Skip to main content
(G A O website.)

VETERANS AFFAIRS:

Action Needed to Address Continuing IT Management Challenges

Statement of Carol C. Harris, Director, Information Technology and Cybersecurity

GAO-25-107963. Published: Dec 12, 2024. Publicly Released: Dec 11, 2024.

VETERANS AFFAIRS

Action Needed to Address Continuing IT Management Challenges

Statement of Carol C. Harris, Director,
Information Technology and Cybersecurity

Testimony

Before the Subcommittee on Technology Modernization, Committee on Veterans' Affairs, House of Representatives

For Release on Delivery Expected at 8:00 a.m. ET

Thursday, December 12, 2024

GAO-25-107963

United States Government Accountability Office

Highlights

For more information, contact Carol C. Harris at (202) 512-4456 or HarrisCC@gao.gov.

Highlights of GAO-25-107963, a testimony before the Subcommittee on Technology Modernization, Committee on Veterans' Affairs, House of Representatives

December 12, 2024

VETERANS AFFAIRS

Action Needed to Address Continuing IT Management Challenges

Why GAO Did This Study

VA depends on critical IT systems to manage benefits and provide care to millions of veterans and their families.  The department’s investment in IT is substantial—VA obligated about $21 billion in fiscal years 2022 through 2024 for a range of IT products, systems, and services.

Due in part to its IT challenges, in 2015, GAO added VA health care to its High-Risk List and in 2019 added VA acquisition management. GAO has conducted numerous reviews of VA IT management. GAO has also reported on critical factors leading to successful IT acquisitions.

GAO was asked to testify on (1) VA’s acquisition and management of IT and (2) critical factors leading to successful IT acquisitions. GAO summarized its recent reports on VA IT issues. It also followed up on the status of the implementation of relevant recommendations. In addition, GAO summarized its prior report on critical success factors.

What GAO Recommends

GAO has made a total of 20 recommendations in recent reports to improve VA’s IT acquisitions and management. These recommendations address health care and financial management systems, IT governance, and IT procurement. VA agreed with all 20 recommendations but has not yet implemented them.

What GAO Found

GAO has previously reported on the challenges and setbacks that the Department of Veterans Affairs (VA) has experienced in acquiring major IT systems.

·         After three unsuccessful attempts between 2001 and 2018, the department undertook a fourth effort—the Electronic Health Record Modernization program—to modernize its legacy health information system. In 2020, VA began implementing this new system. However, in 2023, VA announced it was halting further deployments and instead was prioritizing making improvements at the five sites using the system. VA’s surveys had shown that users were dissatisfied with the system. Specifically, about 79 percent (1,640 of 2,066) of users disagreed that the system enabled quality care. In its 2023 report, GAO made 10 recommendations to VA in areas such as user satisfaction, system trouble reports, and change management. VA concurred with all 10 recommendations but has yet to implement them.  

·         In 2016, VA established its Financial Management Business Transformation initiative, its third attempt to replace aging financial and acquisition systems with one integrated system. In 2021, GAO reported that full implementation of the new system was not expected until 2027 at a 10-year life cycle cost of $2.98 billion. As GAO reported in July 2024, full implementation was moved to 2030 and estimated life cycle costs were escalated to $7.7 billion. GAO’s 2021 and 2024 reports made a total of three recommendations to VA on cost and schedule estimating and its efforts to manage risks. VA has not yet implemented these recommendations.

GAO has also made numerous recommendations on VA’s IT governance, software licenses, and cloud computing. However, none of these have been implemented yet. Implementation is pivotal to remedying VA’s weaknesses.

To help agencies deliver results with their IT initiatives, GAO previously reported on the critical factors that led to successful IT acquisitions across the federal government.

Common Critical Success Factors

Program officials were actively engaged with stakeholders.

Program staff had the necessary knowledge and skills.

Senior department and agency executives supported the programs.

End users and stakeholders were involved in the development of requirements.

End users participated in testing of system functionality prior to formal end user acceptance testing.

Government and contractor staff were stable and consistent.

Program staff prioritized requirements.

Program officials maintained regular communication with the prime contractor.

Programs received sufficient funding.

Source: GAO analysis of agency data.  |  GAO-24-107963

Consideration of these critical factors, along with leading practices in iterative product delivery, could help VA achieve successful IT acquisitions. Many of GAO’s recommendations are consistent with these critical success factors.

