Business Systems Modernization
Air Force Needs to Fully Define Policies and Procedures for Institutionally Managing Investments Gao ID: GAO-08-52 October 31, 2007In 1995, GAO first designated the Department of Defense's (DOD) business systems modernization program as "high-risk" and continues to do so today. In 2004, Congress passed legislation reflecting prior GAO recommendations that DOD adopt a corporate approach to information technology (IT) business systems investment management including tiered accountability for business systems at the department and component levels. To support GAO's legislative mandate to review DOD's efforts, GAO assessed whether the investment management approach of one of DOD's components--the Department of the Air Force (Air Force)--is consistent with leading investment management best practices. In doing so, GAO applied its IT Investment Management (ITIM) framework and associated methodology, focusing on the stages related to the investment management provisions of the Clinger-Cohen Act of 1996.
The Air Force has established the basic management structures needed to effectively manage its IT projects as investments, but has not fully implemented many of the related policies and procedures outlined in GAO's ITIM framework. Air Force has fully implemented three of the nine key practices that call for project-level management structures, policies, and procedures, and has not implemented any of the five practices that call for portfolio-level policies and procedures. Regarding project-level practices, it has established an IT investment board that is responsible for defining and implementing the department's business systems investment governance process, has developed procedures for identifying and collecting information about its business systems to support investment selection and control, and has assigned responsibility for ensuring that the information collected during project identification meets the needs of the investment management process. However, Air Force has not fully documented business systems investment policies and procedures for directing investment board operations, selecting new investments, reselecting ongoing investments, or integrating the investment funding and investment selection processes. In addition, it has not implemented any of the policies and procedures for developing and maintaining a complete business system investment portfolio. Air Force officials stated that they are aware of the absence of documented policies and procedures in certain areas of project-level and portfolio-level management and that they are currently working on guidance to address these areas. For example, officials stated that they had begun drafting portfolio-level policies and procedures. According to Air Force officials, the policies and procedures are expected to be completed and approved by December 2007. Until Air Force fully defines policies and procedures for both individual projects and portfolios of projects, it risks not being able to select and control these business system investments in a way that is consistent and complete, which in turn increases the chances that these investments will not meet mission needs in the most effective manner.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-08-52, Business Systems Modernization: Air Force Needs to Fully Define Policies and Procedures for Institutionally Managing Investments
This is the accessible text file for GAO report number GAO-08-52
entitled 'Business Systems Modernization: Air Force Needs to Fully
Define Policies and Procedures for Institutionally Managing
Investments' which was released on October 31, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
October 2007:
Business Systems Modernization:
Air Force Needs to Fully Define Policies and Procedures for
Institutionally Managing Investments:
Business Systems Modernization:
GAO-08-52:
GAO Highlights:
Highlights of GAO-08-52, a report to congressional committees.
Why GAO Did This Study:
In 1995, GAO first designated the Department of Defense‘s (DOD)
business systems modernization program as ’high-risk“ and continues to
do so today. In 2004, Congress passed legislation reflecting prior GAO
recommendations that DOD adopt a corporate approach to information
technology (IT) business systems investment management including tiered
accountability for business systems at the department and component
levels. To support GAO‘s legislative mandate to review DOD‘s efforts,
GAO assessed whether the investment management approach of one of DOD‘s
components”the Department of the Air Force (Air Force)”is consistent
with leading investment management best practices. In doing so, GAO
applied its IT Investment Management (ITIM) framework and associated
methodology, focusing on the stages related to the investment
management provisions of the Clinger-Cohen Act of 1996.
What GAO Found:
The Air Force has established the basic management structures needed to
effectively manage its IT projects as investments, but has not fully
implemented many of the related policies and procedures outlined in
GAO‘s ITIM framework (see table). Air Force has fully implemented three
of the nine key practices that call for project-level management
structures, policies, and procedures, and has not implemented any of
the five practices that call for portfolio-level policies and
procedures. Regarding project-level practices, it has established an IT
investment board that is responsible for defining and implementing the
department‘s business systems investment governance process, has
developed procedures for identifying and collecting information about
its business systems to support investment selection and control, and
has assigned responsibility for ensuring that the information collected
during project identification meets the needs of the investment
management process. However, Air Force has not fully documented
business systems investment policies and procedures for directing
investment board operations, selecting new investments, reselecting
ongoing investments, or integrating the investment funding and
investment selection processes. In addition, it has not implemented any
of the policies and procedures for developing and maintaining a
complete business system investment portfolio.
Air Force officials stated that they are aware of the absence of
documented policies and procedures in certain areas of project-level
and portfolio-level management and that they are currently working on
guidance to address these areas. For example, officials stated that
they had begun drafting portfolio-level policies and procedures.
According to Air Force officials, the policies and procedures are
expected to be completed and approved by December 2007. Until Air Force
fully defines policies and procedures for both individual projects and
portfolios of projects, it risks not being able to select and control
these business system investments in a way that is consistent and
complete, which in turn increases the chances that these investments
will not meet mission needs in the most effective manner.
Table: Status of Air Force's Project-and Portfolio-Level Management
Capabilities:
Stage 2: Building the investment foundation: Instituting the investment
board;
Key practices executed: 1/2;
Stage 3: Developing a complete investment portfolio: Defining the
portfolio criteria;
Key practices executed: 0/2.
Stage 2: Building the investment foundation: Meeting business needs;
Key practices executed: 0/1;
Stage 3: Developing a complete investment portfolio: Creating the
portfolio;
Key practices executed: 0/1.
Stage 2: Building the investment foundation: Selecting an investment;
Key practices executed: 0/3;
Stage 3: Developing a complete investment portfolio: Evaluating the
portfolio;
Key practices executed: 0/1.
Stage 2: Building the investment foundation: Providing investment
oversight;
Key practices executed: 0/1;
Stage 3: Developing a complete investment portfolio: Conducting post
implementation reviews;
Key practices executed: 0/1.
Stage 2: Building the investment foundation: Capturing investment
information;
Key practices executed: 2/2;
Stage 3: Developing a complete investment portfolio: [Empty];
Key practices executed: [Empty].
Overall;
Key practices executed: 3/9;
Stage 3: Developing a complete investment portfolio: [Empty];
Key practices executed: 0/5.
Source: GAO.
[End of table]
What GAO Recommends:
GAO recommends that the Department of the Air Force fully define the
project and portfolio management policies and procedures discussed in
GAO‘s ITIM framework. In comments on a draft of this report, DOD stated
that the Air Force has begun to establish a project-level management
process that will be instituted in formal policies and is applying
DOD‘s portfolio management process in its decision making.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.GAO-08-52]. For more information, contact
Valerie Melvin at (202) 512-6304 or melvinv@gao.gov.
[End of section]
Contents:
Letter1:
Results in Brief:
Background:
Air Force Has Established the Structures Needed to Effectively Manage
Business System Investments but Has Not Fully Defined Many of the
Related Policies and Procedures:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of Defense:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: DOD and Air Force Business System Investment Tiers:
Table 2: Air Force Investment Management Governance Entities and
Responsibilities:
Table 3: Stage 2 Critical Processes--Building the Investment
Foundation:
Table 4: Summary of Policies and Procedures for Stage 2 Critical
Processes--Building the Investment Foundation:
Table 5: Stage 3 Critical Processes--Developing a Complete Investment
Portfolio:
Table 6: Summary of Policies and Procedures for Stage 3 Critical
Processes--Developing a Complete Investment Portfolio:
Figures:
Figure 1: Simplified DOD Organizational Structure:
Figure 2: Air Force Chief Information Officer Organizational Structure:
Figure 3: The Five ITIM Stages of Maturity with Critical Processes:
Figure 4: Working Relationships among DOD Business Investment
Management System Governance Entities:
Figure 5: Air Force Precertification Review and Approval Process:
Abbreviations:
CPM: certification process manager:
CIO: chief information officer:
DAS: Defense Acquisition System:
DOD: Department of Defense:
IT: information technology:
ITIM: Information Technology Investment Management:
JCIDS: Joint Capabilities Integration and Development System:
MAJCOM: Major Command:
OMB: Office of Management and Budget:
PPBE: Planning, Programming, Budgeting, and Execution:
United States Government Accountability Office:
Washington, DC 20548:
October 31, 2007:
Congressional Committees:
For decades, the Department of Defense (DOD) has been challenged in
modernizing its timeworn business systems.[Footnote 1] In 1995, we
designated DOD's business systems modernization program as high risk,
and we continue to designate it as such today.[Footnote 2] Our research
on public and private sector organizations shows that an essential
ingredient to a successful systems modernization program is having an
effective institutional approach to managing information technology
(IT) investments.
