A-44-09-29120 - Alternate Format

OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

The Social Security Administration’s Information Technology Strategic Planning

June 2009

A-44-09-29120

CONGRESSIONAL RESPONSE
REPORT

June 29, 2009

The Honorable Max Baucus
Chairman
Committee on Finance
United States Senate
Washington, D.C. 20510

Dear Senator Baucus:

Your February 18, 2009 letter co-signed by Senator Grassley requested our assistance in evaluating the Social Security Administration’s (SSA) response to the Lockheed Martin study of the National Computer Center and SSA's efforts to strategically address future information system needs. Specifically, we were requested to assess the Agency’s overall future information system plans and provide the following information.

1. Has the Agency adequately developed a comprehensive Agency Information Infrastructure Plan that is designed to meet potential processing needs for the next 20 years and allows the Agency to recover quickly if one or more major components of its processing infrastructure fails or is destroyed?

2. Has the Agency obtained information on industry best practices of other data infrastructure systems of similar scope in terms of design, geographic location and redundancy, and has this information guided their decisions for information systems planning?

3. What steps is the Agency taking to prevent the current situation that plagues the NCC from recurring?

4. Determine the process and criteria being used by SSA to identify a new location for the NCC and the risks and benefits of that process and criteria.

I appreciate the opportunity to share our insights on these important matters and am pleased to provide you the enclosed report, which addresses your specific questions. To ensure SSA is aware of the information provided to your office, we are forwarding a copy of this report to the Agency. Also, I have sent a similar response to Senator Grassley.

If you have any questions concerning this matter, please call me at (410) 965-7427 or have your staff contact Wade Walters, Assistant Inspector General for External Relations, at (410) 594-2176.

Sincerely,

/s/
Patrick P. O’Carroll, Jr.
Inspector General

Enclosure

cc:
Michael J. Astrue

June 29, 2009

The Honorable Charles Grassley
Ranking Member
Committee on Finance
United States Senate
Washington, D.C. 20510

Dear Senator Grassley:

Your February 18, 2009 letter co-signed by Senator Baucus requested our assistance in evaluating the Social Security Administration’s (SSA) response to the Lockheed Martin study of the National Computer Center and SSA's efforts to strategically address future information system needs. Specifically, we were requested to assess the Agency’s overall future information system plans and provide the following information.

3. What steps is the Agency taking to prevent the current situation that plagues the NCC from recurring?

4. Determine the process and criteria being used by SSA to identify a new location for the NCC and the risks and benefits of that process and criteria.

I appreciate the opportunity to share our insights on these important matters and am pleased to provide you the enclosed report, which addresses your specific questions. To ensure SSA is aware of the information provided to your office, we are forwarding a copy of this report to the Agency. Also, I have sent a similar response to Senator Baucus.

If you have any questions concerning this matter, please call me at (410) 965-7427 or have your staff contact Wade Walters, Assistant Inspector General for External Relations, at (410) 594-2176.

Sincerely,

/s/
Patrick P. O’Carroll, Jr.
Inspector General

Enclosure

cc:
Michael J. Astrue

June 2009

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

 Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
 Promote economy, effectiveness, and efficiency within the agency.
 Prevent and detect fraud, waste, and abuse in agency programs and operations.
 Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
 Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

 Independence to determine what reviews to perform.
 Access to all information necessary for the reviews.
 Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

Executive Summary
OBJECTIVE

Our objective was to review the Social Security Administration’s (SSA) plan to address its processing requirements 5 to 20 years in the future and what actions SSA has taken to meet those requirements. Specifically, we addressed a congressional inquiry concerning the Agency’s information technology (IT) strategic planning, disaster recovery, industry best practices, National Computer Center (NCC) infrastructure issues, and NCC replacement strategy.

BACKGROUND

In a February 18, 2009 letter co-signed by Senators Max Baucus and Charles Grassley, we were requested to assess the Agency’s overall future information system plans. Specifically, we were requested to provide the following information.

3. What steps is the Agency taking to prevent the current situation that plagues the NCC from recurring?

4. Determine the process and criteria being used by SSA to identify a new location for the NCC and the risks and benefits of that process and criteria.

Also, as a follow up to our report, The Social Security Administration’s Ability to Address Future Processing Requirements (A-44-09-19098), we updated the status of the Agency’s efforts to address the significant issues identified in Lockheed Martin’s (LM) NCC Feasibility Study.

RESULTS OF REVIEW

Our review of SSA’s IT strategic planning process and related documents found the following.

1. SSA did not have a comprehensive Agency Information Infrastructure Plan to meet potential processing needs for the next 20 years and that would allow the Agency to recover quickly if one or more major components of its processing infrastructure fails or is destroyed.

a. SSA has various IT strategic planning documents, but similar to other Federal agencies, they do not span 20 years. We found there was no requirement for SSA to have an Agency Information Infrastructure Plan that spans 20 years.
b. SSA’s IT strategic planning documents are task-oriented in nature and need to be more strategic.
c. SSA has an IT planning process, but the process is decentralized. SSA officials stated, “We agree that we need to strengthen our IT strategic planning process. We will address some of the concerns raised in the report with the release of the 2009-2014 IRM Strategic Plan. We do not agree that our decentralized IT planning process is undesirable, but we can make improvement in coordination, communication, and integration.”
d. SSA has a disaster recovery plan if the NCC becomes unavailable. However, the Agency’s current recovery plan depends heavily on the availability of a contracted facility, and it will take approximately 10 days to recover the systems required to perform the Agency’s essential functions.

2. SSA obtained information on industry best practices regarding data infrastructure systems by consulting with IT research firms. SSA consulted with these firms regarding such topics as Data Center outsourcing; Data Center staffing; management characteristics of effective Data Centers; next generation Data Center design; predicted infrastructure usage and upcoming technology; and infrastructure optimization. SSA management stated the Agency does not follow specific industry best practice documents, but its IT planning is based on experience and the best information available at the time. Moreover, SSA management stated that industry best practices were used in developing the Agency’s NCC replacement strategy. Although SSA management stated it uses the best available information when IT decisions are made, to date, we have been unable to obtain detailed cost estimates for all viable alternatives identified by LM in its NCC Feasibility Study.

3. SSA has taken the following steps to prevent the current situation that plagues the NCC from recurring.

a. SSA has initiated or completed projects recommended by LM to sustain existing operations at the NCC. Nonetheless, we believe the Agency should have taken action sooner because SSA and the General Services Administration (GSA) knew about some of the recurring issues at the NCC and Utility Building since 1989. Further, we believe the criticality of the building should be given a greater weight than the age of the building in determining whether a building is selected for renovation. SSA officials stated, “We disagree; we took action and funded significant projects to sustain the building.”
b. SSA reported the new NCC is being designed in accordance with the Uptime Institute’s Tier III Data Center standards. These standards provide redundancy to mechanical and electrical infrastructure systems. Tier III facilities have redundant capacity that allows for any planned site infrastructure maintenance and activities without disrupting the computer hardware operation. (See Appendix H for the Uptime Institute’s Tier Standards). The new Data Center will be designed to meet the Agency’s known infrastructure capacity needs based on anticipated trends and with the redundancy and flexibility for future modification and expansion without disruption to operations.

c. SSA will continue to perform preventive maintenance activities at the NCC.

In another OIG report, we noted that although the NCC concerns were not specifically considered as a part of the Durham Support Center (DSC) planning process, the DSC was designed and built to minimize the likelihood that the physical concerns identified at the NCC will be repeated. SSA should use a similar approach to prevent the new Data Center from encountering similar problems that occurred at the NCC over time.

4. In 2007, SSA commissioned the LM NCC Feasibility Study to identify infrastructure and data processing capacity issues. In 2008, LM completed its study and recommended 17 projects that SSA should undertake to sustain existing IT operations through the end of Calendar Year 2014. In addition, LM recommended SSA construct a new Data Center apart from SSA’s campus in Woodlawn, Maryland.

Based on LM’s recommendation, SSA decided to build a new Data Center
off-campus. The American Recovery and Reinvestment Act of 2009 (ARRA) provided SSA $500 million to replace the NCC. SSA’s ARRA plan states that Agency staff is working closely with GSA and will participate in the design and construction of the new Data Center. SSA developed minimum requirements for the location of its new Data Center. However, the Agency is still in the preliminary stages of the project, and GSA is not yet soliciting for construction sites. Detailed information is procurement-sensitive and will not be released publicly until GSA issues the formal solicitation.

