Business Systems Modernization
DOD Continues to Improve Institutional Approach, but Further Steps Needed
GAO ID: GAO-06-658 May 15, 2006
For decades, the Department of Defense (DOD) has not been successful in repeated attempts to modernize its timeworn business systems and operations. In 1995, we first designated DOD's business systems modernization as "high risk," and we continue to designate it as such today. As our research on successful public and private sector organizations has shown, attempting a large-scale systems modernization program in a large organization such as DOD without, among other things, a well-defined enterprise architecture and the associated investment management controls for implementing it often results in systems that are duplicative, stovepiped, non-integrated, and unnecessarily costly to manage, maintain, and operate. In May 2001, we made recommendations to the Secretary of Defense that provided the means for effectively developing and implementing an enterprise architecture and limiting systems investments until the department had a well-defined architecture and a corporate approach to investment control and decision making. In July 2001, the department initiated a business management modernization program to, among other things, develop a business enterprise architecture and establish the investment controls needed to effectively implement it. This effort was begun as part of the Secretary of Defense's broad initiative to "transform the way the department works and what it works on."
Between 2001 and 2005, we reported that the department's business management modernization program was not being effectively managed, concluding in 2005 that hundreds of millions of dollars had been spent on an architecture and investment management structures that had limited use.
To assist DOD in addressing these modernization management challenges, Congress included provisions in the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 (the Act) that were consistent with our recommendations for developing a business enterprise architecture and associated enterprise transition plan, and establishing and implementing effective information technology (IT) business system investment management structures and processes. More specifically, the Act required the department to, among other things, (1) develop a business enterprise architecture, (2) develop a transition plan to implement the architecture, (3) include systems information in its annual budget submission, (4) establish a system investment approval and accountability structure, (5) establish an investment review process, and (6) approve and certify system modernizations costing in excess of $1 million. The Act further requires that the Secretary of Defense submit an annual report to congressional defense committees on its compliance with certain requirements of the Act not later than March 15 of each year from 2005 through 2009. Additionally, the Act directs us to submit to congressional defense committees--within 60 days of DOD's report submission--an assessment of DOD's actions taken to comply with these requirements.
The objectives of our review were to (1) assess the actions by DOD to comply with the requirements of Section 2222 of Title 10, U.S. Code and (2) determine the extent to which DOD has addressed our prior recommendations. To accomplish this, we used our November 2005 report as a baseline of comparison, focusing on the steps the department has taken to address the areas of noncompliance that we cited in that report.
As part of DOD's incremental strategy for developing and implementing its architecture, transition plan, and tiered accountability framework for managing business systems, the department has taken steps over the last 6 months to further comply with the Act and otherwise improve its overall approach to business systems modernization. On March 15, 2006, DOD released a minor update to its business enterprise architecture (version 3.1), developed an updated enterprise transition plan, and issued its annual report to Congress describing steps taken to address the Act's requirements, among other things. The updated architecture and transition plan, as well as the report and related documentation, reflect steps taken to address a number of the areas that we previously reported as falling short of the Act's requirements and related guidance. However, additional steps are needed to fully comply with the Act and relevant guidance.
GAO-06-658, Business Systems Modernization: DOD Continues to Improve Institutional Approach, but Further Steps Needed
This is the accessible text file for GAO report number GAO-06-658
entitled 'Business Systems Modernization: DOD Continues to Improve
Institutional Approach, but Further Steps Needed' which was released on
May 15, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to Congressional Committees:
May 2006:
Business Systems Modernization:
DOD Continues to Improve Institutional Approach, but Further Steps
Needed:
GAO-06-658:
GAO Highlights:
Highlights of GAO-06-658, a report to congressional committees.
Why GAO Did This Study:
For decades, the Department of Defense (DOD) has not been successful in
repeated attempts to modernize its business systems and operations. To
assist DOD, Congress included provisions in the Fiscal Year 2005 Ronald
W. Reagan National Defense Authorization Act that were consistent with
GAO's recommendations for developing a business enterprise architecture
and associated enterprise transition plan and establishing and
implementing effective information technology (IT) business system
investment management structures and processes. The Act further
requires that the Secretary of Defense submit an annual report to
congressional defense committees on its compliance with certain
requirements of the Act not later than March 15 of each year from 2005
through 2009. In response to the Act's mandate, GAO assessed the
actions by DOD to comply with the requirements of the Act and
determined the extent to which DOD has addressed GAO's prior
recommendations.
What GAO Found:
As part of DOD's incremental strategy for developing and implementing
its architecture, transition plan, and accountability framework for
managing business systems, the department has taken steps over the last
6 months to address a number of the areas that GAO previously reported
as falling short of the Act's requirements. However, additional steps
are needed to fully comply with the Act and relevant guidance. For
example:
* The architecture identifies an enterprisewide data standard to
support financial management and reporting functions. However, the data
elements--such as those associated with the planning, programming, and
budgeting business process--are not yet part of the architecture.
* The enterprise transition plan now includes an initiative aimed at
identifying capability gaps between the "As Is" and "To Be"
architectural environments, and DOD continues to validate the inventory
of ongoing IT investments that formed the basis for the prior version
of the transition plan. However, the plan does not include, among other
things, a complete listing of the legacy systems that will not be part
of the target architecture, and it does not include system investment
information for all of the department's agencies and combatant
commands.
* The department's fiscal year 2007 IT budget submission was prepared
using a system that was reconciled with DOD's single authoritative
system inventory. This should improve the reliability of the budget
submission.
* The IT investment management structures and processes that DOD
previously defined are being refined and implemented across the
department. However, the investment review board that is to focus on IT
infrastructure and information assurance investments has still not been
established.
DOD has also taken steps to address 29 prior GAO recommendations to
strengthen the management of its business systems modernization through
the adoption of enterprise architecture and investment management best
practices. As a result of DOD's actions, 16 of the recommendations have
now been implemented and 13 are in the process of being implemented.
Notwithstanding DOD's incremental strategy for improving its
institutional approach to business systems modernization and complying
with the Act, the department has yet to create or establish milestones
for developing an enterprise architecture program management plan that
defines, among other things, what the increments of improvement are,
and how and when they will be accomplished, with particular emphasis
and clarity around the near-term increments. It is important for the
department to develop this plan as soon as possible because without it,
the department is less likely to accomplish intended improvements and
the Congress does not have the means to measure progress and hold the
department accountable for doing so.
What GAO Recommends:
GAO is recommending that the department submit its enterprise
architecture program management plan to defense congressional
committees. DOD commented that GAO's findings are fair, and it
expressed general agreement with GAO's recommendations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-658].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph C. Hite at (202)
512-3439 or hiter@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DOD Is Taking Steps to Address Act's Requirements and Improve Approach
to Modernizing Business Systems:
DOD Is Implementing Our Prior Recommendations:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Prior Recommendations on DOD's Business Enterprise
Architecture and Investment Management:
Appendix III: Comments from the Department of Defense:
Appendix IV: Summary of Several Architecture Frameworks:
Appendix V: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Roles and Responsibilities of Governance Entities:
Table 2: Business Transformation Agency Divisions:
Table 3: Core Business Missions and Associated Principal Staff
Assistants:
Table 4: Business Enterprise Priorities:
Figures:
Figure 1: Business Transformation Agency Organization:
Figure 2: Interdependent DODAF Views of an Architecture:
Abbreviations:
ASD(NII)/CIO: Assistant Secretary of Defense (Networks and Information
Integration)/Chief Information Officer:
BEA: Business Enterprise Architecture:
BTA: Business Transformation Agency:
CA: Certification Authority:
CIO: Chief Information Officer:
DBSMC: Defense Business Systems Management Committee:
DITPR: DOD Information Technology Portfolio Repository:
DOD: Department of Defense:
DODAF: Department of Defense Architecture Framework:
ETP: Enterprise Transition Plan:
FEA: Federal Enterprise Architecture:
FEAF: Federal Enterprise Architecture Framework:
FCP: Forward Compatible Payroll:
IRB: Investment Review Board:
IT: information technology:
NCES: Net-Centric Enterprise Services:
NSS: National Security Systems:
OMB: Office of Management and Budget:
SFIS: Standard Financial Information Structure:
SNAP-IT: Select and Native Programming Data System-Information
Technology:
United States Government Accountability Office:
Washington, DC 20548:
May 15, 2006:
Congressional Committees:
For decades, the Department of Defense (DOD) has not been successful in
repeated attempts to modernize its timeworn business systems[Footnote
1] and operations. In 1995, we first designated DOD's business systems
modernization as "high risk," and we continue to designate it as such
today.[Footnote 2] As our research on successful public and private
sector organizations has shown, attempting a large-scale systems
modernization program in a large organization such as DOD without,
among other things, a well-defined enterprise architecture[Footnote 3]
and the associated investment management controls for implementing it
often results in systems that are duplicative, stovepiped,
non-integrated, and unnecessarily costly to manage, maintain, and operate.
In May 2001, we made recommendations to the Secretary of Defense that
provided the means for effectively developing and implementing an
enterprise architecture and limiting systems investments until the
department had a well-defined architecture and a corporate approach to
investment control and decision making.[Footnote 4] In July 2001, the
department initiated a business management modernization program to,
among other things, develop a business enterprise architecture and
establish the investment controls needed to effectively implement it.
This effort was begun as part of the Secretary of Defense's broad
initiative to "transform the way the department works and what it works
on."
Between 2001 and 2005, we reported that the department's business
management modernization program was not being effectively managed,
concluding in 2005 that hundreds of millions of dollars had been spent
on an architecture and investment management structures that had
limited use.[Footnote 5]
To assist DOD in addressing these modernization management challenges,
Congress included provisions in the Ronald W. Reagan National Defense
Authorization Act for Fiscal Year 2005 (the Act)[Footnote 6] that were
consistent with our recommendations for developing a business
enterprise architecture and associated enterprise transition plan, and
establishing and implementing effective information technology (IT)
business system investment management structures and processes. More
specifically, the Act required the department to, among other things,
(1) develop a business enterprise architecture, (2) develop a
transition plan to implement the architecture, (3) include systems
information in its annual budget submission, (4) establish a system
investment approval and accountability structure, (5) establish an
investment review process, and (6) approve and certify system
modernizations costing in excess of $1 million. The Act further
requires that the Secretary of Defense submit an annual report to
congressional defense committees on its compliance with certain
requirements of the Act not later than March 15 of each year from 2005
through 2009. Additionally, the Act directs us to submit to
congressional defense committees--within 60 days of DOD's report
submission--an assessment of DOD's actions taken to comply with these
requirements.
As agreed with your offices, the objectives of our review were to (1)
assess the actions by DOD to comply with the requirements of Section
2222 of Title 10, U.S. Code and (2) determine the extent to which DOD
has addressed our prior recommendations. To accomplish this, we used
our November 2005 report[Footnote 7] as a baseline of comparison,
focusing on the steps the department has taken to address the areas of
noncompliance that we cited in that report.
We performed our work from January through May 2006 in accordance with
generally accepted government auditing standards. Details on our
objectives, scope, and methodology are contained in appendix I.
Results in Brief:
As part of DOD's incremental strategy for developing and implementing
its architecture, transition plan, and tiered accountability framework
for managing business systems, the department has taken steps over the
last 6 months to further comply with the Act and otherwise improve its
overall approach to business systems modernization. On March 15, 2006,
DOD released a minor update to its business enterprise architecture
(version 3.1), developed an updated enterprise transition plan, and
issued its annual report to Congress describing steps taken to address
the Act's requirements, among other things. The updated architecture
and transition plan, as well as the report and related documentation,
reflect steps taken to address a number of the areas that we previously
reported as falling short of the Act's requirements and related
guidance. However, additional steps are needed to fully comply with the
Act and relevant guidance. The following illustrate steps taken thus
far to improve management of the department's business systems
modernization effort and where further improvement is needed.
* The latest version of the architecture continues to specify DOD's
Standard Financial Information Structure (SFIS) as an enterprisewide
data standard for categorizing financial information to support
financial management and reporting functions. In addition, the
architecture now adds greater definition on standard processes, rules,
and data for intra-governmental ordering and billing. However, certain
SFIS data elements, such as those relating to the planning,
programming, and budgeting business process area, have yet to be
defined. According to DOD, these data elements will be in the next
version of the architecture. The latest version of the architecture
also does not yet include a systems standards profile to facilitate
data sharing among departmentwide business systems and promote
interoperability with departmentwide IT infrastructure systems.
Further, military services' and defense agencies' architectures have yet
to be aligned with the departmental architecture. Once such missing
scope and content is added, the architecture will be a more sufficient
frame of reference to optimally guide and constrain DOD-wide system
investment decision making.
* The enterprise transition plan now includes an initiative aimed at
identifying capability gaps between the "As Is" and "To Be"
architectural environments, and DOD continues to validate the inventory
of ongoing IT investments that formed the basis for the prior version
of the transition plan. Further, the plan provides information on
progress on major investments over the last 6 months--including key
accomplishments and milestones attained, and more information about the
termination of legacy systems. However, it still does not identify, for
example, all legacy systems that will not be part of the target
architecture, and it does not include system investment information for
all of the department's agencies and combatant commands. Once missing
content is added and all planned investments are validated by
capability gap analyses, the department will be better positioned to
sequentially manage the migration and disposition of existing business
processes and systems--and the introduction of new ones.
* The fiscal year 2007 IT budget submission was prepared using a system
that has been reconciled with DOD's single authoritative system
inventory. This should improve the completeness and reliability of the
budget submission.
* The IT investment management structures and processes that DOD
previously defined are being refined and implemented across the
department. For example, DOD reports that 226 business systems, which
represent about $3.6 billion in modernization funding, were approved by
the Defense Business Systems Management Committee (DBSMC). Further, it
reports that over 290 business systems have been identified for
phase-out/elimination. The extent to which these structures and processes
will be applied to the department's approximately 3,700 business
systems is still evolving. Further, an investment review board required
by the Act and DOD policy for IT infrastructure and information
assurance investments has yet to be established.
The Act's requirements concerning the architecture, transition plan,
budgetary disclosure, and investment management structures and
processes are consistent with our prior recommendations. In taking
steps to further comply with the Act, DOD has either implemented--or is
in the process of implementing--these 29 prior recommendations. More
specifically, the department has fully implemented 16 of the
recommendations and is in the process of implementing the remaining 13.
For example, the department has implemented our recommendation to issue
a policy governing the development, implementation, and maintenance of
an enterprise architecture. However, it has not implemented our
recommendation to develop a plan governing the development,
maintenance, and implementation of the enterprise architecture. Such a
plan would, at a minimum, define what the incremental improvements will
be, and how and when they will be accomplished. The plan would also
include what (and when) architecture and transition plan scope and
content--and architecture compliance criteria--will be added, with
particular emphasis and clarity around the near-term increments. It is
important for the department to develop this plan as soon as possible
because without it, the department is less likely to accomplish
intended improvements--and Congress will not have the means to measure
progress and hold the department accountable. According to DOD
officials, the department is committed to addressing our
recommendations but has yet to provide any time frames.
To further assist the department in strengthening its business systems
modernization efforts, to facilitate congressional oversight, and
promote departmental accountability, we are recommending that the
department submit its enterprise architecture program management plan
to defense congressional committees.
In its written comments on a draft of this report, signed by the Deputy
Under Secretary of Defense (Business Transformation) and reprinted in
appendix III, the department stated that our findings are a fair
representation of DOD's efforts to date, and while it does not agree
with all of our points, it recognizes that even in areas of
disagreement there is opportunity for dialog and learning. In this
regard, the department provided additional comments in two areas.
First, DOD recognized the importance of addressing our recommendations,
and stated that it is important that we make our recommendations
sufficiently specific to permit reasonable implementation and that we
provide prompt feedback on whether DOD's implementation actions are in
line with the recommendations. We agree and will continue to work
proactively and constructively with the department to facilitate their
implementation.
Second, DOD stated that it partially agreed with the recommendation in
the draft report, characterizing it as developing a departmentwide
enterprise architecture program management plan to gain control of the
department's IT environment. According to DOD, such a plan would far
exceed the current scope of business systems modernization, and thus
addressing it would require more time than our recommendation allowed.
We agree that the business enterprise architecture should be
departmentwide in scope and should allow the department to gain control
of its business IT environment. However, the recommendation in our
draft report was only aimed at developing an incremental plan that
would show what missing scope and content would be added in each
incremental version of the architecture and transition plan to
eventually have an architecture and transition plan that addressed the
full scope of the department's business IT environment and permitted
such control to be gained. It was not intended to be interpreted as
actually having this scope and content added to the transition plan in
the time frame specified. To further ensure that our recommendation is
properly interpreted and implemented, and to address DOD's concern
about the time frame that we cited, we have slightly modified the
recommendation.
Background:
DOD is a massive and complex organization. In fiscal year 2005, the
department reported that its operations involved $1.3 trillion in
assets and $1.9 trillion in liabilities; more than 2.9 million military
and civilian personnel; and $635 billion in net cost of operations. For
fiscal year 2006, the department received appropriations of about $403
billion.[Footnote 8] The department comprises a wide range of
organizations, including the military services and their respective
major commands and functional activities; numerous defense agencies and
field activities; and various combatant and joint operational commands,
which are responsible for military operations for specific geographic
regions or theaters of operations.
In support of its military operations, the department performs an
assortment of interrelated and interdependent business functions,
including logistics management, procurement, health care management,
and financial management. DOD recently reported that, in order to
support these business functions, it relies on 3,717 business systems.