In May 2001, we recommended that the department establish a corporate
approach to investment control and decision making.[Footnote 3] Between
2001 and 2005, we reported that the department's business systems
modernization program was still not being effectively managed,[Footnote
4] and we made additional investment-related recommendations. Congress
subsequently included provisions in the Ronald W. Reagan National
Defense Authorization Act for Fiscal Year 2005[Footnote 5] that
reflected our recommendations, including those for establishing and
implementing effective business system investment management structures
and processes.
Between 2005 and 2007,[Footnote 6] we reported that DOD had made
important progress in establishing and implementing these structures
and processes; however, much remained to be accomplished. Most
recently,[Footnote 7] we reported that, according to DOD officials,
investment management practices are performed at the component level,
and that departmental policies and procedures established for
overseeing components' execution of these practices are sufficient.
However, DOD had not fully defined many of the related policies and
procedures outlined in GAO's IT Investment Management framework.
The Fiscal Year 2005 National Defense Authorization Act directs DOD to,
among other things, establish and implement effective IT business
system investment management structures and processes. As agreed with
your offices and to support the legislative mandate that GAO assess
DOD's actions to comply with this requirement, the objective of our
review was to determine whether the investment management approach of
the Department of the Air Force (Air Force) is consistent with leading
investment management best practices. To accomplish our objective, we
analyzed documents and interviewed department officials to determine
whether Air Force has developed the structures, policies, and
procedures associated with executing those key practices in our IT
Investment Management (ITIM) framework[Footnote 8] that assist
departments and agencies in complying with the investment management
provisions of the Clinger-Cohen Act of 1996.[Footnote 9]
We performed our work at Air Force offices in Arlington, Virginia, from
February 2007 through September 2007 in accordance with generally
accepted government auditing standards. Details on our objective,
scope, and methodology are contained in appendix I.
Results in Brief:
Air Force has established the basic management structures needed to
effectively manage its IT projects as investments, but it has not fully
implemented many of the related policies and procedures that our ITIM
framework outlines. Air Force has fully implemented three of the nine
key practices that call for project-level management structures and
project-level policies and procedures. Specifically, it has (1)
established an investment review board that is responsible for business
system investment governance, (2) developed procedures for identifying
and collecting information about its business systems to support
investment selection and control, and (3) assigned responsibility for
ensuring that the information collected during project identification
meets the needs of the investment management process. However, Air
Force has not fully developed business system investment policies and
procedures related to the remaining six key project-level management
practices. For example, policies and procedures do not (1) address how
investments for systems in operations and maintenance are to be
governed; (2) define how systems in operations and maintenance will
support ongoing and future business needs; (3) specify how the full
range of cost, schedule, and performance data accessible to Air Force
is to be used in making selection (i.e., precertification) decisions;
(4) specify how reselection decisions (i.e., annual reviews) consider
investments that are in operations and maintenance; (5) describe how
funding decisions are integrated with the process of selecting an
investment; and (6) provide sufficient oversight and visibility into
investment management activities, including specifying how corrective
actions should be taken.
Further, Air Force has not implemented any of the five practices that
call for policies and procedures to develop and maintain a complete
business system portfolio. Specifically, it does not have documented
policies and procedures for (1) defining the portfolio criteria, (2)
creating the portfolio, (3) evaluating the portfolio, and (4)
conducting post-implementation reviews of business systems. In
addition, the Air Force has not assigned responsibility for managing
the portfolio criteria. According to ITIM, adequately documenting both
the policies and associated procedures that govern how an organization
manages its IT investment portfolios is important because doing so
provides the basis for having rigor, discipline, and repeatability in
how investments are selected and controlled across the entire
organization.
Air Force officials stated that they are aware of the absence of
documented policies and procedures in certain areas of project-level
and portfolio-level management; officials also stated that they are
currently working on new policies and procedures to address these areas
that they expect to issue by December 2007. Until Air Force defines
policies and procedures for both individual projects and portfolios of
projects--and assigns responsibility for managing its business system
portfolios--it risks selecting and controlling these business system
investments in a way that is not consistent and complete, which in turn
reduces the chances that these investments will meet mission needs in
the most effective manner.
To strengthen Air Force's business system management capability, we are
recommending that the agency fully define the policies and procedures
associated with project-level and portfolio-level investment management
and assign responsibility for managing its business system portfolios,
as discussed in our guidance for IT investment management.[Footnote 10]
In written comments on a draft of this report, signed by the Deputy
Under Secretary of Defense (Business Transformation) and reprinted in
appendix II, DOD partially concurred with the report's recommendations.
Relative to our recommendations concerning project-level management
policies and procedures, DOD stated that Air Force has begun to
establish a project-level management process that, while not codified
into formal policy, is documented in its investment review guide.
Further, it stated that Air Force is committed to formalizing its
policies as the processes expand and mature. Our report recognizes that
Air Force has drafted a business system investment management process.
However, we found that it lacks critical elements needed to effectively
carry out essential investment management activities. Until it fully
addresses all critical elements needed for investment management, Air
Force will be at risk of not being able to carry out investment
management activities in a consistent and disciplined manner. Relative
to our recommendations concerning portfolio-level management policies
and procedures, DOD stated that Air Force is applying DOD's IT
portfolio management process in its decision making. However, as our
report notes, Air Force has not implemented a process for managing its
business system portfolios. Until it implements such a process, Air
Force increases the risk of not selecting the mix of investments that
best supports its mission needs.
Background:
DOD is a massive and complex organization. To illustrate, the
department reported that its fiscal year 2006 operations involved
approximately $1.4 trillion in assets and $2.0 trillion in liabilities,
more than 2.9 million military and civilian personnel, and $581 billion
in net cost of operations. Organizationally, the department includes
the Office of the Secretary of Defense, the Chairman of the Joint
Chiefs of Staff, the military departments, numerous defense agencies
and field activities, and various unified combatant commands that are
responsible for either specific geographic regions or specific
functions. Figure 1 provides a simplified depiction of DOD's
organizational structure.
Figure 1: Simplified DOD Organizational Structure:
This figure is a chart showing the simplified DOD organizational
structure.
[See PDF for image]
Source: GAO, based on DOD documentation.
[A] The Chairman of the Joint Chiefs of Staff serves as the spokesman
for the commanders of the combatant commands, particularly for the
administrative requirements of their commands.
[End of figure]
In support of its military operations, DOD performs an assortment of
interrelated and interdependent business functions, including logistics
management, procurement, health care management, and financial
management. As we have previously reported,[Footnote 11] the systems
environment that supports these business functions is overly complex
and error prone, and is characterized by (1) little standardization
across the department, (2) multiple systems performing the same tasks,
(3) the same data stored in multiple systems, and (4) the need for data
to be entered manually into multiple systems.
Air Force's Mission, Organizational Structure, and Use of IT:
Air Force is a major component of DOD. Its mission is to deliver
options for the defense of the United States and its global interests
in air, space, and cyberspace. Air Force relies extensively on IT to
fulfill these competencies effectively and to meet its organizational
mission. It has 909 business systems; of these systems, 832 (91
percent) are in operations and maintenance. In fiscal year 2006, Air
Force was allocated approximately $651 million[Footnote 12] for its
business systems, of which about $406 million (62 percent) was
allocated to systems in operations and maintenance and $245 million (38
percent) was allocated to systems in development and/or modernization.
Air Force has created the Office of Warfighting Integration and Chief
Information Office to provide the IT and supporting infrastructure to
fulfill its mission. Among the goals of this organization are to:
* deliver the ability to direct forces while anticipating situations,
capabilities, and limitations;
* develop adaptive, trained airmen;
* shape enterprise investments;
* provide policy, standards, oversight, and training to enable airmen
to share and exploit accurate information any place and, anytime; and:
* transform the communications and information career field to lead Air
Force in leveraging information for its competitive advantage.
The Office of Warfighting Integration and Chief Information Office
consists of several organizations, as depicted in figure 2.
Figure 2: Air Force Chief Information Officer Organizational Structure:
This figure is a chart showing the organizational structure of an Air
Force Chief Information Officer.
[See PDF for image]
Source: Air Force.
