IT INVESTMENT MANAGEMENT
Social Security Administration Needs to Oversee Investments in Operations and Better Evaluate Performance
Report to Congressional Committees
United States Government Accountability Office
View GAO-25-107200. For more information, contact David B. Hinchman at hinchmand@gao.gov.
Highlights of GAO-25-107200, a report to congressional committees
Social Security Administration Needs to Oversee Investments in Operations and Better Evaluate Performance
Why GAO Did This Study
SSA relies extensively on IT to deliver retirement, disability, survivor, and family benefits programs to millions of Americans. In fiscal year 2024, SSA spent about $2.2 billion on IT.
GAO was asked to review SSA’s IT investment management process. This report assesses (1) the extent to which SSA’s IT investment management process complies with federal legislation, guidance, and relevant key practices; and (2) SSA’s efforts to evaluate its IT investments.
In performing its work, GAO analyzed SSA’s IT investment management processes and compared them to relevant provisions of federal IT acquisition legislation, federal guidance, and key practices. GAO also selected three mission-critical IT investments under development, and reviewed investment management documentation, including performance information, to determine if they were consistent with SSA’s procedures. GAO also reviewed the contents of IT IRB meeting minutes and compared them to the responsibilities stated in the board’s charter.
What GAO Recommends
GAO is making seven recommendations to SSA, including that it implement a process to oversee and review performance of investments in operations, and fully implement its process to evaluate performance of investments under development. SSA agreed with all seven recommendations.
What GAO Found
The Social Security Administration (SSA) has defined processes to manage IT investments under development that are consistent with relevant federal legislation, federal guidance, and key practices. However, the agency does not have a process to oversee investments in operations—including those in operations and maintenance (O&M), infrastructure, and cybersecurity. These investments accounted for $2 billion or about 90 percent of SSA’s IT budget in fiscal year 2024. SSA officials told GAO that, among other things, maintaining investments in O&M is necessary and the agency cannot have debates on whether to continue to fund them. Without a process for the IT investment review board (IRB) to oversee these investments, SSA lacks the enterprise-wide perspective to make the most appropriate strategic IT investment decisions. In addition, the agency is hampered in its ability to effectively manage the entire IT portfolio and identify opportunities for cost savings and efficiencies.
SSA has not fully evaluated investments under development and those in operations:
· While SSA has policies and procedures to oversee investments under development, it has not fully implemented them. SSA’s IT IRB meeting minutes for fiscal years 2022 to 2024 showed that the board primarily focused on funding allocations for the upcoming fiscal year and did not regularly discuss investment performance. SSA officials said that this was primarily due to the uncertain budget environment. However, without regular oversight, the IT IRB will not know whether the investments are meeting performance targets. The IRB also risks identifying corrective actions late, when they are more difficult and costly to address.
· SSA did not have complete performance documentation for three selected investments under development. Without complete and current performance data, SSA is unable to determine investment progress and value.
|
|
Performance measures identified |
Return on investment documentation |
Value realization documentation |
|
Investment 1 |
✔ Yes |
✘ No |
△ Partial |
|
Investment 2 |
✘ No |
✘ No |
✘ No |
|
Investment 3 |
✔ Yes |
△ Partial |
△ Partial |
✔ Yes = documentation existed and was complete/current; △ Partial = documentation existed but was not complete/current; ✘ No = documentation did not exist.
Source: GAO analysis of Social Security Administration documentation. | GAO-25-107200
· SSA also does not have a process to regularly review the performance of investments in O&M, as called for in federal guidance. Officials stated that they maintain performance information for investments in O&M which is available to project staff and executives. In addition, project staff are responsible for monitoring investment performance and raising issues as needed to leadership. However, SSA’s IT IRB meeting minutes did not show evidence of this. Until SSA defines and implements processes to review investments in O&M, it risks not knowing whether its multibillion-dollar IT investments continue to support agency needs.
Abbreviations
|
ADDS |
Analytics and Disability Decision Support |
|
CIO |
Chief Information Officer |
|
CPIC |
Capital Planning and Investment Control |
|
DCPS2 |
Disability Case Processing System 2 |
|
DME |
development, modernization, and enhancement |
|
FITARA |
Federal Information Technology Acquisition Reform Act |
|
HACPS |
Hearings and Appeals Case Processing System |
|
IMAGEN |
Intelligent Medical-Language Analysis Generation |
|
IT |
information technology |
|
ITIP |
Information Technology Investment Process |
|
IRB |
investment review board |
|
O&M |
operations and maintenance |
|
OMB |
Office of Management and Budget |
|
ROI |
return on investment |
|
SSA |
Social Security Administration |
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
June 26, 2025
Congressional Committees
The Social Security Administration (SSA) relies extensively on IT to deliver retirement, disability, survivor, and family benefits programs to millions of Americans.[1] For example, SSA uses IT systems to evaluate evidence to determine eligibility for benefits, and to maintain records for more than 70 million beneficiaries and recipients of SSA’s programs. To help ensure that the agency can fulfill its mission, SSA has been modernizing its IT infrastructure, systems, and services. In fiscal year 2024, SSA spent about $2.2 billion on IT investments and the associated IT support services.[2]
Improving the management of federal IT acquisitions and operations is a critical issue and has been on our High-Risk List since 2015.[3] Further, we have previously reported on aging IT systems across the federal government, which have become more costly to maintain. Given the size of its IT budget and the significance of IT to the agency’s mission, it is important that SSA manages its investments effectively.
You asked us to evaluate SSA’s IT investment management process. Our objectives were to (1) determine the extent to which SSA’s IT investment management process complies with federal legislation, guidance, and relevant key practices; and (2) assess SSA’s efforts to evaluate its IT investments.
To address our first objective, we compared SSA’s Capital Planning and Investment Control (CPIC) guidance and Information Technology Investment Process (ITIP) procedures against relevant provisions of federal IT acquisition reform legislation and Office of Management and Budget (OMB) guidance.[4] We compared SSA’s ITIP procedures against OMB guidance to determine if the procedures included activities and required documentation for the plan, select, control, and evaluate phases for investments under development. Additionally, we compared SSA guidance and procedures against relevant key practices for investment management from GAO’s IT Investment Management framework.[5]
We also analyzed agency documentation on SSA’s process for funding IT development, modernization, and enhancements (DME); and for investments in operations and maintenance (O&M). This included documentation on allocations to different investment categories, such as IT infrastructure and cybersecurity. In this report, we use the term “investments in operations” to collectively refer to investments that are not under development and therefore not subject to SSA’s ITIP. These include investments in O&M, IT infrastructure, cybersecurity, and management; and mission support services for human resources, financial management, and e-government.