Letter

 

Chairman Rosendale, Ranking Member Cherfilus-McCormick, and Members of the Subcommittee:

Thank you for the opportunity to discuss our work on the challenges that the Department of Veterans Affairs (VA) faces as it works to improve its IT capabilities. As you know, VA depends on critical underlying IT systems to manage benefits and provide care to millions of veterans and their families. The department operates and maintains an IT infrastructure that is intended to provide the backbone necessary to meet the day-to-day operational needs of its medical centers, veteran-facing systems, benefits delivery systems, memorial services, and all other systems supporting the department’s mission. As a result, according to the Federal Procurement Data System (FPDS), VA has obligated over $21 billion on contracts to procure a range of IT products, systems, and services between fiscal years 2022 and 2024.[1]

We and VA’s Office of Inspector General (OIG) have reported on VA’s challenges with managing its major IT acquisitions, including its financial management system and electronic health record modernization initiatives, which have experienced schedule delays.[2] In 2015, we added Managing Risks and Improving VA Health Care (VA Health Care) to our High-Risk List because of system-wide challenges, including major modernization initiatives.[3] We also added VA Acquisition Management to our High-Risk List in 2019 due to, among other things, challenges with managing its acquisition workforce and inadequate strategies and policies.[4] Both remain high-risk areas.[5]

In addition, we added Improving the Management of IT Acquisitions and Operations to our list of high-risk areas in 2015.[6] We added this area because federal IT investments were too frequently failing or incurring cost overruns and schedule slippages while contributing little to mission-related outcomes. For example, we reported that the federal government had spent billions of dollars on failed IT investments, including at VA.[7] This area also remains high-risk.[8]

In this statement, I will summarize our prior reports on (1) VA’s acquisition and management of IT and (2) critical factors leading to successful IT acquisitions.

In developing this testimony, we reviewed our recently issued reports on VA’s efforts to modernize systems, to address legislation and federal guidance, and to address our biennial high-risk series. We also incorporated information on the department’s actions in response to recommendations we made in our previous reports. In addition, we reviewed our past reports on leading acquisition practices. The reports cited throughout this statement include detailed information on the scope and methodologies.[9]

We conducted the work on which this statement is based in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We conducted our related work on iterative development leading practices from August 2022 to July 2023 in accordance with all sections of GAO’s Quality Assurance Framework that are relevant to our objectives. The framework requires that we plan and perform the engagement to obtain sufficient and appropriate evidence to meet our stated objectives and to discuss any limitations in our work. We believe that the information and data obtained, and the analysis conducted, provide a reasonable basis for any findings and conclusions in this product.

Background

Over the last three decades, Congress has enacted several laws to help federal agencies improve the management of IT investments. In addition, the federal government has also undertaken multiple initiatives to address persistent issues with IT acquisitions and operations. For example:

·         The Clinger-Cohen Act of 1996 requires agency heads to appoint chief information officers (CIO) and specifies many of their responsibilities with regard to IT management.[10] Among other things, CIOs are responsible for implementing and enforcing applicable government-wide and agency IT management principles, standards, and guidelines and assuming responsibility and accountability for IT investments. In addition, CIOs of covered agencies such as VA are also responsible for monitoring the performance of IT programs and advising the agency head whether to continue, modify, or terminate such programs.[11]

·         In December 2014, Congress enacted IT acquisition reform legislation, commonly referred to as the Federal Information Technology Acquisition Reform Act or FITARA.[12] FITARA was intended to enable Congress to monitor covered agencies’ increased efficiency and effectiveness of IT investments, as well as for holding agencies accountable for reducing duplication and achieving cost savings. FITARA, among other things, required VA and other covered executive branch agencies to improve their IT acquisitions by requiring CIO involvement in these acquisition processes.[13] One way that the law enhances the authority of covered agency CIOs is by requiring them to review and approve contracts for IT. Specifically, FITARA requires that agency CIOs review and approve IT contracts prior to award, unless that contract is associated with a non-major investment.[14]

·         The Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act of 2016 further enhanced CIOs’ ability to manage software licenses. The act required agency CIOs to establish an agency software licensing policy and a comprehensive software inventory to track and maintain licenses, among other requirements.[15] In accordance with the MEGABYTE Act requirements, in June 2016, the Office of Management and Budget (OMB) issued a memorandum that provided software license management guidance to covered agencies.[16]

·         VA’s FITARA approval process guidance from August 2020 requires the CIO or other authorized representative to review the acquisition strategies of VA’s IT and IT-related procurements prior to solicitation and contract award.[17] This process is intended to ensure that the CIO has visibility into and accountability over all IT across the department. If the estimated costs are at least $15 million, the CIO is responsible for the FITARA review. For acquisitions with estimated total contract lifecycle costs under $15 million, VA guidance allows the CIO to delegate the FITARA review and approval to another appropriate official.

VA Requested about $6 Billion for IT in Fiscal Year 2025

Since 2007, VA has been operating a centralized organization, the Office of Information and Technology, in which most key functions intended for effective management of IT are performed. This office is led by the Assistant Secretary for Information and Technology, also known as VA’s CIO. It is responsible for providing strategy and technical direction, guidance, and policy related to how IT resources are to be acquired and managed for the department. It also is responsible for working with its business partners—such as the Veterans Health Administration—to identify and prioritize business needs and requirements for IT systems. Further, the Office of Information and Technology has responsibility for managing the majority of VA’s IT-related functions.

VA’s budget request for fiscal year 2025 is about $6.2 billion in total for the Office of Information and Technology, which includes over $4.5 billion for operations and maintenance, nearly $1.7 billion for staffing and administrative support, and about $960,000 for new development.[18] Included in the 2025 budget request are several key areas:

·         $134.5 million for infrastructure readiness,

·         $97.8 million for supply chain management, and

·         $51.9 million for the Financial Management Business Transformation (FMBT) program.