[End of figure]
IT Investment Management Is Critical to Achieving Successful Systems
Modernization:
Successful public and private organizations use a corporate approach to
IT investment management. Recognizing this, Congress enacted the
Clinger-Cohen Act of 1996,[Footnote 13] which requires the Office of
Management and Budget (OMB) to establish processes to analyze, track,
and evaluate the risks and results of major capital investments in IT
systems made by executive agencies.[Footnote 14] In response to the
Clinger-Cohen Act and other statutes, OMB has developed policy and
issued guidance for the planning, budgeting, acquisition, and
management of federal capital assets.[Footnote 15] We have also issued
guidance in this area[Footnote 16] that defines institutional
structures, such as investment review boards; processes for developing
information on investments (such as costs and benefits); and practices
to inform management decisions (such as whether a given investment is
aligned with an enterprise architecture).
IT Investment Management: A Brief Description:
IT investment management is a process for linking IT investment
decisions to an organization's strategic objectives and business plans.
Consistent with this, the federal approach to IT investment management
focuses on selecting, controlling, and evaluating investments in a
manner that minimize risks while maximizing the return on
investment.[Footnote 17]
* During the selection phase, the organization (1) identifies and
analyzes each project's risks and returns before committing significant
funds to any project and (2) selects those IT projects that will best
support its mission needs.
* During the control phase, the organization ensures that projects, as
they develop and investment expenditures continue, meet mission needs
at the expected levels of cost and risk. If the project is not meeting
expectations or if problems arise, steps are quickly taken to address
the deficiencies.
* During the evaluation phase, expected results are compared with
actual results after a project has been fully implemented. This
comparison is done to (1) assess the project's impact on mission
performance, (2) identify any changes or modifications to the project
that may be needed, and (3) revise the investment management process
based on lessons learned.
Overview of GAO's ITIM Maturity Framework:
Our ITIM framework consists of five progressive stages of maturity for
any given agency relative to selecting, controlling, and evaluating its
investment management capabilities.[Footnote 18] (See fig. 3 for the
five ITIM stages of maturity.) This framework is grounded in our
research of IT investment management practices of leading private and
public sector organizations. The framework can be used to assess the
maturity of an agency's investment management processes and as a tool
for organizational improvement. The overriding purpose of the framework
is to encourage investment selection and control and to evaluate
processes that promote business value and mission performance, reduce
risk, and increase accountability and transparency. We have used the
framework in several of our evaluations,[Footnote 19] and a number of
agencies have adopted it.
ITIM's five maturity stages represent the steps toward achieving stable
and mature processes for managing IT investments. Each stage builds on
the lower stages; the successful attainment of each stage leads to
improvement in the organization's ability to manage its investments.
With the exception of the first stage, each maturity stage is composed
of "critical processes" that must be implemented and institutionalized
in order for the organization to achieve that stage. These critical
processes are further broken down into key practices that describe the
types of activities that an organization should be performing to
successfully implement each critical process. It is not unusual for an
organization to be performing key practices from more than one maturity
stage at the same time. However, our research has shown that agency
efforts to improve investment management capabilities should focus on
implementing all lower stage practices before addressing the higher
stage practices.
Figure 3: The Five ITIM Stages of Maturity with Critical Processes:
This figure is a chart showing the five ITIM stages of maturity with
critical processes.
[See PDF for image]
Source: GAO.
[End of figure]
In the ITIM framework, Stage 2 critical processes lay the foundation
for sound IT investment management by helping the agency to attain
successful, predictable, and repeatable investment management processes
at the project level. Specifically, Stage 2 encompasses building a
sound investment management foundation by establishing basic
capabilities for selecting new IT projects. This stage also involves
developing the capability to control projects so that they finish
predictably within established cost and schedule expectations and
developing the capability to identify potential exposures to risk and
put in place strategies to mitigate that risk. Further, it involves
evaluating completed projects to ensure they meet business needs and
collecting lessons learned to improve the IT investment management
process. The basic management processes established in Stage 2 lay the
foundation for more mature management capabilities in Stage 3, which
represents a major step forward in maturity, in which the agency moves
from project-centric processes to a portfolio approach, evaluating
potential investments by how well they support the agency's missions,
strategies, and goals.
Stage 3 requires that an organization continually assess both proposed
and ongoing projects as parts of a complete investment portfolio--an
integrated and competing set of investment options. It focuses on
establishing a consistent, well-defined perspective on the IT
investment portfolio and maintaining mature, integrated selection (and
reselection), control, and post-implementation evaluation processes.
This portfolio perspective allows decision makers to consider the
interaction among investments and the contributions to organizational
mission goals and strategies that could be made by alternative
portfolio selections, rather than focusing exclusively on the balance
between the costs and benefits of individual investments. Organizations
that have implemented Stages 2 and 3 practices have capabilities in
place that assist in establishing selection; control; and evaluation
structures, policies, procedures, and practices that are required by
the investment management provisions of the Clinger-Cohen Act.[Footnote
20]
Stages 4 and 5 require the use of evaluation techniques to continuously
improve both the investment portfolio and the investment processes in
order to better achieve strategic outcomes. At Stage 4, an organization
has the capacity to conduct IT succession activities and, therefore,
can plan and implement the deselection of obsolete, high-risk, or low-
value IT investments. An organization with Stage 5 maturity conducts
proactive monitoring for breakthrough information technologies that
will enable it to change and improve its business performance.
DOD and Air Force Approach for Identifying, Funding, and Acquiring
System Investments:
DOD's major system investments (i.e., weapons and business systems) are
governed by three management systems that focus on defining needs,
budgeting for, and acquiring investments to support the mission--the
Joint Capabilities Integration and Development System (JCIDS); the
Planning, Programming, Budgeting, and Execution (PPBE) system; and the
Defense Acquisition System (DAS). In addition, DOD's business systems
are subject to a fourth management system, which, for purposes of this
report, we refer to as the Business Investment Management System. For
each of these systems, DOD relies on its component agencies to execute
the underlying policies and procedures. According to DOD, the four
management systems, collectively, are the means by which the
department--and its components--selects, controls, and evaluates its
business systems investments.
Joint Capabilities Integration and Development System:
JCIDS is a needs-driven, capabilities-based approach to identify
mission needs and meet future joint forces challenges. It is intended
to identify future capabilities for DOD; address capability gaps and
mission needs recognized by the Joint Chiefs of Staff or derived from
strategic guidance, such as the National Security Strategy
Report[Footnote 21] or Quadrennial Defense Review;[Footnote 22] and
identify alternative solutions by considering a range of doctrine,
organization, training, materiel, leadership and education, personnel,
and facilities solutions. According to DOD, the Joint Chiefs of Staff-
-through the Joint Requirements Oversight Council--has primary
responsibility for defining and implementing JCIDS. All JCIDS documents
are submitted to the Joint Chiefs of Staff, which determines whether
the proposed system has joint implications or is component-unique. If
it is designated as joint interest, then the Joint Requirements
Oversight Council is responsible for approving and validating the
documents. If it is not designated as having joint interests, the
sponsoring component is responsible for validation and approval.
Planning, Programming, Budgeting, and Execution:
PPBE is a calendar-driven approach that is composed of four phases that
occur over a moving 2-year cycle. The four phases--planning,
programming, budgeting, and executing--define how budgets for each DOD
component and the department as a whole are created, vetted, and
executed. As recently reported,[Footnote 23] the components start
programming and budgeting for addressing a JCIDS-identified capability
gap or mission need several years before actual product development
begins and before the Office of the Secretary of Defense formally
reviews the components' programming and budgeting proposals (i.e.,
Program Objective Memorandums). Once reviewed and approved, the
financial details in the Program Objective Memorandums become part of
the President's budget request to Congress. During budget execution,
components may submit program change proposals or budget change
proposals, or both (e.g., program cost increases or schedule delays).
According to DOD, the Under Secretary of Defense (Policy), the Director
for Program Analysis and Evaluation, and the Under Secretary of Defense
(Comptroller) have primary responsibility for defining and implementing
the PPBE system.
Defense Acquisition System:
DAS[Footnote 24] is a framework-based approach that is intended to
translate mission needs and requirements into stable, affordable, and
well-managed acquisition programs. It consists of five key program life-
cycle phases. These five phases are as follows:
Concept Refinement: Intended to refine the initial JCIDS-validated
system solution (concept) and create a strategy for acquiring the
investment solution. A decision is made at the end of this phase
(Milestone A decision) regarding whether to move to the next phase
(Technology Development).