SSA estimates it will cost approximately $750 million for the facilities and equipment for the new Data Center. The Agency anticipates the new Data Center to be substantially completed by October 2013. Further, it expects to occupy the new Data Center in January 2014. However, this date is before any IT equipment is installed. A November 2008 Gartner report showed the average cost of building an 8,000 square foot Tier III Data Center was approximately $20.51 million ($2,564 per square foot). The Agency plans to build a 247,000 gross square foot Data Center. Using the Gartner report as a baseline, the new Data Center would cost approximately $633.4 million. We recognize that the Gartner report may not be directly comparable to the Agency’s current cost data for its new Data Center. Nevertheless, without independently verifiable detailed cost estimates for the new Data Center, the Agency’s estimates remain problematic. SSA officials stated, “We disagree; we base our estimate along with the GSA’s estimate on the recommended program elements of the EYP study.” Further, SSA officials stated, “The 247,000 gross square footage includes non-computer space. If you apply the Gartner estimate only to computer space in the new Data Center then the numbers would be in alignment.”

Further, based on SSA’s prior large construction and renovation projects and Gartner’s November 2008 report, we believe it is unlikely the current estimated schedule and costs related to the new Data Center will be met. SSA needs to reconcile these numbers and explain why there is a discrepancy.

CONCLUSION

Because SSA’s IT systems are critical to meeting its mission and goals and that mission impacts the lives of nearly all Americans, it is imperative that the Agency have a clear IT vision that anticipates its future needs. Further, SSA’s current IT strategic plans are short-term, tactical plans that do not provide a detailed description of how the Agency intends to address its IT processing needs 10 to 20 years into the future. We believe, as SSA progresses on implementing solutions to address its IT processing requirements, it needs to have a more strategic and integrated approach to its IT planning efforts.

To date, we have received three reports containing cost-related data. However, according to SSA, LM’s estimates were very preliminary and the focus of the LM study was to determine the condition of the facility and to determine whether there was a need for a new Data Center. It was not intended to be a cost estimate. SSA added that the GSA study was a follow-on to the LM study and its purpose was to define square footage needs which were used for cost estimation purposes in the Agency’s budget. Further, SSA stated that the BAH Alternative Analysis was not a construction cost estimate, was based on the GSA study cost estimates and only calculated life-cycle costs of the building for the sole purpose of determining the return on investment to the Government. According to SSA, it is not a construction cost estimate.

The Government Accountability Office (GAO) published a guide on best practices for developing and managing capital program cost. In its guide, GAO defines the basic characteristics for credible cost estimates and a reliable process for creating them. We have solicited for a contractor to evaluate SSA’s process for selecting the replacement strategy for the NCC, including the cost estimates for the various alternatives and the use of industry best practices.

As reliance on electronic processing and technology grows and the Agency’s workload increases, so does the need to ensure SSA’s IT infrastructure is designed to meet future needs. SSA needs to focus its efforts on (1) strengthening its IT strategic planning process and related documents; (2) identifying ways to accelerate planning, constructing and operating the new Data Center; (3) developing contingency plans for addressing its IT processing requirements and disaster recovery procedures in the event the DSC and/or the new Data Center are not operational within the scheduled time frames; (4) using industry best practices to aid in its IT strategic planning; and
(5) establishing controls and a detailed strategy for timely maintenance, repairs, upgrades and replacement of critical IT infrastructure in the new Data Center to prevent the current situation at the NCC from recurring.

Table of Contents
Page

BACKGROUND 1

RESULTS OF REVIEW 2

Question 1 2

SSA’s IT Strategic Planning Process 2

SSA’s IT Strategic Planning Documents 4

Disaster Recovery 6

Question 2 8

Question 3 9

NCC and Utility Building 10

SSA’s Actions to Address Current and Future Infrastructure and Capacity Issues 13

Question 4 17

CONCLUSIONS 20

APPENDICES

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Information Technology Planning Process Overview
APPENDIX D – The Social Security Administration’s Information Technology Strategic Planning Documents
APPENDIX E – Primary Mission Essential Functions, Mission Essential Functions and Supporting Activities
APPENDIX F – Lockheed Martin Recommendations
APPENDIX G – Recurring Infrastructure Issues at the National Computer Center and its Utility Building
APPENDIX H – Uptime Institute’s Data Center Tier Classifications and Performance Standards
Background
OBJECTIVE

BACKGROUND

3. What steps is the Agency taking to prevent the current situation that plagues the NCC from recurring?

4. Determine the process and criteria being used by SSA to identify a new location for the NCC and the risks and benefits of that process and criteria.

Results of Review
Question 1

Has the Agency adequately developed a comprehensive Agency Information Infrastructure Plan that is designed to meet potential processing needs for the next 20 years and allows the Agency to recover quickly if one or more major components of its processing infrastructure fails or is destroyed?

SSA did not have a comprehensive Agency Information Infrastructure Plan to meet potential processing needs for the next 20 years and that would allow the Agency to recover quickly if one or more major components of its processing infrastructure fails or is destroyed.

a. SSA has various IT strategic planning documents, but similar to other Federal agencies, they do not span 20 years. We found there was no requirement for SSA to have an Agency Information Infrastructure Plan that spans 20 years.
b. SSA’s IT Strategic Plan documents are task-oriented in nature and need to be more strategic.
c. SSA has an IT planning process, but the process is decentralized. SSA officials stated, “We agree that we need to strengthen our IT strategic planning process. We will address some of the concerns raised in the report with the release of the 2009-2014 IRM Strategic Plan. We do not agree that our decentralized IT planning process is undesirable, but we can make improvement in coordination, communication, and integration.”
d. SSA has a disaster recovery plan if the NCC becomes unavailable. However, the Agency’s recovery plan depends heavily on the availability of a contracted facility, and it will take approximately 10 days to recover the systems required to perform the Agency’s essential functions.

SSA’S IT STRATEGIC PLANNING PROCESS

IT strategic planning is vital because it enables an agency to consider the resources, including staff, infrastructure and funding, that are needed to manage, support and pay for projects. Congress and the Office of Management and Budget (OMB) have recognized the importance of IT strategic planning and management, which describe an organization’s goals, the strategies it will use to achieve those goals, and performance measures. The Government Accountability Office (GAO) has reported that a key element to an agency’s success in modernizing its IT systems is IT strategic planning. The Clinger-Cohen Act requires that Federal agencies establish effective and efficient capital planning processes for selecting, managing and evaluating the results of all their major investments in information systems.

At SSA, most of the IT functions are divided between the Offices of the Chief Information Officer (OCIO) and Deputy Commissioner for Systems (DCS), while the Information Technology Advisory Board (ITAB) approves IT projects. The Office of Facilities Management (OFM), under the Deputy Commissioner for Budget, Finance and Management, develops the strategic direction of SSA’s space, including the primary computer center.

OCIO – Defines the Agency’s IT vision and strategy through such functions as IT capital planning and investment control, enterprise architecture and electronic Government initiatives. OCIO also provides advice to ITAB on such topics as IT systems strategies, budgets, investments, and acquisitions. OCIO worked with DCS to publish the IT Vision and is responsible for preparing, publishing and maintaining the Information Resources Management (IRM) Strategic Plan.

DCS – Responsible for systems acquisition, design, development, testing, validation, implementation and maintenance. In addition, DCS is responsible for the IT planning and ITAB websites as well as the systems planning and reporting system. Further, DCS oversees and provides Agency-wide support for the IT planning process.

OFM – Develops, updates and implements facilities policies. Additionally, OFM develops, implements and guides the strategic direction of the Agency’s space as well as building and realty management programs. Further, OFM is responsible for the daily operations, maintenance and repair of SSA's main complex and outlying buildings, including the NCC and its Utility Building.

ITAB - The governing body for SSA’s IT planning process and responsible for developing the Agency’s IT Plan. ITAB is chaired by the Chief Information Officer, and its membership comprises the Deputy Commissioner for SSA, all Deputy Commissioners for SSA’s components, and other Agency executives. ITAB reviews a variety of SSA’s IT projects, categorized by investment portfolios. Each investment portfolio contains a list of IT projects. These projects support one of the strategic objectives in the Agency’s Strategic Plan. Portfolio teams are led by an Agency executive who functions as the portfolio manager. The portfolio team coordinates with stakeholders to prioritize IT projects according to their role in achieving the related strategic objective. After IT projects are prioritized and presented to the ITAB, it must decide how the Agency’s resources will be assigned to the various IT projects. In making this decision, ITAB considers the portfolio priorities and the related cost-benefit analysis provided by the sponsoring components. Such information includes return on investment, full-time equivalent savings, dollar savings and cost avoidance. (See Appendix C for an overview of SSA’s IT planning process.)