In addition to the requested funding for VA’s Office of Information and Technology, VA’s budget request included a separate funding request of approximately $894 million for the Electronic Health Record Modernization (EHRM) program, one of VA’s significant IT modernization efforts. This amount included approximately:

·         $375.0 million for the electronic health record contract,

·         $191.1 million for infrastructure support, and

·         $327.9 million for program management.

VA Has Historically Faced Challenges in Its Efforts to Modernize IT Systems

VA has experienced longstanding challenges in managing its IT projects and programs, raising questions about the efficiency and effectiveness of its operations and its ability to deliver intended outcomes needed to help advance the department’s mission. In particular, efforts to modernize VA’s existing health information system and its financial and acquisition management systems have been particularly challenging.

·         VA’s existing health information system is the Veterans Health Information Systems and Technology Architecture (VistA), which includes the department’s legacy electronic health record (EHR) system, to manage health care for its patients. VistA, which has been in operation for more than 30 years, is technically complex, costly to maintain, and does not fully support the need to exchange health data with other organizations, such as Department of Defense (DOD) and private health care providers.

We have reported on a patchwork of initiatives undertaken to improve interoperability (i.e., the ability to exchange and use electronic health information) and modernize electronic health records across the department.[19] For example, VA has pursued four efforts over two decades to modernize VistA.[20] The first three efforts—HealtheVet, the integrated Electronic Health Record (iEHR), and VistA Evolution—reflect varying approaches that the department considered between 2001 and 2018 to achieve a modernized electronic health record system. However, these approaches were abandoned due to concerns about project planning, high costs, and taking too long to deliver capabilities. EHRM is the fourth and current effort in progress.

·         VA’s core financial system is approximately 30 years old and is not integrated with other relevant IT systems, which results in inefficient operations and requires complex manual work-arounds. Further, it does not provide real-time integration between financial and acquisition information across VA.

We and the VA OIG have reported on VA’s efforts to replace its legacy system.[21] Two previous attempts to replace this legacy system—the Core Financial and Logistics System (CoreFLS) and the Financial and Logistics Integrated Technology Enterprise (FLITE)—failed after years of development and hundreds of millions of dollars in cost. The current approach is implementing the Integrated Financial and Acquisition Management System (iFAMS). These three efforts reflect varying approaches that the department has taken to achieve modernized financial management and acquisition systems. They also reflect the department’s weaknesses that were identified in project management and cost and schedule estimating.

We have previously reported on these and other IT management challenges at the department that have resulted in delays, restarts, and substantial cost increases for these large investments with much work remaining. Challenges have also led to project terminations without delivering intended improvements.[22]

VA’s Management of IT Has Contributed to Its High-Risk Designations

In our most recent update about the High-Risk List from April 2023, we concluded that VA had continued to face system-wide challenges in managing its health care.[23] With respect to IT challenges, VA made progress in the area of leadership commitment by establishing governance structures for major IT efforts including electronic health record and financial management modernization. However, the department has only partially met the remaining criteria used to assess progress (capacity, action plan, monitoring, demonstrated progress).[24] For example, VA’s action plan included some actions, milestones, and measures to show progress toward reaching its goals; however, it lacked certain details such as corrective actions, milestones, or performance measures related to deploying its EHR system.

Recent GAO Reports Highlighted VA’s Challenges with Modernizing and Managing Its IT

We have issued a number of reports that discuss challenges that VA has faced over many years in its efforts to modernize its IT systems and improve its IT management. These include challenges with modernizing its health information system, replacing its financial and acquisition management systems, procuring IT-related assets and activities consistent with FITARA, tracking software licenses, and implementing five key cloud computing procurement requirements.

Efforts to Replace VistA Continue to Be Affected by Management Issues

The fourth and current initiative began in June 2017 when VA initiated the EHRM program to replace VistA. According to the Secretary, this fourth modernization initiative is intended to minimize customization and system differences that currently exist within the department’s medical facilities and ensure the consistency of processes and practices within VA and DOD. VA awarded an EHRM contract in May 2018 for a maximum of approximately $10 billion over 10 years and began to acquire the same Oracle Health system as DOD.[25] VA’s contract also includes requirements for Oracle Health to:

·         conduct reviews and assessments of medical facilities to determine facility needs prior to deployment (e.g., technology infrastructure);

·         provide services, including project management, change management, training, and testing; and

·         host and deploy EHRM across the VA enterprise.

