000 $14,500 TOTAL COST $112,661
60 Effort spent on Workstation Configuration management (WCM) preparations for 64 bit engineering workstations 315 Work involved in IT security test ? accommodating blind staff problems 35 Effort spent on Workstation Configuration management (WCM) preparations ? software inventory, documentation(outside of regular XP upgrade) 510 Lost work due to VPN problems & inefficiencies 70 TOTAL FY 2008 FY 2009 – estimated: PICS C&A Annual updates PICS ? redo C&A to include download website 1750 50 160
$19,532 $2,210
$500
$31,124 $4,122 $112,735 $3,532 $9,994
$30,000
$15,000 $8,000 $138,170 $8,000
$280,905
46
IT Security Expenses for the NLS
Year/Description of expense Effort to maintain firewall rules for NLS producers Total NLS Hours NLS Staff Hardware Cost Cost $1,348 Consultant Cost TOTAL COST
35 Effort spent on Workstation Configuration management (WCM) Implementation (outside of regular XP upgrade) 500 Process IT security wavier documentation 40 Extra computers to deal with possible problems with WCM rebuilds (extra computers, lost staff time) 90 Work involved in IT security test ? accommodating blind staff problems 35 Effort spent on Workstation Configuration Management (WCM) preparations for 64 bit engineering workstations 70 Time spent by NLS staff testing applications as part of WCM requirements Lost work due to VPN problems & inefficiencies TOTAL FY 2009 Items pending funding: Fixing PICS POAM items Possible Future expenses: C&A on CMLS/BPHICS C&A on XESS C&A on Network Database C&A on READS C&A on IMS TOTAL Pending Funding Overall TOTAL FY 2009 GRAND TOTAL FYs 20062009 plus pending funding
$29,906 $2,701
$17,000
$5,479 $2,245
$8,000
$500
$4,927
140 45 1165 1165 2792
$8,789 $1,639 $70,561 ? ? ? ? ? ? $0 $70,561 $252,851
$8,000 ? ? ? ? ? $0 $8,000 $90,736
$15,000 $6,000 $46,500 $438,000 ? ? ? ? ? $438,000 $484,500 $649,170
$125,061 0 ? ? ? ? ? $438,000 $563,061 $992,756*
* There is a $1 discrepancy due to rounding.
47
PAGE INTENTIONALLY LEFT BLANK
48
APPENDIX E – LIBRARY RESPONSE TO REPORT
49
doc_161027935.pdf