In testimony before the House Committee on Ways and Means, Subcommittee on Social Security, the Chairman of the Social Security Advisory Board (SSAB) suggested that the state of the Agency’s Data Center operations, in part, is due to SSA’s decentralized IT investment process and inadequate long-range planning. The Chairman stated SSA’s decentralized IT governance process has resulted in a dilution of ownership and management of the Agency’s overall IT process. The Agency’s ability to deliver public service will increasingly depend on technology and governance of the IT process and must have strong leadership that is empowered to make critical decisions and is held accountable for those decisions. SSAB recommended the Agency restructure its governance process and centralize overall responsibility for all IT processes.

We believe the Agency’s IT strategic planning process could be improved. It is critical that SSA strengthen its IT planning process with a more integrated approach to ensure it has a clear IT vision for the future. We believe each component impacted by the Agency’s IT strategic plans should have a prominent role in the IT strategic planning process.

SSA’S IT STRATEGIC PLANNING DOCUMENTS

We found SSA does not have an Agency Information Infrastructure Plan. However, SSA has various IT strategic planning documents including a 2007 IRM Plan, IT Vision 2009-2014, and Fiscal Year (FY) 2009-2010 Agency IT Plan. Nonetheless, we found these plans generally did not provide a detailed description of how the Agency intends to address its future IT needs. (See Appendix D for details regarding SSA’s IT strategic planning documents.)

For example, in a prior OIG review, we determined SSA’s 2007 IRM Plan provided balanced and comprehensive coverage of its IRM and activities, but some improvements were needed.

Specifically, we reported SSA’s IRM Plan needed to provide a better description of how the Agency’s IRM activities will help accomplish the Agency’s mission, goals and objectives. The IRM Plan would also be more useful if it informed the reader of the Agency’s present position and what it sees as its future IT architecture. Finally, the IRM Plan should be structured in a way to better support the Agency’s Strategic Plan while providing possible solutions to its future challenges and constraints.

We also determined SSA does not have a comprehensive plan to meet potential processing needs for the next 20 years. Specifically, we found SSA’s IT strategic planning documents are short-term, tactical plans that do not discuss the Agency’s IT activities beyond FY 2014. Although the Agency's IT strategic planning documents do not span 20 years into the future, the Agency believes it is looking to the future. For example, the lease for its secondary support center expires in 2029, which Agency management reported it is already assessing.

Given that there is no specific guidance on the exact content and length of time for an Agency IT Strategic Plan, we reviewed the IRM Plans or IT Strategic Plans of 17 other Federal agencies to identify best practices regarding IT planning documents. Similar to SSA, we determined other Agencies’ plans did not span 20 years into the future but were limited to 6 years. (See Appendix B for a list of the Agencies and documents reviewed.)

SSAB believes the Agency’s prior strategic planning documents published in 1988 and 2000 outlined a long-range and comprehensive IT vision for the Agency, whereas SSA’s current planning documents tend to be narrowly focused and emphasize short-range problem solving. In previous strategic planning documents, changes in societal factors and business services were assessed, emerging technologies were appraised, and strategic recommendations were developed for implementation over the following 10 years. For example, in a 1988 Strategic Plan, the Agency envisioned that by the year 2000, service delivery would include automated enrollment for retirement benefits, the use of expert systems to support employee decisionmaking, and innovative self-service options using automated teller machine-like technology. Further, in 2000, SSA published a 2010 Vision, which discussed a full range of Internet services, videoconferencing, real-time language translation capability and enhanced telephone services.

SSAB further stated that SSA needs to return to long-range planning that envisions how the Agency will deliver service and what the supporting infrastructure must be to make this plan a reality. SSAB urged SSA to develop a 2020 vision stating, “The process must include a broad scan of environmental factors that will arise within the next decade, a thorough assessment of future technologies, a comprehensive review of all major business processes, and in-depth analyses of service delivery channels and opportunities for change or improvement.” SSAB believes short-term planning and implementation strategies are not sufficient for the type of technological changes SSA will need to make to meet future challenges.

We agree with SSAB that the Agency’s prior planning documents outlined a long-range IT vision and were more strategic, whereas SSA’s current planning documents are short-term, tactical plans. Our review of prior SSA strategic planning documents found SSA's current plans tend to focus more on solutions to existing problems, such as addressing the Agency's outdated telephone infrastructure, aging Data Center and IT infrastructure and addressing the hearing backlog. In contrast, the prior plans identified key trends and predictions to plan for the Agency's future processing needs. Additionally, the current plans do not always define the expected outcomes related to the various IT initiatives in terms of cost or time savings. Further, the prior plans spanned 10 or more years into the future, whereas the current plans only span up to 7 years into the future.

DISASTER RECOVERY

All agencies are required to have continuity of operations and disaster recovery plans to ensure mission-essential functions are available under all conditions. A system outage resulting from a disaster at the NCC would effectively shut down operations across the organization, including State disability determination services.

We found the Agency has a disaster recovery plan should a man-made or natural event affect the NCC to such an extent that normal production and computing services
can no longer function in the site. Restoration and recovery plans have been developed to ensure the most critical services are resumed and remain functional. However, the Agency’s plan depends heavily on the availability of a contracted, off-site data processing facility.

Based on disaster recovery testing performed over the past several years, it will take about 10 days to recover the systems that support SSA’s essential functions (see Appendix E for details regarding SSA’s primary mission essential functions, mission-essential functions, and supporting activities). Therefore, SSA’s ability to process critical workloads in the first 10 days after a disaster at the NCC would be reduced to manual intakes (paper documents) with no automated processing. Even after the systems are established at the contracted facility, only 34 percent of SSA’s systems processing capacity would be available.

As part of the Agency’s Information Technology Operations Assurance initiative, SSA is establishing a secondary site, the Durham Support Center (DSC), to process a portion of SSA’s workloads and mitigate the risks associated with NCC downtime. Each center will back up the data assets of the other. The Agency’s goal is by 2013, the critical workloads of one can be assumed by the other within 24 hours.

According to congressional testimony by SSA management in April 2009, within approximately 6 months, the Agency expects to be able to process about half its production workloads at the DSC, providing the necessary backup to the NCC. Additionally, by 2013, the DSC will be able to provide full backup and recovery for the Agency’s data and daily processing needs. We are assessing SSA’s disaster recovery process and DSC.

Question 2

Has the Agency obtained information on industry best practices of other data infrastructure systems of similar scope in terms of design, geographic location and redundancy, and has this information guided their decisions for information systems planning?

SSA officials stated they obtained best practices regarding data infrastructure systems through consultation with IT research firms, such as Gartner, Inc., Info-Tech Research Group, Corporate Executive Board, and Forrester Research, Inc. SSA consulted with these firms regarding such topics as Data Center outsourcing; Data Center staffing; management characteristics of effective Data Centers; next generation Data Center design; predicted infrastructure usage and upcoming technology; and infrastructure optimization.

In 2008, SSA conducted an informal survey of 13 Federal agencies to investigate what the best practices were for Data Center management and operations. Nine agencies responded. Per SSA, the respondents indicated they operated Data Centers with redundancy, failover, and hot sites. Seven of the nine respondents operated two or three Data Centers. The remaining two agencies only operated one Data Center.

SSA management stated the Agency does not follow any specific industry best practice documents. The Agency’s IT planning is based on experience and the best information available at the time. For example, the Agency reported it reviewed LM’s April 2004 Final Disaster Recovery Business Impact Analysis Report, to formulate plans for the DSC and LM’s February 2008 Final Feasibility Study to develop plans for the new Data Center.

Although SSA management stated it uses the best available information when IT decisions are made, to date, we have been unable to obtain detailed cost estimates for all viable alternatives identified by LM in its NCC Feasibility Study. Further, we have solicited for a contractor to evaluate SSA’s process for selecting the replacement strategy for the NCC, including the cost estimates for the various alternatives and the use of industry best practices. Furthermore, the contractor will evaluate SSA’s decisionmaking process to ensure the selected replacement strategy is cost-effective, efficient, and provides reasonable assurance SSA will have a Data Center that is in the right location, with the right capacity, and operational within the needed time frame. Given the time frame of the procurement process, our ability to fully respond to this inquiry was limited. Once we receive the contractor’s final analysis, we plan to issue a separate report to fully address the Committee’s inquiry.