For fiscal year 2006, DOD received approximately $15.5 billion--and for
fiscal year 2007, DOD has requested approximately $16 billion--in
appropriated funds to operate, maintain, and modernize its business
systems. As we have previously reported,[Footnote 9] DOD's systems
environment is overly complex and error prone, and is characterized by
(1) little standardization across the department; (2) multiple systems
performing the same tasks; (3) the same data stored in multiple
systems; and (4) the need for manual data entry into multiple systems.
In addition, our reports[Footnote 10] have continually shown that the
department's nonintegrated and duplicative systems contribute to fraud,
waste, and abuse. Of the 25 areas on our governmentwide high-risk list,
8 are DOD program areas, and the department shares responsibility for 6
other governmentwide high-risk areas.[Footnote 11] DOD's business
systems modernization is one of the high-risk areas, and it is an
essential enabler to addressing many of the department's other
high-risk areas. For example, modernized business systems are integral to
the department's efforts to address its financial, supply chain, and
information security management high-risk areas.
Enterprise Architecture and Information Technology Investment
Management Are Critical to Achieving Successful Systems Modernization:
Effective use of an enterprise architecture, or a modernization
blueprint, is a hallmark of successful public and private
organizations. For more than a decade, we have promoted the use of
architectures to guide and constrain systems modernization, recognizing
them as a crucial means to this challenging goal: agency operational
structures that are optimally defined in both the business and
technological environments. Congress, the Office of Management and
Budget (OMB), and the federal Chief Information Officer (CIO) Council
have also recognized the importance of an architecture-centric approach
to modernization. We, OMB, and the CIO Council have issued enterprise
architecture guidance.[Footnote 12] The Clinger-Cohen Act of
1996[Footnote 13] mandates that an agency's CIO develop, maintain, and
facilitate the implementation of an IT architecture. Further, the
E-Government Act of 2002[Footnote 14] requires OMB to oversee the
development of enterprise architectures within and across agencies. In
addition, we and OMB have issued guidance that emphasizes the need for
system investments to be consistent with these architectures.[Footnote
15]
A corporate approach to IT investment management is also characteristic
of successful public and private organizations. Recognizing this,
Congress developed and enacted the Clinger-Cohen Act of 1996,[Footnote
16] which requires OMB to establish processes to analyze, track, and
evaluate the risks and results of major capital investments in
information systems made by executive agencies.[Footnote 17] In
response to the Clinger-Cohen Act and other statutes, OMB has developed
policy and issued guidance for planning, budgeting, acquisition, and
management of federal capital assets.[Footnote 18] We have also issued
guidance in this area,[Footnote 19] which defines institutional
structures such as IRBs and associated processes, such as common
investment criteria.
Enterprise Architecture: A Brief Description:
An enterprise architecture provides a clear and comprehensive picture
of an entity, whether it is an organization (e.g., a federal
department) or a functional or mission area that cuts across more than
one organization (e.g., financial management). This picture consists of
snapshots of both the enterprise's current ("As Is") environment and
its target ("To Be") environment. These snapshots consist of "views,"
which are one or more architecture products (e.g., models, diagrams,
matrixes, and text) that provide logical or technical representations
of the enterprise. The architecture also includes a transition or
sequencing plan, which is based on an analysis of the gaps between the
"As Is" and "To Be" environments; this plan provides a temporal roadmap
for moving between the two environments, and incorporates such
considerations as technology opportunities, marketplace trends, fiscal
and budgetary constraints, institutional system development and
acquisition capabilities, legacy and new system dependencies and life
expectancies, and the projected value of competing investments.
The suite of products produced for a given entity's enterprise
architecture, including its structure and content, is largely governed
by the framework used to develop the architecture. Since the 1980s,
various architecture frameworks have been developed. Appendix IV
discusses these various frameworks.
The importance of developing, implementing, and maintaining an
enterprise architecture is a basic tenet of both organizational
transformation and systems modernization. Managed properly, an
enterprise architecture can clarify and help optimize the
interdependencies and relationships among an organization's business
operations (and the underlying IT infrastructure and applications) that
support these operations. To support effective architecture management
in the federal government, we have issued architecture management
guidance, as has the federal CIO Council and OMB.[Footnote 20] This
guidance recognizes that when an enterprise architecture is employed in
concert with other important management controls, such as
portfolio-based capital planning and investment control practices, architectures
can greatly increase the chances that an organization's operational and
IT environments will be configured to optimize mission performance. Our
experience with federal agencies has shown that investing in IT without
defining these investments in the context of an architecture often
results in systems that are duplicative, not well integrated, and
unnecessarily costly to maintain and interface.[Footnote 21]
IT Investment Management: A Brief Description:
IT investment management is a process for linking IT investment
decisions to an organization's strategic objectives and business plans.
Generally, it includes structures (including decision-making bodies
known as IRBs), processes for developing information on investments
(such as costs and benefits), and practices to inform management
decisions (such as whether a given investment is aligned with an
enterprise architecture). The federal approach to IT investment
management is based on establishing systematic processes for selecting,
controlling, and evaluating investments that provide a systematic way
for agencies to minimize risks while maximizing the returns of
investments.[Footnote 22]
* During the selection phase, the organization (1) identifies and
analyzes each project's risks and returns before committing significant
funds to any project and (2) selects those IT projects that will best
support its mission needs.
* During the control phase, the organization ensures that, as projects
develop and investment expenditures continue, the project continues to
meet mission needs at the expected levels of cost and risk. If the
project is not meeting expectations or if problems arise, steps are
quickly taken to address the deficiencies.
* During the evaluation phase, actual versus expected results are
compared once a project has been fully implemented. This is done to (1)
assess the project's impact on mission performance, (2) identify any
changes or modifications to the project that may be needed, and (3)
revise the investment management process based on lessons learned.
Consistent with our architecture management framework,[Footnote 23] our
investment management framework[Footnote 24] recognizes the importance
of an enterprise architecture as a critical frame of reference for
organizations making IT investment decisions, stating that only
investments that move the organization toward its target
architecture--as defined by its sequencing plan--should be approved, unless a waiver
is provided or a decision is made to modify the architecture. Moreover,
this framework states that an organization's policies and procedures
should describe the relationship between its architecture and its
investment decision-making authority. Our experience has shown that
mature and effective management of IT investments can vastly improve
government performance and accountability, help to avoid wasteful IT
spending, and leverage opportunities to improve delivery of services to
the public.
DOD's Institutional Approach to Business Systems Modernization:
DOD's institutional approach to managing its business systems
modernization efforts has changed several times since 2001. Most
recently, in 2005, the department reassigned responsibility for
providing executive leadership for the direction, oversight, and
execution of its business transformation and systems modernization
efforts to several entities. These entities include the DBSMC, which
serves as the highest ranking governance body for business systems
modernization activities; the Principal Staff Assistants, who serve as
the certification authorities for business system modernizations in
their respective core business missions; the IRBs, which form the
review and decision-making bodies for business system investments in
their respective areas of responsibility; and the Business
Transformation Agency (BTA),[Footnote 25] which leads and coordinates
business transformation efforts across the department. Table 1 lists
these entities and their roles and responsibilities.
Table 1: Roles and Responsibilities of Governance Entities:
Entity: Defense Business Systems Management Committee;
Roles and responsibilities:
* Provides strategic direction and plans for the business mission area
in coordination with the warfighting and enterprise information
environment mission areas;
* Serves as approving authority for business system modernization;
* Approves business mission area transformation plans and coordinates
transition planning in a documented program baseline with critical
success factors, milestones, metrics, deliverables, and periodic
program reviews;
* Establishes key metrics and targets by which to track business
transformation progress;
* Establishes policies and approves the business mission area strategic
plan, the transition plan for implementation for business systems
modernization, the transformation program baseline, and the business
enterprise architecture;
* Executes a comprehensive communications strategy;
Membership: Chaired by the Deputy Secretary of Defense; Vice Chair is
the Under Secretary of Defense for Acquisition, Technology, and
Logistics. Includes senior leadership in the Office of the Secretary of
Defense, the military services' secretaries, and defense agencies'
heads, such as the Assistant Secretary of Defense (Networks and
Information Integration)/ Chief Information Officer (ASD(NII)/CIO), the
Vice Chairman of the Joint Chiefs of Staff, and the Commanders of the
U.S. Transportation Command and Joint Forces Command.
Entity: Principal Staff Assistants;
Roles and responsibilities:
* Support the DBSMC's management of enterprise business IT investments;
* Serve as the certification authorities accountable for the obligation
of funds for respective business system modernizations within
designated core business missions.[A];
* Provide the DBSMC with recommendations for system investment
approval;
Membership: Officials who report directly to the Secretary or Deputy
Secretary of Defense. These include the Under Secretaries of Defense;
the Assistant Secretaries of Defense; the General Counsel of the
Department of Defense; the Assistants to the Secretary of Defense; and
the Directors of the Office of the Secretary of Defense.
Entity: Investment Review Boards;
Roles and responsibilities:
* Serve as the oversight and investment decision-making bodies for
those business capabilities that support activities under their
designated areas of responsibility;
* Assess investments relative to their impact on end-to-end business
process improvements supporting warfighter needs;
* Certify that all business systems investments costing more than $1
million are integrated and compliant with the business enterprise
architecture;
Membership: Includes the Deputy Secretary of Defense; the Under
Secretary of Defense (Comptroller); Under Secretary of Defense for
Acquisition, Technology, and Logistics; Assistant Secretary of Defense
(Personnel and Readiness); ASD(NII)/CIO; military services; defense
agencies; and combatant commands.
Entity: Business Transformation Agency[B];
Roles and responsibilities:
* Serves as the day-to-day management entity of the business
transformation effort at the DOD enterprise level;
* Provides support to the executive governance bodies;
* Integrates the work of the Principal Staff Assistants in the areas of
business process reengineering, core business mission activities, and
IRB matters;
Membership: Operates under the authority, direction, and control of the
Under Secretary of Defense for Acquisition, Technology, and
Logistics--the vice chair of the DBSMC. The day-to-day direction, management, and
oversight is provided cooperatively by the Deputy Under Secretary of
Defense (Business Transformation) and the Deputy Under Secretary of
Defense (Financial Management).
Source: DOD.
[A] The five core business missions are described in table 3.
[B] The organizational structure of the agency is outlined in figure 1
and the roles and responsibilities of the agency divisions are
described in table 2.
[End of table]
The BTA, established in 2005, is organized into eight divisions, one of
which is the office of the Defense Business Systems Acquisition
Executive--the component acquisition executive for DOD enterprise-level
systems and initiatives.[Footnote 26] Figure 1 outlines the
organizational structure of the agency and table 2 shows the roles and
responsibilities of the agency divisions.
Figure 1: Business Transformation Agency Organization:
[See PDF for image]
Source: DOD.
[A] This role is temporarily filled by the Deputy Under Secretary of
Defense for Business Transformation and the Deputy Under Secretary of
Defense for Financial Management.
[End of figure]
Table 2: Business Transformation Agency Divisions:
Office: Defense Business Systems Acquisition Executive;
Description:
* Develops, coordinates, and integrates projects, programs, systems,
and initiatives that provide DOD enterprisewide business capabilities
to the warfighter;
* Exercises acquisition executive oversight for DOD enterprise-level
business systems assigned by the DBSMC;
* Serves as the milestone decision authority for specific programs as
directed by the DBSMC, and as the DOD component acquisition executive
for business systems;
* Manages resources, including fiscal, personnel, and contracts for
assigned systems and programs.
Office: Enterprise Integration;
Description:
* Supports the integration of enterprise-level business capabilities;
* Ensures adoption of DOD-wide information and process standards, as
defined in the business enterprise architecture (BEA).
Office: Transformation Planning and Performance;
Description:
* Maintains and updates the department's BEA and corresponding
enterprise transition plan;
* Monitors the performance of enterprise programs and initiatives by
ensuring that they meet the milestones documented in the enterprise
transition plan;
* Includes the Milestone Assurance Team, which monitors the performance
of enterprise-level programs and initiatives.
Office: Transformation Priorities and Requirements;
Description:
* Serves as the primary link to the Principal Staff Assistants within
the Office of the Secretary of Defense as well as other DOD-level
organizations including the U.S. Transportation Command, the Defense
Logistics Agency, and the Defense Finance and Accounting Service;
* Ensures that the functional priorities and requirements of these
organizations are reflected in both the BEA and the enterprise
transition plan, as well as in the guidance for business systems
investment management;
* Comprises a mix of senior leaders from both government and industry
that have experience in business processes and systems technology.
Office: Investment Management;
Description:
* Provides leadership in investment management for DOD enterprise-level
business systems;
* Supports and coordinates IRB processes and actions for certification;
* Reports on IRB certification status in congressional reports and
DBSMC meetings;
* Updates and defines IRB data elements in the DOD Information
Technology Portfolio Repository and conducts the systems inventory for
OMB.
Office: Warfighter Support Office;
Description:
* Identifies enterprise-level business issues that directly impact the
warfighter and works to resolve these issues via systems capability and
process improvements;
* Engages with joint staff and combatant commands to identify and
communicate requirements to the agency;
* Monitors business process and system improvement initiatives
sponsored by the agency and ensures their progress in accordance with
performance objectives.
Office: Information and Federation Strategy;
Description:
* Manages the information strategy, which encompasses integration
efforts, strategic planning, change management, and long-term internal
and external communications;
* Ensures that integrated best industry practices are applied to all
areas of strategic planning and communications for the agency.
Office: Agency Operations;
Description:
* Provides centralized support across the agency, such as
administrative services, personnel and staffing, contracting, budget,
IT, security, and training;
* Supports the monthly DBSMC meetings;
* Coordinates with external stakeholders;
* Establishes and maintains a central repository for records,
deliverables, and policies for the agency.
Source: DOD.
[End of table]
DOD's Business Enterprise Architecture: A Brief Description:
In 2005, DOD adopted a 6-month incremental approach to developing its
enterprise architecture as either a major release or a minor
release.[Footnote 27] DOD released version 3.0 of the business
enterprise architecture on September 28, 2005, describing it as the
initial baseline. According to DOD, this version was intended to
provide a blueprint to help ensure near-term delivery of the right
capabilities, resources, and materiel to the warfighter. To do so, this
version focused on six business enterprise priorities--which DOD states
are short-term objectives to achieve immediate results, within DOD's
five core business missions--to be addressed through identification of
corporate business needs and analysis of capability gaps (see table 3).
The core business missions transcend DOD's various functional areas
(e.g., planning, budgeting, IT, procurement, and maintenance) and are
intended to be the means through which end-to-end warfighter support is
delivered. Responsibility for the core business missions is assigned to
specific Principal Staff Assistants.
Table 3: Core Business Missions and Associated Principal Staff
Assistants:
DOD core business mission: Human Resources Management;
Description: This mission includes all human resources-related
processes necessary to recruit, train, and prepare personnel for
warfighter organizations. It also includes providing trained, healthy,
and ready personnel to combatant and combat support organizations, and
ensures timely and accurate access to compensation and benefits for all
DOD personnel;
Principal Staff Assistants: Under Secretary of Defense (Personnel and
Readiness).
DOD core business mission: Weapon System Lifecycle Management;
Description: This mission includes full life-cycle management of
defense acquisition of weapons systems and automated information
systems, including requirements, technology, development, production,
and sustainment;
Principal Staff Assistants: Under Secretary of Defense for Acquisition,
Technology, and Logistics.
DOD core business mission: Materiel Supply and Service Management;
Description: This mission includes the management of supply chains of
materiel supply and services to maintain the readiness of non-deployed
and deployed warfighters to support operations. It also includes all
aspects associated with acquiring, storing, and transporting all
classes of supplies;
Principal Staff Assistants: Under Secretary of Defense for Acquisition,
Technology, and Logistics.
DOD core business mission: Real Property and Installations Lifecycle
Management;
Description: This mission includes the provision of installations and
facilities to house military forces, to store and maintain military
equipment, and to serve as training and deployment platforms for
dispatching warfighter units;
Principal Staff Assistants: Under Secretary of Defense for Acquisition,
Technology, and Logistics.
DOD core business mission: Financial Management;
Description: This mission includes the provision of accurate and
reliable financial information in support of the planning, programming,
budgeting, and execution process to ensure adequate financial resources
for warfighting mission requirements. It also includes providing
information to reliably cost the conduct, output, and performance of
DOD operations and missions, and the programs to support them;
Principal Staff Assistants: Under Secretary of Defense (Comptroller).
Source: DOD.
[End of table]
Table 4 provides descriptions of the business enterprise priorities.
According to the department, these business enterprise priorities will
evolve and expand in future versions of the architecture.
Table 4: Business Enterprise Priorities:
Business Enterprise Priority: Personnel Visibility;
Description: Providing access to reliable, timely, and accurate
personnel information for warfighter mission planning.
Business Enterprise Priority: Acquisition Visibility;
Description: Providing transparency and access to acquisition
information that is critical to supporting life-cycle management of the
department's processes for delivering weapons systems and automated
information systems.
Business Enterprise Priority: Common Supplier Engagement;
Description: Aligning and integrating policies, processes, data,
technology, and people to simplify and standardize the methods that DOD
uses to interact with commercial and government suppliers.
Business Enterprise Priority: Materiel Visibility;
Description: Improving supply chain performance.
Business Enterprise Priority: Real Property Accountability;
Description: Acquiring access to real-time information on DOD real
property assets.