To address our second objective, we determined the extent to which SSA had implemented processes to identify and measure progress and value for investments under development and O&M. For fiscal years 2022 to 2024, we compared monthly IT investment review board (IRB) meeting minutes and related documentation to the board’s stated responsibilities in its charter, to determine the nature and extent of the board’s discussions and decisions on investments under development. We also reviewed SSA’s portfolio of investments under development to select three investments as case studies. We considered SSA’s five major IT investment areas and selected three investments from the disability modernization area.[6] We selected these investments based on (1) highest development funding levels for fiscal years 2023 to 2025; and (2) mission criticality. With respect to mission criticality, we considered the investments’ potential to improve SSA’s disability claims workload, a high-risk area that we have been monitoring since 2003.[7] The investments we selected are described below:
· Analytics and Disability Decision Support (ADDS)–Intelligent Medical-Language Analysis Generation (IMAGEN), a data analytics platform that uses advanced machine learning and predictive analytics to help SSA’s disability examiners make disability determinations;
· Disability Case Processing System 2 (DCPS2) Enhancements, which expands functionality for SSA’s cloud-based national disability case processing system; and
· Hearings and Appeals Case Processing System (HACPS), SSA’s national disability case hearings and appeals processing system.
These investments represent a nongeneralizable sample; as such, our findings cannot be used to make inferences about other investments in SSA’s IT portfolio. We did not select investments in operations as case studies because SSA does not have processes for overseeing these investments, as discussed in this report.
For each selected investment, we reviewed and analyzed documentation identified in SSA’s ITIP procedures, including investment proposals, performance measures, and value realization reports. We compared these documents with SSA’s ITIP to determine whether (1) the documentation existed, and if so, (2) it contained complete and current information.
For both objectives, we met with officials from SSA’s Office of the Chief Information Officer (CIO) and its Office of IT Financial Management and Support to understand the ITIP governance structure. This included IT IRB oversight responsibilities for investments under development and in operations. We also met with the Assistant Deputy Commissioner for Hearing Operations to better understand program-level oversight activities for investments under development. In April 2025, we met with senior officials from the Office of the CIO to determine the extent to which our findings were affected by any SSA organizational or policy changes introduced since January 2025 by the new administration. We concluded that no changes to our findings were required. See appendix I for a more detailed discussion of our objectives, scope, and methodology.
We conducted this performance audit from November 2023 to June 2025 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
SSA relies extensively on IT to carry out its core mission functions. Specifically, IT hardware, software, and systems are used to administer a wide range of SSA programs and support related administrative needs that include, among other things:
· managing SSA’s national customer service efforts, including telephone service and online appointment scheduling;
· maintaining records for the millions of beneficiaries and recipients of SSA’s programs, including Supplemental Security Income, Retirement, and Disability Insurance;
· evaluating evidence and making determinations of eligibility for benefits on new claims; and
· enabling individuals to report wages via telephone, website portal, or mobile application.
SSA’s IT modernization plans have outlined the agency’s efforts to replace decades-old legacy IT systems to support these core functions; improve IT development methods and processes, including cybersecurity; and address long-standing customer service challenges. The agency’s February 2025 Digital Modernization Strategy describes three tenets for IT modernization:
· set the target architecture based on a secure, forward looking, service-based and modular view;
· transform the organization towards a product operating model addressing the highest priority tracks; and
· expand access to digital data at SSA and use data and artificial intelligence as an enabler and accelerator.
Additionally, the strategy discusses nine objectives including expanding service options to the public and enhancing customer feedback mechanisms; and making IT improvements to support and simplify employees’ work, including eliminating investments in outdated technology and improving data quality to support decision-making.
SSA’s IT Budget
SSA’s annual IT budget supports systems, services, and staff for mission delivery; mission support; and IT infrastructure, security, and management.
Figure 1 below shows how SSA allocated its $2.2 billion fiscal year 2024 budget to these three areas.
From fiscal year 2014 to fiscal year 2024, SSA’s annual funding for IT has generally remained steady, when adjusted for inflation. Specifically, SSA spent about $1.9 billion on IT in fiscal year 2014 and about $2.2 billion in fiscal year 2024. Similarly, in May 2025, SSA officials reported that they plan to spend about $2.2 billion during fiscal year 2025 to support the agency’s IT needs.
Each year, SSA allocates its IT budget to fund:
· development, modernization, and enhancement (DME), which includes new or ongoing investments in IT development; modernization of legacy application systems; and enhancements to existing systems such as new components or capabilities; and
· maintenance of existing system operations, referred to as operations and maintenance (O&M). For example, O&M includes telecommunication costs, software maintenance on deployed IT systems, and required updates to existing infrastructure to address security issues.
SSA uses both DME and O&M funds to support the three categories of investments described above—mission delivery; mission support systems; and infrastructure, security, and management.
SSA data from fiscal year 2014 to fiscal year 2024, show that on average, about 35 percent of SSA’s IT budget was spent on DME, and about 65 percent was spent on O&M (see figure 2 below). From fiscal year 2022 to fiscal year 2024, SSA’s spending on O&M increased by about 40 percent, adjusted for inflation.
As shown in figure 2, SSA allocated $209 million, or about 10 percent of its fiscal year 2024 IT budget, to investments under development. This represents the portion of SSA’s IT budget subject to the agency’s ITIP procedures, as discussed in greater detail in this report. The remaining 90 percent of the IT budget—about $2 billion—was used to support investments in operations. This included continued funding for investments in O&M, as well as infrastructure and cybersecurity. These investments in operations are not subject to the agency’s ITIP procedures.
Federal Legislation and Guidance for IT Investment Management
IT investment management is an agency’s process for planning, selecting, controlling, and evaluating investments in a manner that minimizes risks, maximizes return on investment, and supports the agency’s mission. Federal IT acquisition reform legislation and OMB guidance provide a framework for this process.
In December 2014, Congress enacted federal IT acquisition reform provisions, commonly referred to as the Federal Information Technology Acquisition Reform Act, or FITARA.[8] The act established specific requirements for covered agencies pertaining to, among other things, enhancing CIO authority and transparency, and improving risk management and IT portfolio review.[9] As part of implementing FITARA, the heads of covered agencies are to ensure that the CIO has a significant role in all IT-related annual and multi-year planning, programming, budgeting, and execution decisions.[10]
Additionally, OMB’s Circular A-130 establishes general requirements for the planning; budgeting; governance; acquisition; and management of federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services.[11] For example, Circular A-130 requires agencies to develop robust analyses of alternatives when planning a new IT investment. This includes developing technical and risk analyses of alternative designs, and full lifecycle cost estimates of IT products and services.
OMB’s Circular A-11 and the related Capital Programming Guide provide direction on IT budget formulation and portfolio management, including processes to help ensure that the federal government gets optimal returns on its IT investments.[12] For example, agencies are required to document information such as investment benefits, current performance, and the results of regularly occurring operational analysis in a major IT investment’s business case. Operational analyses assess the ongoing performance of O&M investments, and are to document and address cost, schedule, and performance measures, including areas such as customer satisfaction. Regular operational analyses help the agency ensure that existing systems continue to meet the agency’s strategic goals and customers’ needs.