Question 3

What steps is the Agency taking to prevent the current situation that plagues SSA’s National Computer Center from recurring?

SSA has taken the following steps to prevent the current situation that plagues the NCC from recurring.

a. SSA initiated or completed projects recommended by LM to sustain existing operations at the NCC (see Appendix F for a status update of SSA’s corrective actions to address LM’s recommendations). Nonetheless, we believe the Agency should have taken action sooner because SSA and the General Services Administration (GSA) knew about some of the recurring issues at the NCC and Utility Building since 1989 (see Appendix G for the recurring issues). Further, we believe the criticality of the building should be given a greater weight than the age of the building in determining whether a building is selected for renovation. SSA officials stated, “We disagree; we took action and funded significant projects to sustain the building.”
b. SSA reported the new NCC is being designed in accordance with the Uptime Institute’s Tier III Data Center standards. These standards provide redundancy to mechanical and electrical infrastructure systems. Tier III facilities have redundant capacity that allows for any planned site infrastructure maintenance and activities without disrupting the computer hardware operation. (See Appendix H for the Uptime Institute’s Tier Standards). The new Data Center will be designed to meet

the Agency’s known infrastructure capacity needs based on anticipated trends and with the redundancy and flexibility for future modification and expansion without disruption to operations.
c. SSA will continue to perform preventive maintenance activities at the NCC.

In another OIG report, we noted that although the NCC concerns were not specifically considered as part of the DSC planning process, the DSC was designed to minimize the likelihood that the physical concerns identified at the NCC will be repeated. SSA should use a similar approach to prevent the new Data Center from encountering similar problems that occurred at the NCC over time.

NCC AND UTILITY BUILDING

The NCC was built in 1979 and occupied in May 1980. Since 1985, a number of reviews have been completed for the NCC and its Utility Building. These reviews identified recurring issues (see Appendix B for a list of the reports). Chart 1 summarizes the significant recurring issues these reviews identified (see Appendix G).

Chart 1: Significant Recurring Issues at the NCC and its Utility Building
Significant Issues Identified at the NCC and Utility Building Calendar Year
1989 1994 1998 2001 2007 2008 2009
Roof X X X X X
Lightning Protection Grid X X
Heating Ventilation and Air Conditioning (HVAC) System X X X X X X
Federal Pacific Electric (FPE) Panels (Riser Project) X X X X
Uninterruptible Power Supply (UPS) X X X
Fire Protection X X X X X
Facility Storage X X X
Plumbing X X X X X

As part of our prior and current reviews, we determined the Agency has planned, or taken some action to address, many of these issues. For example, SSA reported the main NCC roof was installed in 1994, and the Utility Building roof was replaced in 2007.
In March 2009, a contract was awarded to replace the NCC warehouse roof. The lightning protection system will be addressed as part of the NCC warehouse roof replacement project.

Agency representatives stated the HVAC equipment has been well-maintained and upgraded over the years. For example, the Agency reported it made chiller plant renovations in 1998 and air handler upgrades in 2003. SSA reported it had budget requests for air handler unit repairs in 2007 and cooling and water pumps in 2008. In addition, the Agency is regularly maintaining HVAC equipment, including air handler units throughout the NCC.

The Agency reported in the early 1990s that additional circuit breakers had been installed in FPE breaker panels because additional electrical capacity was needed for NCC equipment. Agency staff acknowledged the breakers were not installed in compliance with the National Electric Code. However, the ongoing Riser Project is expected to resolve this issue. The Agency reported it sent GSA $9.7 million in FY 2005 in a Reimbursable Work Authorization for the riser panel replacement project. However, the technical requirements involved in designing and planning the Project to meet the Agency’s needs were extensive. As a result, the completion of the design phase was time-consuming. SSA officials stated the contract was awarded in May 2009.

In 1999, a UPS hot tie installation provided redundancy for power requirements on the critical loads. In April 2009, a contract was awarded to purchase UPS replacement parts, which will be used to support an extension of the UPS maintenance contract through Fiscal Year (FY) 2015.

Although the Agency plans to defer installation of a fire suppression system, it reported there have been several budget requests in this area. Specifically, requests for a Utility Building fire protection project in 2005, a high sensitivity smoke alarm in 2006, a fire protection upgrade in 2007, and a fire alarm modification in 2008. Additionally, we confirmed SSA installed an FM200 in the tape storage silos in the NCC.

Further, the Agency reported plumbing is being managed under its normal maintenance program. SSA reported there have been several budget requests for plumbing-related items. For example, a request to upgrade the cathodic in 2004 and replace piping in 2006.

Building Renovation and Construction Projects

During our review, we evaluated the Agency’s long-range strategic planning for renovating the NCC and other buildings on SSA’s Headquarters’ campus. The Agency reported it discusses long-range renovation planning for SSA headquarters approximately every 5 years with GSA. In 2007, GSA and SSA representatives discussed renovations of the Altmeyer, West High and Low Rise, and the NCC buildings. According to SSA officials, the GSA Federal Building Fund lacked adequate funding; therefore, these buildings were not scheduled for renovation. Further, Agency representatives stated the NCC is one of the newer buildings on SSA’s campus. Typically, building renovation schedules are related to the facility’s age and condition. Consequently, the Operations and Annex buildings were renovated before the NCC (see Chart 2 below). However, as SSA realized that technology advancement was being rapidly introduced and required diversely different facility infrastructure system designs than in the NCC, the Agency commissioned the LM study in 2007 and responded to the findings in their 2008 report by moving the NCC ahead of the remaining three older buildings on campus yet to be renovated.

We believe that because the NCC is critical to SSA’s continuity of operations and mission, resources should have been committed to renovating and/or replacing the NCC before other buildings. The chart below summarizes the renovation schedule for the buildings on SSA’s Headquarters’ campus.

Chart 2: Building Renovation Schedule
Building Year Built Date of Last Renovation
Altmeyer 1960 Not Renovated
Operations 1960 Phase 1, 2001-2005; Phase 2, 2006-2007
Annex 1965 2000-2002
East High/Low Rise 1971 1996-1999
Supply 1971 Not Renovated
West High/Low Rise 1973 Not Renovated
NCC & Utility 1980 Not Renovated

We requested information for the Operations, Annex and East High/Low Rise Building renovation projects. The Agency referred us to GSA. To date, we have not received all the information regarding the actual and planned costs and schedule for these Buildings.

SSA’S ACTIONS TO ADDRESS CURRENT AND FUTURE INFRASTRUCTURE AND CAPACITY ISSUES

LM NCC Feasibility Study

LM recommended 17 projects that should be undertaken at SSA’s NCC and Utility Building to sustain existing IT operations through the end of Calendar Year 2014. Of the 17, LM recommended 3 projects the Agency should defer because of the NCC’s anticipated change in functional role.

Agency representatives explained it had initiated or implemented the feasible projects recommended by LM. The Agency representatives believe these projects will provide a positive return on investment to the Government. This includes the most significant recommended projects of replacing the NCC feeder cables, scheduling the planned outages for the riser panel replacement project, and securing the commitment of a maintenance contract for the UPS system through 2015. Also, SSA plans to continue performing preventive maintenance activities at the NCC. See Appendix F for a status update of SSA’s corrective actions to address LM’s recommendations.

SSA’s Building of a New Data Center

In 1983, SSA had a pre-feasibility plan developed by AEPA Architects Engineers, P.C. The study determined it was feasible (1) for SSA to construct a multipurpose office building, training center, records center and warehouse, or any combination thereof, at the SSA main campus site and (2) to expand the existing NCC and supply building.

The study indicated the NCC was designed to be expanded vertically by 2 floors to increase the building’s size by 180,000 gross square feet. It was anticipated that the NCC would need to be expanded because of the Agency’s anticipated growth in activities, changes in SSA’s mission, growth in population, program changes and new legislation. The total estimated cost of the computer center expansion at that time was $18 million.