Business Enterprise Priority: Financial Visibility;
Description: Providing immediate access to accurate and reliable
financial information that will enhance efficient and effective
decision making.
Source: DOD.
[End of table]
In addition to focusing the scope of version 3.0 of the architecture on
these priorities within the five core business missions, the extent to
which each priority was to be addressed, according to DOD, was limited
to answering four key groups of questions:
* Who are our people, what are their skills, and where are they located?
* Who are our industry partners, and what is the state of our
relationship with them?
* What assets are we providing to support the warfighter, and where are
these assets deployed?
* How are we investing our funds to best enable the warfighting mission?
To produce a version of the architecture within this scope, DOD created
12 of the 26 recommended products included in the DOD Architecture
Framework--the structural guide that the department has established for
developing an architecture[Footnote 28]--including 7 products that the
framework designates as "essential." For example, one essential product
is the Operational Node Connectivity Description--a graphic showing
"operational nodes" (organizations), including a depiction of each
node's information exchange needs.
On March 15, 2006, DOD released version 3.1 of the business enterprise
architecture. According to program officials and our review of program
documentation, version 3.1 is a minor release and--similar to version
3.0--addresses enterprise-level business and strategic plans, goals,
objectives, and strategies. Program officials also noted that version
3.1 continues to be an outcome-based architecture that is focused on
six business enterprise priorities within DOD's five core business
missions, and that this version was developed following the same
methodology and architectural framework as version 3.0. Program
officials stated that the next release (version 4.0) will be similar to
version 3.1, because it will also be a minor release.
Fiscal Year 2005 National Defense Authorization Act Requirements:
Congress included six provisions in the Act[Footnote 29] that are aimed
at ensuring DOD's development of a well-defined business enterprise
architecture and associated enterprise transition plan, as well as the
establishment and implementation of effective investment management
structures and processes. The requirements are as follows:
(1) Develop a business enterprise architecture that:
* includes an information infrastructure that, at a minimum, would
enable DOD to:
- comply with all federal accounting, financial management, and
reporting requirements;
- routinely produce timely, accurate, and reliable financial
information for management purposes;
- integrate budget, accounting, and program information and systems;
and
- provide for the systematic measurement of performance, including the
ability to produce timely, relevant, and reliable cost information;
* includes policies, procedures, data standards, and system interface
requirements that are to be applied uniformly throughout the
department; and
* is consistent with OMB policies and procedures.
(2) Develop a transition plan for implementing the architecture that
includes:
* an acquisition strategy for new systems needed to complete the
enterprise architecture;
* a list and schedule of legacy business systems to be terminated;
* a list and strategy of modifications to legacy business systems; and
* time-phased milestones, performance metrics, and a statement of
financial and non-financial resource needs.
(3) Identify each business system proposed for funding in DOD's fiscal
year budget submissions and include:
* information on each business system proposed for funding in that
budget;
* funds for current services and for business systems modernization;
and
* the designated approval authority for each business system.
(4) Delegate the responsibility for business systems to designated
approval authorities within the Office of the Secretary of Defense.
(5) Require each approval authority to establish investment review
structures and processes, including a hierarchy of IRBs--each with
appropriate representation from across the department. The review
process must cover:
* review and approval of each business system by an IRB before funds
are obligated;
* at least an annual review of every business system investment;
* use of threshold criteria to ensure an appropriate level of review
and accountability;
* use of procedures for making architecture compliance certifications;
* use of procedures consistent with DOD guidance; and
* incorporation of common decision criteria.
(6) Effective October 1, 2005, DOD may not obligate appropriated funds
for a defense business system modernization with a total cost of more
than $1 million unless the approval authority certifies that the
business system modernization:
* complies with the business enterprise architecture;
* is necessary to achieve a critical national security capability or
address a critical requirement in an area such as safety or security;
or
* is necessary to prevent a significant adverse effect on an essential
project in consideration of alternative solutions, and the
certification is approved by the DBSMC.
Recent Review Indicates DOD Has Begun to Address Long-standing
Weaknesses in Institutional Approach to Business Systems Modernization:
Between May 2001 and July 2005, we reported on DOD's efforts to
develop an architecture and to establish and implement effective
investment management structures and processes.[Footnote 30] These
reports identified serious problems and concerns about the department's
architecture program, the quality of the architecture and the
transition plan, and the lack of an investment management structure and
controls to implement the architecture. To address these concerns, we
made 34 recommendations to ensure that the architecture was
well-defined, managed, and implemented.
In response to our recommendations and requirements in the Act and as
described in the previous section, in 2005 DOD fundamentally changed
its institutional approach to architecture development, management, and
implementation. Consistent with our recommendations, DOD has also
adopted an incremental approach to developing a purpose-driven and
standards-based enterprise architecture, and it has established a
tiered accountability structure through a hierarchy of investment
oversight and decision-making entities for reviewing and approving
business system investments.
In November 2005,[Footnote 31] we reviewed DOD's efforts to satisfy the
six requirements cited in the Act. In our report and in
testimony,[Footnote 32] we stated that DOD had partially satisfied the
four legislative requirements relating to architecture development,
transition plan development, budgetary disclosure, and investment
review; it had satisfied the provision concerning designated approval
authorities; and it was in the process of satisfying the provision for
certification and approval of modernizations costing in excess of $1
million. We concluded that the department had made important progress
in establishing the kind of fundamental management structures and
processes that are needed to correct the long-standing and pervasive IT
management weaknesses that have led to our designation of DOD business
systems modernization as a high-risk program, and that this progress
provided a foundation on which to build. However, we also concluded
that much more remained to be accomplished to fully satisfy the Act's
requirements and address the department's IT management weaknesses,
particularly with regard to sufficiently developing the enterprise
architecture and transition plan and ensuring that investment review
and approval processes are institutionally implemented.
DOD Is Taking Steps to Address Act's Requirements and Improve Approach
to Modernizing Business Systems:
DOD continues to take incremental steps to comply with the remaining
five requirements of the Act and improve its business systems
modernization approach. On March 15, 2006, DOD released a minor update
to its business enterprise architecture (version 3.1), developed an
updated enterprise transition plan, and issued its annual report to
Congress describing steps taken and planned relative to the Act's
requirements, among other things. These steps address several of the
missing elements we previously identified relative to the legislative
provisions concerning the architecture, transition plan, budgetary
disclosure, investment review, and the reviews of systems costing in
excess of $1 million. DOD officials told us that additional steps are
intended to fully implement the Act's requirements and address our
prior concerns. According to program officials, this continued progress
is a reflection of DOD leadership's commitment to effective business
systems modernization. While this progress better positions the
department to address the business systems modernization high-risk
area, sustained leadership is essential to further improve its
modernization approach, fully address the Act's requirements, and
ultimately acquire and implement modernized business systems.
DOD Continues to Address Limitations in Prior Version of Architecture:
Version 3.1 of the business enterprise architecture, according to DOD's
most recent annual report to Congress, resolves several of the
architecture gaps identified in the prior version and introduces
several other minor improvements, but it does not include major content
changes. This version reflects steps taken by DOD to address some of
the missing elements, inconsistencies, and usability issues that we
identified in our prior report[Footnote 33] related to the Act's
requirements and related architecture guidance. According to DOD
officials, they are committed to incrementally evolving the
architecture's scope, content, internal alignment, and usability. Until
they do, however, the architecture's utility will be limited.
With regard to complying with federal accounting, financial management,
and reporting requirements, the architecture has much of the
information needed to achieve compliance with the Department of the
Treasury's United States Standard General Ledger,[Footnote 34] such as
the data elements or attributes that are needed to facilitate
information sharing and reconciliation with the Treasury. In addition,
the SFIS,[Footnote 35] which includes a standard accounting
classification structure, can allow DOD to standardize financial data
elements necessary to support budgeting, accounting, cost management,
and external reporting; it also incorporates many of the Standard
General Ledger's attributes.
Further, version 3.1 provides new business rules for intra-governmental
transactions[Footnote 36] that can be automated to enforce compliance
with federal accounting, financial management, and reporting
requirements. For example, version 3.1 includes the intra-governmental
transactions business rule
"ENT_Available_Reimbursable_Authority"[Footnote 37] to enforce
compliance with a Generally Accepted Accounting Principle standard that
funds to be paid can be received. Business rules are important because
they explicitly translate important business policies and procedures
into specific, unambiguous rules that govern what can and cannot be
done.
However, version 3.1 does not yet address the locations where specified
activities are to occur and where the systems are to be located.
Program officials agreed; however, they stated that the architecture is
not intended to include this level of detail because it is
capabilities-based rather than solutions-based, and they said that this information
will be contained either within the department's Global Information
Grid[Footnote 38] or in individual systems' program documentation. As
previously reported,[Footnote 39] we do not agree that information
pertaining to locations is only germane to the solutions-based
architectures, and the explicit linkage between the business enterprise
architecture and Global Information Grid is not apparent. The
identification of operationally significant and strategic business
locations, as well as the need for a business logistics model, is a
generally accepted best practice for defining the business operations
of an architecture.[Footnote 40] This is because the cost and
performance of implemented business operations and technology solutions
are affected by the location and therefore need to be examined,
assessed, and decided on in an enterprise context rather than in a
piecemeal, systems-specific fashion.
In addition, the architecture does not provide for compliance with all
federal accounting, financial, and reporting requirements. For example,
it does not apply the concept of tiered accountability to identify
which laws, policies, and regulations are relevant at the enterprise
level. Until it does, the department cannot effectively identify
overlaps in IT spending by the components[Footnote 41] and programs for
common functions or enterprise requirements. In addition, some business
rules are at inconsistent levels of detail within the architecture. For
example, some business rules are defined in high-level conceptual terms
(e.g., "ENT_Cost_Reporting") while others are defined more specifically
at an operational level (e.g., "ENT_DOD_Obligations_Against"). Until
standard enterprise-level operational rules are defined and developed,
DOD components will continue to implement operational procedures that
are inconsistent because they are based on their own unique
interpretations of the laws, policies, and regulations.
With regard to timely, accurate, and reliable financial information for
management purposes, we reported in November 2005[Footnote 42] that
SFIS had not been completed or implemented and that the architecture
had yet to include standard definitions of key terms in the
architecture--such as all enterprise-level terms. Since then, the
department has completed phase I of the SFIS initiative, which is
focused on standardizing general ledger and external financial
reporting requirements, and has incorporated associated definitions in
the architecture. In addition, the department continues to evolve the
integrated dictionary and include definitions and descriptions of many
terms used in the architecture. For example, the integrated dictionary
in version 3.1 includes a business enterprise priority dictionary from
which it is easy to find descriptions of business priorities such as
"acquisition visibility," "common supplier engagement," and "financial
visibility." Further, version 3.1 provides additional compliance based
on modifications to intra-governmental transaction concepts (e.g., a
standard capability for creating and routing requisitions, purchase
orders, billings, payments, and collections) to provide enhanced
visibility to buying and selling transactions between entities of the
federal government. This enhanced visibility facilitates easy access to
information about intra-governmental transactions, thereby supporting
the requirement to routinely produce timely information.
However, additional SFIS definition efforts remain under way, and the
department plans to further define key data elements and attributes
that are not yet in the architecture. For example, according to program
officials, data elements--such as those relating to the planning,
programming, and budgeting business process area--have yet to be
defined. According to DOD, these data elements will be in the next
version of the architecture. Further, although the integrated
dictionary contains definitions of many terms (e.g., business
capabilities, data objects, and system functions), it has yet to
contain definitions of key accounting and budget terms such as "balance
forwarded" and "receipt balances" that are used in the description of
the data object termed "Receipt Account Trial Balance and Ledgers."
According to DOD's architecture framework, the integrated dictionary
should enable the set of architecture products to stand alone, allowing
them to be read and understood with minimum reference to outside
resources. Program officials agreed and stated that both the SFIS and
the integrated dictionary will evolve and be incorporated into future
releases.
Moreover, version 3.1 does not identify and explicitly define all
business rules that would enable the financial information to be
verified and validated on the basis of timeliness, accuracy, and
reliability. For example, although a United States Standard General
Ledger transaction library[Footnote 43] was developed, its use as a
business rule in a business process model--or an enabler to an
operational activity to verify and validate the accuracy of transaction
postings (or the relationships among transactions)--is not explicitly
defined and identified in version 3.1. In addition, architectural
elements that are identified and intended to address this requirement
are not always well defined. For example, "review and certify financial
statement" is identified as a process in the integrated dictionary, but
depicted as an operational event in the process labeled "perform
financial reporting" in the operational event-trace description
product, which indicates when activities are to occur within
operational processes. In addition, "perform financial reporting" is
identified as both an event and a process in the integrated dictionary.
Beyond these definitional ambiguities, identified business rules are
not always allocated to specific systems in the architecture. For
example, business rules are not allocated to the Business Enterprise
Information Services--an enterprise-level automated reporting system
intended to provide timely, accurate, and reliable business information
across the department to support auditable financial statements and
provide detailed financial information visibility for management in
support of the warfighter; and to integrate budget, accounting, and
program information that is widely dispersed among systems and
organizations across the department. Such limitations constrain the
utility and effectiveness of the architecture in guiding and
constraining system development.
With regard to the integration of budgeting, accounting, and
programming information and systems, we reported in November
2005[Footnote 44] that the architecture did not include certain
elements--such as a fully defined and implemented SFIS--and all systems
needed to achieve integration. According to DOD, version 3.1
incorporates 59 SFIS phase 1 data elements and 109 business rules. In
addition, this version provides content relevant to the integration of
intra-governmental transaction functionality for reimbursable orders,
which is important in addressing the financial visibility and common
supplier engagement business enterprise priorities. This functional
integration can lead to the simplification of system and data
integration. Nevertheless, version 3.1 does not specify all systems
needed to achieve integration, as evidenced by instances in which the
architecture provides "placeholders" or generic references for
yet-to-be-defined systems (e.g., Financial Management System Entity). Program
officials agreed and stated that these systems would be added as
solutions are defined to address identified capability gaps.
In addition, although version 3.1 includes separate entity relationship
diagrams for the accounting, budget, and cost functional areas, it does
not describe the relationships of entities across the planning,
programming, budgeting, and execution process. According to the
architecture's overview and summary information, this overall business
process has yet to be fully developed, including definition around the
interdependencies that currently exist in the "As Is" planning,
programming, budgeting, and execution process. As a result, the
architecture does not yet support effective development of planning,
programming, budgeting, and execution systems.
With respect to the systematic measurement of performance--including
the ability to produce timely, relevant, and reliable cost
information--version 3.1 adds features linking the architecture business
capabilities to systems and initiatives in the transition plan. For
example, the architecture indicates that the business capability termed
"financial reporting" will be enabled by the Business Enterprise
Information Services system. These linkages provide an alignment of
system investments with the architecture and thus can be used to
establish business performance measures for system investments. In
addition, the department has developed an initial baseline of
capability metrics in the updated transition plan, which according to
program officials will be used to measure progress towards achieving
capability outcomes.
However, version 3.1 still does not provide for the systematic
measurement of performance (i.e., the means by which the department can
measure the intended mission value to be delivered by the portfolio of
programs in the architecture). The architecture also does not include
standard methods to collect and evaluate performance data, and SFIS data
elements that support systematic measurement of performance have yet to
be developed. Program officials acknowledged this missing content and
stated that they plan to include measurements and targets in future
releases.
In addition, version 3.1 does not describe business performance
shortfalls to be addressed based on a capability gap analysis between
the "As Is" and the "To Be" environments. Program officials stated that
such performance shortfalls, such as the inability to properly
eliminate intra-governmental transactions, are being identified through
a variety of sources (e.g., Inspector General and DOD Performance and
Accountability reports along with our own reports). However, they
agreed that there is a need to synthesize and prioritize these inputs
so that a better understanding can be obtained on the performance
shortfalls that have to be addressed through the "To Be" solutions.
With respect to policies, procedures, data standards, and system
interface requirements, version 3.1 requires that SFIS be established
as an enterprisewide data standard for categorizing financial
information along several dimensions (e.g., appropriation account,
budget program, organizational, transactional, trading partner, and
cost accounting) to support financial management and reporting
functions. Further, version 3.1 adds greater definition on standard
processes, rules, and data for intra-governmental ordering and billing.
However, as stated earlier, SFIS data elements have not been completely
defined and continue to evolve. In addition, the architecture has yet
to include a systems standards profile to facilitate data sharing among
departmentwide business systems and interoperability with
departmentwide IT infrastructure systems. Program officials
acknowledged that the architecture does not include a systems standards
profile and stated that they are working with the Assistant Secretary
of Defense (Networks and Information Integration)/Chief Information
Officer (ASD(NII)/CIO) to address this in future versions.
With regard to OMB policies and procedures, similar to version 3.0, the
latest version does not include a depiction of the "As Is"
architecture, which is essential to performing a gap analysis to
identify capability and system performance shortfalls that the
transition plan is to address. Also, it does not include either an "As
Is" or "To Be" depiction of all business processes, such as key aspects
of the planning, programming, budgeting, and execution processes; the
technology infrastructure; and security architecture. In response,
program officials stated that "As Is" environment analyses and
definitions have occurred and are planned on an "as needed" and
"just enough" basis. For example, they described "As Is" analysis and
definition that has occurred at the system level for several of the
enterprise-level systems (e.g., DOD Real Property Information Systems),
and work under way to further understand the interdependencies that
exist in the current planning, programming, budgeting, and execution
business process as an essential part of developing the "To Be"
description of this process. While the "As Is" description is not
included in versions 3.0 and 3.1, according to a program official, the
"As Is" work is in fact now being used to perform a business capability
gap analysis and guide transformation based on the current set of
priorities. In our view, the issue is not whether each architecture
release includes all of the elements of an "As Is" environment, but
that the releases disclose at a minimum the "As Is" analyses that have
and that have not been performed. It is also our view that DOD
should describe in the architecture releases the importance or
irrelevance of "As Is" analyses to the systems and initiatives in the
enterprise transition plan and the operational activities and business
processes in the target architecture.