GAO’s IT Investment Management framework similarly defines governance structures, such as investment boards; and processes for developing information on investments (such as costs and benefits).[13] Additionally, this guidance identifies practices related to tracking investment performance to help inform management decisions.
GAO and Others Have Previously Identified SSA IT Investment Management Weaknesses
We and others have reported on the challenges SSA has faced in modernizing its IT systems to better serve customers, improve service delivery, and reduce potential fraud.
For example, in April 2012, we reported that SSA lacked comprehensive plans and performance measures to guide its IT modernization efforts.[14] We recommended that SSA develop comprehensive metrics, complete strategic planning, develop an enterprise architecture plan, and establish roles and responsibilities to better oversee modernization efforts. SSA neither agreed nor disagreed with the recommendations. SSA implemented two recommendations, but did not implement recommendations related to establishing performance measures for major IT investments in O&M or establishing an enterprise architecture plan to guide modernization efforts.
We reported in November 2022 that SSA expanded remote service delivery during COVID-19, but gaps remained in serving some populations.[15] We recommended that SSA develop a plan—with clear steps, goals, metrics, and timelines—for enabling claimants to apply for Supplemental Security Income benefits online. SSA agreed with this recommendation. As of March 2025, SSA reported that it was testing prototype applications, but has not yet estimated a completion date for implementing the application. Fully implementing this recommendation would enable more individuals to apply for benefits online and help conserve SSA staff resources.
In September 2024, we reported on SSA’s efforts to implement an electronic Social Security Number verification service, which was created to improve identity verification and reduce synthetic identify fraud.[16] We found that SSA did not follow its own guidance for estimating costs for this investment, and the agency’s cost estimation guidance did not consistently incorporate GAO leading practices, such as documenting the cost estimation process. We recommended that SSA (1) implement controls to ensure that all significant IT investments align with its investment management process, and (2) update its cost estimating guidance to incorporate GAO leading practices. SSA agreed with our recommendations. In April 2025, SSA reported that the agency is reviewing its cost estimation practices for IT investments and hopes to determine additional efficiencies and process improvements over the next six months.
SSA’s Office of the Inspector General also reported in September 2024 that the agency’s IT modernization program was not effectively designed or, in some instances, had not implemented or complied with its own processes to fully address federal requirements.[17] For example, SSA did not have an approved strategy or guidance for defining and implementing plans to modernize, replace, or retire its legacy IT systems. In some instances, SSA had not maintained documentation for modernization plans, execution, and related costs. Similarly, SSA had not determined whether investment cost and return on investment goals were met. SSA agreed with the report’s eight recommendations.
SSA Has Processes to Manage Investments Under Development but Not in Operations
SSA has defined processes to manage investments under development that are generally consistent with relevant federal legislation, guidance, and key practices. However, the agency does not have processes to oversee its other investments, which we refer to as investments in operations.[18] These investments accounted for about 90 percent of SSA’s overall IT budget in fiscal year 2024. In addition, while SSA has regularly updated its primary investment management guidance, it has not consistently updated the supporting procedures.
SSA Has Defined Processes for Investments Under Development
As discussed earlier, legislation and OMB guidance established requirements related to IT investment management, including CIO authorities and IT planning and budgeting.[19] Additionally, key practices identify essential governance structures to support an agency’s investment management process.[20] Our analysis shows that SSA has established processes to manage IT investments under development which are consistent with relevant provisions of federal legislation, OMB guidance, and key practices.
SSA’s ITIP policies and procedures specify roles and responsibilities for the CIO and agency executives which are consistent with FITARA and OMB guidance. Specifically, these documents state that the CIO is responsible for managing SSA’s IT budget and establishing IT capital planning and investment procedures. The CIO also chairs the IT IRB. SSA’s IT IRB charter establishes roles and responsibilities for the board, which is expected to meet monthly and make decisions on IT investment priorities, funding, and monitor investment performance.[21]
Table 1 identifies the key participants supporting SSA’s ITIP process and their responsibilities, as outlined in policies and procedures.
|
Participants |
Description |
Examples of responsibilities |
|
Chief Information Officer (CIO) |
Heads the Office of the CIO; chairs the IT investment review board (IRB). |
Manages SSA’s IT budget. Establishes IT capital planning and investment procedures. Ensures that IT investment teams follow capital planning and investment processes. |
|
IT IRB |
Decision-making body for SSA’s IT investment portfolio. Members are the CIO (chair) and include the Chief Financial Officer and deputy commissioners who lead SSA business units. |
Sets strategic IT investment priorities. Recommends annual investment priorities and funding amounts to Commissioner. Regularly monitors performance of IT investments, including cost, schedule, and risk. |
|
Program area lead |
Executive within each business unit or program area responsible for overseeing a collection of investments in the IT portfolio.a |
Manages IT investment process for the business unit, including ranking investment proposals for IT IRB consideration. Collaborates with IT IRB to finalize investment priorities and funding levels. Monitors progress of investments within the business unit. |
|
Business sponsor |
Identifies needs for new IT investments. |
Develops investment proposal, including estimates of investment cost and expected value. |
|
IT investment management team |
Assists business units and IT IRB in fulfilling investment management responsibilities. |
Office of the CIO/technical counterpart to program area lead. Provides subject matter expertise to IT IRB on investment performance. Administers investment management process. |
Source: GAO analysis of Social Security Administration (SSA) documents. | GAO‑25‑107200
aEach program area includes IT investments focused on a core function of the agency. For the purposes of investment management, the program areas are: Benefits; Benefits Modernization; Administrative Applications; Data and Business Intelligence; Disability, Hearing and Appeals; Earnings and Enumeration; Cybersecurity; Service Delivery; IT Governance and Other Support; Infrastructure; and Program Integrity.
OMB guidance and key practices call for agencies to establish and follow a systematic investment management approach to help ensure successful and repeatable investment decisions.[22] Consistent with this, SSA’s CPIC guidance and ITIP procedures define a systematic approach for (1) identifying a new IT business need, (2) selecting the optimal IT investment to meet that need, (3) overseeing the investment from initial development to deployment, and (4) evaluating the results of the investment (see figure 3).
Plan. OMB Circular A-130 requires agencies to develop robust analyses of alternatives when planning a new IT investment, including technical and risk analyses of alternative designs, and full lifecycle cost estimates of IT products and services.[23] Consistent with this guidance, SSA’s ITIP procedures require project teams to develop investment proposals, including an analysis of potential alternatives for implementing a solution, technical risks, and cost estimates. In addition, ITIP procedures require investment teams to establish performance measures, return on investment analysis, and estimates of expected value that the investment will deliver, which SSA refers to as value realization.[24] SSA officials stated that they established the value realization process in 2021 to monitor investments’ value in an organized and consistent way. Officials said that value realization is intended to support project teams in capturing and assessing value as the IT investment is developed and implemented over time.