As part of this large acquisition program, VA began deployment of the new EHR at the Mann-Grandstaff VA Medical Center in October 2020. However, the department identified issues with the initial deployment, which led to a strategic review of the program. The strategic review identified eight challenge areas for EHRM, as well as plans and progress towards addressing these challenges.[26] After the review, VA deployed the new system to four additional locations:

·         Jonathan M. Wainwright Memorial VA Medical Center (Walla Walla) in March 2022,

·         VA Central Ohio Health Care System (Columbus) in April 2022, and

·         Roseburg VA Health Care System and VA Southern Oregon Rehabilitation Center and Clinics (White City) in June 2022.[27]

In June 2022, VA announced that it would be pausing future deployments of the system until 2023 to allow time for improvements to the system. Subsequently, in October 2022, VA delayed deployments to address technical and other system performance issues. In April 2023, VA announced that it planned to halt future deployments of the new EHR system to prioritize making improvements at the five initial sites using the system.

VA reported obligating about $9.42 billion on EHRM from fiscal year 2018 through the first quarter of fiscal year 2023 with few deployments complete. Additional deployments will not resume until the department is confident that the new EHR system is effectively functioning at the deployed sites.

In May 2023, we reported that the EHRM program had not fully implemented change management activities consistent with leading practices.[28] In addition, most users had expressed dissatisfaction with the new system. Specifically, VA’s 2021 and 2022 surveys showed that users were not satisfied with the system’s performance or training. About 79 percent (1,640 of 2,066) of users disagreed or strongly disagreed that the system enabled quality care. In addition, about 89 percent (1,852 of 2,074) of users disagreed or strongly disagreed that the system made them as efficient as possible. Further, VA has not established targets (i.e., goals) to assess user satisfaction and did not adequately identify and resolve system issues within timeliness goals. The department also did not conduct an independent operational assessment consistent with leading software verification and validation practices.

Accordingly, we made 10 recommendations to VA to address these issues on change management, user satisfaction, resolution of system trouble tickets, and independent operational assessment deficiencies. VA concurred with all 10 recommendations but has yet to implement them. We continue to monitor these open recommendations to ensure the department is well positioned when it resumes deployments at future sites. We also have ongoing work to determine the progress VA has made to improve the EHR system at the initial deployment sites and to describe user feedback on the system.

VA’s Financial Management Business Transformation Program Should Improve Plans to Mitigate Risk

In 2016, VA established FMBT, the department’s third attempt to replace its aging financial and acquisition systems with one integrated system—iFAMS—to meet financial management goals and requirements. iFAMS is to allow the department to track and report how funds are used to deliver benefits, care, and services.

In March 2021, we reported that the program had begun implementing the first deployment of certain capabilities of iFAMS at the National Cemetery Administration on November 9, 2020.[29] Full implementation of iFAMS across all of VA was not expected until 2027, at an estimated 10-year life cycle cost of $2.98 billion.

We stressed in our March 2021 report that following IT management best practices on major transformation efforts, such as the FMBT program, can help build a foundation for ensuring responsibility, accountability, and transparency. We found that VA had generally met such practices for program governance, Agile project management, and testing and defect management. However, the department had not fully met certain best practices for developing and managing cost and schedule estimates for iFAMS.

Reliable cost and schedule estimates provide a road map for project execution and are critical elements to delivering large-scale IT systems. Without reliable estimates, VA management may not have the information necessary for informed decision-making. Further, following cost and schedule best practices helps minimize the risk of cost overruns and schedule delays and would better position the FMBT program for effective and successful implementation on future deployments. Consequently, we made two recommendations in our March 2021 report to VA. Specifically, we recommended that VA ensure that the FMBT program’s cost and schedule estimates were consistent with IT management best practices. VA concurred with the recommendations, but the department has yet to implement them.

Further, we recently reported in July 2024 that FMBT’s total life cycle cost estimates have continued to grow from an estimated $2.5 billion in 2019 to $7.7 billion in 2023.[30] A large part of the estimated increase is due to an expansion of the time period covered (from 14 to 32 years) to include system support costs throughout its useful life. Thus, the program’s cost estimate now extends through the end of fiscal year 2047. As of April 2024, the targeted date for full implementation is 2030. However, we previously reported that this date is questionable due to changes in requirements and schedule delays dependent upon integration with other paused or delayed VA IT modernization efforts.[31] Further, we identified 11 risks and two issues on FMBT management’s risk register about iFAMS integration with EHRM, Supply Chain Modernization efforts, and Veterans Benefits Management Systems. We found that FMBT’s risk response plans did not include specific, detailed actions for most of the identified risks and issues related to iFAMS integration with these other major systems.

Integration risk response plans that do not include detailed, specific actions increase the risk that a program will not timely identify and take appropriate action to mitigate its identified risks and exposes the program to potential delays and additional costs. We recommended that VA ensure that risk owners related to the FMBT program develop integration risk response plans that contain detailed and specific mitigation actions. VA concurred with the recommendation but has yet to implement it. We continue to monitor the program’s progress on the total of three recommendations made in this area.

VA’s IT-Related Assets and Activities Were Not Consistently Procured with CIO Approval

As previously mentioned, VA’s FITARA approval process guidance requires the CIO or other authorized representative to review and approve all IT and IT-related acquisition strategies prior to solicitation and contract award. CIO approval processes may be used to increase the CIO’s visibility into the agency’s IT assets and activities. If this process is applied inconsistently across IT procurements, however, the CIO’s opportunity to provide input on current and planned IT acquisitions and programs would be constrained, increasing risk. Consequently, this lack of visibility could result in IT contract actions that are duplicative or poorly conceived.