In addition to these areas, version 3.1 has also yet to address other
limitations we previously reported. Specifically:
* Version 3.1 products are not yet fully integrated. For example, the
operational event-trace description product--which indicates when
activities are to occur within operational processes--is decomposed to
a greater level of detail than the corresponding operational activity
model, which shows the operational activities (or tasks) that are to
occur and the input and output process flows among these activities.
Program officials acknowledged this and stated that they are working to
improve the operational activity models for several business enterprise
priorities (e.g., Personnel Visibility and Financial Visibility). In
particular, the updated transition plan identifies business capability
outcome metrics for additional operational activities, such as "Manage
Vacancy Recruiting."
* Version 3.1 is not yet adequately linked to the component
architectures and transition plans, which is particularly important
given the department's federated approach to developing and
implementing the architecture. As we previously reported, a federated
architecture is composed of a set of coherent but distinct entity
architectures. The members of the federation collaborate to develop an
integrated enterprise architecture that conforms to the enterprise view
and to the overarching rules of the federation. In its March 15, 2006,
report to Congress, the department stated that integration will be an
ongoing goal. To accomplish this goal, program officials told us that a
federation strategy is being developed and will be implemented in
future versions of the architecture and transition plan. However, they
did not have an enterprise architecture development management plan
containing this strategy.
As we previously reported, the department has taken a 6-month
incremental approach to developing the business enterprise architecture
and meeting the Act's requirements. DOD officials told us that, as a
minor release, version 3.1 was not intended to include new priorities
or capabilities; but instead was intended to provide extension and
"clean up" of the preceding release. They further stated that this
approach of developing minor releases provides the department the means
by which to balance architecture maintenance and implementation.
We support DOD taking an incremental approach to developing the
business enterprise architecture, recognizing that adopting such an
approach is a best practice that we have advocated. In addition, we
believe that version 3.1 provides an improved foundation on which to
continue to build a more complete architecture.
However, although the department agreed to develop a near-term plan, it
has not yet developed or established milestones for developing a near-
or a long-term plan that will provide details on what will be included
in these incremental architecture developments and what will not be
included, with particular emphasis and clarity around the near-term
increments. Without such a plan, the department is less likely to
accomplish intended improvements. In addition, once the missing scope
and content are added and the related shortcomings described are
addressed, the architecture
will be a more sufficient frame of reference to optimally guide and
constrain DOD-wide system investment decision making.
DOD Has Made and Intends to Make More Improvements to Transition Plan:
According to the department's most recent annual report to Congress,
the March 15, 2006, version of its enterprise transition plan provides
information on progress on major investments over the last 6 months--
including key accomplishments and milestones attained, as well as new
information on near-term activities (i.e., within the next 6 months) at
both the enterprise and component levels. DOD also reports that this
latest version of the transition plan indicates which of the
limitations and gaps that we identified in the earlier plan have been
addressed. DOD has taken a number of steps to improve its enterprise
transition plan and address some of the missing elements that we
previously identified[Footnote 45] relative to the Act's requirements
and related transition planning guidance.
With respect to the development of an acquisition strategy, the March
2006 transition plan refines and updates the September 2005 transition
plan. As we previously reported, the September 2005 transition plan was
largely based on a bottom-up planning process in which ongoing programs
were examined and categorized in the plan around business enterprise
priorities and capabilities, including a determination as to which
programs would be designated and managed as DOD-wide programs versus
component programs. To improve on this plan, the department defines an
initiative that is based on shortfalls of current business
capabilities. For example, version 3.1 of the architecture includes an
initiative--referred to as the intra-governmental transactions
initiative--that was based on a current "As Is" business capability
shortfall relative to DOD's ability to properly eliminate intra-
governmental transactions. This shortfall was highlighted as a material
weakness in DOD's Fiscal Year 2005 Performance and Accountability
Report.
DOD continues to validate the inventory of ongoing IT investments that
formed the basis for the prior version of the transition plan.
Specifically, DOD intends future updates to the plan to continue to
introduce the results of ongoing and planned analyses of gaps between
its "As Is" and "To Be" architectural environments, in which capability
and performance shortfalls are described and investments (such as
transformation initiatives and systems) that are to address these
shortfalls are clearly identified. In fact, DOD officials stated that
they anticipate the scope and funding of some on-going programs in the
plan--such as the Defense Integrated Military Human Resources System
and the intra-governmental transactions initiative--to be revised to
align them to achieve a desired business capability. Program officials
stated that this evolution of the plan will be driven by (1)
identifying gaps between the architecture requirements and currently
planned program activities and (2) planning new systems and initiatives
to address gaps identified in priorities, capabilities, and existing
program activities. In particular, DOD plans to identify gaps (i.e.,
shortfalls) in the performance of its business capabilities in the next
version of the architecture and, as transformation efforts mature, DOD
will introduce a more top-down, capability-based approach.
With respect to the identification of legacy systems that will and will
not be part of the "To Be" architectural environment, including
modifications to these systems, the prior plan identified some, but not
all, of these systems. To address this limitation, the current plan
identifies a number of additional legacy systems that will be
terminated and thus will not be part of the target environment. For
example, the plan now includes a number of recently determined
termination dates for systems such as the Cash Reconciliation System,
Financial Reporting System, and Navy Prompt Payment Interest.
Furthermore, in its annual report to Congress, DOD noted that the
military services collectively have identified over 290 legacy systems
for elimination. DOD also indicated that this number is expected to
change over time as more systems come in for certification and
enterprise solutions are identified and refined. Moreover, the plan now
reflects legacy systems identified to date for enterprise and component
priorities and, according to officials, the list will continue to
evolve as investment decisions are made via the tiered accountability
investment review structure. For example, the Air Force has reassessed
the systems migrating to the target Expeditionary Combat Support
System, and this is reported in the March 2006 plan. Program officials
noted that this number will fluctuate as the scope of the Expeditionary
Combat Support System changes.
The March 2006 transition plan, however, does not yet include a number
of the elements we have previously identified.
* It does not include a complete listing of the legacy systems that
will not be part of the target architecture. In particular, the
termination dates for many legacy systems remain unknown, making it
unclear whether or not they will be part of the target environment. For
example, the plan does not provide specific dates for terminating
legacy systems such as the Personnel Records Management System, Defense
Departmental Reporting System, and Base Accounts Receivable System.
* The plan does not include system and budget information for 13 of its
15 defense agencies[Footnote 46] and for 8 of its 9 combatant
commands.[Footnote 47] Program officials told us that information for
these defense agencies and combatant commands is not included because,
similar to the September plan, it was focused on the largest business-
focused organizations in DOD, which they defined as those meeting tier
1 and tier 2 IRB certification criteria.[Footnote 48] According to the
officials, the majority of these organizations do not have investments
that meet the threshold criteria. Nevertheless, they added that
additional components will be added as appropriate when they have large
business system investments planned. They also stated that the Defense
Information Systems Agency's IT infrastructure investments will not be
reflected in the enterprise transition plan because the capabilities
that these investments are intended to deliver are reflected in the
Global Information Grid rather than in the business enterprise
architecture. As we previously reported,[Footnote 49] exclusion of
Defense Information Systems Agency investments is particularly
limiting, given that this agency and its investments provide the
infrastructure services that business systems depend on to operate.
Without including information on the timing and content of these
investments, the critical relationship between infrastructure and
systems becomes blurred in many ways. For example, it becomes unclear
whether a new business system will be able to reuse existing
infrastructure components or services--thereby leveraging established
capabilities--or whether it will have to introduce duplicative
capabilities as part of the business system investment.
* The plan does not include a complete listing of the legacy systems
that will be part of the target architecture, nor does it include
explicit strategies for modifying those legacy systems identified in
the plan's system migration diagrams. In particular, the plan
identifies those legacy systems for which some of their functionality
will be migrated; however, it does not indicate whether or not these
systems will still be operational in the "To Be" environment or will
eventually be terminated. For example, although the plan identifies the
Cargo Movement Operations System as one where the functionality will
only be partially migrated, neither the plan nor version 3.1 of the
architecture indicates whether this system will continue to be a part of
the target environment.
With respect to milestones, performance metrics, and resource needs,
the plan identifies incremental milestones and resource needs for major
investments and performance metrics for certain investments. The plan
also identifies progress against program milestones that were depicted
in the September 2005 plan. For example, in an effort to improve
visibility into personnel activities, DOD reported that, for the
Defense Civilian Personnel Data System, it met the milestone to deploy
a data warehouse capability to facilitate data sharing. It also
reported that, for this system, it has set a September 2008 milestone
for developing an implementation strategy for integrating modules
supporting functionality that is currently provided by stand-alone
applications. However, it does not include other important information
needed to understand the sequencing of these business investments. In
particular, it does not include such information as organizational,
process, and technology improvements required to achieve identified
milestones. In addition, if an investment is dependent on Net-Centric
Enterprise Services (NCES)[Footnote 50] for its core services, it
should include the above information in establishing its deployment
milestone and detail any issue associated with the incremental
deployment of the NCES program.
Beyond these areas, the March 2006 plan has yet to completely define
specific business capabilities that are needed to support the business
enterprise priorities. For example, according to DOD, the Materiel
Visibility business enterprise priority requires additional
capabilities related to the supply chain planning process, but neither
these capabilities nor associated investments were in the plan. Program
officials agreed and stated that future versions of the architecture
and the transition plan will address the supply chain planning process,
as well as other yet-to-be-identified process requirements (i.e.,
capability gaps).
As we previously reported, the department is taking an incremental
approach to developing its enterprise transition plan. In doing so, the
department's latest plan improves on the prior plan, and program
officials stated that many of the missing elements that we identified
will be included in future iterations of the plan. This incremental
approach is both a best practice and is consistent with our previous
recommendation. However, the latest plan is still missing important
content and the department has yet to develop or establish milestones
for developing a near- or a long-term plan that will provide details on
what will be included in each incremental iteration of the enterprise
transition plan, with particular emphasis and clarity focused on the
near-term increments. Without such a plan, the department is less
likely to accomplish intended improvements. A transition plan is to be
an acquisition strategy that recognizes timing and technological
dependencies among planned systems investments, as well as other
considerations, such as market trends and return on investment. The
plan should enable the department to affirm that the set of programs in
the plan are the appropriate ones to fill the gap between where it is
now architecturally and where it wants to be. In addition, the plan
should not only define schedule milestones but also include commitments
for system capabilities and associated outcomes. Once missing content
is added and all planned investments are validated by capability gap
analyses, the department will be better positioned to sequentially
manage the migration and disposition of existing business processes and
systems--and the introduction of new ones.
DOD Is Addressing Issues Related to Reporting Business Systems:
DOD has taken steps to meet the Act's requirements[Footnote 51]
relative to the identification of all business systems in its IT budget
request. In particular, program officials told us that the DOD
Information Technology Portfolio Repository (DITPR) has been
established as the authoritative repository for certain information
about DOD's systems, such as system names and the responsible DOD
components. Further, this repository is being expanded to contain
information required for the certification, approval, and annual
reviews of these business system investments. To ensure consistency of
DOD's fiscal year 2007 IT budget submission with this authoritative
inventory, DOD has reconciled (and intends to continue reconciling)
DITPR with the database that it uses to prepare its IT budget
submissions, referred to as Select and Native Programming Data System-
Information Technology (SNAP-IT). According to program and military
service officials, DOD is taking steps to ensure that each system
investment is entered in DITPR and SNAP-IT, as appropriate, and it is
continually reconciling the information between the two to ensure
consistency.
To further improve the completeness and reliability of the fiscal year
2007 IT budget request, program officials told us that business system
investments greater than $1 million were broken out individually, but
that more needs to be done before smaller systems--those with
modernization funding less than $1 million over the future years'
defense program (fiscal years 2006-2011)--are individually visible in
the budget. DOD's steps should help ensure the completeness and
reliability of its IT budget submissions, and increase compliance with
the Act's requirements relative to DOD's IT budgetary disclosure.
DOD Has Efforts Under Way to Control its Business System Investments:
The Act specifies two basic requirements, effective October 1, 2005,
for obligation of funds for business system modernizations costing more
than $1 million. First, it requires that these modernizations be
certified by a designated "approval authority"[Footnote 52] as meeting
specific criteria.[Footnote 53] Second, it requires that the DBSMC
approve each certification. The Act also states that failure to do so
before the obligation of funds for any such modernization constitutes a
violation of the Anti-deficiency Act.[Footnote 54] In this regard, the
department reported in September 2005 that the DBSMC had approved 166
business system modernizations, and in March 2006 that an additional 60
business systems were approved by the DBSMC. According to DOD, these
226 business systems represent about $3.6 billion in modernization
investment funding.
A key element of the department's approach to reviewing and approving
business systems investments is the use of what it refers to as "tiered
accountability." DOD's tiered accountability approach involves an
investment control process that begins at the component level and works
its way through a hierarchy of review and approval authorities,
depending on the size and significance of the investment. In our
discussions with Army, Navy, and Air Force officials, they emphasized
that the success of the process depends on them to perform a thorough
analysis of each business system before it is submitted for higher-
level review and approval.
According to the department's March 2006 report, the investment review
and approval process has identified over 290 systems for phase-out/
elimination. Furthermore, in January 2006, the department eliminated
further development of the Forward Compatible Payroll System (FCP).
According to the department's fiscal year 2007 budget request selected
capital investment report, FCP was intended to address the military pay
problems that are generated by the existing obsolete military pay
system. However, in reviewing the program status, it was determined
that FCP would duplicate the functionality contained in the Defense
Integrated Military Human Resources System. Therefore, it was
unnecessary to continue investing in two military payroll systems.
According to the department's fiscal year 2007 IT budget request,
approximately $33 million was sought for fiscal year 2007 and about $31
million was estimated for fiscal year 2008 for FCP. Eliminating this
duplicative system will enable DOD to use this funding for other
priorities. The funding of multiple systems that perform the same
function is one reason the department has thousands of business
systems. Identifying and eliminating duplicative systems helps optimize
mission performance and accountability and supports the department's
transformation goals.
The department's March 2006 report to congressional defense committees
also notes that the investment review process has identified
approximately 40 business systems for which the requested funding was
reduced and the funding availability periods were shortened to less
than the number of years requested. Based on information provided by
the BTA program officials, there was a reduction of funding and the
number of years that funding will be available for 14 Army business
systems, 8 Air Force business systems, and 8 Navy business systems.
More specifically, the Army's Future Combat Systems Advanced
Collaborative Environment program requested funding of $100 million for
fiscal years 2006 to 2011, but the amount approved was reduced to
approximately $51 million for fiscal years 2006 to 2008. Similarly,
Navy's Military Sealift Command Human Resources Management System
requested funding of about $19 million for fiscal years 2006 to 2011,
but the amount approved was approximately $2 million for the first 6
months of fiscal year 2006. According to Navy officials, this system
initiative will be reviewed to ascertain whether it has some of the
same functionality as the Defense Civilian Personnel Data System.
Funding system initiatives for shorter time periods can help reduce the
financial risk by providing additional opportunities for monitoring a
project's progress against established milestones and help ensure that
the investment is properly aligned with the architecture and the
department's overall goals and objectives.
Besides limiting funding as part of the investment review and approval
process, this process is also resulting in conditions being placed on
system investments. These conditions identify specific actions that
must be taken and the specific time frames attached to when the actions
must be completed. For example, in the case of the Army's Logistics
Modernization Program, a system initiative that we have previously
reported on, one of the noted conditions was that the Army had to
address the issues discussed in our report.[Footnote 55] In our May
2004 report, we recommended that the department establish a mechanism
that provides for tracking all business systems modernization
conditional approvals to provide reasonable assurance that all specific
actions are completed on time.[Footnote 56] The department's action is
consistent with the intent of our recommendation. Further, the military
service officials indicated that the tracking systems will be one of
the "tools" they will use as part of the required statutory annual
system reviews. In the case of the Army, officials noted that they had
requested an update on the status of each condition by April 7, 2006.
Notwithstanding the above described efforts to control the department's
business system investments, formidable challenges remain. In
particular, military service officials told us that the review of those
business systems that have modernization funding of less than $1
million represents the majority of the department's reported 3,717
business systems, and that reviews of these systems are only now being
started on an annual basis. In April 2006, the department issued
guidance entitled "Investment Certification and Annual Review Process
User Guidance," which complements the department's May 2005 guidance on
its IRB process. According to Air Force officials, the additional
guidance is intended to help ease the administrative burden associated
with performing the system reviews and further instill consistency
among the DOD components. However, the extent to which the structures
and processes will be applied to the department's 3,717 business
systems is still evolving. Given the large number of systems involved,
it is important that the system review and approval process be
effectively implemented for all systems. For example, we reported in
April 2005,[Footnote 57] that the Army, the Navy, and the Air Force
have 193; 1,512; and 166 logistics systems, respectively. Such large
numbers of systems indicate a real possibility for eliminating
unnecessary duplication and avoiding unnecessary spending.