Select. SSA has a process to select IT investments for development, consistent with OMB guidance and key practices.[25] SSA’s ITIP procedures describe multiple steps for the select phase. First, program area leads review investment proposals, consider potential costs and benefits to the agency, and alignment with agency goals and objectives. Program area leads then identify investment priorities with recommended funding amounts to present to the IT IRB. From all of the proposed investments, the CIO and IT IRB select a number of investments to pursue, to help ensure that potential investments align with agency priorities and available resources. Finally, the CIO presents this list to the SSA Commissioner for review and approval.
Control. OMB’s Capital Programming Guide calls for agencies to regularly monitor the performance of investments in meeting expected outcomes.[26] Consistent with this, SSA’s ITIP procedures call for executive stakeholders to monitor investment cost, schedule, and performance through various methods during the control phase.[27] For example, SSA’s procedures state that stakeholders are to use information presented during oversight meetings to identify and correct poorly performing projects and better manage risk.
SSA’s policies and procedures describe the following control activities:
· Meetings between program area leads and project teams, where each lead ensures investments in the portfolio are meeting planned scope, schedule, and cost. According to SSA, this is an opportunity for leads to identify potential risks or issues to elevate to the IT IRB.
· Monthly IT IRB meetings with deputy commissioners.
· CIO quarterly meetings with program area leads to discuss performance of their investments. These meetings are also to inform the CIO’s quarterly risk rating for major IT investments, which is reported to OMB on the federal IT dashboard.
· Project teams’ monthly value realization updates to show actual investment performance against targets. As previously mentioned, SSA’s value realization process is intended to track investments’ actual value realized against targets throughout the investment lifecycle.
Evaluate. Consistent with OMB guidance, SSA’s ITIP procedures call for one-time post-implementation reviews of IT investments after development is completed.[28] The procedures state that SSA officials are to evaluate completed investments against standardized criteria in the following areas: mission impact; business assumptions; costs; return on investment and value; schedule; enterprise architecture; functional requirements; and risk management. SSA guidance directs officials to conduct these reviews 1 to 2 years after an IT system is fully deployed.
As previously noted, SSA has an IT investment management team that is responsible for assisting business units and the IT IRB in fulfilling their investment management responsibilities. According to Office of the CIO officials, there are also tools such as the ITIP Online tool, that are used to collect and manage the information needed to support the investment management process.
SSA Does Not Have Policies and Procedures to Manage Investments in Operations
OMB guidance requires that the CIO, in coordination with appropriate governance boards, establish effective mechanisms to evaluate the cost, schedule, and performance of all IT projects within its portfolio.[29] In addition, IT investment management key practices call for investment review boards to provide for the oversight of projects in all phases of the lifecycle, including operations and maintenance.[30] Consistent with this, SSA’s IT IRB charter specifies that the board is to, among other things, provide oversight of the agency’s IT investment portfolio.
However, SSA does not have policies and procedures for the IT IRB to manage investments in operations, which, as previously noted, include investments in O&M as well as those in infrastructure and cybersecurity. This is concerning given that, as previously discussed, SSA’s spending on investments in operations accounted for about $2 billion (90 percent) of its fiscal year 2024 IT budget.
SSA officials said that maintaining investments in O&M is necessary, and as such, the agency cannot have debates on whether to continue to fund them. Regarding investments in infrastructure, SSA officials said that the CIO is better positioned to make decisions about them due to their technical nature. The officials further pointed to the Special Expense Item process that supports the CIO’s direct budgetary approval of investments that do not fall under ITIP. Through this process, business units identify annual funding needs for IT resources including hardware, software and maintenance, and related contractor and agency labor. The CIO reviews and directly approves these funding requests.[31]
Nevertheless, OMB guidance calls for agencies to provide appropriate oversight of investments in operations. Without policies and procedures for the IRB to oversee these investments, SSA will lack the enterprise-wide perspective needed to make appropriate agencywide strategic IT investment decisions. In addition, SSA will be hampered in its ability to effectively manage the entire IT portfolio and identify opportunities for cost savings and efficiencies.
SSA Has Not Updated Its ITIP Procedures Consistently
Key practices for IT investment management note that the investment management process guide should be a key authoritative document that the organization uses to initiate and manage IT investment processes.[32] The investment management process guide serves as a comprehensive foundation for developing all other related procedures.
SSA has reviewed and updated its CPIC guidance regularly to reflect, for example, changes to organizational names or CPIC responsibilities, or to add new activities such as the value realization process. However, it has not similarly reviewed and updated its supporting ITIP procedures to align with its CPIC guidance.[33] For example, ITIP control phase procedures do not include activities related to risk management, a key area cited in the CPIC guidance. Additionally, ITIP procedures include activities that are no longer in the CPIC guidance. Specifically, SSA’s ITIP evaluate phase procedures include information on performing analyses of investments in O&M. However, SSA does not perform operational analyses, as we discuss in greater detail later in the report.
SSA officials acknowledged that ITIP has changed over time, and that the CPIC guidance and related ITIP procedures are not always aligned. SSA officials stated that senior agency and IT leadership changes over the last five years have contributed to inconsistences in documentation, as policies and procedures have been adjusted to meet new leadership expectations. Nevertheless, in September 2024, SSA officials stated that they did not have immediate plans to revise the CPIC guidance or supporting ITIP procedures.
Without updated and consistent guidance and procedures, SSA investment teams will be confused about their responsibilities and which ITIP procedures or activities are currently required. Further, without periodic reviews of all investment management policies and procedures, SSA officials cannot be assured that the guidance is current, consistent, and remains relevant and effective for managing limited IT resources.
SSA Has Not Fully Evaluated IT Investments
While SSA has defined processes to provide oversight and measure the performance of investments under development, the agency has not fully implemented these processes. Specifically, SSA’s IT IRB did not regularly discuss investment performance such as planned versus actual cost, schedule, and risk. SSA also did not have complete documentation for three selected investments under development. Further, SSA does not evaluate the performance of its investments in O&M.
SSA’s IT IRB Provided Limited Oversight of IT Investments Under Development
Although SSA has defined policies and procedures for its IT IRB to oversee investments under development, the IT IRB has not consistently implemented them. IT IRB meeting minutes and related documents for fiscal years 2022 through 2024 demonstrate this lack of implementation. Specifically, while the IRB generally held monthly meetings to discuss IT investments under development, these discussions primarily focused on funding allocations for the upcoming fiscal year. They did not include regular discussions of performance such as investments’ schedule, risks, and value realization; or corrective action plans for underperforming investments.