Technology Development: Intended to determine the appropriate set of
technologies to be integrated into the investment solution by
iteratively assessing the viability of various technologies while
simultaneously refining user requirements. Once the technology has been
demonstrated in a relevant environment, a decision is made (Milestone B
decision) regarding whether to move to the next phase (System
Development and Demonstration).
System Development and Demonstration: Intended to develop a system or a
system increment and demonstrate through developer testing that the
system or system increment can function in its target environment. A
decision is made at the end of this phase (Milestone C decision)
regarding whether to move to the next phase (Production and
Deployment).
Production and Deployment: Intended to achieve an operational
capability that satisfies the mission needs, as verified through
independent operational test and evaluation, and ensures that the
system is implemented at all applicable locations.
Operations and Support: Intended to operationally sustain the system in
the most effective manner over its life cycle.
A key principle of DAS is that investments are assigned a category,
where programs of increasing dollar value and management interest are
subject to more stringent oversight. For example, Major Defense
Acquisition Programs[Footnote 25] and Major Automated Information
Systems[Footnote 26] are large, expensive programs subject to the most
extensive statutory and regulatory reporting requirements and unless
delegated, are reviewed by acquisition boards at the DOD corporate
level. Smaller and less risky acquisitions are generally reviewed at
the component executive or lower levels. Another key principle is that
DAS requires acquisition management under the direction of a milestone
decision authority.[Footnote 27] The milestone decision authority--
with support from the program manager and advisory boards, such as the
Defense Acquisition Board[Footnote 28] and the IT Acquisition
Board[Footnote 29]--determines the project's baseline cost, schedule,
and performance commitments. The Under Secretary of Defense for
Acquisition, Technology, and Logistics has primary responsibility for
defining and implementing DAS.
DOD relies on its components to execute these investment management
policies and procedures. To implement DOD's JCIDS process, the Air
Force has designated the Joint Staff Functional Capabilities Board to
review and approve operational capabilities. The Joint Staff Functional
Capabilities Board seeks to establish a common understanding of how a
capability will be used, who will use it, when it is needed, and why it
is needed to achieve a desired effect. Each capability is assessed
based on the effects it seeks to generate and the associated
operational risk of not having it. In addition, the Capabilities Review
and Risk Assessment process is being used to analyze concepts of
operation and assess their associated capabilities. This process uses a
phased approach to produce a prioritized list of capabilities,
capability gaps or shortfalls, and possible capability solutions. To
implement the PPBE process, Air Force officials stated that they use
their Annual Planning and Programming Guidance manual. Finally, to
implement DAS, Air Force has developed guidance that outlines a
systematic acquisition framework that mirrors the framework defined by
DOD and includes the same three event-based milestones and associated
five program life-cycle phases.
Business Investment Management System:
The Business Investment Management System is a calendar-driven approach
that is described in terms of governance entities, tiered
accountability, and certification reviews and approvals. This system
was initiated in 2005, when DOD reassigned responsibility for providing
executive leadership for the direction, oversight, and execution of its
business systems modernization efforts to several entities. These
entities and their responsibilities include the following:
* The Defense Business Systems Management Committee serves as the
highest-ranking governance body for business systems modernization
activities.
* The Principal Staff Assistants serve as the certification authorities
for business system modernizations in their respective core business
missions.
* The Investment Review Boards are chartered by the principal staff
assistants and are the review and decision-making bodies for business
system investments in their respective areas of
responsibility.[Footnote 30] The boards are also responsible for
recommending certification for all business system investments costing
more than $1 million.
* The component precertification authority is accountable for the
component's business system investments and acts as the component's
principal point of contact for communication with the Investment Review
Boards. The Air Force has designated its CIO to be the precertification
authority.
* The Business Transformation Agency is responsible for leading and
coordinating business transformation efforts across the department. The
agency is organized into seven directorates, one of which is the
Defense Business Systems Acquisition Executive--the component
acquisition executive for DOD enterprise-level (DOD-wide) business
systems and initiatives. This directorate is responsible for
developing, coordinating, and integrating enterprise-level projects,
programs, systems, and initiatives--including managing resources such
as fiscal, personnel, and contracts for assigned systems and programs.
Figure 4 provides a simplified illustration of the relationships among
these entities.
Figure 4: Working Relationships among DOD Business Investment
Management System Governance Entities:
This figure is a chart showing working relationships among DOD business
investment management system governance entities.
[See PDF for image]
Source: GAO, based on DOD documentation.
[End of figure]
According to DOD, in 2005 it also adopted a tiered accountability
approach to business transformation. Under this approach,
responsibility and accountability for business system investment
management is allocated among DOD (i.e., Office of the Secretary of
Defense) and the component agencies, based on the amount of
development/modernization funding involved and the investment's "tier."
DOD is responsible for ensuring that all business systems with a
development/modernization investment in excess of $1 million are
reviewed by the Investment Review Boards for compliance with the
business enterprise architecture, certified by the principal staff
assistants, and approved by the Defense Business Systems Management
Committee. Components are responsible for certifying development/
modernization investments with total costs of $1 million or less. All
DOD development and modernization efforts are assigned a tier on the
basis of the acquisition category or the size of the financial
investment, or both. According to DOD, a system is given a tier
designation when it passes through the certification process. Table 1
describes the five investment tiers and identifies the associated
reviewing and approving entities for DOD and the Air Force.
Table 1: DOD and Air Force Business System Investment Tiers:
Tier: Tier 1;
Description: Major Automated Information Systems and Major Defense
Acquisition Programs;
Reviewing/Approving entities: Certified by Investment Review Boards and
Defense Business Systems Management Committee; precertified by Air
Force CIO.
Tier: Tier 2;
Description: Systems exceeding $10 million in total
development/modernization costs, but not designated Major Automated
Information Systems or Major Defense Acquisition Programs;
Reviewing/ Approving entities: Certified by Investment Review Boards
and Defense Business Systems Management Committee; precertified by Air
Force CIO.
Tier: Tier 3;
Description: Systems exceeding $1 million and up to $10 million in
total development/modernization costs;
Reviewing/Approving entities: Certified by Investment Review Boards and
Defense Business Systems Management Committee;
precertified by Air Force CIO.
Tier: Tier 4;
Description: All other business systems (i.e., those systems with
development/modernization costs of $1 million or less);
Reviewing/Approving entities: Certified by Air Force CIO.
Tier: Tier 5;
Description: Systems in operations and maintenance or sustainment;
Reviewing/Approving entities: Approved by Air Force CIO.
Sources: DOD and Air Force.
[End of table]
DOD's business investment management system includes two types of
reviews for business systems: certification and annual reviews.
Certification reviews apply to new modernization projects with total
costs over $1 million. These reviews focus on program alignment with
the business enterprise architecture and must be completed before
components obligate funds for programs. The annual reviews apply to all
business programs and are undertaken to determine whether the system
development effort is meeting its milestones and addressing its
Investment Review Board certification conditions.
* Certification reviews and approvals: Tier 1 through 3 business system
investments in development and modernization are certified at two
levels--component-level precertification and DOD-level certification
and approval. At the component level, program managers prepare, enter,
maintain, and update information about their investments in the Air
Force data repository. The component precertification authority
validates that the system information is complete and accessible on the
Air Force data repository, reviews system compliance with the business
enterprise architecture and enterprise transition plan, and verifies
the economic viability analysis. This information is then transferred
to DOD's IT Portfolio Repository.[Footnote 31] The precertification
authority asserts the status and validity of the investment information
by submitting a component precertification letter to the appropriate
Investment Review Board for its review.
* Annual reviews: Tier 1 through 4 business system investments are
reviewed annually at the component and DOD-levels. At the component
level, program managers annually review and update information on all
tiers of system investments that are identified in their data
repository. For Tier 1 through 3 systems that are in development or
being modernized, information is updated on cost, milestone, and risk
variances and actions or issues related to certification conditions.
The precertification authority then verifies and submits the
information for these business system investments for DOD's Investment
Review Board review in an annual review assertion letter. The letter
addresses system compliance with the DOD business enterprise
architecture and the enterprise transition plan and includes investment
cost, schedule, and performance information.[Footnote 32]
At the DOD level, the Investment Review Boards annually review
investments for certified Tier 1 through 3 business systems that are in
development or are being modernized. These reviews focus on program
compliance with the business enterprise architecture, program cost and
performance milestones, and progress in meeting certification
conditions. The Investment Review Boards can revoke an investment's
certification when the system has significantly failed to achieve
performance commitments (i.e., capabilities and costs). When this
occurs, the component must address the Investment Review Board's
concerns and resubmit the investment for certification.