DOD Has Not Established All Required Investment Review Boards:
The Act directs that DOD establish five IRBs, each responsible and
accountable for controlling certain business system investments to
ensure compliance and consistency with the business enterprise
architecture. Four of the five designated IRBs have been established,
the exception being an IRB chaired by the ASD(NII)/CIO. According to
the Act and the Deputy Secretary of Defense's March 19, 2005,
memorandum, the ASD(NII)/CIO-chaired IRB is responsible and accountable
for any business system that primarily supports IT infrastructure or
information assurance activities. According to ASD(NII)/CIO officials,
this IRB has not been established because the CIO does not have direct
control and accountability over any business systems, thus making this
IRB unnecessary. These officials further noted that if there is
specific infrastructure that would be necessary for a given business
system, a representative of the ASD(NII)/CIO office is a participant in
each of the other four IRBs.
The Act's requirement that modernizations costing more than $1 million
must be certified by a designated "approval authority" and subsequently
approved by the DBSMC prior to funds being obligated not only applies
to any business systems that constitute functional area applications
but also to any infrastructure that constitutes a business system. Our
analysis of the department's detailed fiscal year 2007 budget request
documents disclosed approximately $47 million of infrastructure
modernizations costing more than $1 million that are designated by DOD
in those documents as in support of the business mission area.
Investment in infrastructure is an integral part of both an enterprise
architecture and transition plan, and should, therefore, be subject to
the same investment management structures and processes as the
application systems that they support.
DOD Is Implementing Our Prior Recommendations:
The Act's requirements concerning the architecture, transition plan,
budgetary disclosure, and investment management structures and
processes--as discussed earlier--are consistent with our prior
recommendations. Over the last 5 years, we have made 34 recommendations
to assist the department in developing a well-defined and useful
business enterprise architecture and using it to gain control over its
ongoing business system investments. (See app. II for details on the
status of our recommendations.) DOD agreed with our recommendations and
stated its commitment to implement them. Of the 34 recommendations, DOD
had taken steps to fully implement 4 and 29 of our recommendations were
still open as of November 2005, meaning that DOD had yet to fully
implement them.[Footnote 58]
In its March 15, 2006, annual report to Congress, DOD restated its
commitment to address each of the remaining 29 open recommendations. It
also reported that it had fully implemented 23 of the open
recommendations and was in the process of implementing 6.
In taking steps to further comply with the Act, DOD has also taken (and
continues to take) actions to implement our open recommendations. Of
the 29 remaining recommendations, DOD has taken steps to fully
implement 16 and is in the process of implementing the remaining 13.
For example, DOD has fully acted on our recommendations to:
* issue a policy that directs the development, implementation, and
maintenance of an architecture and
* establish a hierarchy of IRBs to gain control over ongoing IT
investments.
DOD is also taking steps related to, for example, our recommendations
to develop an architecture program management plan and adopt a
strategic approach to meeting the program's human capital needs.
However, additional steps are needed to fully implement these
recommendations.
* The department included a high-level, notional description of steps
it plans to take over the next year related to architecture
development, maintenance, and implementation. Program officials also
described in broad terms these plans orally to us. In particular, the
department intends to define and implement a metrics framework to
measure results in terms of operational performance improvement, add
scope and content to the architecture in 6-month increments, and define
and use criteria to gauge investment compliance with the architecture.
However, the department has yet to develop an enterprise architecture
program management plan to describe, among other things, what the
architecture and transition plan increments individually or
collectively will include and not include, and how the quality and
utility of these increments will be determined.
* Program officials told us that they have begun analyzing the
architecture program's workforce needs and capabilities using a
three-phase approach. Phase I--which according to DOD is complete--resulted
in the development of a knowledge and skills model for the program's
architecture and transition plan staff. The second phase is in
progress--according to DOD--and involves identifying and assessing the
knowledge and skills of the existing architecture and transition plan
staff. According to program officials, this phase will set overall
program needs and provide the basis for identifying gaps and
recommendations for filling the gaps. Phase III will implement the
recommendations. According to DOD, it has not yet established
milestones for Phase III.
Program officials, including the Special Assistant to the Deputy Under
Secretary of Defense (Business Transformation) and the Director of
Transformation Planning and Performance, stated that the department is
committed to addressing all of our open recommendations. However, the
department has yet to establish milestones for addressing all our
recommendations. It is important that the department move swiftly in
doing so because these recommendations are aimed at strengthening
architecture management activities, adding missing content to
architecture products, and controlling ongoing and planned business
system investments. Until it does, the department will not be able to
effectively guide and constrain its business modernization efforts and
move away from non-integrated business systems development efforts.
Conclusions:
Since our last report, DOD has continued to make important progress in
defining and implementing institutional management controls (i.e.,
processes, structures, and tools), but much remains to be accomplished
relative to the National Defense Authorization Act for Fiscal Year 2005
requirements and relevant guidance. In particular, the business
enterprise architecture and the enterprise transition plan are still
missing important content and the business system investment process is
not yet fully established and institutionalized at all organizational
levels. DOD recognizes this and has stated its commitment to
incrementally improve its business systems modernization controls
relative to most of these areas. It is critically important that DOD
swiftly implement our open recommendations, including developing a
well-defined enterprise architecture program management plan, as we have
previously noted and recommended, and the department has agreed to do
so. However, the department has yet to develop this plan or establish
milestones for developing it. Until it does, the likelihood of
sustained incremental improvement to its modernization management
controls will be diminished and the means of holding the department
accountable for such improvement will be missing. Even with this plan
and the associated management control improvements, however, the more
formidable challenge facing the department is how well it can implement
these controls over the years ahead on each and every business system
investment. While not a guarantee, institutionalization of well-defined
modernization management controls can go a long way in addressing this
longer-term challenge.
Recommendations for Executive Action:
To further assist the department in institutionalizing well-defined
business systems modernization management controls, to facilitate
congressional oversight, and promote departmental accountability, we
recommend that the Secretary of Defense direct the Deputy Secretary of
Defense, as the chair of the DBSMC, to submit an enterprise
architecture program management plan to defense congressional
committees. At a minimum, the plan should define what the department's
incremental improvements to the architecture and transition plan will
be, and how and when they will be accomplished, including what (and
when) architecture and transition plan scope and content and
architecture compliance criteria will be added into which versions. In
addition, the plan should include an explicit purpose and scope for
each version of the architecture, along with milestones, resource
needs, and performance measures for each planned version, with
particular focus and clarity on the near-term versions.
Agency Comments and Our Evaluation:
In its written comments on a draft of this report, signed by the Deputy
Under Secretary of Defense (Business Transformation) and reprinted in
appendix III, the department stated that it appreciated our analysis of
its plans and activities and our associated recommendations, adding
that we continue to be a constructive player in the department's
efforts to transform its business operations and that it welcomes our
insights and looks forward to our future participation in its
transformation efforts. The department also stated that our assessment
and findings are a fair representation of DOD's efforts to date, and
while it does not agree with all of our points, it recognizes that even
in areas of disagreement there is opportunity for dialog and learning.
In this regard, the department provided additional comments in two
areas.
First, DOD recognized the importance of addressing our recommendations,
and stated that it has moved aggressively over the past year to do so.
It also stated that it is important that we make recommendations that
are sufficiently specific to permit reasonable implementation and that
we provide prompt feedback on whether DOD's implementation actions are
in line with the recommendations. We agree and will continue to work
proactively and constructively with the department to facilitate the
implementation of the recommendations in the future.
Second, DOD stated that it partially agreed with the recommendation in
the draft report, characterizing it as developing a departmentwide
enterprise architecture program management plan to gain control of the
department's IT environment. According to DOD, such a plan would far
exceed the current scope of business systems modernization, and thus
addressing it would require it to first explore the feasibility of such
a departmentwide approach and more time than our recommended July 31,
2006 date for providing the plan to defense congressional committees.
Accordingly, DOD stated that it would issue a formal position on our
recommendation by September 30, 2006.
We agree that the business enterprise architecture should be
departmentwide in scope and that its content should address, and thus
allow it to gain control of, the department's business IT environment,
which would include both business systems and supporting IT
infrastructure and shared services (e.g., information security).
However, the recommendation in our draft report was not aimed at adding
this scope and content to the architecture and transition plan by July
31, 2006. Rather, it was aimed at developing an incremental plan that
would show what missing scope and content would be added in each
incremental version of the architecture and transition plan to
eventually have an enterprise architecture that addressed the full
scope of the department's business IT environment. The exploration
activities that DOD identifies in its comments would thus be one aspect
of what would be done under this incremental program management plan.
Further, as we recommended, this plan would be much clearer and more
precise with respect to the purpose, scope, and content of the next
version of the architecture and transition plan, as well as the time
frames and resources for producing it, and understandably more notional
with respect to the later versions that perhaps require exploration
activities and further thought.
Because the plan that we recommended is fundamental to the continued
improvement of the architecture and transition plan and congressional
oversight, we believe that it needs to be developed and provided to
defense congressional committees expeditiously. However, to further
ensure that the intent of our recommendation is properly interpreted,
and to address DOD's concern about the time needed to address it, we
have slightly modified the recommendation to add clarifying language
and to exclude a date for the plan's submission to defense
congressional committees.
We are sending copies of this report to interested congressional
committees; the Director, Office of Management and Budget; the
Secretary of Defense; the Deputy Secretary of Defense; the Under
Secretary of Defense for Acquisition, Technology, and Logistics; the
Under Secretary of Defense (Comptroller); the Assistant Secretary of
Defense (Networks and Information Integration)/Chief Information
Officer; the Under Secretary of Defense (Personnel and Readiness); and
the Director, Defense Finance and Accounting Service. This report will
also be available at no charge on our Web site at
http://www.gao.gov.
If you or your staff have any questions on matters discussed in this
report, please contact me at (202) 512-3439 or hiter@gao.gov, or McCoy
Williams at (202) 512-9095 or williamsm1@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. GAO staff who made major contributions
to this report are listed in appendix V.
Signed By:
Randolph C. Hite:
Director:
Information Technology Architecture and Systems Issues:
Signed By:
McCoy Williams:
Director:
Financial Management Assurance:
List of Committees:
The Honorable John Warner:
Chairman:
The Honorable Carl Levin:
Ranking Minority Member:
Committee on Armed Services:
United States Senate:
The Honorable Ted Stevens:
Chairman:
The Honorable Daniel K. Inouye:
Ranking Minority Member:
Subcommittee on Defense:
Committee on Appropriations:
United States Senate:
The Honorable Duncan L. Hunter:
Chairman:
The Honorable Ike Skelton:
Ranking Minority Member:
Committee on Armed Services:
House of Representatives:
The Honorable C.W. Bill Young:
Chairman:
The Honorable John P. Murtha:
Ranking Minority Member:
Subcommittee on Defense:
Committee on Appropriations:
House of Representatives:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to (1) assess the actions by the Department of
Defense (DOD) to comply with the requirements of Section 2222 of Title
10, U.S. Code[Footnote 59] and (2) determine the extent to which DOD
has addressed our prior recommendations.
Consistent with the Act and as agreed with the staffs of congressional
defense committees, we used our November 2005 report (GAO-06-219) as a
baseline and evaluated DOD's efforts relative to the remaining five
requirements in the Act: (1) development of an enterprise architecture
that includes an information infrastructure enabling DOD to support
specific capabilities, such as data standards and system interface
requirements; (2) development of a transition plan for implementing the
enterprise architecture that includes specific elements, such as the
acquisition strategy for new systems; (3) inclusion of business systems
information in DOD's budget submission; (4) establishment of business
systems investment review processes and structures; and (5) approval of
defense business systems investments in excess of $1 million.
To determine whether the architecture addressed the requirements
specified in the Act, we reviewed version 3.1 of the business
enterprise architecture, which was released on March 15, 2006. This
review included analyzing the scope and content of version 3.1
architecture products to determine whether they addressed the missing
elements we identified in our November 2005 report. In addition, we
requested a traceability matrix demonstrating where in the architecture
each of the elements was addressed and interviewed program officials to
validate the information in this matrix. In reviewing the products, we
focused on the changes from version 3.0 and the traceability matrix
prepared by DOD. In addition, we interviewed key program officials,
including the Director of Transformation Planning and Performance;
Special Assistant to the Deputy Under Secretary of Defense (Business
Transformation); Chief Architect; and the Enterprise Transition Plan
Team lead, to obtain an understanding of the steps taken and planned to
address the missing elements we previously reported and to ascertain
the relationship between the architecture and the plan.
To determine whether the enterprise transition plan addressed the
requirements specified in the Act, we reviewed the updated enterprise
transition plan released on March 15, 2006, and included in DOD's March
15, 2006, annual report to Congress. This review included determining
whether the transition plan addressed the missing elements identified
in our November 2005 report, such as an acquisition strategy for new
systems and a statement of financial and non-financial resource needs.
Specifically, we requested a traceability matrix demonstrating where in
the transition plan each of the elements was addressed and interviewed
program officials to validate the information in this matrix. In
reviewing the plan, we focused on the changes from the September 30,
2005, version and the traceability matrix prepared by DOD. We
interviewed program officials, including the Director of Transformation
Planning and Performance; Special Assistant to the Deputy Under
Secretary of Defense (Business Transformation); Chief Architect; and
the Enterprise Transition Plan Team lead to obtain an understanding of
the steps taken and planned to address the missing elements we
previously reported, and to ascertain the relationship between the plan
and the architecture.
To determine whether DOD's fiscal year 2007 information technology (IT)
budget submission was prepared in accordance with the criteria set
forth in the Act, we reviewed and analyzed DOD's fiscal year 2007 IT
budget request. As part of our analysis, we determined the portion of
the budget request that related to the department's business systems
and related infrastructure. We reviewed the accompanying budget
exhibits and selected capital investment reports to obtain additional
information on specific business systems.
To determine whether DOD has established investment review structures
and processes and issued a standard set of investment review and
decision-making criteria, we reviewed applicable policies and
procedures issued by the department. In this regard, we interviewed
program officials to determine whether the one investment review board
(IRB) that we reported as not being established in our November 2005
report had since been established, and if not, the reasons why. We also
examined process documents to see whether they provide for key
requirements in the Act, such as annual reviews of every investment and
use of business enterprise architecture compliance criteria.
To determine whether the department was reviewing and approving
business system investments exceeding $1 million, we obtained from DOD
the list of business system investments certified by the IRBs and
approved by the Defense Business Systems Management Committee. Because
of time constraints, we selectively verified the information provided
by the department with the certification and approval information in
the budget request to identify any anomalies. We also analyzed the
fiscal year 2006 column of the fiscal year 2007 budget request to
ascertain the specific number of business systems earmarked for
modernization funding in excess of $1 million. We selected systems from
our analysis of the IT budget with DOD's list of systems to ascertain
if the business systems were certified and approved as stipulated by
the Act. For these selected systems, we obtained and reviewed
documentation related to the certification and approval process as
specified in the Act and outlined in the department's tiered
accountability concept. Furthermore, we met with representatives from
the Army, the Navy, and the Air Force to ascertain the specific actions
that were taken (or planned to be taken) in order to perform the annual
systems reviews as required by the Act.
To determine the extent to which DOD has addressed our open
recommendations, we met with program officials, including the Director
of Transformation Planning and Performance, Chief Architect, and the
Enterprise Transition Plan Team lead, to obtain an understanding of the
steps taken and planned to address our recommendations. We obtained and
analyzed documentation that described the specific corrective actions
taken. We reviewed program documentation, such as the March 15, 2006,
annual report, updated transition plan, and version 3.1 of the
architecture to determine whether DOD addressed our recommendations
related to architecture scope and content. We used our Enterprise
Architecture Management Maturity Framework, which describes the stages
of management maturity, to update the status of key elements of
architecture management best practices that DOD had not adopted. To
make this determination, we reviewed program documentation, such as
program policies and procedures, configuration and communications
plans, and charters for the governance bodies; and we compared them to
the elements in the framework. We also reviewed documentation regarding
DOD verification and validation activities in the architecture
development process. In addition, we reviewed the guidance establishing
the IRBs and describing the investment management process.
We did not independently validate the reliability of the cost and
budget figures provided by DOD, because the specific amounts were not
relevant to our findings.
We conducted our work at DOD headquarters offices in Arlington,
Virginia, from January through May 2006 in accordance with generally
accepted government auditing standards.