In March 2023, we reported that VA procured IT and IT-related assets and activities that were often not approved by its CIO.[32] Specifically, VA awarded 11,644 new contract actions categorized as IT between March 2018 and the end of fiscal year 2021. VA did not provide evidence of CIO approval for 4,513 (or 39 percent) of these contract actions.

Our further review of 26 selected IT contract actions from fiscal year 2021 found that 12 had documentation showing approval by appropriate agency officials at the required level of authority. The remaining 14 contract actions lacked CIO approval documentation.

Full visibility into the procurement of VA’s IT assets and activities will help to ensure that the CIO is able to provide input on current and planned IT acquisitions. According to VA officials, their contracting systems lack an automated control that would remind contracting officers of CIO review and approval requirements. Accordingly, we recommended that VA implement automated controls into relevant contracting systems to help ensure that IT and IT-related assets and activities are appropriately identified for VA’s approval process. The department agreed with our recommendation, but it has not yet reported progress.

VA Did Not Determine Over- or Under-Purchasing of Widely Used Software Licenses

Each year, the federal government spends more than $100 billion on IT and cyber-related investments, including the purchase of software licenses. Federal agencies, including VA, annually purchase thousands of software licenses from vendors. Key activities for assessing the appropriate number of software licenses are (1) tracking licenses currently in use and (2) regularly comparing the inventory of software licenses currently in use to purchase records. Conducting such activities can help avoid purchasing too many licenses—referred to as over-purchasing—or purchasing too few licenses that may result in additional fees—referred to as under-purchasing.

In January 2024,[33] we reported that VA had not fully determined the over- or under-purchasing of its widely used software licenses as of October 2023.[34] Specifically, for the five most widely used software licenses, the agency provided screenshots of count data by product, but it did not provide documentation of tracking the appropriate number of licenses for each item of software currently in use. In addition, VA did not compare software licenses purchased with licenses that were currently in use, and thus, had not determined if it had over- or under-purchased these licenses. Until VA consistently tracks their software licenses that are currently in use and compares their inventories of software licenses with known purchases, they are likely to miss opportunities to reduce costs on duplicative or unnecessary licenses. Accordingly, we made two recommendations to VA to consistently track software license usage and compare their inventories with purchased licenses. VA concurred with our recommendations, but it has not yet implemented them.

VA Did Not Address All Cloud Computing Procurement Requirements

Purchasing IT services through a cloud service provider enables agencies to avoid paying directly for all the computing resources that would typically be needed to provide such services. As such, cloud computing offers federal agencies a means to buy services more quickly and possibly at a lower cost than building, operating, and maintaining these computing resources themselves. Along with its potential to transform agencies’ use of IT, cloud computing also presents specific challenges that may impede agencies’ ability to realize the full benefits of cloud-based solutions.

In our September 2024 government-wide review on cloud computing procurement, we found that VA fully addressed two of the five cloud computing procurement requirements established by OMB.[35] Specifically, we analyzed whether VA had established policies and guidance that addressed the five key cloud computing procurement requirements that help ensure successful cloud implementation.

VA addressed the requirements related to ensuring the agency’s CIO oversaw modernization, as well as iteratively improving agency policies and guidance. VA’s guidance also partially addressed OMB’s requirement for having cloud service level agreements in place. However, VA did not have guidance in place that addressed the requirements for standardizing cloud contract service level agreements and ensuring continuous visibility in high value asset contracts. Accordingly, we made four recommendations to VA to address the three requirements, and VA concurred with our recommendations. The four recommendations remain open.

Considering Leading Practices Could Better Position VA’s Major Acquisitions for Success

Given the magnitude of VA’s annual IT budget and the challenges that we have identified above, it is important that the department consider all available opportunities to ensure that its IT investments are acquired in the most effective manner possible. We have previously reported on a number of critical factors that can be employed to help ensure the success of major IT acquisitions. In addition, we have reported on the value of iterative development as a leading practice for accelerating the delivery of results in complex acquisitions and enabling outcomes that better meet users’ most critical needs. These practices serve as the basis for many of our current recommendations to improve federal agencies’ critical initiatives. As such, VA can rely on these and other leading acquisition practices, such as the use of project management controls for cost, schedule, risk management, and incremental development.

GAO Identified Common Critical Factors for Successful Acquisitions

In 2011, we identified seven successful acquisitions and nine common factors critical to their success.[36] We noted that (1) the factors support OMB’s objective of improving the management of large-scale IT acquisitions across the federal government and (2) wide dissemination of these factors could complement OMB’s efforts. Specifically, we reported that the seven successful acquisitions were those that best achieved their respective cost, schedule, scope, and performance goals.[37] Notably, all of these were smaller increments, phases, or releases of larger projects. The common factors critical to the success of three or more of the seven acquisitions are generally consistent with those developed by private industry and are identified in table 1.