Air Force's Precertification Process:
As stated earlier, DOD relies on its components to execute investment
management policies and procedures. Air Force has developed a
precertification process, which is intended to ensure that new or
existing systems undergo proper scrutiny prior to being precertified by
the Air Force CIO. First, the certification package is to be prepared
by the Program Manager and reviewed by the Major Command (MAJCOM) and
functional portfolio managers.
The package is then to be provided to the Air Force Certification
Process Manager, who is to review the package for completeness based on
certification requirements and transmit the package to the
Certification Review Team--which is composed of subject matter experts-
-to assess compliance with their relevant areas of expertise, such as
the business enterprise architecture and information assurance. Once
the certification review is complete, the package is to be sent to the
Senior Working Group. This group is responsible for reviewing the
package and approving or disapproving the package. Finally, the
Precertification Authority is to precertify the system for submission
to the relevant Investment Review Board.
Table 2 lists decision-making personnel involved in Air Force's
investment management process and provides a description of their key
responsibilities.
Table 2: Air Force Investment Management Governance Entities and
Responsibilities:
Entity: Precertification Authority;
Roles and responsibilities:
* Air Force Precertification Authority has the responsibility and
authority to precertify any modernization investment in excess of $1
million and certify any modernization investment less than or equal to
$1million (Tier 4);
Composition: The Secretary of the Air Force has the CIO as the Air
Force Business Investment Approval Authority and Precertification
Authority.
Entity: Senior Working Group;
Roles and responsibilities:
* The Senior Working Group functions as the Investment Review Board at
the component level. It provides cross-functional review and
recommendations to the Air Force Precertification Authority regarding
certification and annual review of business system investments;
* The Senior Working Group provides guidance for Air Force
modernization efforts. It also supports the CIO in ensuring compliance
with public law and federal, DOD, and Air Force directives regulating
the management and operation of IT investments;
Composition: The Senior Working Group members are composed of general
officers and senior executive service members from headquarter
functional organizations. It is chaired by a representative from the
Office of the CIO and has representation from various Air Force
departments such as financial management and acquisition.
Entity: Certification Review Team;
Roles and responsibilities:
* The Certification Review Team is comprised of subject matter experts
tasked with reviewing each certification package for compliance with
enterprise architecture, funding, information assurance, joint
requirements, and the enterprise transition plan;
Composition: The review team consists of Subject Matter Experts on
Enterprise Architecture, Funding, Information Assurance, Joint
Requirements, and the Enterprise Transition Plan.
Entity: Certification Process Manager;
Roles and responsibilities:
* The Air Force Certification Process Manager is responsible for
executing the certification and annual review processes. In support of
this effort, the Certification Process Manager tracks certification
conditions, and communicates and documents certification decisions;
Composition: The Air Force Certification Process Manager has a unit
within the Office of the CIO tasked with supporting investment
activities.
Entity: Functional Portfolio Manager;
Roles and responsibilities:
* Functional portfolio managers (functional CIOs) are responsible for
managing the Air Force functional portfolios;
* Managers are responsible for establishing a cross-functional
investment review board to conduct portfolio management activities;
Composition: These managers consist of Air Force's various functional
portfolios, which include Acquisition, Financial Management, Human
Resource Management, and Logistics.
Entity: Major Command Portfolio Manager;
Roles and responsibilities:
* MAJCOM Portfolio Managers are responsible for managing a MAJCOM
portfolio that includes the subject business system;
* Managers are responsible for reviewing investment management
documentation (e.g., Balanced Scorecard, Functions Gap/Redundancy
Assessment, Architecture Alignment) on submitted initiatives, reviewing
certification packages, and approving or disapproving the certification
package;
* Managers are responsible for establishing a cross-mission investment
review board, which conducts portfolio management activities across the
mission areas;
Composition: These managers consist of Air Force's various major
commands. These include Air Combat Command, Air Education and Training
Command, Air Force Materiel Command, Air Force Reserve Command, Air
Force Space Command, Air Force Special Operations Command, Air Mobility
Command, Pacific Air Forces, and U.S. Air Forces in Europe.
Entity: System Program Manager;
Roles and responsibilities:
* The Program Manager is responsible for managing a business system.
Program managers are responsible for complete, current, and accurate
information contained in the Air Force data repository relevant to
their systems. They are also responsible for completing initial
certification packages and modifying certification packages to address
issues from all levels of review;
Composition: These managers are responsible for the development,
implementation, and maintenance of their individual systems.
Source: GAO analysis of Air Force data.
[End of table]
Figure 5 shows the relationship among the key players in Air Force's
precertification review and approval process.
Figure 5: Air Force Precertification Review and Approval Process:
This figure is a chart showing the Air Force precertification review
and approval process.
[See PDF for image]
Source: GAO, based on Air Force documentation.
[End of figure]
Air Force Has Established the Structures Needed to Effectively Manage
Business System Investments but Has Not Fully Defined Many of the
Related Policies and Procedures:
DOD relies on its components to execute investment management policies
and procedures.[Footnote 33] However, while Air Force has established
the basic management structures needed to effectively manage its IT
projects as investments, it has not fully implemented many of the
related policies and procedures outlined in our ITIM framework.
Relative to its business system investments, Air Force has implemented
three of nine practices that call for project-level structures,
policies, and procedures, and has not defined any of the five practices
that call for portfolio-level policies and procedures. Air Force
officials stated that they are aware of the absence of documented
policies and procedures, and they are currently working on guidance to
address these areas. For example, these officials stated that they have
drafted policies and procedures to establish portfolio-level practices
and are currently obtaining the necessary approvals. Air Force plans to
complete and approve these policies and procedures by December 2007.
According to our framework, adequately documenting both the policies
and the associated procedures that govern how an organization manages
its IT investment portfolio is important because doing so provides the
basis for having rigor, discipline, and repeatability in how
investments are selected and controlled across the entire organization.
Until Air Force has fully defined policies and procedures for both
individual projects and the portfolio of projects, it risks selecting
and controlling these business system investments in an inconsistent,
incomplete, and ad hoc manner, which in turn could reduce the chances
that these investments will meet mission needs in the most effective
manner.
Air Force Has Begun to Build a Foundation for Project-Level Investment
Management but Has Not Yet Fully Defined Key Policies and Procedures:
At ITIM Stage 2, an organization has attained repeatable and successful
IT project-level investment control processes and basic selection
processes. Through these processes, the organization can identify
project expectation gaps early and take the appropriate steps to
address them. ITIM Stage 2 critical processes include (1) defining
investment board operations, (2) identifying the business needs for
each investment, (3) developing a basic process for selecting new
proposals and reselecting ongoing investments, (4) developing project-
level investment control processes, and (5) collecting information
about existing investments to inform investment management decisions.
Table 3 describes the purpose of each of these Stage 2 critical
processes.
Table 3: Stage 2 Critical Processes--Building the Investment
Foundation:
Critical process: Instituting the investment board;
Purpose: To define and establish an appropriate investment management
structure and the processes for selecting, controlling, and evaluating
investments.
Critical process: Meeting business needs;
Purpose: To ensure that investments support the organization's business
needs and meet users' needs.
Critical process: Selecting an investment;
Purpose: To ensure that a well-defined and disciplined process is used
to select new proposals and reselect ongoing investments.
Critical process: Providing investment oversight;
Purpose: To review the progress of investments, using predefined
criteria and checkpoints, in meeting cost, schedule, risk, and benefit
expectations and to take corrective action when these expectations are
not being met.
Critical process: Capturing investment information;
Purpose: To make information available to decision makers to evaluate
the impacts and opportunities created by proposed (or continuing)
investments.
Source: GAO.
[End of table]
Within these five critical processes are nine key practices required
for effective project-level management. Air Force has fully defined the
policies and procedures for three of these nine practices.