[End of section]
Appendix II: Prior Recommendations on DOD's Business Enterprise
Architecture and Investment Management:
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (1) The Secretary of Defense
immediately designate DOD financial management modernization a
departmental priority and accordingly direct the Deputy Secretary of
Defense to lead an integrated program across the department for
modernizing and optimizing financial management operations and systems;
Implemented?: Yes;
GAO assessment: Previously implemented.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (2) The Secretary immediately issue
a DOD policy that directs the development, implementation, and
maintenance of an enterprise architecture (EA);
Implemented?: Yes;
GAO assessment: The Deputy Secretary of Defense issued a memorandum on
February 7, 2005, establishing the Defense Business Systems Management
Committee (DBSMC), whose responsibilities, among other things, include
the approval of the business enterprise architecture (BEA) and the
enterprise transition plan (ETP). On October 7, 2005, the Deputy
Secretary of Defense also issued a memorandum establishing the Business
Transformation Agency (BTA), which is responsible for maintaining and
updating the BEA and the ETP.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (3) The Secretary immediately
modify the Senior Financial Management Oversight Council's charter to:
* designate the Deputy Secretary of Defense as the Council Chair and
the Under Secretary of Defense (Comptroller) as the Council Vice-Chair;
* empower the Council to serve as DOD's EA steering committee, giving
it the responsibility and authority to ensure that a DOD EA is
developed and maintained in accordance with the DOD Architecture
Framework;
* empower the Council to serve as DOD's financial management investment
review board, giving it the responsibility and authority to (1) select
and control all DOD financial management investments and (2) ensure
that its investment decisions treat compliance with the EA as an
explicit condition for investment approval that can be waived only if
justified by a compelling written analysis; and
* expand the role of the Council's System Compliance Working Group to
include supporting the Council in determining the compliance of each
system investment with the enterprise architecture at key decision
points in the system's development or acquisition life cycle;
Implemented?: Yes;
GAO assessment: In February 2005, the Deputy Secretary of Defense
established the DBSMC, as the highest ranking governance body
responsible for overseeing DOD business systems modernization efforts
and:
* designated the Deputy Secretary of Defense as the Chair and the Under
Secretary of Defense for Acquisition, Technology, and Logistics as
Vice-Chair;
* assigned the committee the responsibility of reviewing and approving
all major releases of the BEA and ETP and assigned the BTA the
responsibility for maintaining and updating the BEA in accordance with
DOD Architecture Framework;
* delegated, on March 19, 2005, the authority for the review, approval,
and oversight of the planning, design, acquisition, deployment,
operation, maintenance, and modernization of defense business systems
to the designated approval authority for each business area; [A] and
* issued criteria for reviewing all business systems annually and for
certifying business system modernizations over $1 million. The
department's guidance recognizes that one of the key elements in
evaluating its business system investments is the importance of being
consistent with the BEA.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (4) The Secretary immediately make
the Assistant Secretary of Defense (Command, Control, Communications, &
Intelligence), in collaboration with the Under Secretary of Defense
(Comptroller), accountable to the Senior Financial Management Oversight
Council for developing and maintaining a DOD enterprise architecture.
In fulfilling this responsibility, the Assistant Secretary appoint a
chief architect for DOD business management modernization and establish
and adequately staff and fund an enterprise architecture program office
that is responsible for developing and maintaining a DOD-wide EA in a
manner that is consistent with the framework defined in the Chief
Information Officer (CIO) Council's published guide for managing
enterprise architectures. In particular, the Assistant Secretary should
take appropriate steps to ensure that the Chief Architect:
* obtains executive buy-in and support;
* establishes architecture management structure and controls;
* defines the architecture process and approach;
* develops the baseline architecture, the target architecture, and the
sequencing plan;
* facilitates the use of the architecture to guide business management
modernization projects and investments; and
* maintains the architecture;
Implemented?: Yes;
GAO assessment: The BTA, whose management and oversight is provided
cooperatively by the Deputy Under Secretary of Defense (Business
Transformation) and the Deputy Under Secretary of Defense (Financial
Management), briefs the DBSMC monthly on, among other things, the status
of the BEA. The Assistant Secretary of Defense (Networks and
Information Integration)/DOD Chief Information Officer (ASD(NII)/CIO)
is a member of the DBSMC. In fulfilling this responsibility, the
department has appointed a Chief Architect under the BTA, and developed
a position description that outlines the roles and responsibilities of
the chief architect. In addition, in July 2001, it established a
program office and according to program officials, the department has
adequate staff and funding for developing and maintaining the
architecture. Moreover, the department has taken steps to:
* obtain executive buy-in and support, as evidenced by the establishment
of the DBSMC;
* establish the architecture management structure and controls--such as
establishing one division under the BTA to oversee
architecture development and maintenance, and another to oversee the
long-term internal and external communication activities;
* define the process and approach for developing the current version of
the architecture;
* develop the target or "To Be" architecture and the transition plan,
and intend to incorporate an "As Is" strategy in the next version of
the architecture;
* use the architecture to guide its business modernization projects and
investments; and
* assign the BTA the responsibility for maintaining the architecture.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (5) The ASD(NII)/CIO report at
least quarterly to the Senior Financial Management Oversight Council on
the Chief Architect's progress in developing an EA, including the Chief
Architect's adherence to enterprise architecture policy and guidance
from the Office of Management and Budget (OMB), the CIO Council, and
DOD;
Implemented?: Yes;
GAO assessment: In February 2005, the Deputy Secretary of Defense
established the DBSMC. As mentioned earlier, the DBSMC is comprised of
senior executives from across DOD, including the ASD(NII)/CIO and is
chaired by the Deputy Secretary of Defense. As stated earlier, the BTA,
whose management and oversight is provided cooperatively by the Deputy
Under Secretary of Defense (Business Transformation) and the Deputy
Under Secretary of Defense (Financial Management), briefs the DBSMC
monthly on--among other things--the status of DOD's efforts to develop,
implement, and maintain the architecture and the transition plan,
including adherence to relevant policies and guidance.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (6) The Senior Financial Management
Oversight Council report to the Secretary of Defense every 6 months on
progress in developing and implementing an EA;
Implemented?: Yes: check;
GAO assessment: In February 2005, the Deputy Secretary of Defense
established the DBSMC. As mentioned earlier, the DBSMC is chaired by
the Deputy Secretary of Defense, who is briefed monthly on the progress
of the architecture's development and implementation. According to the
DBSMC charter, the chair will report to the Secretary of Defense, as
appropriate.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (7) The Secretary reports every 6
months to the congressional defense authorizing and appropriating
committees on progress in developing and implementing an EA;
Implemented?: Yes: check;
GAO assessment: Previously implemented.
GAO report information and recommendation: GAO-01-525: Information
Technology: Architecture Needed to Guide Modernization of DOD's
Financial Operations, May 17, 2001: (8) Until an enterprise
architecture is developed and the Council is positioned to serve as
DOD's financial management investment review board as recommended, the
Secretary of Defense limit DOD components' financial management
investments to the deployment of systems that have already been fully
tested and involve no additional development or acquisition costs;
stay-in-business maintenance needed to keep existing systems operational;
management controls needed to effectively invest in modernized systems;
and new systems or existing system changes that are congressionally
directed or are relatively small, cost effective, and low risk and can
be delivered in a relatively short time frame;
Implemented?: In Process: check;
GAO assessment: On June 2, 2005, the Under Secretary of Defense for
Acquisition, Technology, and Logistics set forth guidance that
identified the processes to establish and operate IRBs for the purpose
of reviewing all business system investments at least annually and for
certifying business system modernizations over $1 million as required
by the Fiscal Year 2005 National Defense Authorization Act.
Furthermore, in April 2006, the Deputy Under Secretary of Defense
(Business Transformation) and the Deputy Under Secretary of Defense
(Financial Management) issued BEA compliance guidance. Since the April
2006 guidance was issued after completion of our field work, we have
not had the opportunity to assess the guidance to ascertain if it
addresses the recommendation.
GAO report information and recommendation: GAO-03-458: DOD Business
Systems Modernization: Improvements to Enterprise Architecture
Development and Implementation Efforts Needed, February 28, 2003: (1)
The Secretary of Defense ensure that the enterprise architecture
executive committee members are singularly and collectively made
explicitly accountable to the Secretary for the delivery of the
enterprise architecture, including approval of each version of the
architecture;
Implemented?: Yes: check;
GAO assessment: Previously implemented.
GAO report information and recommendation: GAO-03-458: DOD Business
Systems Modernization: Improvements to Enterprise Architecture
Development and Implementation Efforts Needed, February 28, 2003: (2)
The Secretary of Defense ensure that the enterprise architecture
program is supported by a proactive marketing and communication
program;
Implemented?: In Process: check;
GAO assessment: Under the BTA, the department has established an
Information and Federation Strategy office whose responsibilities
include internal and external communications. In February 2006, this
office developed a communication strategy and communications plan.
Based on the best practices defined by the CIO Council's A Practical
Guide to Federal Enterprise Architecture, we found that the
communications plan adhered to some of the guidelines--such as
identifying key audiences, purpose, scope and function and identifying
communication tools and a number of outreach programs to be used when
conveying the message to the targeted audiences. However, the
department's plan and strategy do not fully adhere to the criteria
set forth by best practices. In particular, the plan lacks an
explanation of roles and responsibilities and does not include details
regarding evaluation, metrics, and feedback.
GAO report information and recommendation: GAO-03-458: DOD Business
Systems Modernization: Improvements to Enterprise Architecture
Development and Implementation Efforts Needed, February 28, 2003: (3)
The Secretary of Defense ensure that the quality assurance function
includes the review of adherence to process standards and reliability
of reported program performance, is made independent of the program
management function, and is not performed by subject matter experts
involved in the development of key architecture products;
Implemented?: Yes: check;
GAO assessment: The department has established a quality assurance
function, which is an embedded process within the overall architecture
development. This function includes the review of adherence to process
standards, as appropriate, and it reports to a BTA division that is
independent of the division responsible for developing and maintaining
the architecture. It is also authorized to elevate issues to the Under
Secretary of Defense for Acquisition, Technology, and Logistics.
GAO report information and recommendation: GAO-03-458: DOD Business
Systems Modernization: Improvements to Enterprise Architecture
Development and Implementation Efforts Needed, February 28, 2003: (4)
The Secretary gain control over ongoing IT investments by establishing
a hierarchy of investment review boards, each responsible and
accountable for selecting and controlling investments that meet defined
threshold criteria, and each composed of the appropriate level of
executive representatives, depending on the threshold criteria, from
across the department;
Implemented?: Yes: check;
GAO assessment: On March 19, 2005, the Deputy Secretary of Defense
delegated the authority for the review, approval, and oversight of the
planning, design, acquisition, deployment, operation, maintenance, and
modernization of defense business systems to the designated approval
authority for each business area. Additionally, on June 2, 2005, the
Under Secretary of Defense for Acquisition, Technology, and Logistics
set forth guidance that identified the processes to establish and
operate IRBs for the purpose of reviewing all business system
investments.
GAO report information and recommendation: GAO-03-458: DOD Business
Systems Modernization: Improvements to Enterprise Architecture
Development and Implementation Efforts Needed, February 28, 2003: (5)
The Secretary gain control over ongoing IT investments by establishing
a standard set of criteria to include (a) alignment and consistency
with the DOD enterprise architecture and (b) our open recommendations
governing limitations in business systems investments pending
development of the architecture;
Implemented?: Yes: check;
GAO assessment: As noted above, the Under Secretary of Defense for
Acquisition, Technology, and Logistics has issued criteria for
reviewing all business system investments. The guidance points out that
one of the key elements in evaluating the department's business system
investments is the importance of being consistent with the BEA.
Furthermore, in April 2006, the Deputy Under Secretary of Defense
(Business Transformation) and the Deputy Under Secretary of Defense
(Financial Management) issued BEA compliance guidance.
GAO report information and recommendation: GAO-03-458: DOD Business
Systems Modernization: Improvements to Enterprise Architecture
Development and Implementation Efforts Needed, February 28, 2003: (6)
The Secretary gain control over ongoing IT investments by directing
these boards to immediately apply these criteria in completing reviews
of all ongoing IT investments and to not fund investments that do not
meet these criteria unless they are otherwise justified by explicit
criteria waivers;
Implemented?: Yes: check;
GAO assessment: As noted above, the Under Secretary of Defense for
Acquisition, Technology, and Logistics has issued criteria for
reviewing all business system investments. The guidance points out that
one of the key elements in evaluating the department's business system
investments is the importance of being consistent with the BEA.
Furthermore, in April 2006, the Deputy Under Secretary of Defense
(Business Transformation) and the Deputy Under Secretary of Defense
(Financial Management) issued BEA compliance guidance, which the IRBs
have been directed to use.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003:
(1) The Secretary of Defense or his appropriate designee define and
implement an effective investment management process to proactively
identify, control, and obtain DOD Comptroller review and approval of
expenditures for new and ongoing business systems investments exceeding
$1 million while the architecture is being developed and after it is
completed, and which includes clearly defined domain owners' roles and
responsibilities for selecting and controlling ongoing and planned
system investments;
Implemented?: Yes: check;
GAO assessment: On June 2, 2005, the Under Secretary of Defense for
Acquisition, Technology, and Logistics set forth guidance that is to be
used in reviewing all business system investments at least annually and
for certifying business system modernizations over $1 million as
required by the Fiscal Year 2005 National Defense Authorization Act. In
its March 15, 2006, report to congressional defense committees, the
department reported that the DBSMC had certified a total of 226
systems, which represents about $3.6 billion in modernization funding.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003:
(2) The Secretary of Defense or his appropriate designee implement the
core elements in our Enterprise Architecture Framework for Assessing
and Improving Enterprise Architecture Management that we identify in
this report as not satisfied, including ensuring that minutes of the
meetings of the executive body charged with directing, overseeing, and
approving the architecture are prepared and maintained;
Implemented?: In Process: check;
GAO assessment: DOD has taken some actions to address the 31 elements
identified in GAO's Enterprise Architecture Framework for assessing and
improving enterprise architecture management. DOD has addressed 17 of
the 31 elements. For example, the BEA is an integral component of the
IT investment management process and the quality of the BEA products is
measured and reported. DOD has begun to address 7 additional elements.
For example, although the BEA plans call for developing metrics for
measuring progress, quality, and compliance, it does not call for
developing metrics for return on investment. DOD has yet to begin
addressing the remaining 7 elements. For example, architecture
descriptions have yet to address security, and return on architecture
investment is not measured and reported.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003: (3)
The Secretary of Defense or his appropriate designee update version 1.0
of the architecture to include the 340 Joint Financial Management
Improvement Program requirements that our report identified as omitted
or not fully addressed;
Implemented?: Yes: check;
GAO assessment: Previously implemented.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003: (4)
The Secretary of Defense or his appropriate designee update version 1.0
of the architecture to include the 29 key elements governing the "As
Is" architectural content that our report identified as not being fully
satisfied;
Implemented?: In Process: check;
GAO assessment: Program officials stated that "As Is" environment
analyses and definitions have occurred--and are planned--on an "as
needed" and "just enough" basis. For example, they described "As Is"
analysis and definition that has occurred at the system level for
several of the enterprise-level systems (e.g., DOD Real Property
Information Systems), and work under way to further understand the
interdependencies that exist in the current planning, programming,
budgeting, and execution business process as an essential part of
developing the "To Be" description of this process. While not included
in versions 3.0 and 3.1, according to an official, the "As Is" work is
in fact now being used to perform a business capability gap analysis
and guide transformation based on the current set of priorities.
However, DOD has yet to disclose, at a minimum, the "As Is" analyses
that have and that have not been performed in the architecture
releases. In addition, DOD has yet to describe in the architecture
releases the importance and/or irrelevance of "As Is" analyses to the
systems and initiatives in the enterprise transition plan, and the
operational activities and business processes in the target
architecture.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003: (5)
The Secretary of Defense or his appropriate designee update version 1.0
of the architecture to include the 30 key elements governing the "To
Be" architectural content that our report identified as not being fully
satisfied;
Implemented?: In Process: check;
GAO assessment: DOD issued BEA version 3.1 on March 15, 2006, which
addressed some limitations in the prior version that we reported.
However, version 3.1 is still missing certain scope and content. For
example, this version continues to specify DOD's Standard Financial
Information Structure (SFIS) as an enterprisewide data standard for
categorizing financial information to support financial management and
reporting functions. In addition, it adds greater definition on
standard processes, rules, and data for intra-governmental ordering and
billing. However, certain SFIS data elements, such as those relating to
the planning, programming, and budgeting business process area have yet
to be defined. In addition, the architecture has yet to include a
systems standards profile to facilitate data sharing among
departmentwide business systems and promote interoperability with
departmentwide IT infrastructure systems. Further, military services'
and defense agencies' architectures have yet to be aligned with this
departmental architecture.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003: (6)
The Secretary of Defense or his appropriate designee update version 1.0
to ensure that "To Be" architecture artifacts are internally
consistent, to include addressing the inconsistencies described in this
report as well as including user instructions or guidance for easier
architecture navigation and use;
Implemented?: Yes: check;
GAO assessment: Version 3.1 of the architecture provides significant
improvements with regard to navigation and use and addresses the
internal consistency of the architecture artifacts that we previously
described.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003: (7)
The Secretary of Defense or his appropriate designee update version 1.0
of the architecture to include (a) the 3 key elements governing the
transition plan content that our report identified as not being fully
satisfied and (b) those system investments that will not become part of
the "To Be" architecture, including time frames for phasing out those
systems;
Implemented?: In Process: check;
GAO assessment: DOD issued an updated enterprise transition plan on
March 15, 2006. This plan provides information on progress on major
investments over the last 6 months, including key accomplishments and
milestones attained. Further, the plan builds on the prior plan by
defining an initiative aimed at identifying capability gaps between the
"As Is" and "To Be" architectural environments, and DOD continues to
validate the inventory of ongoing IT investments that formed the basis
for the prior version of the transition plan. However, while the plan
includes more information about the termination of legacy systems, it
still does not identify, for example, all legacy systems that will not
be part of the target architecture--and it does not include system
investment information for all of the department's agencies and
combatant commands.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003:
(8) The Secretary of Defense or his appropriate designee update version
1.0 of the architecture to address comments made by the verification
and validation contractor;
Implemented?: In Process: check;
GAO assessment: According to the verification and validation
contractor, of the 157 comments from version 3.0, 123 were deemed
potentially in scope for version 3.1. Of these 123 comments, they
stated that 85 were deferred to the next architecture release and 38
were to be addressed in version 3.1. The verification and validation
contractor is currently reviewing version 3.1 and has yet to report on
whether the 38 comments were addressed in version 3.1.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003:
(9) The Secretary of Defense or his appropriate designee develop a
well-defined, near-term plan for extending and evolving the architecture and
ensure that this plan includes addressing our recommendations, defining
roles and responsibilities of all stakeholders involved in extending
and evolving the architecture, explaining dependencies among planned
activities, and defining measures of activity progress;
Implemented?: In Process: check;
GAO assessment: The department included a high-level, notional
description of steps it plans to take over the next year related to
architecture development, maintenance, and implementation in its most
recent annual report to Congress. In particular, the department intends
to define and implement a metrics framework to measure results in terms
of operational performance improvement, add scope and content to the
architecture in 6-month increments, and define and use criteria to
gauge investment compliance with the architecture. However, the
department has yet to develop a plan to describe, among other things,
what the architecture and transition plan increments individually or
collectively will include and not include, with particular emphasis and
clarity on near-term increments, the resources needed to produce the
increments, who will be responsible for producing them, and how the
quality and utility of these increments will be determined.