Table 1: Common Critical Success Factors

Program officials were actively engaged with stakeholders.

Program staff had the necessary knowledge and skills.

Senior department and agency executives supported the programs.

End users and stakeholders were involved in the development of requirements.

End users participated in testing of system functionality prior to formal end user acceptance testing.

Government and contractor staff were stable and consistent.

Program staff prioritized requirements.

Program officials maintained regular communication with the prime contractor.

Programs received sufficient funding.

Source: GAO analysis of agency data.  |  GAO‑25‑107963

These critical success factors will not necessarily ensure that organizations will successfully acquire IT systems because many factors contribute to that outcome. Nonetheless, these critical factors support the objective of improving the management of large-scale IT acquisitions and increase the potential for achieving more IT acquisition efficiencies.

GAO has Reported on the Value of Using Iterative Development for Complex Acquisitions

Congress has expressed continuing interest in monitoring and improving federal IT investments, which are often developed in long, sequential phases. Additionally, OMB has emphasized the need for agencies to deliver investments in smaller increments to reduce risk and deliver capabilities more quickly. For example, one approach for iterative development is Agile software development, which has been adopted by many federal agencies including VA. Our regular assessments of major federal acquisition programs continue to find that programs often take significantly longer, cost more than initially estimated, and in some cases, fail to deliver promised capability to end users—and VA is certainly no exception.[38]

As we reported in July 2023, we have found that leading companies use an iterative approach to rapidly develop complex products with hardware and software components that are relevant and responsive to their users’ most critical needs.[39] This process of iterative development is structured around continuous cycles of design modeling and simulation, validation, and delivery. Through this process, product teams engage in continuous user engagement and testing to refine a product’s design, until they arrive at a minimum viable product—one with the initial set of capabilities needed for users to recognize value.[40] After delivery of these capabilities, companies solicit feedback from users to inform development of the next set of capabilities. This iterative approach not only increases agility and enables rapid delivery, but it also ensures product capabilities remain effective and relevant to users’ evolving needs. The value of iterative development is a lesson VA and other federal agencies can take from leading companies.

As the systems and capabilities the government seeks to acquire become increasingly complex, VA and other agencies risk being caught unprepared with antiquated acquisition structures and business processes that are ill-equipped to meet changing demands. To avoid this outcome, we have previously recommended that several agencies, including the Department of Defense, the Department of Homeland Security, and the National Aeronautics and Space Administration, update their acquisition policies to fully incorporate our leading practices.[41] These recommendations, and agencies’ ongoing efforts to implement them, provide an additional blueprint for VA as it charts a path forward for its modernization efforts.

In conclusion, the challenges facing VA have resulted in delayed and costly modernization initiatives that have yet to deliver on promised system improvements. Additionally, the department has been challenged in improving its IT governance and procurement processes. Improving these processes would provide greater transparency and cost saving opportunities. Considering critical success factors, along with leading practices in iterative product delivery, could help VA better manage its large, critical IT acquisitions.

We have made 20 recommendations to VA in the reports summarized in this testimony. As of today, VA has not implemented any of the 20 recommendations. If the department continues to experience the challenges that we have previously identified and does not take actions to address our recommendations, it may jeopardize its ability to effectively support its IT programs and provide critical services to veterans.

Chairman Rosendale, Ranking Member Cherfilus-McCormick, and Members of the Subcommittee, this concludes my prepared statement. I would be happy to answer any questions that you may have at this time.

GAO Contact and Staff Acknowledgments

If you or your staff have any questions about this testimony, please contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement.

GAO staff who made key contributions to this testimony include Jennifer Stavros-Turner (Assistant Director), Meredith Raymond (Analyst-in-Charge), Suellen Foth, Donna Epler, Anh-Thi Le, Teague Lyons, and Scott Pettis.

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, X, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact FraudNet:

Website: https://www.gao.gov/about/what-gao-does/fraudnet

Automated answering system: (800) 424-5454 or (202) 512-7700

Congressional Relations

A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Sarah Kaczmarek, Managing Director, KaczmarekS@gao.gov, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548

Strategic Planning and External Liaison

Stephen J. Sanford, Managing Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington, DC 20548



[1]FPDS is the federal government’s central database of information on federal procurement actions. Agencies are generally required to report contract actions to FPDS. See 41 U.S.C. § 1122, 1712. See also, Federal Funding Accountability and Transparency Act of 2006, Pub. L. No. 109-282, 31 U.S.C. § 6101 note. According to the August 2024 FPDS Government User’s Manual, FPDS can identify who bought what, from whom, for how much, when, and where.

