U.S. Secret Service: Action Needed to Address Gaps in IT Workforce Planning and Management Practices
Highlights
What GAO Found
The U.S. Secret Service (Secret Service) Chief Information Officer (CIO) fully implemented 11 of 14 selected information technology (IT) oversight responsibilities, and partially implemented the remaining 3. The CIO partially implemented the responsibilities to establish a process that ensures the Secret Service reviews IT contracts; ensure that the component's IT policies align with the Department of Homeland Security's (DHS) policies; and set incremental targets to monitor program progress. Additional efforts to fully implement these 3 responsibilities will further position the CIO to effectively manage the IT portfolio.
Of the 15 selected practices within the 5 workforce planning and management areas, the Secret Service fully implemented 3 practices, partly implemented 8, and did not implement 4 (see table). Within the strategic planning area, the component partly implemented the practice to, among other things, develop IT competency needs. While the Secret Service had defined general core competencies for its workforce, the Office of the CIO (OCIO) did not identify all of the technical competencies needed to support its functions. As a result, the office was limited in its ability to address any IT competency gaps that may exist. Also, while work remains to improve morale across the component, the Secret Service substantially implemented the employee morale practices for its IT staff.
The U.S. Secret Service's Implementation of 15 Selected Leading Practices Associated with 5 Workforce Planning and Management Areas for Its Information Technology Workforce
Workforce area |
Overall area rating |
Number of practices fully implemented |
Number of practices partly implemented |
Number of practices not implemented |
1. Strategic planning |
Minimally implemented |
0 |
2 |
1 |
2. Recruitment and hiring |
Minimally implemented |
0 |
1 |
2 |
3. Training and development |
Minimally implemented |
0 |
2 |
1 |
4. Employee morale |
Substantially implemented |
2 |
1 |
0 |
5. Performance management |
Substantially implemented |
1 |
2 |
0 |
Total |
|
3 |
8 |
4 |
Source: GAO analysis of data provided by U.S. Secret Service officials. | GAO-19-60.
Secret Service officials said the gaps in implementing the workforce practices were due to, among other things, their focus on reorganizing the IT workforce within OCIO. Until the Secret Service fully implements these practices for its IT workforce, it may be limited in its ability to ensure the timely and effective acquisition and maintenance of the component's IT infrastructure and services.
Of the two selected IT project monitoring practices, DHS and the Secret Service fully implemented the first practice to monitor the performance of the Information Integration and Technology Transformation (IITT) investment. In addition, for the second practice—to monitor projects on incremental development metrics—the Secret Service fully implemented the practice on one of IITT's projects and partially implemented it on another. In particular, OCIO did not fully measure post-deployment user satisfaction with the system on one project. OCIO plans to conduct a user satisfaction survey of the system by September 2018, which should inform the office on whether the system is meeting users' needs.
Why GAO Did This Study
Commonly known for protecting the President, the Secret Service also plays a leading role in investigating and preventing financial and electronic crimes. To accomplish its mission, the Secret Service relies heavily on the use of IT infrastructure and systems. In 2009, the component initiated the IITT investment—a portfolio of programs and projects that are intended to, among other things, improve systems availability and security in support of the component's business operations.
GAO was asked to review the Secret Service's oversight of its IT portfolio and workforce. This report discusses the extent to which the (1) CIO implemented selected IT oversight responsibilities, (2) Secret Service implemented leading IT workforce planning and management practices, and (3) Secret Service and DHS implemented selected performance monitoring practices for IITT. GAO assessed agency documentation against 14 selected component CIO responsibilities established in DHS policy; 15 selected leading workforce planning and management practices within 5 topic areas; and two selected leading industry project monitoring practices that, among other things, were, in GAO's professional judgment, of most significance to managing IITT.
Recommendations
GAO is making 13 recommendations, including that the Secret Service establish a process that ensures the CIO reviews all IT contracts, as appropriate; and identify the skills needed for its IT workforce. DHS concurred with all recommendations and provided estimated dates for implementing each of them.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
United States Secret Service | The Director should ensure that the CIO establishes and documents an IT acquisition review process that ensures the CIO or the CIO's delegate reviews all contracts containing IT, as appropriate. (Recommendation 1) |
In response to our recommendation, in April 2019 the Secret Service established a policy that specifies that the CIO must approve all Secret Service IT purchases, including hardware, software, and services. The policy also identifies how Secret Service staff are to submit IT purchase requests for review and outlines the approval sequence for such purchases. As part of this, the policy states that the final approver--called the Secret Service Approver--will not approve any requisitions that do not have the required CIO approval. By establishing this policy and process, the Secret Service CIO should be better informed of all IT purchases made by the component. The CIO should also be better positioned to ensure that such purchases are a cost-effective use of resources and are aligned with the component's missions and goals.