GAO report information and recommendation: GAO-03-1018: DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, September 19, 2003:
(10) The Secretary of Defense or his appropriate designee limit the
pilot projects to small, low-cost, low-risk prototype investments that
are intended to provide knowledge needed to extend and evolve the
architecture, and are not to acquire and implement production version
system solutions or to deploy an operational system capability;
Implemented?: In Process: check;
GAO assessment: According to program officials, the Office of the Under
Secretary of Defense for Business Transformation has prepared a draft
policy on initiatives that will serve to define a pilot project in
terms of size and scope, and detail the process for obtaining approval
and funding.
GAO report information and recommendation: GAO-04-615: DOD Business
Systems Modernization: Billions Continue to Be Invested with Inadequate
Management Oversight and Accountability, May 27, 2004: (1) The
Secretary of Defense direct the Under Secretary of Defense
(Comptroller) and the Assistant Secretary of Defense for Networks and
Information Integration to develop a standard definition for DOD
components to use to identify business systems;
Implemented?: Yes: check;
GAO assessment: This recommendation was absorbed into GAO-05-381
recommendation #2.
GAO report information and recommendation: GAO-04-615: DOD Business
Systems Modernization: Billions Continue to Be Invested with Inadequate
Management Oversight and Accountability, May 27, 2004: (2) The
Secretary of Defense direct the Assistant Secretary of Defense for
Networks and Information Integration to expand the existing IT Registry
to include all business systems;
Implemented?: Yes: check;
GAO assessment: On July 13, 2004, the ASD(NII)/CIO directed
establishment of the DOD Information Technology Portfolio Repository
(DITPR). According to BTA officials, all identified business systems
have been entered into the DITPR. As of April 2006, the department
reported that it had 3,717 business systems.
GAO report information and recommendation: GAO-04-615: DOD Business
Systems Modernization: Billions Continue to Be Invested with Inadequate
Management Oversight and Accountability, May 27, 2004: (3) The
Secretary of Defense direct the Under Secretary of Defense
(Comptroller) to establish a mechanism that provides for tracking all
business systems modernization conditional approvals to provide
reasonable assurance that all specific actions are completed on time;
Implemented?: Yes: check;
GAO assessment: The DITPR is being used to track and monitor investment
decisions. For example, if the DBSMC notes that a business system must
show how it is compliant with the SFIS, that action is maintained in
the DITPR and, on completion, the completion date is entered into DITPR.
GAO report information and recommendation: GAO-05-381: DOD Business
Systems Modernization: Billions Being Invested without Adequate
Oversight, April 29, 2005: (1) The Secretary of Defense direct that the
DOD CIO, in consultation with the domains, review the 56 systems
reclassified from business systems to national security systems to
determine how these should be properly reported in the fiscal year 2007
IT budget request;
Implemented?: Yes: check;
GAO assessment: The department has appropriately classified the 56
systems in its fiscal year 2007 IT budget request.
GAO report information and recommendation: GAO-05-381: DOD Business
Systems Modernization: Billions Being Invested without Adequate
Oversight, April 29, 2005: (2) The Secretary of Defense direct that the
Defense Business Systems Management Committee work with the investment
review boards to review the reported business systems inventory so
systems are defined in accordance with the definition specified in the
Fiscal Year 2005 Defense Authorization Act;
Implemented?: Yes: check;
GAO assessment: The department's business systems are reported in its
fiscal year 2007 budget request in accordance with the criteria
specified in the Act.
GAO report information and recommendation: GAO-05-381: DOD Business
Systems Modernization: Billions Being Invested without Adequate
Oversight, April 29, 2005: (3) The Secretary of Defense direct that the
DBSMC develop a comprehensive plan that addresses implementation of our
previous recommendations related to the BEA and the control and
accountability over business systems investments (at a minimum, the
plan should assign responsibility and estimated time frames for
completion);
Implemented?: In Process: check;
GAO assessment: DOD has documented a series of actions that address our
recommendations. In its March 15, 2006, report to Congress, DOD stated
that it had fully implemented our 23 open recommendations and was in
the process of implementing 6. We agree that DOD has taken actions to
implement our open recommendations, with 16 being implemented and 13 in
the process of being implemented. However, while DOD included a
high-level summary in its March 15, 2006, annual report to Congress, it did
not include information such as responsibilities, time frames, and
actions planned to address all of the recommendations that have yet to
be fully implemented.
GAO report information and recommendation: GAO-05-381: DOD Business
Systems Modernization: Billions Being Invested without Adequate
Oversight, April 29, 2005: (4) The Secretary of Defense direct that the
comprehensive plan we recommend be incorporated into the department's
second annual report due March 15, 2006, to defense congressional
committees, as required by the Fiscal Year 2005 Defense Authorization
Act to help facilitate congressional oversight;
Implemented?: In Process: check;
GAO assessment: In its March 15, 2006, annual report to Congress, the
department included a high-level summary that outlines the status of
our recommendations. However, as noted above, it did not fully satisfy
our recommendation.
GAO report information and recommendation: GAO-05-702: DOD Business
Systems Modernization: Long-standing Weaknesses in Enterprise
Architecture Development Need to Be Addressed, July 22, 2005: (1) The
Secretary of Defense should direct the Deputy Secretary of Defense, as
the chair of DBSMC and in collaboration with DBSMC members, to
immediately fully disclose the state of its BEA program to DOD's
congressional authorization and appropriations committees, including
its limited progress and results to date, as well as specific plans and
commitments for strengthening program management and producing
measurable results that reflect the department's capability to do so;
Implemented?: Yes: check;
GAO assessment: In its March 15, 2006, annual report to Congress, DOD
disclosed the current state of the BEA program by including key
milestones for fiscal years 2006 and 2007, accomplishments since
September 2005, and limitations of and gaps in the architecture and
transition plan. For example, in an effort to improve visibility into
personnel activities, in fiscal year 2006, DOD reported that it has
deployed a civilian personnel data warehouse to facilitate data
sharing. In addition, the department reported that termination and
migration dates had yet to be determined for a number of systems.
GAO report information and recommendation: GAO-05-702: DOD Business
Systems Modernization: Long-standing Weaknesses in Enterprise
Architecture Development Need to Be Addressed, July 22, 2005: (2) The
Secretary of Defense should direct the Deputy Secretary of Defense, as
the chair of the DBSMC and in collaboration with DBSMC members, to
ensure that each of our recommendations related to the BEA management
and content are reflected in the plans and commitments;
Implemented?: In Process: check;
GAO assessment: In its March 15, 2006, annual report to Congress, the
department included a high-level summary that outlines the status of
our recommendations. However, it did not include information such as
responsibilities, time frames, and actions planned to address all of
the recommendations that have yet to be fully implemented.
GAO report information and recommendation: GAO-05-702: DOD Business
Systems Modernization: Long-standing Weaknesses in Enterprise
Architecture Development Need to Be Addressed, July 22, 2005: (3) The
Secretary of Defense should direct the Deputy Secretary of Defense, as
the chair of the DBSMC and in collaboration with DBSMC members, to
ensure that plans and commitments provide for effective BEA workforce
planning, including assessing workforce knowledge and skills needs,
determining existing workforce capabilities, identifying gaps, and
filling these gaps;
Implemented?: In Process: check;
GAO assessment: Program officials told us that they have begun
analyzing the architecture program's workforce needs and capabilities
using a three-phase approach. Phase I, which according to DOD is
complete, resulted in the development of a knowledge and skills model
for the program's architecture and transition plan staff. The second
phase, which according to DOD is in progress, involves identifying and
assessing the knowledge and skills of the existing architecture and
transition plan staff. According to program officials, this phase will
set overall program needs and provide the basis for identifying gaps
and recommendations for filling the gaps. Phase III will implement the
recommendations. According to DOD, it has not yet established
milestones for Phase III.
Source: GAO.
[A] Approval authorities include the Under Secretary of Defense for
Acquisition, Technology, and Logistics; the Under Secretary of Defense
(Comptroller); the Under Secretary of Defense for Personnel and
Readiness; and the Assistant Secretary of Defense for Networks and
Information Integration/Chief Information Officer of the Department of
Defense. These approval authorities are responsible for the review,
approval, and oversight of business systems and must establish
investment review processes for systems under their cognizance.
[B] DOD defines the Global Information Grid as the globally
interconnected, end-to-end set of information, capabilities, associated
processes, and personnel for collecting, processing, storing,
disseminating, and managing information on demand to warfighters,
policy makers, and support personnel.
[C] Department of Defense Fiscal Year 2007 IT/NSS President's Budget,
Report on Defense Business Systems Modernization FY2005 National
Defense Authorization Act, Section 332, February 2006.
[End of table]
[End of section]
Appendix III: Comments from the Department of Defense:
Office Of The Under Secretary Of Defense:
3000 Defense Pentagon:
Washington, DC 20301-3000:
Acquisition Technology And Logistics:
Mr. Randolph C. Hite:
Director:
Information Technology Architecture and Systems Issues:
U.S. Government Accountability Office:
441 G Street, N. W. Washington, DC 20548:
Dear Mr. Hite:
This is the Department of Defense (DoD) response to the GAO draft
report, "Business Systems Modernization: DOD Continues to Improve
Institutional Approach, but Further Steps Needed," dated April 28,
2006, (GAO Code 310616/GAO-06-658).
GAO continues to be a constructive partner in the Department's efforts
to transform internal business operations. Analysis of our plans and
activities, as well as recommendations for refinement, provide
important learning on best practices as we move forward. We especially
appreciate the support and recognition for the Department's continued
progress in laying the groundwork for success.
We believe the GAO's assessments and findings represent a fair
representation of the Department's efforts to date. We do not agree on
all points, yet even in areas of disagreement, we recognize the
opportunity for dialog and learning on both sides. There are two
points, detailed below, on which we would like to comment:
Responsiveness to addressing GAO concerns: As noted by GAO, it is
vitally important that the Department move quickly to institutionalize
the changes, policies and procedures that have been recently instituted
in order to maximize the potential for overall success in transforming
business operations. To that end, the Department moved aggressively
over the past year to address not only GAO's recommendations, but also
innumerable other challenges and barriers encountered along the way.
While it is important that DoD respond to GAO's recommendations, it is
equally important that GAO make recommendations sufficiently specific
in scope that they can be reasonably implemented and that GAO provide
prompt feedback on whether our efforts are in line with their concerns.
New GAO Recommendation: Regarding the GAO's new recommendation that the
Department develop a department-wide enterprise architecture program
management plan to gain greater control of the Department's IT
environment, this far exceeds the scope of business systems
modernization. The Department will explore the feasibility of a
department-wide approach to this issue, and publish a formal position
on this recommendation by September 30, 2006. Our response to this
recommendation is enclosed.
The Department made important progress over the last year in reshaping
its approach to modernizing its business operations. With the
development of the Business Enterprise Architecture and Enterprise
Transition Plan, we now have the important tools necessary to guide our
transformation effort. With the implementation and institutionalization
of the Defense Business Systems Management Committee and Investment
Review Boards, we have brought the issues of business transformation to
the forefront of senior leadership attention across the Department.
Now, with the Business Transformation Agency in place, the Department's
focus is on delivering the promise that these important tools and
processes represent. We welcome GAO's insights and look forward to
their participation in our future efforts.
Signed By:
Paul A. Brinkley:
Deputy Under Secretary of Defense:
(Business Transformation):
Enclosure:
As Stated:
GAO Draft Report - Dated April 28, 2006 GAO Code 310616/GAO-06-658:
"Business Systems Modernization: DOD Continues to Improve Institutional
Approach, but Further Steps Needed"
Department Of Defense Comments To The Recommendation:
Recommendation 1: The GAO recommended that the Secretary of Defense
direct the Deputy Secretary of Defense to submit an enterprise
architecture program management plan to defense congressional
committees by July 31, 2006. (p. 52/GAO Draft Report):
DOD Response: Partially Concurs. The Department will need time to
explore the feasibility of a Department-wide approach to this issue,
and will publish a formal position on this recommendation by September
30, 2006.
[End of section]
Appendix IV: Summary of Several Architecture Frameworks:
Various enterprise architecture frameworks are available for
organizations to follow. Although these frameworks differ in their
nomenclatures and modeling approaches, they consistently help define an
enterprise's operations in both (1) logical terms, such as interrelated
business processes and business rules, information needs and flows, and
work locations and users; and (2) technical terms, such as hardware,
software, data, communications, and security attributes and performance
standards. The frameworks help define these perspectives for both the
enterprise's current, or "As Is," environment and its target, or "To
Be," environment--as well as a transition plan for moving from the "As
Is" to the "To Be" environment.
For example, John A. Zachman developed a structure or framework for
defining and capturing an architecture.[Footnote 60] This framework
describes six windows or "perspectives" from which to view the
enterprise: those of (1) the strategic planner, (2) system user, (3)
system designer, (4) system developer, (5) subcontractor, and (6)
system itself. Zachman also proposed six models that are associated
with each of these perspectives; these models describe (1) how the
entity operates, (2) what the entity uses to operate, (3) where the
entity operates, (4) who operates the entity, (5) when entity
operations occur, and (6) why the entity operates. Zachman's framework
provides a conceptual schema that can be used to identify and describe
an entity's existing and planned components and their relationships to
one another before beginning the costly and time-consuming efforts
associated with developing or transforming the entity.
Since Zachman introduced his framework, a number of other frameworks
have been proposed. In August 2003, the department released version 1.0
of the DOD Architecture Framework (DODAF).[Footnote 61] The DODAF
defines the type and content of the architectural products, as well as
the relationships among the products that are needed to produce a
useful architecture. Briefly, it decomposes an architecture into three
primary views: operational, systems, and technical standards[Footnote
62] (see fig. 2). According to DOD, the three interdependent views are
needed to ensure that IT systems support operational needs and that
they are developed and implemented in an interoperable and cost-
effective manner.
Figure 2: Interdependent DODAF Views of an Architecture:
[See PDF for image]
Source: DOD Architecture Framework Version 1.0, Volume 1.
[End of figure]
In September 1999, the federal CIO's Council published the Federal
Enterprise Architecture Framework (FEAF), which is intended to provide
federal agencies with a common construct on which to base their
respective architectures and to facilitate the coordination of common
business processes, technology insertion, information flows, and system
investments among federal agencies. FEAF describes an approach,
including models and definitions, for developing and documenting
architecture descriptions for multiorganizational functional segments
of the federal government. Similar to most frameworks, FEAF's proposed
models describe an entity's business, the data necessary to conduct the
business, applications to manage the data, and technology to support
the applications.
In addition, the OMB established the Federal Enterprise Architecture
(FEA) Program Management Office to develop a federated enterprise
architecture in the context of five "reference models," and a security
and privacy profile that overlays the five models.
* The Business Reference Model is intended to describe the federal
government's businesses, independent of the agencies that perform them.
This model consists of four business areas: (1) services for citizens,
(2) mode of delivery, (3) support delivery of services, and (4)
management of government resources. It serves as the foundation for the
Federal Enterprise Architecture. The OMB expects agencies to use this
model as part of their capital planning and investment control
processes to help identify opportunities to consolidate information
technology investments across the federal government. Version 2.0 of
this model was released in June 2003.
* The Performance Reference Model is intended to describe a set of
performance measures for major information technology initiatives and
their contribution to program performance. According to OMB, this model
will help agencies produce enhanced performance information; improve
the alignment and better articulate the contribution of inputs, such as
technology, to outputs and outcomes; and identify improvement
opportunities that span traditional organizational boundaries. Version
1.0 of this model was released in September 2003.
* The Service Component Reference Model is intended to identify and
classify information technology service (i.e., application) components
that support federal agencies and promote the reuse of components
across agencies. This model is intended to provide the foundation for
the reuse of applications, application capabilities, components
(defined as "a self-contained business process or service with
predetermined functionality that may be exposed through a business or
technology interface"), and business services. According to OMB, this
model is a business-driven, functional framework that classifies
service components with respect to how they support business or
performance objectives. Version 1.0 of this model was released in June
2003.
* The Data Reference Model is intended to describe, at an aggregate
level, the types of data and information that support program and
business line operations and the relationships among these types. This
model is intended to help describe the types of interactions and
information exchanges that occur across the federal government. Version
2.0 of this model was released in November 2005.
* The Technical Reference Model is intended to describe the standards,
specifications, and technologies that collectively support the secure
delivery, exchange, and construction of service components. Version 1.1
of this model was released in August 2003.