In 2008, based on the LM NCC Feasibility Study, SSA officials decided to construct a new Data Center apart from the Agency’s Woodlawn, Maryland, campus to replace the NCC. Agency officials stated the current NCC is approximately 30 years old and was constructed based on the best practices at that time. SSA stated the planned Data Center is based on today's best practices. The new Data Center will be designed to meet all the Agency’s known infrastructure and capacity needs (including bandwidth and data storage) based on anticipated trends and with the flexibility for future modification and expansion without disruption to operations.

Further, the Agency reported the new Data Center will be built in accordance with the Uptime Institute’s Tier III Data Center standards. These standards provide redundancy to mechanical and electrical infrastructure systems. Tier III facilities have redundant capacity that allows for any planned site infrastructure maintenance and activities without disrupting the computer hardware operation. Therefore, the Agency believes it will avoid many of the issues in the current NCC, which was built before such standards existed.

We reviewed reports issued by Gartner from 2007 to 2009 related to Data Centers, strategic planning and IT. Based on a February 2009 report, polling was conducted at a December 2008 Gartner Data Center Conference to gain insight into the attendees' most pressing issues and strategic plans. Approximately 96 percent of the respondents indicated they are planning a Data Center project involving renovation, upgrade, expansion, relocation or outsource in at least one of their Data Centers during the next 2 years. Gartner found from 2006 to 2008, the most popular action had changed from relocation to a new leased or owned facility (30 percent) to an expansion/upgrade (42 percent). Gartner reported that part of this shift can be attributed to the economy and management's belief that it is less expensive to renovate or upgrade than to move to a new facility. This is despite the fact that it is difficult and disruptive to upgrade a Data Center.

SSA estimates it will cost approximately $750 million for the facilities and equipment for the new Data Center. The Agency anticipates the new Data Center to be substantially completed by October 2013. Further, it expects to occupy the new Data Center in January 2014. However, this date is before installation of any IT equipment. A November 2008 Gartner report showed the average cost of building an
8,000-square foot Tier III Data Center was approximately $20.51 million ($2,564 per square foot). The Agency plans to build a 247,000-gross square foot Data Center. Using the Gartner report as a baseline, the new Data Center would cost approximately
$633.4 million. We recognize that the Gartner report may not be directly comparable to the Agency’s current cost data for its new Data Center. Nevertheless, without independently verifiable detailed cost estimates for the new Data Center, the Agency’s estimates remain problematic. SSA officials stated, “We disagree; we base our estimate along with the GSA’s estimate on the recommended program elements of the EYP study.” Further, SSA officials stated, “The 247,000 gross square footage includes non-computer space. If you apply the Gartner estimate only to computer space in the new Data Center then the numbers would be in alignment.”

Chart 3: Building Renovation/Construction Schedule
Renovation Projects
Building Total Costs Completion Date
Planned Actual Difference Planned Actual Difference
Operations $166 million unknown unknown February 2007 September 2007 8 months
Annex $60 million unknown unknown unknown January 2002 unknown
East High/Low Rise Buildings unknown unknown unknown unknown unknown unknown
Construction Project
DSC $14 million $44.26 million $30.26 million May 2008 January 2009 8 months

Although the Agency has decided to construct a new Data Center off campus, we are unable to determine whether this is the best use of taxpayer dollars because we have not been provided detailed cost estimates for all alternatives for replacing the NCC and its Utility Building. We have solicited for a contractor to evaluate SSA’s process for selecting the replacement strategy for the NCC, including the cost estimates for the various alternatives and the use of industry best practices. Furthermore, the contractor will evaluate SSA’s decisionmaking process to ensure the selected replacement strategy is cost-effective and efficient, and provides reasonable assurance that SSA will have a Data Center that is in the right location, with the right capacity, and operational within the needed timeframe.

SSAB strongly urged SSA to undertake a self-assessment that would identify the underlying factors that allowed the current NCC situation to occur. We believe SSA should identify the underlying factors and implement the necessary controls to prevent this situation from recurring. Despite the corrective actions planned or taken by the Agency at the NCC in response to the 2008 LM study and the repairs and upgrades over the past 15 years, we believe the Agency should have taken action much sooner regarding many of the issues at the NCC.

Question 4

Determine the process and criteria being used by SSA to identify a new location for the NCC and the risks and benefits of that process and criteria.

In 2007, SSA commissioned the LM NCC Feasibility Study to identify infrastructure and data processing capacity issues. In 2008, LM completed its study and recommended 17 projects that SSA should undertake to sustain existing IT operations through the end of Calendar Year 2014. In addition, LM recommended SSA construct a new Data Center with utility infrastructure away from SSA’s main campus.

Based on LM’s recommendation, SSA decided to build a new Data Center off campus. The American Recovery and Reinvestment Act of 2009 (ARRA) provided SSA $500 million to replace the NCC. As required by ARRA guidance, SSA developed a Program Specific Plan for the new Data Center. Nonetheless, the Agency is still in the preliminary stages of the NCC replacement project. The Agency stated the final criteria for selecting the site of the new Data Center is being developed. However, when attempting to secure funds for the NCC replacement project, the Agency provided information to the presidential transition team and others regarding the location for the new Data Center. The Agency stated the location for the new Data Center must meet the following minimum requirements.
• The location must be within 40 miles from SSA Headquarters in Woodlawn, Maryland.
• The location must be in a low-risk area for earthquakes, hurricanes and tornados.
• The location must be in an area not subject to continuing, severe climatic conditions.
• The location must be at or close to electrical utility services that provide at least two separately fed utility substations for power.
• The location must be at or close to Points of Presence for all three major carriers on GSA’s Networx Universal Contract.
• For ease of access during local or national emergencies, locations in close geographic proximity to SSA Headquarters would be given priority. For more distant locations, low traffic congestion will be an important consideration to facilitate movement of staff and data in and out of the facility.

In addition to the minimum requirements, the Agency reported it developed technical considerations for the placement of the NCC. The primary location factor is linked to the risks and costs associated with a transition to a site outside International Business Machine's (IBM) Geographically Dispersed Parallel Sysplex (GDPS) technology. Further, SSA identified key issues the Agency is considering when identifying the location of the new Data Center, such as minimizing the costs of moving equipment, relocation and/or travel of staff as well as connectivity after the Data Center moves.

SSA reported GSA is not soliciting for sites at this time. Further information is procurement sensitive and cannot be released publicly until GSA issues the formal solicitation. There is no legal requirement that GSA obtain competition in selecting sites for public buildings. It has not yet been determined whether public advertisement will be posted for this project. The Agency estimates site selection for the new Data Center will take place in the 2nd quarter of FY 2010.

The Agency reported the selection and acquisition of sites for the new Data Center will be performed pursuant to the provisions of 40 U.S.C. 3304 (formerly Section 5 of the Public Buildings Act of 1959, 40 U.S.C. 604), the National Environmental Policies Act of 1969, and the Uniform Relocation Assistance and Real Property Acquisition Policies Act of 1970. Further, SSA reported GSA maintains several in-house resources for best practices and will consult with, and use, the Uptime Institute guidelines for Tier III Data Centers (see Appendix H), and use contracted resources to identify project-specific criteria and assist in the site evaluation process.

Given the distance limitation of the GDPS technology, we requested information regarding (1) other tools or IT the Agency could use to expand the location radius of the new Data Center and (2) the Agency’s ability to move workloads from the NCC to the DSC, which is located over 300 miles away from SSA Headquarters. The Agency stated, “SSA has not conducted market research or solicited for information for such tools for this specific intent. Risk mitigation throughout the move—5 years from now—is key to the location of the new Data Center. Given the pace of plans to locate and build the facility there is little time to canvas the market and pilot tools which may or may not exist by 2014-2015.” Further, SSA stated, “GDPS was not used to move workloads to Durham. The workloads that have been and will be moved to Durham are discrete workloads that, from their inception, were designed for access via an independent wide area network connection. The workloads remaining in the NCC that will relocate to the NSC [National Support Center], are tightly integrated, designed to run within the same processing complex with other companion workloads and designed for access via synchronous, intra-computer interaction.”

Additionally, we have solicited for a contractor to evaluate SSA’s process for selecting the replacement strategy for the NCC, including the cost estimates for the various alternatives and the use of industry best practices. Furthermore, the contractor will evaluate SSA’s decisionmaking process to ensure the selected replacement strategy is cost-effective and efficient and provides reasonable assurance that SSA will have a Data Center that is in the right location, with the right capacity, and operational within the needed time frame.

