Summary - A-44-09-29120

Report Summary

Social Security Administration Office of the Inspector General

June 2009

Congressional Response Report: The Social Security Administration's Information Technology Strategic Planning

(A-44-09-29120)

Objective

To review the Social Security Administration’s (SSA) plan to address its processing requirements 5 to 20 years in the future and what actions SSA has taken to meet those requirements. Specifically, we addressed a congressional inquiry concerning the Agency’s information technology (IT) strategic planning, disaster recovery, industry best practices, National Computer Center (NCC) infrastructure issues, and NCC replacement strategy.

Background

A February 18, 2009 letter co-signed by Senators Max Baucus and Charles Grassley requested that we assess SSA’s overall future information system plans. Also, as a follow up to our report, The Social Security Administration’s Ability to Address Future Processing Requirements, we updated the status of SSA’s efforts to address the significant issues identified in Lockheed Martin’s NCC Feasibility Study.

To view the full report, visit http://www.ssa.gov/oig/ADOBEPDF/A-44-09-29120.pdf

Our Findings

SSA has various IT strategic planning documents, but similar to other Federal agencies, they do not span 20 years. The documents are task-oriented in nature and need to be more strategic. Also, SSA has an IT planning process, but it is decentralized. Further, SSA has a disaster recovery plan if the NCC becomes unavailable. However, the Agency’s plan depends heavily on the availability of a contracted facility.
SSA obtained information on industry best practices by consulting with IT research firms. The Agency does not follow specific industry best practice documents, but its IT planning is based on experience and the best information available at the time. Industry best practices were used in developing SSA’s NCC replacement strategy.
SSA has initiated or completed projects to sustain existing operations at the NCC and will continue to perform preventive maintenance activities. Further, the new NCC is being designed in accordance with the Uptime Institute’s Tier III data center standards.
SSA decided to build a new data center off campus. SSA developed minimum requirements for the location of its new data center. However, SSA is still in the preliminary stages of the project, and GSA is not yet soliciting for construction sites.

Matters for Consideration

SSA needs to focus its efforts on (1) strengthening its IT strategic planning process and related documents; (2) identifying ways to accelerate planning, constructing and operating the new data center; (3) developing contingency plans for addressing its IT processing requirements and disaster recovery procedures in the event the Durham Service Center and/or new data center are not operational in the scheduled time frames; (4) using industry best practices to aid in its IT strategic planning; and (5) establishing controls and a detailed strategy for timely maintenance, repairs, upgrades and replacement of critical IT infrastructure in the new data center to prevent the situation at the NCC from recurring.