* The Security and Privacy Profile is intended to provide guidance on
designing and deploying measures that ensure the protection of
information resources. OMB has released version 1.0 of the profile.
[End of section]
Appendix V: GAO Contact and Staff Acknowledgments:
GAO Contact:
Randolph C. Hite, (202) 512-3439 or hiter@gao.gov:
McCoy Williams, (202) 512-9095 or williamsm1@gao.gov:
Acknowledgments:
In addition to the contacts named above, key contributors to this
report were Darby Smith, Assistant Director; Neelaxi Lakhmani, Acting
Assistant Director; and Susan Czachor, Francis Dymond, Eric Essig,
Nancy Glover, Anh Le, John Martin, Mai Nguyen, Debra Rucker, and Andrea
Smith.
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548:
FOOTNOTES
[1] Business systems are information systems that include financial and
non-financial systems and support DOD's business operations, such as
civilian personnel, finance, health, logistics, military personnel,
procurement, and transportation. See 10 U.S.C. § 2222 (j) (2).
[2] GAO, High-Risk Program, GAO-06-497T (Washington, D.C.: Mar. 15,
2006).
[3] An enterprise architecture, or modernization blueprint, provides a
clear and comprehensive picture of an entity, whether it is an
organization (e.g., federal department or agency) or a functional or
mission area that cuts across more than one organization (e.g.,
financial management). This picture consists of snapshots of the
enterprise's current "As Is" operational and technological environment
and its target or "To Be" environment, as well as a capital investment
roadmap for transitioning from the current to the target environment.
These snapshots further consist of "views," which are basically one or
more architecture products that provide conceptual or logical
representations of the enterprise.
[4] GAO, Information Technology: Architecture Needed to Guide
Modernization of DOD's Financial Operations, GAO-01-525 (Washington,
D.C.: May 17, 2001).
[5] See, for example, GAO-01-525; DOD Business Systems Modernization:
Improvements to Enterprise Architecture Development and Implementation
Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003);
Information Technology: Observations on Department of Defense's Draft
Enterprise Architecture, GAO-03-571R (Washington, D.C.: Mar. 28, 2003);
Business Systems Modernization: Summary of GAO's Assessment of the
Department of Defense's Initial Business Enterprise Architecture,
GAO-03-877R (Washington, D.C.: July 7, 2003); DOD Business Systems
Modernization: Important Progress Made to Develop Business Enterprise
Architecture, but Much Work Remains, GAO-03-1018 (Washington, D.C.:
Sept. 19, 2003); DOD Business Systems Modernization: Limited Progress
in Development of Business Enterprise Architecture and Oversight of
Information Technology Investments, GAO-04-731R (Washington, D.C.: May
17, 2004); DOD Business Systems Modernization: Billions Being Invested
without Adequate Oversight, GAO-05-381 (Washington, D.C.: April 29,
2005); DOD Business Systems Modernization: Long-standing Weaknesses in
Enterprise Architecture Development Need to Be Addressed, GAO-05-702
(Washington, D.C.: July 22, 2005).
[6] Ronald W. Reagan National Defense Authorization Act for Fiscal Year
2005, Pub. L. No. 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct. 28,
2004) (codified in part at 10 U.S.C. § 2222).
[7] GAO, DOD Business Systems Modernization: Important Progress Made in
Establishing Foundational Architecture Products and Investment
Management Practices, but Much Work Remains, GAO-06-219 (Washington,
D.C.: Nov. 23, 2005).
[8] This amount does not include an additional $50 billion for military
operations in Iraq and Afghanistan.
[9] GAO, DOD Business Systems Modernization: Important Progress Made in
Establishing Foundational Architecture Products and Investment
Management Practices, but Much Work Remains, GAO-06-219 (Washington,
D.C.: Nov. 23, 2005).
[10] See, for example, GAO, Defense Inventory: Opportunities Exist to
Improve Spare Parts Support Aboard Deployed Navy Ships, GAO-03-887
(Washington, D.C.: Aug. 29, 2003); Military Pay: Army National Guard
Personnel Mobilized to Active Duty Experienced Significant Pay
Problems, GAO-04-89 (Washington, D.C.: Nov. 13, 2003); and DOD Travel
Cards: Control Weaknesses Resulted in Millions of Dollars of Improper
Payments, GAO-04-576 (Washington, D.C.: June 9, 2004).
[11] GAO-06-497T. The eight specific DOD high-risk areas are: (1)
approach to business transformation, (2) business systems
modernization, (3) contract management, (4) financial management, (5)
personnel security clearance, (6) supply chain management, (7) support
infrastructure management, and (8) weapon systems acquisition. The six
governmentwide high-risk areas are (1) disability programs, (2)
interagency contracting, (3) information systems and critical
infrastructure, (4) information sharing for homeland security, (5)
human capital, and (6) real property.
[12] CIO Council, A Practical Guide to Federal Enterprise Architecture,
Version 1.0 (Feb. 2001).
[13] The Clinger-Cohen Act of 1996, 40 U.S.C. § 11312 and 11315(b)(2).
[14] The E-Government Act of 2002, Public Law 107-347 (Dec. 17, 2002).
[15] OMB Capital Programming Guide, Version 1.0 (July 1997) and GAO,
Information Technology Investment Management: A Framework for Assessing
and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March
2004).
[16] The Clinger-Cohen Act of 1996, 40 U.S.C. sections 11101-11704.
This Act expanded the responsibilities of OMB and the agencies that had
been set under the Paperwork Reduction Act with regard to IT
management. See 44 U.S.C. 3504(a)(1)(B)(vi) (OMB); 44 U.S.C. 3506(h)(5)
(agencies).
[17] We have made recommendations to improve OMB's process for
monitoring high-risk IT investments; see GAO, Information Technology:
OMB Can Make More Effective Use of Its Investment Reviews, GAO-05-276
(Washington, D.C.: April 15, 2005).
[18] This policy is set forth and guidance is provided in OMB Circular
No. A-11 (Nov. 2, 2005) (section 300), and in OMB's Capital Programming
Guide, which directs agencies to develop, implement, and use a capital
programming process to build their capital asset portfolios.
[19] GAO-04-394G.
[20] GAO, Information Technology: A Framework for Assessing and
Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G
(Washington, D.C.: April 2003); and A Practical Guide to Federal
Enterprise Architecture, Version 1.0.
[21] See, for example, GAO, Homeland Security: Efforts Under Way to
Develop Enterprise Architecture, but Much Work Remains, GAO-04-777
(Washington, D.C.: Aug. 6, 2004); DOD Business Systems Modernization:
Limited Progress in Development of Business Enterprise Architecture and
Oversight of Information Technology Investments, GAO-04-731R
(Washington, D.C.: May 17, 2004); Information Technology: Architecture
Needed to Guide NASA's Financial Management Modernization, GAO-04-43
(Washington, D.C.: Nov. 21, 2003); DOD Business Systems Modernization:
Important Progress Made to Develop Business Enterprise Architecture,
but Much Work Remains, GAO-03-1018 (Washington, D.C.: Sept. 19, 2003);
Business Systems Modernization: Summary of GAO's Assessment of the
Department of Defense's Initial Business Enterprise Architecture,
GAO-03-877R (Washington, D.C.: July 7, 2003); Information Technology: DLA
Should Strengthen Business Systems Modernization Architecture and
Investment Activities, GAO-01-631 (Washington, D.C.: June 29, 2001);
and Information Technology: INS Needs to Better Manage the Development
of Its Enterprise Architecture, GAO/AIMD-00-212 (Washington, D.C.: Aug.
1, 2000).
[22] GAO, Executive Guide: Improving Mission Performance Through
Strategic Information Management and Technology, GAO/AIMD-94-115
(Washington, D.C.: May 1994); Office of Management and Budget,
Evaluating Information Technology Investments, A Practical Guide
(Washington, D.C.: Nov. 1995); GAO, Assessing Risks and Returns: A
Guide for Evaluating Federal Agencies' IT Investment Decision-making,
GAO/AIMD-10.1.13 (Washington, D.C.: Feb. 1997); and GAO-04-394G.
[23] GAO-03-584G.
[24] GAO-04-394G.
[25] The Business Management Modernization Program's mission for
advancing departmentwide business transformation efforts, particularly
with regard to business systems modernization, has been absorbed into
the BTA.
[26] An enterprise-level system supports cross-organizational
requirements, rather than a single group or component within an agency
or organization. A DOD-wide system refers to a system for all of DOD.
For example, the Defense Civilian Personnel Data System is the system
that standardizes civilian human resource processes and promotes
efficiency of service delivery for all DOD civilian personnel. An
enterprise-level initiative refers to an initiative of an enterprise,
rather than a group or component within an agency or organization. At
DOD, an enterprise-level initiative can be an enterprise system,
program, project, activity, or a family of enterprise systems.
[27] According to DOD, major releases are to have substantially new
architecture content that incorporates emerging enterprise priorities
and capabilities in support of DOD enterprise systems and initiatives
and the IRBs. Minor releases are not to contain new enterprise
priorities or business capabilities, but instead are to provide
extension and "clean up" of the preceding releases.
[28] DOD, Department of Defense Architecture Framework, Version 1.0,
Volume 1 (Aug. 2003) and Volume 2 (Feb. 2004).
[29] Ronald W. Reagan National Defense Authorization Act for Fiscal
Year 2005, Pub. L. No. 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct.
28, 2004) (codified in part at 10 U.S.C. § 2222).
[30] GAO, Information Technology: Architecture Needed to Guide
Modernization of DOD's Financial Operations, GAO-01-525 (Washington,
D.C.: May 17, 2001); DOD Business Systems Modernization: Improvements
to Enterprise Architecture Development and Implementation Efforts
Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003); Information
Technology: Observations on Department of Defense's Draft Enterprise
Architecture, GAO-03-571R (Washington, D.C.: Mar. 28, 2003); Business
Systems Modernization: Summary of GAO's Assessment of the Department of
Defense's Initial Business Enterprise Architecture, GAO-03-877R
(Washington, D.C.: July 7, 2003); DOD Business Systems Modernization:
Important Progress Made to Develop Business Enterprise Architecture,
but Much Work Remains, GAO-03-1018 (Washington, D.C.: Sept. 19, 2003);
DOD Business Systems Modernization: Limited Progress in Development of
Business Enterprise Architecture and Oversight of Information
Technology Investments, GAO-04-731R (Washington, D.C.: May 17, 2004);
DOD Business Systems Modernization: Billions Being Invested without
Adequate Oversight, GAO-05-381 (Washington, D.C.: April 29, 2005); DOD
Business Systems Modernization: Long-standing Weaknesses in Enterprise
Architecture Development Need to Be Addressed, GAO-05-702 (Washington,
D.C.: July 22, 2005).
[31] GAO-06-219.
[32] GAO-06-219; and Defense Management: Foundational Steps Being Taken
to Manage DOD Business Systems Modernization, but Much Remains to be
Accomplished to Effect True Business Transformation, GAO-06-234T
(Washington, D.C.: Nov. 9, 2005).
[33] GAO-06-219.
[34] The United States Standard General Ledger provides a uniform chart
of accounts and technical guidance used in standardizing federal agency
accounting.
[35] SFIS is the department's common financial business language.
[36] Intra-governmental transactions involve sales, services, or
transfers between two entities of the federal government.
[37] The ENT designation represents all business enterprise priorities.
[38] DOD defines the Global Information Grid as the globally
interconnected, end-to-end set of information, capabilities, associated
processes, and personnel for collecting, processing, storing,
disseminating, and managing information on demand to warfighters,
policy makers, and support personnel.
[39] GAO-06-219.
[40] See, for example, J. A. Zachman, "A Framework for Information
Systems Architecture," IBM Systems Journal 26, no. 3 (1987); Paula
Hagan, "Relating Elements of the Zachman Framework, Spewak's Enterprise
Architecture Planning, and DOD Products" (June 18, 2002); and B. Craig
Meyers and Patricia Oberndorf, "Managing Software Acquisition Open
Systems and COTS Products" (Addison-Wesley, 2001).
[41] DOD "components" include the military services, combatant
commands, defense agencies, and DOD field activities.
[42] GAO-06-219.
[43] This is a library of DOD standard accounting transactions that
result from specific business events (e.g., ordering depot-level repair
parts). It can be used as a baseline to institutionalize the United
States Standard General Ledger across components; and along with SFIS,
it provides a standard for DOD to update existing (and deploy new)
business systems.
[44] GAO-06-219.
[45] GAO-06-219.
[46] DOD included system and budget information for the Defense
Financial and Accounting Service and Defense Logistics Agency in the
transition plan. DOD did not include this information for the following
defense agencies: (1) Ballistic Missile Defense Organization, (2)
Defense Advanced Research Projects Agency, (3) Defense Commissary
Agency, (4) Defense Contract Audit Agency, (5) Defense Contract
Management Agency, (6) Defense Information Systems Agency, (7) Defense
Intelligence Agency, (8) Defense Legal Services Agency, (9) Defense
Security Cooperation Agency, (10) Defense Security Service, (11)
Defense Threat Reduction Agency, (12) National Imagery and Mapping
Agency, and (13) National Security Agency.
[47] DOD included system and budget information for the Transportation
Command in the transition plan. DOD did not include this information
for the (1) Central Command, (2) Joint Forces Command, (3) Pacific
Command, (4) Southern Command, (5) Space Command, (6) Special
Operations Command, (7) European Command, and (8) Strategic Command.
[48] As defined in the department's Investment Review Process Overview
and Concept of Operations for Investment Review Boards, tier 1 systems
include all systems that are classified as a "major automated
information system" or a "major defense acquisition program." A major
automated information system is a program or initiative that is so
designated by the ASD(NII)/CIO or that is estimated to require program
costs in any single year in excess of $32 million (fiscal year 2000
constant dollars), total program costs in excess of $126 million
(fiscal year 2000 constant dollars), or total life-cycle costs in
excess of $378 million (fiscal year 2000 constant dollars). A major
defense acquisition program is so designated by the Secretary of
Defense, or it is a program estimated by the Secretary of Defense to
require an eventual total expenditure for research, development, test,
and evaluation of more than $300 million (fiscal year 1990 constant
dollars) or an eventual total expenditure for procurement of more than
$1.8 billion (fiscal year 1990 constant dollars). Tier 2 systems
include those with modernization efforts of $10 million or greater but
that are not designated as a major automated information system or a
major defense acquisition program, or programs that have been
designated as IRB interest programs because of their impact on DOD
transformation objectives. The tier system includes another tier in
addition to these two: tier 3 systems are modernization efforts that
have anticipated costs greater than $1 million but less than $10
million.
[49] GAO-06-219.
[50] NCES is intended to provide capabilities that are key to enabling
ubiquitous access to reliable decision-quality information. NCES
capabilities can be packaged into four product lines: service-oriented
architecture foundation (e.g., security and information assurance),
collaboration (e.g., application sharing), content discovery and
delivery (e.g., delivering information across the enterprise), and
portal (e.g., user-defined Web-based presentation).
[51] The Ronald W. Reagan National Defense Authorization Act for Fiscal
Year 2005 specifies information that the department is to incorporate
in its budget request for fiscal year 2006 and each fiscal year
thereafter. Specifically, the Act states that each budget request must
include information on (1) each defense business system for which
funding is being requested; (2) all funds, by appropriation, for each
such business system, including funds by appropriation specifically for
current services (operation and maintenance) and systems modernization;
and (3) the designated approval authority for each business system.
[52] Approval authorities, including the Under Secretary of Defense for
Acquisition, Technology, and Logistics; the Under Secretary of Defense
(Comptroller); the Under Secretary of Defense for Personnel and
Readiness; the Assistant Secretary of Defense for Networks and
Information Integration/Chief Information Officer of the Department of
Defense; and the Deputy Secretary of Defense or an Under Secretary of
Defense, as designated by the Secretary of Defense, are responsible for
the review, approval, and oversight of business systems and must
establish investment review processes for systems under their
cognizance.
[53] A key condition identified in the Act includes certification by
designated approval authorities that the defense business system
modernization is (1) in compliance with the enterprise architecture;
(2) necessary to achieve critical national security capability or
address a critical requirement in an area such as safety or security;
or (3) necessary to prevent a significant adverse effect on a project
that is needed to achieve an essential capability, taking into
consideration the alternative solutions for preventing such an adverse
effect.
[54] 31 U.S.C. § 1341(a) (1) (A); see 10 U.S.C. § 2222(b).
[55] GAO-04-615 and Army Depot Maintenance: Ineffective Oversight of
Depot Maintenance Operations and System Implementation Efforts,
GAO-05-441 (Washington, D.C.: June 30, 2005).
[56] GAO-04-615.
[57] GAO-05-381.
[58] One of our recommendations was absorbed into another
recommendation, which resulted in a total of 29 remaining open
recommendations.
[59] Ronald W. Reagan National Defense Authorization Act for Fiscal
Year 2005, Public Law 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct.
28, 2004) (codified in part at 10 U.S.C. § 2222).
[60] J.A. Zachman, "A Framework for Information Systems Architecture,"
IBM Systems Journal 26, no. 3 (1987).
[61] DOD, Department of Defense Architecture Framework, Version 1.0,
Volume 1 (Aug. 2003) and Volume 2 (Feb. 2004).
[62] There are some overarching aspects of architecture that relate to
all three of the views. These overarching aspects--such as goals,
mission statements, and concepts of operations--are captured in the
All-view products.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: