Information Technology: OPM Needs to Adopt Key Practices in Modernizing Legacy Financial System

What GAO Found

The U.S. Office of Personnel Management (OPM) has completed several phases of its effort to modernize its Trust Funds Federal Financial System (FFS). Among other activities, OPM defined the project's charter, selected a service provider, and gathered requirements. However, as shown below, OPM had to extend the planned completion date of two upcoming milestones by 1 year to October 2022 and October 2023. These milestones focus on the transition to the shared service provider and the new system. In addition, OPM increased the estimated cost of project development and implementation by $13.4 million to $71.9 million.

Status of the Office of Personnel Management's (OPM) Financial System Modernization

Legend:

_____ = milestones that have been completed

Source: GAO analysis of OPM's documentation and interviews. | GAO-22-104206

OPM attributed the delay to a variety of reasons, including poor documentation and insufficient staff expertise regarding the legacy system.

OPM partially implemented key practices for using a shared service provider. Specifically, while OPM performed risk assessments of the modernization, the assessments were not comprehensive or did not accurately reflect the risks the program was facing. Specifically, while OPM performed recommended assessments of the modernization, it did not address all known risks. For example, the risk assessment during Engagement Phase 2 did not reflect that OPM had not defined service level agreements for operations and maintenance; applicable guidance considers this omission a high risk at this stage. Further, while OPM conducted recommended reviews at the conclusion of each phase, in two cases the agency moved forward on the modernization without meeting defined exit criteria.

In addition, while OPM fully adopted leading information technology (IT) management practices for requirements management, it did not do so for cost and schedule estimation, and cybersecurity. Specifically:

• OPM did not fully adopt best practices for developing program cost and schedule estimates. As a result, its estimates were not reliable.
• OPM adopted one key cybersecurity practice for systems engineering and partially adopted four other practices. For example, although OPM had identified security expectations for the migration phase, the agency had not defined the level of service to be supplied by the shared service provider. Following these practices help ensure that security requirements and needs are addressed throughout the life cycle of the system.

Until the agency fully implements appropriate practices, OPM increases the risk that the program will incur schedule delays, cost overruns, unmet performance targets, and cybersecurity shortfalls.

Why GAO Did This Study

OPM's legacy financial system, FFS, helps manage over $1 trillion in combined assets and supports over 8 million federal employees and retirees. However, according to OPM, FFS is outdated and consists of unsupported software. In fiscal year 2017, OPM created the Trust Funds Modernization (TFM) Program to replace FFS. In 2019, the agency selected a shared service provider to provide the replacement system.

The House report accompanying the Consolidated Appropriations Act, 2020 included a provision for GAO to examine OPM's effort to modernize and replace FFS. This report (1) describes the status of OPM's effort to modernize and replace FFS; (2) evaluates the progress OPM has made in implementing key modernization practices for using a shared service provider; and (3) determines to what extent the TFM program has adopted leading practices for requirements management, cost and schedule estimation, and cybersecurity. To do so, GAO analyzed relevant TFM program documentation; assessed documentation against key modernization practices; and compared the program's requirements management, cost and schedule estimation, and cybersecurity to leading practices. GAO also interviewed OPM officials.

Comments are closed.