SSA officials said that the IRB’s focus on allocating funding was primarily due to the uncertain budget environment. Officials stated that as a result, funding adjustments were constantly being made and negotiating and approving these changes occupied much of the IRB’s time. Further, with about 40 ITIP investments—many of which include multiple IT projects— officials said that it would not be possible for the IRB to review investment performance on a regular basis. Instead, officials stated that program area leads are responsible for monitoring investment performance for their respective portfolios, and they brief senior executives on IT investment performance about twice per year.[34]
According to key practices, lower-level groups comprised of individuals from across the organization may carry out the responsibilities of the enterprise-wide IT IRB within their own business units. However, the board must still maintain visibility into these lower-level groups’ activities.[35] While the program area leads may monitor investment performance, the IT IRB meeting minutes from fiscal years 2022 to 2024 did not show regular discussions about investment performance, including information that may have been discussed during biannual program area reviews. Such discussions would have allowed the board to maintain visibility into the program area leads’ activities.
Without regular oversight of IT investments under development—including costs, schedule, and risks—the IRB will not know whether critical investments are meeting performance targets and achieving expected outcomes. Further, for underperforming projects, the IRB risks identifying corrective actions late, when they are more difficult and costly to address.
SSA Did Not Have Complete Performance Information for Selected Investments
OMB’s Capital Programming Guide states that agencies should establish performance measures for their investments to evaluate efficiency, effectiveness, and results. This guidance notes that performance measures enable an agency to measure progress toward program or strategic goals, identify ways to reduce risk, improve cost-effectiveness, and help the agency determine reinvestment priorities.[36]
In addition, OMB’s Capital Programming Guide describes different kinds of measures, including quantitative (or output-related) measures, and efficiency-related performance measures.[37] Effective efficiency measures can show, for example, that the agency can achieve the same level of service at lower cost, or significantly improve service levels relative to slightly higher costs.
As previously discussed, SSA’s ITIP planning phase calls for investment teams to document an investment proposal in which teams are to identify performance measures, develop estimates of return on investment, and track value realization against performance measures.[38] In addition, consistent with federal guidance, ITIP procedures direct project teams to regularly update this documentation during investment development to support investment oversight activities.
Overall, SSA did not have complete documentation for the three selected disability investments.[39] Specifically, two investments identified performance measures and one investment did not; one investment partially developed return on investment documentation and two investments did not; and two investments had partially developed value realization documentation and one investment did not. Table 2 provides a summary analysis of investment documentation.
|
|
ADDS–IMAGEN |
DCPS2 Enhancements |
HACPS |
|
Performance measures identified |
✔ Yes. SSA identified eight performance measures. |
✘ No. SSA did not identify performance measures for DCPS2 Enhancements. |
✔ Yes. SSA identified 14 performance measures. |
|
Return on investment (ROI) documentation |
✘ No. SSA did not prepare ROI documentation. |
✘ No. SSA did not prepare ROI documentation. |
△ Partial. SSA had general ROI estimates. However, the estimates did not reflect actual investment costs. |
|
Value realization documentation |
△ Partial. Documentation exists but does not show consistent tracking of actual performance data. |
✘ No. SSA did not provide value realization documentation for DCPS2 Enhancements. |
△ Partial. Documentation exists but does not show consistent tracking of actual performance data. |
✔ Yes = documentation existed and was complete/current; △ Partial = documentation existed but was not complete/current; ✘ No = documentation did not exist. ADDS=Analytics and Disability Decision Support; IMAGEN=Intelligent Medical-Language Analysis Generation; DCPS2=Disability Case Processing System 2; HACPS=Hearings and Appeals Case Processing System.
Source: GAO analysis of Social Security Administration (SSA) documentation. | GAO‑25‑107200
Additional details from the analysis of IT investment management documentation are discussed below, by investment.
Analytics and Disability Decision Support (ADDS)–Intelligent Medical-Language Analysis Generation (IMAGEN). SSA identified a total of eight quantitative performance measures for this data analytics platform that supports disability decisions. For example, several performance measures track use of ADDS–IMAGEN at disability offices, including number of users, and employees’ use of system features. Another measure compares case processing times when examiners use IMAGEN versus when they do not.[40] However, SSA did not prepare return on investment documentation for ADDS–IMAGEN, and value realization documentation showed inconsistent tracking of performance data over time. For example, SSA documentation showed actual monthly tracking data for six out of eight performance measures in 2022, four out of eight measures in 2023, and two out of eight measures in 2024. Additionally, SSA’s measure to compare case processing times when examiners use IMAGEN versus when they do not was tracked for only about one year.
DCPS2 Enhancements. SSA did not identify performance measures to evaluate the efficiency, effectiveness, and results of DCPS2 Enhancements consistent with federal guidance. For example, SSA did not establish performance measures and targets for improving claims processing times, which would help address SSA’s disability claims backlog. According to SSA documentation, the original DCPS2 investment was funded through direct CIO approval for fiscal years 2015 through 2022. As a new investment, DCPS2 Enhancements was subject to ITIP beginning in fiscal year 2023, and therefore should have had discrete performance measures, return on investment, and value realization documentation.
Hearings and Appeals Case Processing System (HACPS). SSA identified a total of 14 performance measures for its disability case hearings and appeals system, though not all of the measures were tracked from 2022 to 2024. SSA identified measures related to implementation of HACPS to the hearing offices, and use of HACPS functionality such as scheduling hearings. Other measures tracked the volume of case analysis records created in HACPS, and the percentage of cases that were both opened and closed in HACPS. SSA provided estimates for HACPS return on investment; however, the documentation did not reflect actual investment costs. Overall, SSA did not track monthly actual performance consistently. For example, in 2022, SSA actively tracked eight measures, though it did not consistently report monthly actual data for four of them. Similarly, in 2023, documentation showed that SSA actively tracked one measure for the full year, and inconsistently tracked five other measures. In 2024, SSA tracked monthly data for five measures.
SSA’s IT investment management team is to assist business units and the IT IRB with meeting their investment management responsibilities. The agency also has tools to facilitate the collection and management of investment management information. Nevertheless, SSA officials acknowledged challenges with tracking investment performance. With respect to identifying performance measures, officials said that it can be difficult for investment teams to identify useful performance measures during the early stages of a new investment. Officials said that teams are strongly encouraged to revisit and revise their performance measures at least annually, to ensure that the measures remain relevant as the investment progresses. Additionally, SSA did not provide reasons for why return on investment documentation was not created or maintained for the three selected investments.
Finally, SSA officials said that the value realization process is relatively new, and it is still being implemented. Officials said they established value realization policies and procedures to help ensure consistency across investments and have developed a standardized process and reporting format in a tool called ITIP Online. Investment teams are expected to enter actual performance data in ITIP Online at least monthly. Officials also said that the Office of the CIO provides investment teams various training options to better understand value realization and develop potential performance measures. These include group trainings, one-on-one training as requested, and on-demand videos on specific topics.
However, SSA is not requiring all investment teams to use the value realization process although ITIP procedures instruct them to do so. In December 2024, SSA officials said that for the time being, project teams with investments under development are encouraged, but not required, to use the value realization process and tools. According to officials, this is because they do not want to overburden teams with multiple reporting requirements. However, there was no evidence of SSA tracking actual performance data in other documentation for our selected investments under development.