Specifically, Air Force has established a management structure by
instituting a business system Investment Review Board, called the
Senior Working Group. This group is composed of senior executives from
the functional business units, including the Office of the Air Force
Chief Information Officer, and the members are responsible for
establishing and implementing investment policies. In addition, Air
Force has established policies and procedures for capturing information
about its IT projects and systems and submitting, updating, and
maintaining this information in its data repository. Finally, it has
assigned the Certification Process Manager the responsibility of
ensuring that specific investment information contained in the Air
Force data repository is accurate and complete.
However, the Air Force's policies and procedures associated with the
remaining six project-level management practices are missing critical
elements needed to effectively carry out essential investment
management activities. For example:
* Policies and procedures for directing the Investment Review Board's
operations do not define how investments that are in operations and
maintenance are to be governed by the Investment Review Board. In
addition, procedures do not specify how the business investment
management process is coordinated with other DOD management systems.
Without clearly defined guidance and visibility into all investments
with an understanding of decisions reached through other management
systems, Air Force cannot be assured that consistent investment
management decisions are being made.
* Policies and procedures do not define how systems in operations and
maintenance will support ongoing and future business needs. This
increases the risk that Air Force will continue to maintain legacy
investments that no longer support current organizational objectives.
* Policies and procedures for selecting new systems do not specify how
the full range of cost, schedule, and performance data are being
considered in making selection (i.e., precertification) decisions.
Without documenting how factors such as cost, schedule, and performance
are considered when making precertification decisions, Air Force cannot
ensure that it consistently and objectively selects system investments
that best meet the department's needs and priorities.
* Policies and procedures do not include a structured method that
defines how the criteria will be evaluated when the precertification
authority makes reselection decisions. In addition, policies and
procedures do not define an approach to annually reviewing systems in
operations and maintenance. Given that Air Force spends millions of
dollars annually in operating and maintaining business systems, this is
significant. Without an understanding of how the precertification
authority is to consider these investments when making reselection
decisions, Air Force's ability to make informed and consistent
reselection and termination decisions is limited.
* Policies and procedures do not specify how funding decisions are
integrated with the process of selecting an investment. Without
considering budget constraints and opportunities, Air Force risks
making investment decisions that do not effectively consider the
relative merits of various projects and systems when funding
limitations exist.
* Policies and procedures do not provide for sufficient oversight and
visibility into investment management activities. Air Force has
predefined criteria for adherence to cost, schedule, and performance
milestones, but does not have policies and procedures that guide the
implementation of corrective actions when program expectations are not
met. Without such policies and procedures, the agency risks investing
in systems that are duplicative, stovepiped, nonintegrated, and
unnecessarily costly to manage, maintain, and operate.
Table 4 summarizes our findings relative to Air Force's execution of
the nine key practices that call for the policies and procedures needed
to manage IT investments at the project level.
Table 4: Summary of Policies and Procedures for Stage 2 Critical
Processes--Building the Investment Foundation:
Critical process: Instituting the investment board;
Key practice: 1. An enterprisewide IT investment board composed of
senior executives from IT and business units is responsible for
defining and implementing the organization's IT investment governance
process;
Rating: Executed;
Summary of evidence: Air Force has established an investment board--the
Senior Working Group--composed of senior executives from the functional
business units, including the office of the Air Force Chief Information
Officer. The board is responsible for establishing and implementing
policies governing the organization's investment process.
Critical process: [Empty];
Key practice: 2. The organization has a documented IT investment
process directing each investment board's operations;
Rating: Not executed;
Summary of evidence: Air Force has an IT investment process for
directing its investment board, which explains the roles and
responsibilities of the board and the individuals involved. Air Force
assigns the Investment Review Board accountability for systems
throughout the investment life cycle, including investments that are in
the operations and maintenance phase. However, Air Force's policies and
procedures do not define the process by which these systems will be
reviewed by the Investment Review Board. In addition, according to our
ITIM guidance, the department's investment guidance should specify the
manner in which investment-related processes will be coordinated with
other organizational plans, processes, and documents. However, Air
Force's Investment Review Guide does not specify how the business
investment management system is coordinated with other DOD management
systems, such as JCIDS, PPBE, and DAS.
Critical process: Meeting business needs;
Key practice: 1. The organization has documented policies and
procedures for identifying IT projects or systems that support the
organization's ongoing and future business needs;
Rating: Not executed;
Summary of evidence: Although Air Force has begun to review systems in
operations and maintenance, it does not have policies and procedures
for ensuring that these systems support ongoing and future business
needs. Air Force guidance dictates that investments undergoing the
certification process must demonstrate that they support ongoing and
future business needs by complying with the Enterprise Transition Plan
and Business Enterprise Architecture. However, Air Force certification
guidance does not apply to system investments in operations and
maintenance, which account for about 60 percent of Air Force's overall
IT budget.
Critical process: Selecting an investment;
Key practice: 1. The organization has documented policies and
procedures for selecting a new investment;
Rating: Not executed;
Summary of evidence: While the Investment Review Guide defines Air
Force's roles and responsibilities for certifying and approving
investments and includes predefined criteria, such as meeting cost,
schedule, and performance milestones, for selecting investments, it
does not contain a structured approach for how precertification
decisions are reached. For example, the guidance does not specify how
factors, such as cost, schedule, and performance data, are to be used
in making precertification decisions.
Critical process: [Empty];
Key practice: 2. The organization has documented policies and
procedures for reselecting ongoing investments;
Rating: Not executed;
Summary of evidence: Air Force's Investment Review Guide defines Air
Force's approach for annually reviewing investments. However, this
guidance does not include a structured method that defines how the
criteria, such as meeting cost, schedule and performance milestones,
will be evaluated when the precertification authority makes reselection
decisions. In addition, the Investment Review Guide only addresses
systems in development/ modernization (Tier 1 through 4) and does not
define an approach for annually reviewing systems in operations and
maintenance.
Critical process: [Empty];
Key practice: 3. The organization has documented policies and
procedures for integrating funding with the process of selecting an
investment;
Rating: Not executed;
Summary of evidence: Air Force policies and procedures do not specify
how investment funding and selection are to be integrated nor how the
precertification authority is to use funding information to make
certification or approval decisions.
Critical process: Providing investment oversight;
Key practice: 1. The organization has documented policies and
procedures for management oversight of IT projects and systems;
Rating: Not executed;
Summary of evidence: Air Force does not have documented policies and
procedures for overseeing the management of IT projects and systems.
For example, while Air Force has predefined criteria and checkpoints
for meeting cost, schedule, and performance milestones, and requires
the development of corrective actions when a project deviates from
milestones, it does not have policies and procedures that guide
implementation of corrective actions. Further, Air Force may certify a
system and impose conditions that must be met in order to obligate
system funding. However, there are no policies and procedures that
define the process for tracking conditions until they are resolved.
Critical process: Capturing investment information;
Key practice: 1. The organization has documented policies and
procedures for identifying and collecting information about IT projects
and systems to support the investment management process;
Rating: Executed;
Summary of evidence: The Air Force Investment Review Guidance describes
the procedures for submitting, updating, and maintaining information in
its data repository.
Critical process: [Empty];
Key practice: 2. An official is assigned responsibility for ensuring
that the information collected during project and systems
identification meets the needs of the investment management process;
Rating: Executed;
Summary of evidence: The Air Force Investment Review Guidance assigns
the Program Manager responsibility to ensure investment information
contained in its data repository is accurate and complete. The guidance
also assigns the Certification Process Manager with responsibility for
verifying these data.
Source: GAO.
[End of table]
Air Force officials stated that they are aware of the absence of
documented procedures in certain areas of project-level management, and
plan to issue new policies and procedures addressing these areas by
December 2007. However, until Air Force fully documents IT investment
management policies and procedures for Stage 2 activities and specifies
the linkages between the various related processes, and describes how
system investments in operations and maintenance are to be governed, it
risks not being able to carry out investment management activities in a
consistent and disciplined manner. Moreover, the Air Force risks
selecting investments that will not effectively meet its mission needs.
Air Force Has Assigned Responsibility but Has Not Defined the Policies
and Procedures Associated with Effective Portfolio-Level Management:
At Stage 3, an organization has defined critical processes for managing
its investments as a portfolio or a set of portfolios.[Footnote 34]
Portfolio management is a conscious, continuous, and proactive approach
to allocating limited resources among competing initiatives in light of
the investments' relative benefits. Taking a departmentwide perspective
enables an organization to consider its investments comprehensively, so
that collectively the investments optimally address the organization's
missions, strategic goals, and objectives. Managing IT investments as
portfolios also allows an organization to determine its priorities and
make decisions about which projects to fund on the basis of analyses of
the relative organizational value and risks of all projects, including
projects that are proposed, under development, and in operation.