|
United States Secret Service | The Director should update the enterprise governance policy to specify (1) the CIO's current role and responsibilities on the Executive Resources Board, to include developing and reviewing the IT budget formulation and execution; and (2) the Deputy CIO's role and responsibilities on the Enterprise Governance Council. (Recommendation 2) |
In response to our recommendation, the Secret Service has taken important steps to address this recommendation. In particular, in April 2021, the Secret Service updated its Enterprise Governance Council charter to outline the roles and responsibilities of all board members, including senior designees from the OCIO. Next, in January 2022, the Secret Service established a charter for its Enterprise Resource Board (which was previously named the Executive Resources Board) and it outlined the roles and responsibilities of all board members, including senior designees from the OCIO. Then, in February 2022, Secret Service provided its Planning, Programming, Budget, Executive and Evaluation policy directive, which reflects the CIO's responsibilities for developing and reviewing IT budget formulation and execution. Lastly, in August 2023, the Secret Service updated its overarching Secret Service Enterprise Governance policy directive to align with the new and updated OCIO roles and responsibilities that are documented in the charters and policy directive. As a result, the OCIO has improved its ability to develop and review the component's IT budget. Further, the Secret Service is better positioned to ensure that all members understand their roles and responsibilities on the board and council and will perform them as expected.
|
United States Secret Service | The Director should ensure that the Secret Service develops a charter for its Executive Resources Board that specifies the roles and responsibilities of all board members, including the CIO. (Recommendation 3) |
In response to our recommendation, in January 2022, Secret Service officials finalized a charter for its Board (which was renamed to the Enterprise Resource Board charter). The charter identifies the general roles and responsibilities of all board members, including a senior representative from the Office of the CIO. By formally identifying member's roles and responsibilities in the charter, the Secret Service will be better positioned to ensure that all members understand their roles and responsibilities and will perform them as expected.
|
United States Secret Service | The Director should ensure that the CIO includes product quality and post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring agile projects. (Recommendation 4) |
In response to our recommendation, the Secret Service updated its acquisition policy to inform program staff that they should refer to DHS post-implementation review guidance when conducting a post-implementation review six to 18 months after a system's deployment. The DHS document provides guidance on the post-implementation review process, including identifying certain elements and data sources that should be assessed during this type of review. Further, the guidance strongly recommends that, for agile programs, staff should assess the systems against product quality and post-deployment user satisfaction metrics. As a result, the Secret Service has better assurance that its future agile programs will measure product quality and post-deployment user satisfaction.
|
United States Secret Service | The Director should ensure that the CIO identifies all of the required knowledge and skills for the IT workforce. (Recommendation 5) |
In response to our recommendation, the Secret Service provided documentation that demonstrates that it had identified the required knowledge and skills for its IT workforce. In particular, in 2021 and 2022, the Secret Service OCIO provided position description documents for the 12 occupational series within the Secret Service's IT workforce that identified the required knowledge and skills for each occupational series. As a result, the OCIO has improved its ability to identify and address competency gaps within its workforce.
|
United States Secret Service | The Director should ensure that the CIO regularly analyzes the IT workforce to identify its competency needs and any gaps it may have. (Recommendation 6) |
From 2018 to December 2020, in response to our recommendation, the Secret Service worked with a contractor to develop updated staffing models for its IT workforce. The contractor also determined competency gaps and additional IT workforce staffing needs by conducting an assessment of current and desired workload. The assessment indicated a need for additional staff for the Secret Service IT workforce. In addition, in May 2022, Secret Service officials provided a directive that states that Secret Service should reassess the component's workforce requirements every 3-5 years. Further, the directive states that they should assess workforce analyses results and determinations following any changes in technology, organizational structure, or the mission. As a result, the OCIO has improved its ability to determine whether its IT workforce has the necessary knowledge and skills to meet its mission and goals. In addition, regular assessments of the IT workforce's staffing needs should increase the likelihood that the Secret Service is able to appropriately identify the number of IT staff it needs to meet its mission and programmatic goals.
|
United States Secret Service | The Director should ensure that, after OCIO completes an analysis of the IT workforce to identify any competency and staffing gaps it may have, the Secret Service updates its recruiting and hiring strategies and plans to address those gaps, as necessary. (Recommendation 7) |
As referenced in recommendation six, the Secret Service conducted an analysis of the IT workforce to identify competency and staffing gaps. Secret Service officials stated that, following this analysis, the Secret Service adjusted its recruiting and hiring strategies to address staffing gaps in its IT workforce. Specifically, the officials provided excerpts from the Secret Service's National Recruitment Strategy that demonstrated these adjustments, such as placing more emphasis on using digital and social media platforms for recruitment. As a result, the OCIO has better assurance that its recruiting and hiring strategies are addressing the IT workforce's competency and staffing gaps.