Without clearly defined and relevant performance measures, SSA will be challenged to measure progress toward program or strategic goals, identify ways to reduce risk, improve cost-effectiveness, and help the agency determine reinvestment priorities. Further, without complete and current data that can be used to measure investments’ progress and value, SSA will not have the information it needs to effectively measure progress in meeting program or strategic goals and evaluate investment outcomes.
SSA Does Not Evaluate the Performance of Investments in O&M
As discussed earlier, SSA does not have policies and procedures to manage investments in operations, which totaled about $2 billion of SSA’s IT budget in fiscal year 2024 alone. In addition, the agency has not performed regular assessments of its investments in O&M as called for in OMB guidance. Specifically, OMB guidance calls for agencies to conduct an annual operational analysis for these investments to help ensure that they continue to meet agency needs. According to OMB’s guidance, this analysis should address factors such as how well the investment contributes to achieving the organization’s strategic goals, a comparison of current performance with a pre-established cost baseline, and appropriate levels of risk. However, SSA has not established these policies and procedures, whether through operational analysis or other regular reviews of O&M investments.
In October 2024, SSA officials acknowledged that the agency does not have a policy or a structured process for performing operational analysis or other performance reviews of investments in O&M. SSA officials stated that they nevertheless maintain information on these investments in their investment management tool, including cost and schedule information, that is available to project staff and SSA executives. Officials further noted that Assistant Commissioners are responsible for monitoring all IT investments in their respective portfolios, and for raising concerns about them to senior leadership. However, as previously discussed, IT IRB meeting minutes for fiscal years 2022 through 2024 did not show evidence of regular performance discussions or reviews.
Until the CIO defines and implements policies and procedures to perform regular operational analyses for SSA’s O&M investments, the agency risks not knowing whether its multibillion-dollar IT investments continue to meet their intended objectives and support agency needs.
Conclusions
SSA has defined policies and procedures to manage investments under development, which are generally consistent with federal legislation, guidance, and key practices. However, SSA has not consistently reviewed and updated this guidance to ensure that it remains relevant and aligned with current agency operations. Further, SSA has not defined policies and procedures to manage its investments in operations, including investments in O&M, and infrastructure and cybersecurity. As a result, there is no documented process to manage investments that represented about 90 percent of SSA’s fiscal year 2024 IT budget. Until the agency defines and implements a process to oversee investments in operations, it will lack the enterprise-wide perspective needed to make sound strategic IT investment decisions and identify opportunities for efficiencies and cost savings.
SSA also has not fully assessed the performance of its IT investments. By not following its own guidance on regular IT IRB oversight and monitoring performance of selected investments under development—including establishing performance measures and collecting performance data—SSA has no means of ensuring that these investments are tracking towards intended results. This also casts doubt on the effectiveness of controls to ensure the IRB carries it out its responsibilities. Finally, because SSA does not assess the performance of investments in O&M, the agency does not know if the billions of dollars spent annually on these investments are producing the intended results to support the agency’s critical information technology.
Recommendations for Executive Action
We are making seven recommendations to SSA. Specifically:
The Commissioner of SSA should direct the CIO to define and implement policies and procedures for the IT IRB to review and approve investments in operations as part of managing the entire portfolio. (Recommendation 1)
The Commissioner of SSA should direct the CIO to regularly review the agency’s investment management guidance and supporting procedures, and make changes as appropriate, to ensure that information and requirements are up-to-date and consistent across documents. (Recommendation 2)
The Commissioner of SSA should ensure that the IT IRB fully implements its investment oversight responsibilities for investments under development. (Recommendation 3)
The Commissioner of SSA should ensure that investment management documentation for the Analytics and Disability Decision Support–Intelligent Medical-Language Analysis Generation investment, including return on investment analysis and value realization reporting, is complete, accurate, and regularly updated to reflect actual investment progress and value. (Recommendation 4)
The Commissioner of SSA should ensure that investment management documentation for the Disability Case Processing System 2 Enhancements investment, including performance measures, return on investment analysis, and value realization reporting, is complete, accurate, and regularly updated to reflect actual investment progress and value. (Recommendation 5)
The Commissioner of SSA should ensure that investment management documentation for the Hearings and Appeals Case Processing System, including return on investment analysis and value realization reporting, is complete, accurate, and regularly updated to reflect actual investment progress and value. (Recommendation 6)
The Commissioner of SSA should direct the CIO to define and implement policies and procedures to perform operational analyses for investments in O&M consistent with OMB guidance. (Recommendation 7)
Agency Comments
We received written comments on a draft of this report from SSA. In its written comments, reproduced in appendix II, SSA agreed with all seven recommendations.
As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the appropriate congressional committees, the Commissioner of SSA, and other interested parties. In addition, the report is available at no charge on the GAO website at https://www.gao.gov.
If you or your staff have any questions about this report, please contact me at hinchmand@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix III.
David B. Hinchman
Director, Information Technology and Cybersecurity
List of Committees
The Honorable Mike Crapo
Chairman
Committee on Finance
United States Senate
The Honorable Ron Wyden
Ranking Member
Committee on Finance
United States Senate
The Honorable Ron Estes
Chairman
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives
The Honorable John B. Larson
Ranking Member
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives
Our objectives were to (1) determine the extent to which Social Security Administration’s (SSA) IT investment management process complies with federal legislation, guidance, and relevant key practices; and (2) assess SSA’s efforts to evaluate its IT investments.
To address our first objective, we compared SSA’s Capital Planning and Investment Control (CPIC) guidance and Information Technology Investment Process (ITIP) procedures to the Federal Information Technology Acquisition Reform Act (FITARA), which includes Chief Information Officer (CIO) responsibilities for managing IT resources; Office of Management and Budget (OMB) Circular No. A-130: Managing Information as a Strategic Resource; and Circular No. A-11: Preparation, Submission, and Execution of the Budget, and its related Capital Programming Guide.[41] We also compared SSA guidance and procedures against relevant key practices for investment management from GAO’s IT Investment Management framework, specifically critical processes and activities related to governance and the investment evaluation phase.[42]
We compared SSA’s guidance on governance for ITIP and the IT investment review board’s (IRB) charter against significant CIO roles identified in FITARA, and key practices related to governance. We also compared SSA’s ITIP procedures against OMB guidance to determine that the procedures included activities and required documentation for the plan, select, control, and evaluate phases for investments under development. Further, we compared SSA’s CPIC guidance and ITIP procedures to key practices to determine the extent to which SSA’s documentation was current and consistent.