Given the time frame of the procurement process, we were limited in our ability to fully respond to this inquiry. Once we receive the vendor’s final analysis, we plan to issue a separate report to fully address the Committee’s inquiry.

Conclusions
Because SSA’s IT systems are critical to meeting its mission and goals and that mission impacts the lives of nearly all Americans, it is imperative that the Agency have a clear IT vision that anticipates its future needs. Further, SSA’s current IT strategic plans are short-term, tactical plans that do not provide a detailed description of how the Agency intends to address its IT processing needs 10 to 20 years into the future. We believe as SSA progresses in implementing solutions to address its IT processing requirements, it needs to have a more strategic and integrated approach to its IT planning efforts.

Although the Agency has decided to construct a new Data Center and Utility Building off campus, we were unable to determine whether this is the best use of taxpayer dollars because we have not been provided detailed cost estimates for all alternatives for replacing the NCC and its Utility Building. To date, we have received three reports containing cost-related data. However, according to SSA, LM’s estimates were very preliminary, and the focus of the LM study was to determine the condition of the facility and determine whether there was a need for a new Data Center. It was not intended to be a cost estimate. SSA added that the GSA study was a follow-on to the LM study, and its purpose was to define square footage needs that were used for cost-estimation purposes in the Agency’s budget. Further, SSA stated that the BAH Alternative Analysis was not a construction cost estimate, was based on the GSA study cost estimates and only calculated life-cycle costs of the building for the sole purpose of determining the return on investment to the government. According to SSA, it is not a construction cost estimate.

GAO published a guide on best practices for developing and managing capital program cost. In its guide, GAO defines the basic characteristics for credible cost estimates and a reliable process for creating them. We have solicited for a contractor to evaluate SSA’s process for selecting the replacement strategy for the NCC, including the cost estimates for the various alternatives and the use of industry best practices.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Information Technology Planning Process Overview
APPENDIX D – The Social Security Administration’s Information Technology Strategic Planning Documents
APPENDIX E – Primary Mission Essential Functions, Mission Essential Functions and Supporting Activities
APPENDIX F – Lockheed Martin Recommendations
APPENDIX G – Recurring Infrastructure Issues at the National Computer Center and its Utility Building
APPENDIX H – Uptime Institute’s Data Center Tier Classifications and Performance Standards

Appendix A
Acronyms
ARRA American Recovery and Reinvestment Act of 2009
BER Building Engineering Report
COOP Continuity of Operations
CPIC Capital Planning and Investment Control
DCS Deputy Commissioner for Systems
DSC Durham Support Center
EA Enterprise Architecture
FPE Federal Pacific Electric
FY Fiscal Year
GAO Government Accountability Office
GDPS Geographically Dispersed Parallel Sysplex
GSA General Services Administration
HVAC Heating, Ventilation and Air Conditioning
IBM International Business Machine
IRM Information Resources Management
IT Information Technology
ITAB Information Technology Advisory Board
LM Lockheed Martin
MEF Mission-Essential Function
NCC National Computer Center
NRP National Response Plan
OCIO Office of the Chief Information Officer
OFM Office of Facilities Management
OIG Office of the Inspector General
OMB Office of Management and Budget
PMEF Primary Mission-Essential Function
PRA Paperwork Reduction Act of 1995
Pub. L. No. Public Law Number
SSA Social Security Administration
SSAB Social Security Advisory Board
SSN Social Security Number
UPS Uninterruptible Power Supply
U.S.C. United States Code

Appendix B
Scope and Methodology

To accomplish our objective, we:

• Reviewed relevant Federal laws, regulations and guidance.
• Reviewed prior Office of the Inspector General and Government Accountability Office reports related to information technology (IT) planning.
• Reviewed the Social Security Administration’s (SSA) IT strategic planning documents.
• Obtained and reviewed documentation on industry best practices for Data Centers.
• Reviewed Information Resources Management (IRM) and IT Strategic Plans of 17 other Federal agencies as follows.

• Department of Education IRM Strategic Plan, Fiscal Year (FY) 2007-2011, February 28, 2006
• Department of Energy IRM Strategic Plan, FY 2008-2010
• Department of the Interior IT Strategic Plan, FY 2007-2012
• Department of Health and Human Services IRM Strategic Plan, 2007-2012, February 27, 2007
• Department of Justice IT Strategic Plan, 2008-2013, February 28, 2008
• Department of Labor IT Strategic Plan FY 2005-2009, September 2005
• Department of State IT Strategic Plan, FY 2006-2010
• Department of Transportation IRM Strategic Plan, FY 2007-2012
• Farm Credit Administration IRM Plan, FY 2009-2014
• Federal Deposit Insurance Corporation IT Strategic Plan, 2008-2013
• Federal Reserve Board Division of IT Strategic Plan, FY 2007-2010, July 3, 2007
• General Services Administration (GSA) IT Strategic Plan, 2009-2011, August 2007
• Department of Agriculture, Green IT Strategic Plan, January 12, 2009
• Department of Defense Interim Information Assurance Strategic Plan, March 2008
• Department of Housing and Urban Development IT Strategic Plan, FY 2007-2012
• Department of Treasury IRM Plan, October 14, 2008
• National Aeronautics and Space Administration IRM Strategic Plan, September 2007
• Reviewed documentation pertaining to SSA’s new Data Center.
• Obtained and reviewed documentation to support the corrective actions planned or taken by SSA to address the significant issues identified in Lockheed Martin’s (LM) National Computer Center (NCC) Feasibility Study.
• Interviewed personnel from GSA and SSA’s Offices of Facilities Management, Chief Information Officer, Budget, and Systems.
• Reviewed prior GSA and LM reports pertaining to the NCC and its Utility Building including:

• GSA Engineering Survey of Second Floor—“Special Use Area,” SSA Computer Center Building, January 23, 1985;
• GSA Building Engineering Report, NCC Utility Building, September 12, 1989;
• GSA Building Engineering Report, National Computer and Utility Building, September 14, 1994;
• GSA Building Energy Audit & Chiller Optimization Report, NCC, June 19, 1995;
• GSA Generator Study for NCC at Utility Building, November 20, 1998;
• GSA Upgrade of Heating, Ventilation and Air Conditioning System, NCC Study Report, July 2001;
• GSA Building Engineering Report, Phase 1--Data Collection, SSA Woodlawn Facility, July 9, 2001;
• GSA Building Engineering Report, September 20, 2007;
• LM Final Feasibility Study, February 8, 2008; and
• GSA Feasibility Study for the SSA National Services Center, Data Center Facility, January 16, 2009.

We performed our review at SSA’s Headquarters in Baltimore, Maryland, between February and May 2009. The entities reviewed were the Offices of the Deputy Commissioner for Budget, Finance and Management; Deputy Commissioner for Systems; and Chief Information Officer. We conducted our review in accordance with the President’s Council on Integrity and Efficiency’s Quality Standards for Inspections.

Appendix C

Appendix D
The Social Security Administration’s Information Technology Strategic Planning Documents
The Social Security Administration (SSA) has various information technology (IT) strategic planning documents including a 2007 Information Resources Management (IRM) Strategic Plan, IT Vision 2009-2014, and Fiscal Year (FY) 2009-2010 Agency IT Plan.

2007 IRM Strategic Plan

Agencies must develop and maintain an IRM Plan, as required by the Paperwork Reduction Act of 1995 (PRA). According to the Office of Management and Budget (OMB), IRM Plans should support an agency’s Strategic Plan. OMB does not have guidance on the specific contents of an IRM Plan. However, an IRM Plan should be strategic in nature and address the requirements of Federal IRM, as expressed in the PRA and OMB Circular A 130.

SSA’s 2007 IRM Plan covers a 7-year period from FYs 2006 though 2012. The Agency reported it is revising its IRM Plan, which will cover FYs 2009 through 2014. SSA’s IRM Plan has been formulated to be a cornerstone of the Agency's IT investment strategy. It is a framework and a guiding principle assisting the Agency in making effective decisions regarding the delivery of technology for employees, the public and businesses.

The purpose of SSA’s IRM Plan is to

• describe how IRM activities help accomplish SSA’s mission, goals and objectives;
• ensure IRM decisions are integrated with organizational planning, budget, procurement, financial management, human resources management and program decisions;
• present an overview of SSA’s Enterprise Architecture (EA) that describes and documents both the current and desired relationships among business and management processes and IT; and
• serve as a key component of SSA’s IT capital planning and investment control (CPIC) process.