|
United States Secret Service | The Director should ensure that the Office of Human Resources (1) develops and tracks metrics to monitor the effectiveness of the Secret Service's recruitment activities for the IT workforce, including their effectiveness at addressing skill and staffing gaps; and (2) reports to component leadership on those metrics. (Recommendation 8) |
In July 2024, Secret Service officials stated that the Secret Service is transitioning to a new hiring solution that will be largely automated. The officials said the new solution will allow for end-to-end hiring and better tracking of applications, to include its recruitment efforts. Further, the officials said the new end-to-end hiring solution should be in place by December 31, 2024. As such, we will continue to monitor the Secret Service's efforts to implement this recommendation.
|
United States Secret Service | The Director should ensure that the Office of Human Resources and OCIO adjust their recruitment and hiring plans and activities, as necessary, after establishing and tracking metrics for assessing the effectiveness of these activities for the IT workforce. (Recommendation 9) |
Secret Service officials stated that the service is transitioning to a new end-to-end hiring solution, which could be used to produce metrics that track the results of its recruitment activities for the IT workforce. The officials added that the new end-to-end hiring solution should be in place by December 31, 2024. As such, as of July 2024, the component was not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on the results of any performance metrics. We will continue to monitor the Secret Service's effort.
|
United States Secret Service | The Director should ensure that the CIO (1) defines the required training for each IT workforce group, (2) determines the activities that OCIO will include in its IT workforce training and development program based on its available training budget, and (3) implements those activities. (Recommendation 10) |
DHS concurred with this recommendation, and in response, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO workforce group (e.g., network management, cyber security). However, this procedure document does not identify required training for each group. In July 2024, Secret Service officials stated that the OCIO is in the process of developing a training program for its IT workforce. Specifically, the officials stated that they established a Training Coordinator position within the OCIO and the Training Coordinator will manage the development and implementation of the training program. As part of this effort, the officials said the Secret Service will update the standard operating procedure document to also define the required training for each IT workforce group. The officials added that they expect to fully implement the training program for its IT workforce by September 30, 2026. As such, we will continue to monitor the Secret Service's efforts to implement this recommendation.
|
United States Secret Service | The Director should ensure that the CIO ensures that the IT workforce completes training specific to their positions (after defining the training required for each workforce group). (Recommendation 11) |
DHS concurred with this recommendation. While the Secret Service OCIO has identified the recommended training and certifications for each OCIO division, the OCIO has not yet identified the required training for each of these divisions as stated in recommendation ten. However, in July 2024, Secret Service officials stated that they will update the standard operating procedure document to also define the required training for each IT workforce group. In addition, the officials stated that they also plan to utilize DHS's IT Career Path for IT job occupations series and individual development plans to ensure that IT workforce staff are receiving training aligned with their job responsibilities. The officials added that they expect to address this recommendation by September 30, 2026. As such, we will continue to monitor the Secret Service's efforts to implement this recommendation.
|
United States Secret Service | The Director should ensure that the CIO collects and assesses performance data (including qualitative or quantitative measures, as appropriate) to determine how the IT training program contributes to improved performance and results (once the training program is implemented). (Recommendation 12) |
DHS concurred with this recommendation. In July 2024, Secret Service officials stated that they currently do not have a system to collect and assess performance training data. However, they said the Secret Service expects to have a new learning management system that can collect training completion data and user feedback in place sometime in fiscal year 2025. The officials added that the OCIO plans to conduct surveys to gather employee feedback on the to be implemented training program and the OCIO has hired two analysts who will be involved in tracking metrics and analyzing the performance of the training program. The officials stated that they intend to address this recommendation by September 30, 2027. As such, we will continue to monitor the component's efforts to implement this recommendation.
|
United States Secret Service | The Director should ensure that the CIO updates the performance plans for each occupational series within the IT workforce to include the relevant technical competencies, once identified, against which IT staff performance should be assessed. (Recommendation 13) |
In July 2020, the Secret Service OCIO provided the updated performance plans for the occupational series within the Secret Service's IT workforce that included the relevant technical competencies against which IT staff performance should be assessed. As a result, the OCIO has improved its ability to provide IT staff with a complete assessment of their performance. In addition, Secret Service management now have more insight into the extent to which IT staff are meeting their relevant technical competencies.
|