Additionally, we reviewed agency documentation on SSA’s process for funding IT development, modernization, and enhancements (DME); and for investments in operations and maintenance (O&M). We also analyzed SSA budget documentation to determine fiscal year 2024 allocations to different investment categories, including IT infrastructure and cybersecurity. In this report, we use the term “investments in operations” to collectively refer to investments that are not under development and therefore not subject to SSA’s ITIP. These include investments in O&M, IT infrastructure, cybersecurity, and management; and mission support services for human resources, financial management, and e-government.
To address our second objective, we determined the extent to which SSA had implemented processes to identify and measure progress and value for investments under development and in operations. Specifically, we compared the contents of monthly IT IRB meeting minutes and related documentation for fiscal years 2022 to 2024, to the board’s stated responsibilities in its charter. For example, we determined the extent to which the IRB discussed and made decisions related to performance of investments under development, including cost, schedule, and risk; value realization; and corrective actions for underperforming investments.
We also reviewed SSA’s portfolio of investments under development to select three investments as case studies. We considered SSA’s five major IT investment categories, all which are focused on modernization: benefits, data, disability, earnings and enumeration, and service delivery.[43] We selected three investments in the disability area based on (1) highest investment funding for development in fiscal years 2023 to 2025;[44] and (2) mission criticality. With respect to mission criticality, we considered investments’ potential to help improve the disability claims workload, a high-risk area we have monitored since 2003.[45] The investments we selected represent a nongeneralizable sample; as such, our findings cannot be used to make inferences about other investments in SSA’s IT portfolio. Based on our selection criteria, we determined that the selection of these investments was appropriate for our design and objectives and that the selection would generate valid and reliable evidence to support our work. We did not select investments in operations as case studies because SSA does not have processes for overseeing these investments, as discussed in this report.
The three IT investments we selected for review are described below.
Analytics and Disability Decision Support (ADDS)–Intelligent Medical-Language Analysis Generation (IMAGEN). ADDS–IMAGEN is a data analytics platform that uses advanced machine learning and predictive analytics to help SSA’s disability examiners make more efficient and accurate disability determinations. Specifically, ADDS–IMAGEN supports the review of medical evidence against SSA disability policies. According to SSA documentation, ADDS–IMAGEN helped examiners resolve about 265,000 disability cases during fiscal year 2024. SSA began this investment in October 2017 and expects to complete it in March 2027. SSA has spent about $100 million on ADDS–IMAGEN through fiscal year 2024.
Disability Case Processing System 2 (DCPS2) Enhancements. This investment funds enhancements to DCPS2, SSA’s cloud-based national disability case processing system, which SSA implemented in 2022.[46] According to SSA documentation, SSA is enhancing DCPS2 workload management tools, expanding correspondence features, and improving system integration with ADDS–IMAGEN. According to SSA, this investment also intended to help address the backlog of initial disability claims. SSA began the DCPS2 Enhancements investment in October 2023 and has spent about $40 million from fiscal year 2023 to fiscal year 2024. SSA expects to complete the investment in September 2026.
Hearings and Appeals Case Processing System (HACPS). HACPS is a national processing system to support SSA’s disability case hearings and appeals process. SSA began developing HACPS in October 2017 and deployed the system in May 2022. Starting in fiscal year 2023, SSA began requiring all hearing offices and national hearing centers to use HACPS to manage appeals cases and schedule hearings. SSA plans to improve HACPS scheduling and reporting capabilities. SSA has spent about $171 million on HACPS through fiscal year 2024 and expects to complete the investment in September 2026.
For each of the three selected investments, we reviewed and analyzed required documentation identified in SSA’s ITIP guidance for tracking investment progress and value. These included investment proposals; documentation on planned and actual costs; analyses of return on investment; information on identified performance measures, and value realization status reports. We compared these documents with SSA’s ITIP procedures and determined whether (1) the documentation existed, and if so, (2) it contained complete and current information needed for investment oversight.
For both objectives, we met with officials from SSA’s Office of the CIO and its Office of IT Financial Management and Support, whose staff provided demonstrations of two tools they use to track information on investments under development and O&M: ITIP Online and the Investment Management Tool. SSA officials also provided information on the ITIP process and associated roles and responsibilities, including those of the CIO and IT IRB, oversight of investment performance for investments under development and O&M, and current challenges or organizational tradeoffs in managing and overseeing investments. During our review, we also met with the Assistant Deputy Commissioner for Hearing Operations—who also serves as the Disability, Hearings, and Appeals program area lead—to better understand program-level oversight activities for investments under development, how performance measures are identified and used in the value realization process. In April 2025, we met with senior officials from the Office of the CIO to determine the extent to which our findings were affected by any SSA organizational or policy changes introduced since January 2025 by the new administration. We concluded that no changes to our findings were required.
We conducted this performance audit from November 2023 to June 2025, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
GAO Contact
David B. Hinchman, hinchmand@gao.gov.
Staff Acknowledgments
In addition to the contact named above, Sabine Paul (Assistant Director), Heather A. Collins (Analyst in Charge), Joseph Andrews, Alina Budhathoki, Chris Businsky, Gilberto Cotto, Jr., Donna Epler, Erin Godtland, William (Tyler) Hodges, Anh-Thi Le, Evan Nelson Senie, Shannon Murphy, Walter Vance, and Adam Vodraska made significant contributions to this report.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
A. Nicole Clowers, Managing Director, CongRel@gao.gov
General Inquiries
[1]SSA manages three major benefit programs: (1) Old-Age and Survivors Insurance, which provides retirement benefits to eligible older individuals and their families and to survivors of deceased workers; (2) Disability Insurance, which provides benefits to individuals who can no longer work because of physical or mental impairments; and (3) Supplemental Security Income, which provides benefits for aged, blind, or disabled individuals with limited income and resources.
[2]SSA’s annual IT budget includes non-labor costs associated with IT investments; internal labor costs (payroll); and external labor costs (e.g., contractors).
[3]GAO, High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 25, 2025).
[4]For federal IT acquisition reform legislation, see the Federal Information Technology Acquisition Reform Act provisions of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, div. A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014); for federal guidance, see Office of Management and Budget, Circular No. A-11: Preparation Submission, and Execution of the Budget, Section 55—Information Technology Investments (July 25, 2024); Capital Programming Guide v.3.1: Supplement to Office of Management and Budget Circular A-11, Planning, Budgeting, and Acquisition of Capital Assets (July 25, 2024); Circular No. A-130: Managing Information as a Strategic Resource, (July 28, 2016); and Memorandum M-15-14: Management and Oversight of Federal Information Technology (June 10, 2015).
[5]GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO‑04‑394G (Washington, D.C.: Mar. 1, 2004).
[6]According to OMB guidance, a major IT investment is one that requires special management attention because of its importance to the mission or function to the government; has significant program or policy implications; has high executive visibility; has high development, operating, or maintenance costs; has an unusual funding mechanism; or because it is otherwise defined as major by the agency.
[8]FITARA was part of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, div. A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014). FITARA builds upon the Clinger-Cohen Act of 1996, which required agency heads to designate CIOs to lead reforms that would help better manage technology spending, among other things. 44 U.S.C. § 3506, 40 U.S.C. §§ 11312 and 11313.