The IRM Plan defines strategies for achieving a variety of objectives, such as operating and maintaining IT infrastructure, securing data and IT resources, maintaining and enhancing existing applications, as well as building and/or acquiring new applications.

IT Vision 2009-2014

SSA’s IT Vision covers a 6-year period from FYs 2009 through 2014. In this document, the Agency outlined its strategic plan to provide 21st century services to the American people by reshaping policies and procedures to take maximum advantage of technology.

The Agency acknowledges that its future business process depends on effective technology. Therefore, the Agency must perform an overall assessment of its technical capabilities and plan for the appropriate use of new technologies. One of the challenges for SSA is to be aware of emerging technology and gauge if and when to adopt it. SSA's IT Vision document outlines the result of this assessment, the three interdependent strategic imperatives and the IT strategies for each.

The Agency's strategic principle is to use innovative technologies with a robust infrastructure to meet the changing needs of the American public. SSA reported it needs significant investment in IT for the following three imperatives.

• Strategic Imperative 1: Changing how we do business
 Actively seek input from the public, business partners, and internal users to define and optimize business processes.
 Ensure the software applications critical to the services we provide use streamlined and modern technologies that support a greater reliance on a self-service business model.
 Maintain a robust data exchange architecture that fully supports the growing demand for information sharing.

• Strategic Imperative 2: Building a stronger IT foundation
 Protect the sensitive information we maintain on every American and ensure that, in a disaster, we can fully recover our systems and continue to provide service on which our country depends.
 Provide secure and continuous critical systems availability to employees, citizens, Government agencies and businesses.
 Gain efficiencies and cost savings by offering high quality electronic services.
 Protect the environment and conserve energy in our use of technology.

• Strategic Imperative 3: Revamping software and databases
 Engineer software applications to provide flexibility for future expansion.
 Migrate to highly shareable and cost-effective databases and ensure the accuracy, privacy and integrity of our data.
 Support the transition from Common Business Oriented Language to more robust Web technology.

The IT Vision provides an estimated implementation timeline for major milestones associated with the Agency's three strategic imperatives. Although the timeline only covers FYs 2009 through 2014, SSA reported the initiatives typically span beyond this period. The Agency anticipates it will take between 5 and 10 years to plan, develop and implement these changes.

FY 2009-2010 Agency IT Plan

The Agency’s current IT Plan covers FYs 2009 and 2010. The Plan documents the allocation of the Agency’s IT resources within its eight portfolios. The primary factors that drive the focus of the Agency’s IT investment are the CPIC, Agency goals and objectives, President’s Management Agenda, and higher monitoring authorities.
Appendix E
Primary Mission Essential Functions, Mission Essential Functions and Supporting Activities

Mission Essential Functions (MEF) are the limited set of department and agency-level Government functions that must be continued after a disruption of normal activities. Primary Mission Essential Functions (PMEF) are a subset of the MEFs that directly support the eight functions the President and national leadership will focus on to lead and sustain the Nation during a catastrophic emergency. Federal Continuity Directive 1 requires the incorporation of continuity requirements into the daily operations of all agencies to ensure seamless and immediate continuation of PMEF capabilities, allowing critical Government functions and services to remain available to the public.

The Social Security Administration (SSA) has identified the following as its PMEFs, MEFs, and supporting activities.

PMEFs

1. Enumeration:
a. Assigning Social Security numbers (SSN)
b. Issuing replacement SSN cards
c. Enumeration at birth
d. Verifying SSNs
e. Providing SSNs to the Internal Revenue Service, law enforcement and border patrol
2. Administering Title II and XVI Claims for Benefits and Post-Entitlements for disability and retirement:
a. Claims intake
b. Eligibility determinations
c. Evidence collection
d. Initial payments
e. Certifying payments to the Department of the Treasury
f. Enabling the post-entitlement process
g. Processing changes of information
h. Performing benefit re-computations
i. Initiating overpayment recovery
j. Executing appeals process

MEFs

3. Earnings
a. Receiving earnings reports
b. Establishing and maintaining earnings records
c. Determining work history and calculating benefit payment amounts
d. Validating and updating the Master Earnings File
4. Informing the Public
a. Managing the national 800-number
b. Maintaining the SSA website
c. Staffing Internet requests
d. Handling press relations
e. Providing educational materials
5. Information and Technology Management
a. Maintaining the National Computer Center (NCC)
b. Maintaining a viable NCC Disaster Recovery Plan and the capability to implement it
c. Maintaining the information technology infrastructure including hardware (processors); system software; and telecommunications at SSA Headquarters and the Emergency Relocation Site/Alternate Facility
6. Administrative Management
a. Performing payroll operations
b. Maintaining critical employee health
c. Support and emergency services
d. Exercising hiring authority
e. Fulfilling labor management agreements
f. Providing workload tracking and control support
g. Performing financial operations
h. Maintaining building operations
7. Management Information
a. Providing executive management reports and statistical reports from operational data stores
8. Performance of SSA’s Responsibilities Under the National Response Plan (NRP)
a. Developing and implementing a strategy for the integration of the National Incident Management System into continuity of operations (COOP) and emergency response plans, policies and procedures
b. Establish and maintain a roster of trained personnel to perform SSA’s NRP functions

9. Performance of SSA’s COOP Responsibilities
a. Maintaining contact with other departments, agencies and Federal organizations, and the capability and plan to transfer the Headquarters COOP missions to another SSA component, if necessary.

The detailed components of all these critical workloads can change as new/enhanced/repaired SSA applications, systems and hardware are introduced into the information technology architecture.
Appendix F
Lockheed Martin Recommendations

Issue and
Status
Lockheed Martin (LM) Finding
LM
Recommendation Status Per Prior Office of the
Inspector General (OIG) Report Status Per Our Current Review
As of June 2009
Agency
Response OIG Review Agency
Response OIG Review
National Computer Center (NCC) Feeder Replacement

Completed The NCC feeder cables were identified as the most apparent single point of failure. Replace the feeder cables immediately. The Social Security Administration (SSA) awarded a contract to replace the feeder cables in September 2008. As of March 2009, the Agency reported the new feeder cables were installed, tested, energized and in use. Verified a contract had been awarded to replace the feeder cables and observed temporary cables being installed. The feeder cable replacement project has been completed. Confirmed the permanent feeder cables had been installed.
Federal Pacific Electric (FPE) Panel Replacement (Riser Project)

Ongoing The FPE panel breakers most likely will not open should an “over current” occur. Replace the FPE panels immediately. General Services Administration (GSA) completed a design for the Riser Project. SSA expected GSA to award a contract by March 2009. The project was scheduled to be completed over 3 holiday weekends in October 2009, February 2010 and May 2010. The contingency date is July 2010. Verified the project design was complete. The plans for the Riser Project remain on schedule. The contract was awarded in May 2009. SSA officials stated, “. . . the actual award date was May 20, 2009.”
Uninterruptible Power Supply (UPS) System Replacement

Ongoing The UPS service contract expires in September 2012. The UPS manufacturer has warned that, at present, failure of any large component cannot be repaired. Explore three options involving (1) extending the maintenance contract; (2) stockpiling replacement equipment and hiring personnel to maintain the UPS system; and (3) installing at least two new systems. The Agency is implementing the first and second options. Specifically, SSA received a list of UPS replacement parts which it expects to purchase in Fiscal Year (FY) 2009. The contractor agreed to perform maintenance through FY 2015 provided SSA purchased the recommended replacement parts. The third option was only necessary if the Agency did not receive funding for a new Data Center. Verified SSA received a list of UPS replacement parts. When purchased, these parts will be used to support an extension of the UPS maintenance contract through FY 2015. The extension of the maintenance contract will not occur until 2012 in conjunction with the expiration of the existing maintenance contract. The contract for the replacement parts was awarded in April 2009. The replacement of the UPS is not applicable. Verified a contract had been awarded in April 2009 to purchase the UPS replacement parts.
Roof Membrane and Roof Drains

Ongoing

The membrane and stone roofs above both the NCC and its Utility Building provide an environment for dirt and seeds to collect and grow into plants with extensive root systems. Repair the roof membrane and clear the roof drains as soon as possible. GSA completed a roof design in FY 2008 and expected to award a contract in March 2009. The NCC warehouse roof will not have stones on top. Also, the Utility Building roof was recently replaced with a roof that does not have stones on top. Therefore, the Agency believes the issue of “an environment of dirt and seeds to collect” has been eliminated.