Although investments may initially be organized into subordinate
portfolios--on the basis of, for example, business lines or life-cycle
stages--and managed by subordinate investment boards, they should
ultimately be aggregated into enterprise-level portfolios.
According to ITIM, Stage 3 involves four critical processes (1)
defining the portfolio criteria; (2) creating the portfolio; (3)
evaluating (i.e., overseeing) the portfolio; and (4) conducting post-
implementation reviews. Within these critical processes are five key
practices that call for policies and procedures to ensure effective
portfolio management. Table 5 summarizes the purpose of each of the
critical processes.
Table 5: Stage 3 Critical Processes--Developing a Complete Investment
Portfolio:
Critical process: Defining the portfolio criteria;
Purpose: To ensure that the organization develops and maintains
portfolio selection criteria that support its mission, organizational
strategies, and business priorities.
Critical process: Creating the portfolio;
Purpose: To ensure that investments are analyzed according to the
organization's portfolio selection criteria and to ensure that an
optimal investment portfolio with manageable risks and returns is
selected and funded.
Critical process: Evaluating the portfolio;
Purpose: To review the performance of the organization's investment
portfolio(s) at agreed- upon intervals and to adjust the allocation of
resources among investments as necessary.
Critical process: Conducting post-implementation reviews;
Purpose: To compare the results of recently implemented investments
with the expectations that were set for them and to develop a set of
lessons learned from these reviews.
Source: GAO.
[End of table]
Air Force has begun to establish a governance structure for portfolio-
level management, but it has not executed any of the five practices
within the Stage 3 critical processes that call for policies and
procedures associated with effective portfolio-level management.
Specifically, Air Force has assigned the Senior Working Group the
responsibility of establishing a governance forum to oversee business
system portfolio activities. However, the Senior Working Group has not
developed and approved charters outlining the roles and
responsibilities to be assigned to subordinate Investment Review Boards
that are intended to establish and manage the portfolios.
In addition, Air Force has not fully defined policies and procedures
needed to effectively execute portfolio management practices.
Specifically, Air Force does not have policies and procedures for
defining the portfolio criteria or creating and evaluating the
portfolio. In addition, while DOD has policies and procedures for
conducting post-implementation reviews for Tier 1 systems as part of
the Defense Acquisition System, Air Force has not established policies
or procedures for conducting post-implementation reviews for systems in
the remaining tiers. Finally, Air Force has not established procedures
detailing how lessons learned from these reviews are to be used during
investment reviews as the basis for management and process
improvements. Table 6 summarizes the rating for each critical process
required to manage investments as a portfolio and summarizes the
evidence that supports these ratings.
Table 6: Summary of Policies and Procedures for Stage 3 Critical
Processes--Developing a Complete Investment Portfolio:
Critical process-: Defining the portfolio criteria;
Key practice-: 1. The organization has documented policies and
procedures for creating and modifying IT portfolio selection criteria;
Rating-: Not executed;
Summary of evidence: While Air Force has assigned the Major Command and
Functional Investment Review Boards responsibility for creating and
modifying portfolio criteria (e.g., prioritization and investment trade-
offs) for business system investments, it has not yet finalized draft
policies, procedures, or criteria for conducting IT portfolio
selection. According to Air Force officials, the policies and
procedures are expected to be finalized and approved by December 2007.
Key practice-: Critical process-Creating the portfolio: 2.
Responsibility is assigned to an individual or group for managing the
development and modification of the IT portfolio selection criteria;
Rating-: Critical process-Creating the portfolio: Not executed;
Summary of evidence: Critical process-Creating the portfolio: Air Force
has assigned responsibility for overseeing portfolio management to the
Senior Working Group. However, although Air Force officials stated that
subordinate Major Command and Functional Investment Review Boards are
to be responsible for managing specific portfolios, it has yet to
officially assign responsibility to these groups.
Critical process-: Creating the portfolio;
Key practice-: 1. The organization has documented policies and
procedures for analyzing, selecting, and maintaining the investment
portfolios;
Rating-: Not executed;
Summary of evidence: Air Force is currently revising its instruction on
the IT portfolio management process, to include policies and procedures
for analyzing, selecting, and maintaining the investment portfolios.
However, Air Force officials could not identify a date for when the
instruction would be finalized and approved.
Critical process-: Evaluating the portfolio;
Key practice-: 1. The organization has documented policies and
procedures for reviewing, evaluating, and improving the performance of
its portfolio(s);
Rating- : Not executed;
Summary of evidence: While the Major Command and Functional Investment
Review Board draft charters state that they are responsible for
reviewing factors associated with portfolio management, such as
architecture alignment, capability delivery, and risk, there are no
policies and procedures indicating how they should use these factors
and project indicators--such as cost, schedule, and risk--to review,
evaluate, and improve their portfolios.
Critical process-: Conducting post-implementation reviews;
Key practice-: 1. The organization has documented policies and
procedures for conducting post-implementation reviews;
Rating-: Not executed;
Summary of evidence: While DOD requires post-implementation reviews for
Tier 1 systems as part of DAS, Air Force has not developed policies or
procedures for conducting such reviews for systems in the remaining
tiers. Moreover, there are no policies and procedures directing the Air
Force Senior Working Group, which is accountable for Air Force business
system investments, to consider information gathered and to develop
lessons learned from these post-implementation reviews.
Source: GAO.
[End of table]
Air Force officials are aware that they need to develop the appropriate
portfolio management processes, and in this regard, have drafted some
portfolio management guidance, such as the Air Force Operational
Support Portfolio Investment Review Process. According to Air Force
officials, this guidance is expected to be completed and approved by
December 2007. Until policies and procedures for managing business
systems investment portfolios are defined and implemented, Air Force is
at risk of not consistently selecting the mix of investments that best
supports the department mission needs and ensuring that investment-
related lessons learned are shared and applied departmentwide.
Conclusions:
Given the importance of business systems modernization to Air Force's
mission, performance, and outcomes, it is vital for the department to
adopt and employ an effective institutional approach to managing
business system investments. However, while the department acknowledges
these shortcomings and the importance of addressing them and has
established aspects of such an approach, it is lacking important
elements, such as policies and procedures needed for project-level and
portfolio-level investment management. This means that Air Force lacks
an institutional capability to ensure that it is investing in business
systems that best support its strategic needs and that ongoing projects
meet cost, schedule, and performance expectations. Until Air Force
develops this capability, the department will be impaired in its
ability to optimize business mission area performance and
accountability.
Recommendations for Executive Action:
To strengthen Air Force's business system investment management
capability and address the weaknesses discussed in this report, we
recommend that the Secretary of Defense direct the Secretary of the Air
Force to ensure that well-defined and disciplined business system
investment management policies and procedures are developed and issued.
At a minimum, this should include project-level management policies and
procedures that address the six key practices areas:
* Specifying how systems that are in operations and maintenance will be
reviewed and specifying how Air Force's business investment management
system is coordinated with JCIDS, PPBE, and DAS.
* Ensuring that systems in operations and maintenance are aligned with
ongoing and future business needs.
* Selecting investments, including specifying how factors, such as
cost, schedule, and performance data are to be used in making
certification decisions.
* Reselecting ongoing investments, including specifying how factors,
such as cost, schedule, and performance data are to be used in making
reselection decisions during the annual review process and providing
for the reselection of investments that are in operations and
maintenance.
* Integrating funding with the process of selecting an investment,
including specifying how the precertification authority is using
funding information in carrying out decisions on system certification
and approvals.
* Overseeing IT projects and systems, including specifying policies and
procedures that guide the implementation of corrective actions when
program expectations are not met.
These well-defined and disciplined business system investment
management policies and procedures should also include portfolio-level
management policies and procedures that address the following five
areas:
* Creating and modifying IT portfolio selection criteria for business
system investments.
* Defining the roles and responsibilities for the development and
modification of the IT portfolio selection criteria.
* Analyzing, selecting, and maintaining business system investment
portfolios.
* Reviewing, evaluating, and improving the performance of the
portfolio(s) by using project indicators, such as cost, schedule, and
risk.
* Conducting post-implementation reviews for all investment tiers and
directing the investment boards to consider the information gathered to
develop lessons learned from these reviews.