[9]We have issued numerous reports on agencies’ efforts to address the requirements of FITARA including, GAO, Information Technology: Key Attributes of Essential Federal Mission-Critical Acquisitions, GAO‑20‑249SP (Washington, D.C.: Sept. 8, 2020); and Information Technology: Departments Need to Improve Chief Information Officers’ Review and Approval of IT Budgets, GAO‑19‑49 (Washington, D.C.: Nov. 13, 2018).
[10]OMB has issued guidance for agencies on implementing FITARA, see Office of Management and Budget, Memorandum M-15-14: Management and Oversight of Federal Information Technology (June 10, 2015).
[11]Office of Management and Budget, Circular No. A-130: Managing Information as a Strategic Resource (July 28, 2016).
[12]Office of Management and Budget, Circular No. A-11: Preparation, Submission, and Execution of the Budget, Section 55—Information Technology Investments (Washington, D.C.: July 25, 2024); and Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024).
[14]GAO, Social Security Administration: Improved Planning and Performance Measures Are Needed to Help Ensure Successful Technology Modernization, GAO‑12‑495 (Washington, D.C.: Apr. 26, 2012).
[15]GAO, Social Security Administration: Remote Service Delivery Increased during COVID-19, but More Could Be Done to Assist Vulnerable Populations, GAO‑23‑104650 (Washington, D.C.: Nov. 17, 2022). We noted in our report that only applicants who file concurrently for Disability Insurance and Supplemental Security Income are able to apply online.
[16]GAO, Social Security Administration: Actions Needed to Help Ensure Success of Electronic Verification Service, GAO‑24‑106770 (Washington, D.C.: Sept. 10, 2024).
[17]Social Security Administration, Office of the Inspector General, Audit Report: Legacy Systems Modernization and Movement to Cloud Services (Baltimore, MD: Sept. 26, 2024). This audit was performed by an independent certified public accounting firm; the Office of the Inspector General provided technical and administrative oversight.
[18]We use the term “investments in operations” to collectively refer to investments that are not under development and therefore not subject to SSA’s ITIP. These include investments in O&M, IT infrastructure, cybersecurity, and management; and mission support services for human resources, financial management, and e-government.
[19]Federal Information Technology Acquisition Reform provisions of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, div. A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014); Office of Management and Budget, Circular No. A-11: Preparation, Submission, and Execution of the Budget, Section 55—Information Technology Investments (Washington, D.C.: July 25, 2024), and Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024).
[21]According to its charter, the IT IRB’s voting members include the CIO, Chief Financial Officer, and all Deputy Commissioners and equivalents. In February 2025, SSA closed the Office of Transformation and Office of Civil Rights and Equal Opportunity; each office had a member on the IRB. In addition, in April 2025, senior officials from the Office of the CIO informed us of other organizational changes that will affect the number of members on the board.
[22]Office of Management and Budget, Circular No. A-11: Preparation, Submission, and Execution of the Budget, Section 55—Information Technology Investments (Washington, D.C.: July 25, 2024), and Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024); and GAO‑04‑394G.
[23]Office of Management and Budget, Circular No. A-130: Managing Information as a Strategic Resource (July 28, 2016).
[24]SSA’s value realization process is intended to track investments’ actual value realized against targets throughout the investment lifecycle.
[25]Office of Management and Budget, Circular No. A-11: Preparation, Submission, and Execution of the Budget, Section 55—Information Technology Investments (Washington, D.C.: July 25, 2024); and Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024); and GAO‑04‑394G.
[26]Office of Management and Budget, Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024).
[27]The control phase occurs from system development through implementation, and, as a result, can last many months or years depending on the size and scope of the investment.
[28]Office of Management and Budget, Circular No. A-11: Preparation, Submission, and Execution of the Budget, Section 55–Information Technology Investments (Washington, D.C.: July 25, 2024); and Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024).
[29]Office of Management and Budget, Circular No. A-130: Managing Information as a Strategic Resource (July 28, 2016).
[31]During our review, we did not evaluate SSA’s Special Expense Item procedures or review individual requests for IT resources.
[33]SSA’s ITIP guidance is intended to provide more information for implementing procedures outlined in the CPIC guide. There are four ITIP guidance documents, one for each phase of the process: plan, select, control, and evaluate.
[34]Referred to as “program area reviews,” these meetings are for program area leads to present high-level investment performance information to SSA’s deputy commissioners.
[36]Office of Management and Budget, Capital Programming Guide v. 3.1 (Washington, D.C.: July 25, 2024).
[37]OMB guidance notes that output measures—that is, the resulting activities or products of a program—can be useful, but agencies must make a reasonable connection between outputs and outcomes. Outcomes describe the intended result of carrying out a program or activity.
[38]As previously discussed, SSA’s value realization process is intended to track investments’ actual value realized against targets throughout the investment lifecycle.
[39]See appendix I for full descriptions of these investments.
[40]SSA established a target of five percent improvement in case processing time when examiners use IMAGEN versus when they do not.
[41]For federal IT acquisition reform legislation, see the Federal Information Technology Acquisition Reform Act provisions of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, div. A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014); for federal guidance, see Office of Management and Budget, Circular No. A-11: Preparation Submission, and Execution of the Budget, Section 55—Information Technology Investments (July 25, 2024); Capital Programming Guide v.3.1: Supplement to Office of Management and Budget Circular A-11, Planning, Budgeting, and Acquisition of Capital Assets (July 25, 2024); Circular No. A-130: Managing Information as a Strategic Resource, (July 28, 2016); and Memorandum M-15-14: Management and Oversight of Federal Information Technology (June 10, 2015).
[42]GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO‑04‑394G (Washington, D.C.: Mar. 1, 2004). We also reviewed, but did not use, selected CMMI practices in the areas of governance, managing performance and measurement, and risk. We found that the CMMI practices generally reflected the concepts in GAO’s IT Investment Management framework and OMB guidance. ISACA, CMMI Model V3.0 (Apr. 6, 2023). CMMI Model and ISACA© [2023]. All rights reserved. Used with permission.
[43]According to OMB guidance, a major IT investment is one that requires special management attention because of its importance to the mission or function to the government; has significant program or policy implications; has high executive visibility; has high development, operating, or maintenance costs; has an unusual funding mechanism; or because it is otherwise defined as major by the agency.
[44]At the time of our review, SSA had nine investments under development in the disability major IT area. Collectively, the three investments we selected accounted for about 70 percent of SSA’s IT investments in the disability area for fiscal years 2023 to 2025.
[45]GAO High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 25, 2025).
[46]According to agency documentation, SSA deployed DCPS2 to all state disability determination service centers and related federal sites, replacing all independently operated legacy systems. SSA documents state that they spent about $255 million on DCPS2 from fiscal year 2015 to fiscal year 2022.