[2]For examples of GAO’s past reports in this area, see: GAO, Financial Management Systems: VA Should Improve Its Risk Response Plans, GAO‑24‑106858 (Washington, D.C.: July 23, 2024); Electronic Health Records: VA Needs to Address Management Challenges with New System, GAO‑23‑106731 (Washington, D.C.: May 18, 2023); VA Financial Management System: Additional Actions Needed to Help Ensure Success of Future Deployments, GAO‑22‑105059 (Washington, D.C.: Mar. 24, 2022); and Electronic Health Records: VA Needs to Address Data Management Challenges for New System, GAO‑22‑103718 (Washington, D.C.: Feb. 1, 2022). For examples of the VA Office of Inspector General’s past reports in this area, see: Department of Veterans Affairs, Office of Inspector General, VA Needs to Strengthen Controls to Address Electronic Health Record System Major Performance Incidents, Report #22-03591-231 (Sept. 23, 2024); Lessons Learned for Improving the Integrated Financial and Acquisition Management System’s Acquisition Module Deployment, Report #23-00151-117 (July 10, 2024); and Improvements Needed in Integrated Financial and Acquisition Management System Deployment to Help Ensure Program Objectives Can Be Met, Report #21-01997-69 (Mar. 28, 2023).

[3]VA’s IT issues were highlighted in our 2015 high-risk report and subsequent high-risk reports. See GAO, High-Risk Series: An Update, GAO‑15‑290 (Washington, D.C.: Feb. 11, 2015); High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, GAO‑17‑317 (Washington, D.C.: Feb. 15, 2017); High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO‑19‑157SP (Washington, D.C.: Mar. 6, 2019); High-Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas, GAO‑21‑119SP (Washington, D.C.: Mar. 2, 2021); and High-Risk Series: Efforts Made to Achieve Progress Need to Be Maintained and Expanded to Fully Address All Areas, GAO‑23‑106203 (Washington, D.C.: Apr. 20, 2023).

[5]GAO, High-Risk Series: Efforts Made to Achieve Progress Need to Be Maintained and Expanded to Fully Address All Areas, GAO‑23‑106203 (Washington, D.C.: Apr. 20, 2023).

[7]GAO, Information Technology: Management Improvements Are Essential to VA’s Second Effort to Replace Its Outpatient Scheduling System, GAO‑10‑579 (Washington, D.C.: May 27, 2010) and Information Technology: Actions Needed to Fully Establish Program Management Capability for VA’s Financial and Logistics Initiative, GAO‑10‑40 (Washington, D.C.: Oct. 26, 2009).

[9]GAO, Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements, GAO‑24‑106137 (Washington, D.C.: Sept. 10, 2024); Financial Management Systems: VA Should Improve Its Risk Response Plans, GAO‑24‑106858 (Washington, D.C.: July 23, 2024);  Federal Software Licenses: Agencies Need to Take Action to Achieve Additional Savings, GAO‑24‑105717 (Washington, D.C.: Jan. 29, 2024); Leading Practices: Iterative Cycles Enable Rapid Delivery of Complex, Innovative Products, GAO‑23‑106222 (Washington, D.C.: July 27, 2023); Electronic Health Records: VA Needs to Address Management Challenges with New System, GAO‑23‑106731 (Washington, D.C.: May 18, 2023); IT Management: VA Needs to Improve CIO Oversight of Procurements. GAO‑23‑105719 (Washington, D.C.: Mar. 30, 2023); Leading Practices: Agency Acquisition Policies Could Better Implement Key Product Development Principles, GAO‑22‑104513 (Washington, D.C.: Mar. 10, 2022); Veterans Affairs: Ongoing Financial Management System Modernization Program Would Benefit from Improved Cost and Schedule Estimating, GAO‑21‑227 (Washington, D.C.: Mar. 24, 2021); and Information Technology: Critical Factors Underlying Successful Major Acquisitions, GAO‑12‑7 (Washington, D.C.: Oct. 21, 2011).

[10]The requirement for agencies to designate a CIO is codified at 44 U.S.C. § 3506(a)(2)(A). See also 40 U.S.C. § 11315, Agency Chief Information Officer.

[11]40 U.S.C. § 11315(c).

[12]Federal Information Technology Acquisition Reform provisions of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).

[13]The provisions apply to VA and the other agencies covered by the Chief Financial Officers Act of 1990, 31 U.S.C. § 901(b). However, FITARA has generally limited application to the Department of Defense. The 24 Chief Financial Officers Act of 1990 agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Justice, Labor, State, the Interior, the Treasury, Transportation, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; the Social Security Administration; and the U.S. Agency for International Development.

[14]According to the Office of Management and Budget (OMB), a major IT investment is a system or an acquisition requiring special management attention because it has significant importance to the mission or function of the government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; an unusual funding mechanism; or is defined as major by the agency’s capital planning and investment control process. In contrast, OMB states that non-major investments are those that do not meet the criteria of major IT investments.

[15]Pub. L. No. 114-210, 130 Stat. 824 (July 29, 2016), codified at 40 U.S.C. § 11302 note.

[16]Office of Management and Budget, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, M-16-12 (Washington, D.C.: June 2, 2016).

[17]Department of Veterans Affairs, Federal Information Technology Acquisition Reform Act: Acquisition Compliance Standard Operating Procedure (Washington, D.C.: Aug. 6, 2020).