Further, SSA reported the main NCC roof was installed in 1994 and does have stones on top. SSA staff removed all growth, cleared all drains and increased the frequency of inspections on the roofs for early identification of possible growth. Agency staff stated there are currently no leaks on the main NCC roof.

The Agency believes the replacement of the NCC warehouse and Utility Building roofs and increased inspection of the main NCC roof and drains addresses all the issues in the LM study.
Verified a Request for Proposal for the NCC warehouse roof replacement was issued in May 2008, a design was completed in September 2008, and a solicitation for offer was issued in November 2008. Also, we confirmed the Agency inspects the roof as part of its preventive maintenance schedule. In addition, we verified the Utility Building roof was replaced in Calendar Year 2007. The contract was awarded for the roof replacement project in March 2009. The Agency continues to perform inspections and maintenance on all roofs and drains as part of the scheduled preventive maintenance program. Verified a contract had been awarded in March 2009 to replace the NCC warehouse roof.
Lightning Protection Grid

Ongoing The roof lightning protection grid was damaged on the NCC and its Utility Building. Repair the lightning protection grid immediately. Completed repairs on the NCC and Utility Building roofs. The Utility Building roof lightning protection system was certified. The lightning protection system will be reevaluated when the warehouse roof repairs are completed. Observed some corrections the Agency made to repair the damage to the lightning protection grid. Also verified an inspection was completed and the Utility Building roof was certified in October 2007. In March 2009, GSA awarded a design contract for architect and engineering services. Verified a contract was awarded in March 2009 for the design of the lightning protection system for the NCC.

Appendix G
Recurring Infrastructure Issues at the National Computer Center and its Utility Building

Roof and Lightning Protection Grid
• In 1989, about 9 years after the National Computer Center (NCC) was occupied, the General Services Administration (GSA) issued a Building Engineering Report (BER) that identified the need to replace the roof on the Utility Building.
• In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER that identified the need to replace the Utility Building and NCC roof.
• In 2001, approximately 21 years after the NCC was occupied, GSA issued a BER that identified the need to replace the Utility Building and NCC warehouse roof.
• In 2007, about 27 years after the NCC was occupied, GSA issued a BER that identified the need to repair the roof and lightning protection grid on the NCC.
• In 2008, about 28 years after the NCC was occupied, Lockheed Martin (LM) issued a Feasibility Study that identified the need to repair the roof and lightning protection grid on the NCC.

SSA reported the main NCC roof was installed in 1994 and the Utility Building roof was replaced in Calendar Year 2007. The replacement of the NCC warehouse roof is in-process. The lightning protection system will be addressed as part of the NCC warehouse roof replacement project.

Heating, Ventilation and Air Conditioning (HVAC) System
• In 1989, about 9 years after the NCC was occupied, GSA issued a BER that identified the need to replace chillers and pumps.
• In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER that identified the need to modify existing and install new air handling units.
• In 2001, about 21 years after the NCC was occupied, GSA issued a BER that reported the need to replace all air handling units because they had reached the end of their useful life.
• Also in 2001, GSA issued an HVAC system report that identified numerous problems, such as damaged air handling equipment, poor indoor air quality, and maintenance problems because of equipment failing or not functioning properly.
• In 2007, about 27 years after the NCC was occupied, GSA issued a BER that reported unacceptable indoor air quality and aged and outdated equipment.
• In 2008, about 28 years after the NCC was occupied, LM issued a Feasibility Study that reported potential mold, poor indoor air quality, insufficient cooling in the Data Center, and identified the need to replace the HVAC system.
• In 2009, approximately 29 years after the NCC was occupied, GSA issued a Feasibility Study that reported the system was at the end of its useful life.

Agency representatives stated the equipment has been well-maintained and upgraded over the years. For example, the Agency reported it made chiller plant renovations in 1998 and air handler upgrades in 2003. Most recently, SSA reported budget requests were submitted for air handler unit repairs in 2007 and for cooling and water pumps in 2008. In addition, the Agency is performing regular maintenance on HVAC equipment, including air handler units throughout the NCC.

Federal Pacific Electric (FPE) Panels
• In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER that identified the need to replace the FPE panels.
• In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER that reported the FPE panels were obsolete.
• In 2008, approximately 28 years after the NCC was occupied, LM issued a Feasibility Study that identified the need to replace the FPE panels.
• In 2009, approximately 29 years after the NCC was occupied, GSA issued a Feasibility Study that identified the need to replace the FPE panels.
The Agency reported in the early 1990s, additional circuit breakers had been installed in FPE breaker panels because additional electrical capacity was needed for the Data Center equipment. Agency staff acknowledged the added breakers were not installed in compliance with the National Electric Code.
However, the Riser Project is expected to resolve this issue. SSA reported that it sent GSA $9.7 million in FY 2005 in a Reimbursable Work Authorization for the Riser Project. However, due to extensive design and planning, the Project has not yet been completed. SSA officials stated the contract was awarded in May 2009.

Uninterruptible Power Supply (UPS)
• In 2001, approximately 21 years after the NCC was occupied, GSA issued a BER that identified the need to replace the UPS batteries within the following 5 years as they exceeded their useful life.
• In 2008, approximately 28 years after the NCC was occupied, LM issued a Feasibility Study that identified the need to replace the UPS system as the failure of any large component could no longer be repaired.
• In 2009, approximately 29 years after the NCC was occupied, GSA issued a Feasibility Study that reported the UPS suffered a failure and was at the end of its useful life.

The Agency reported a UPS hot tie installation occurred in 1999 that provides redundancy for power requirements on the critical loads. Most recently, a contract was awarded in April 2009 for the purchase of UPS replacement parts, which will be used to support an extension of the UPS maintenance contract through FY 2015.

Fire Protection
• In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER that identified the need to replace missing sprayed-on fireproofing.
• In 2001, approximately 21 years after the NCC was occupied, GSA issued a BER that identified the need to repair damaged and missing fireproofing.
• In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER that reported the fire protection system was not in compliance with applicable code and the fire sprinkler system was worn, damaged, and corroded.
• In 2008, approximately 28 years after the NCC was occupied, LM issued a Feasibility Study that identified the need to install a fire suppression system.
• In 2009, approximately 29 years after the NCC was occupied, GSA issued a Feasibility Study that reported the Agency’s current sprinkler system, if activated, would be detrimental to the IT equipment and electrical infrastructure in the Data Center.

Although the Agency plans to defer the installation of a fire suppression system, SSA reported there have been several budget requests in this area. Specifically, requests for a Utility Building fire protection project in 2005, a high sensitivity smoke alarm in 2006, a fire protection upgrade in 2007, and a fire alarm modification in 2007 and 2008. Additionally, we confirmed SSA installed an FM200 within the tape storage silos in the Data Center.

Facility Storage
• In 2001, approximately 21 years after the NCC was occupied, GSA issued a HVAC system report that identified the need to clean out mechanical equipment rooms being used for storage.
• In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER that identified the need to remove stored items from electrical closets and work areas and separate battery rooms from storage rooms.
• In 2008, approximately 28 years after the NCC was occupied, LM issued a Feasibility Study that reported adequate storage does not exist and therefore items are improperly stored in closets and mechanical rooms.

Plumbing
• In 1989, about 9 years after the NCC was occupied, GSA issued a BER that identified the need to provide plumbing fixtures for handicapped use.
• In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER that identified the need to replace all existing plumbing fixtures including handicapped accessible fixtures.
• In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER that identified aged, worn, and noncompliant plumbing fixtures.
• In 2008, approximately 28 years after the NCC was occupied, LM issued a Feasibility Study that reported corrosion of pipes, build-ups in pipes and pipe failures in the facility were evident. Also, LM reported the plumbing system was over 30 years old.
• In 2009, approximately 29 years after the NCC was occupied, GSA issued a Feasibility Study that reported the plumbing system is near the end of its useful life and replacement will be required in the near future. Further, GSA reported an insufficient number of plumbing fixtures based on increased personnel.
The Agency reported plumbing is being managed under its normal maintenance program. SSA reported there have been several budget requests for plumbing related items. For example, a request to upgrade the cathodic in 2004 and replace piping in 2006.

Appendix H
Uptime Institute’s Data Center Tier Classifications and Performance Standards

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.