[18]U.S. Department of Veterans Affairs FY 2025 Budget Submission, Information Technology Programs and Electronic Health Record Modernization Vol. 5 of 5, March 2024.

[19]GAO‑23‑106731; GAO‑22‑103718; GAO, Electronic Health Records: VA Has Made Progress in Preparing for New System, but Subsequent Test Findings Will Need to Be Addressed, GAO‑21‑224 (Washington, D.C.: Feb. 11, 2021); Electronic Health Records: Ongoing Stakeholder Involvement Needed in the Department of Veterans Affairs’ Modernization Effort, GAO‑20‑473 (Washington, D.C.: June 5, 2020); Electronic Health Records: VA Needs to Identify and Report System Costs, GAO‑19‑125 (Washington, D.C.: July 25, 2019); VA Health IT Modernization: Historical Perspective on Prior Contracts and Update on Plans for New Initiative, GAO‑18‑208 (Washington, D.C.: Jan. 18, 2018); and Electronic Health Records: Outcome-Oriented Metrics and Goals Needed to Gauge DOD’s and VA’s Progress in Achieving Interoperability, GAO‑15‑530 (Washington, D.C.: Aug. 13, 2015).

[21] VA OIG, Issues at VA Medical Center Bay Pines, Florida and Procurement and Deployment of the Core Financial and Logistics System (CoreFLS), 04-01371-177 (Washington, D.C.: Aug. 11, 2004); GAO‑10‑40 and VA OIG, Audit of the FLITE Strategic Asset Management Pilot Project, 09-03861-238 (Washington, D.C.: Sept. 14, 2010); GAO‑24‑106858, and GAO‑22‑105059.

[22]For example, VA’s Scheduling Replacement Project was terminated in September 2009 after spending an estimated $127 million over 9 years. See GAO‑10‑579.

[24]GAO uses five criteria to assess progress in addressing high-risk areas: (1) leadership commitment, (2) agency capacity, (3) an action plan, (4) monitoring efforts, and (5) demonstrated progress.

[25]VA contracted with Cerner Government Services, Inc. for the department’s new EHR system in May 2018. Subsequently, in June 2022, Cerner Government Services, Inc. was acquired by Oracle Corporation and began formally identifying itself as Oracle Health, which is the name we use throughout this report.

[26]VA summarized the results of its strategic review in the Electronic Health Record Comprehensive Lessons Learned report. Department of Veterans Affairs, Electronic Health Record Comprehensive Lessons Learned (Washington, D.C.: July 2021). The eight challenge areas described in the report are improving the veteran experience, ensuring patient safety, providing extended training to the frontline employees, building confidence at VA sites, implementing organizational and program improvements, making governance effective, improving operational efficiencies, and centralizing data management for workers and veterans.

[27]These sites are within the Veterans Health Administration’s Veterans Integrated Services Network 20 (VISN 20) and VISN 10. The Veterans Health Administration is divided into areas called Veterans Integrated Services Networks (VISNs). There are currently 18 VISNs throughout the Veterans Health Administration based on geographic location. VISNs provide oversight and guidance to the VA Medical Centers and VA Health Care Systems within their area and are sometimes called a “network.” VISN 20 includes medical centers and community-based outpatient clinics in the states of Alaska, Washington, Oregon, most of Idaho, and one county each in Montana and California. VISN 10 serves veterans in the Ohio, Indiana, and Michigan areas.

[31]For instance, the Supply Chain Modernization project was intended to provide a cloud-based platform to manage the flow of goods, services, and information internally between agency personnel and externally between personnel and customers. However, VA canceled its solicitation in July 2024 due to budget constraints and changing leadership priorities.

[34]For the purposes of this report, the phrase “most widely used software licenses” refers to the licenses that come from a specific vendor and means the aggregate number of software licenses an agency uses that originate with a particular vendor.

[37]The seven investments were (1) the Department of Commerce’s Decennial Response Integration System, (2) the Department of Defense’s Defense Global Combat Support System-Joint (Increment 7), (3) the Department of Energy’s Manufacturing Operations Management Project, (4) the Department of Homeland Security’s Western Hemisphere Travel Initiative, (5) the Department of Transportation’s Integrated Terminal Weather System, (6) the Department of the Treasury’s Customer Account Data Engine 2, and (7) VA’s Occupational Health Record-keeping System.

[40]In government acquisitions, this is akin to the initial set of capabilities suitable to be fielded in an operational environment.

[41]We are continuing this body of work to further explore leading practices in related areas, such as developing business cases and managing product portfolios. In addition, our guide for assessing Agile software development—an iterative development approach that focuses on early and continuous delivery of working software—describes agencies’ existing authority to use modular contracting for iterative acquisitions. Modular contracting is intended to reduce program risk and incentivize contractor performance while meeting the government’s need for timely access to rapidly changing technology; it can also be divided into smaller acquisition increments. GAO, Agile Assessment Guide: Best Practices for Adoption and Implementation [Reissued with revisions on Dec. 15, 2023], GAO‑24‑105506 (Washington, D.C.: Nov. 28, 2023).