Agency Comments and Our Evaluation:
In written comments on a draft of this report, signed by the Deputy
Under Secretary of Defense (Business Transformation) and reprinted in
appendix II, DOD partially concurred with the report's recommendations.
The department further stated that our recommendations and feedback
were helpful in guiding its business transformation and related
improvement efforts.
Regarding our recommendation that DOD direct Air Force to ensure that
well-defined and disciplined business system investment management
policies and procedures are developed and issued, DOD stated that Air
Force has a well-defined business system investment management process
that, while not codified into formal policy, has been documented in
investment review guides. Further, it stated that Air Force is
committed to formalizing its policies as the processes expand and
mature. Our report recognizes that Air Force has drafted a business
system investment management process. However, as our report states,
the draft review guide lacks critical elements needed to effectively
carry out essential investment management activities. Until Air Force
completes and issues IT investment management policies and procedures
that fully address these elements, it risks not being able to carry out
investment management activities in a consistent and disciplined
manner.
Regarding our recommendation that DOD direct Air Force to ensure that
the well-defined and disciplined business system investment management
policies and procedures also include portfolio-level management
policies and procedures, the department stated that DOD Instruction
8115.02 defines the DOD IT portfolio management process, which Air
Force is applying in its decisionmaking. However, as our report notes,
Air Force has not implemented a process for managing its business
system portfolios. Until Air Force defines and implements such a
process, it is at risk of not consistently selecting the mix of
investments that best supports the Air Force's mission needs and
ensuring that investment-related lessons learned are shared and applied
departmentwide.
We are sending copies of this report to interested congressional
committees; the Director, Office of Management and Budget; the
Secretary of Defense; the Deputy Secretary of Defense; the Secretary of
Air Force; the Air Force Chief Information Officer, and the Under
Secretary of Defense for Acquisition, Technology, and Logistics. Copies
of this report will be made available to other interested parties on
request. This report will also be available at no charge on our Web
site at [hyperlink, http://www.gao.gov].
Should you or your staffs have any questions on matters discussed in
this report, please contact me at (202) 512-6304 or melvinv@gao.gov.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. GAO staff who
made major contributions to this report are listed in appendix III.
Signed by:
Valerie C. Melvin:
Director, Human Capital and Management:
Information Systems Issues:
List of Committees:
The Honorable Carl Levin:
Chairman:
The Honorable John McCain:
Ranking Member:
Committee on Armed Services:
United States Senate:
The Honorable Daniel Inouye:
Chairman:
The Honorable Ted Stevens:
Ranking Member:
Subcommittee on Defense:
Committee on Appropriations:
United States Senate:
The Honorable Ike Skelton:
Chairman:
The Honorable Duncan Hunter:
Ranking Member:
Committee on Armed Services:
House of Representatives:
The Honorable John P. Murtha:
Chairman:
The Honorable C.W. Bill Young:
Ranking Member:
Subcommittee on Defense:
Committee on Appropriations:
House of Representatives:
[End of section]
Appendix I: Objective, Scope, and Methodology:
Our objective was to determine whether the investment management
approach of the Department of the Air Force (a major Department of
Defense (DOD) component) is consistent with leading investment
management best practices. Our analysis was based on the best practices
contained in GAO's Information Technology Investment Management (ITIM)
framework and the framework's associated evaluation methodology, and
focused on Air Force's establishment of policies and procedures for
business system investments needed to assist organizations in complying
with the investment management provisions of the Clinger-Cohen Act of
1996 (Stages 2 and 3).
To address our objective, we asked Air Force to complete a self-
assessment of its investment management process and provide the
supporting documentation. We then reviewed the results of the
department's self-assessment of Stages 2 and 3 organizational
commitment practices--meaning those practices related to structures,
policies, and procedures--and compared them with our ITIM framework. We
focused on Stages 2 and 3 because these stages represent the processes
needed to meet the standards of the Clinger-Cohen Act, and they
establish the foundation for effective acquisition management. We also
validated and updated the results of the self-assessment through
document reviews and interviews with officials, such as the Air Force
Chief Information Officer and Certification Process Manager. In doing
so, we reviewed written policies, procedures, and guidance and other
documentation providing evidence of executed practices, including the
Air Force Information Technology Investment Review Guide, Air Force
Operations of Capabilities Based Acquisition System Instruction, Air
Force IT Investment Architecture Compliance Guide, Senior Working Group
charter and meeting minutes, the Investment Review Board Concept of
Operations and Guidance, and the Business Transformation Guidance.
We compared the evidence collected from our document reviews and
interviews with the key practices in ITIM. We rated the key practices
as "executed" on the basis of whether the department demonstrated (by
providing evidence of performance) that it had met all of the criteria
of the key practice. A key practice was rated as "not executed" when we
found insufficient evidence of all elements of a practice being fully
performed or when we determined that there were significant weaknesses
in Air Force's execution of the key practice. In addition, we provided
Air Force with the opportunity to produce evidence for the key
practices rated as "not executed."
We conducted our work at the Air Force offices in Arlington, Virginia,
from February 2007 through September 2007 in accordance with generally
accepted government auditing standards.
[End of section]
Appendix II: Comments from the Department of Defense:
Office Of The Under Secretary Of Defense:
3000 Defense Pentagon:
Washington, DC 20301-3000:
ACQUISITION, TECHNOLOGY AND LOGISTICS:
October 18, 2007:
Ms. Valerie C. Melvin:
Director, Human Capital and Management Information Systems Issues:
U.S. Government Accountability Office:
441 G Street, N.W.:
Washington, DC 20548:
Dear Ms. Melvin:
This is the Department of Defense (DoD) response to the GAO draft
report GAO-08-52, "Business Systems Modernization: Air Force Needs to
Fully Define Policies and Procedures for Institutionally Managing
Investments," dated September 17, 2007 (GAO Code 310635).
The Department partially concurs with GAO's first recommendation. The
Air Force has established a well-defined business system investment
management process that, while not codified into formal policy, has
been documented in its investment review guides. Furthermore, the Air
Force is committed to formalizing its policies as the processes expand
and mature.
The Department also partially concurs with the second recommendation.
DoD Instruction 8115.02 defines the DoD Information Technology (IT)
portfolio management process and the Air Force is applying this process
in its decision- making. This process is also maturing.
GAO continues to be a valuable and constructive partner in the
Department's business transformation efforts. The recommendations and
feedback provided will help to further guide DoD's process of continual
improvement. We look forward to your participation in our future
efforts.
Signed by:
Paul A. Brinkley:
Deputy Under Secretary of Defense:
(Business Transformation):
GAO Draft Report Dated September 17, 2007 GAO-08-52 (GAO CODE 310635):
"Business Systems Modernization: Air Force Needs To Fully Define
Policies And Procedures For Institutionally Managing Investments":
Department Of Defense Comments To The Gao Recommendation:
Recommendation 1: The GAO recommended that the Secretary of Defense
direct the Secretary of the Air Force to ensure that well-defined and
disciplined business system investment management policies and
procedures are developed and issued. At a minimum, these should include
project-level management policies and procedures that address:
* How systems that are in operations and maintenance will be reviewed
and specifying how Air Force's business investment management system is
coordinated with Joint Capabilities Integration and Development System
(JCIDS), Planning, Programming, Budgeting and Execution (PPBE), and
Defense Acquisition System (DAS).
* Ensuring that systems in operations and maintenance are aligned with
ongoing and future business needs.
* Selecting investments, including specifying how factors, such as
cost, schedule, and performance data are to be used in making
certification decisions.
* Reselecting ongoing investments, including specifying how factors,
such as cost, schedule, and performance data are to be used in making
reselection decisions during the annual review process and providing
for the reselection of investments that are in operations and
maintenance.
* Integrating funding with the process of selecting an investment,
including specifying how the pre-certification authority is using
funding information in carrying out decisions on system certification
and approvals.
* Overseeing Information Technology (IT) projects and systems,
including specifying policies and procedures that guide the
implementation of corrective actions when program expectations are not
met.
(p. 38/GAO Draft Report):
DOD Response: Partially concur:
The Department partially concurs. The Air Force does have a well-
defined and disciplined business system investment management system
process documented in investment review guides. The process is maturing
but has not been codified in formal policies. The documented investment
review and architecture guides are in use and distributed throughout
the Air Force. The business system investment review process is
expanding to capture investments in the warfighting and enterprise
infrastructure environment mission areas. These processes will be
instituted in formal policies.
Recommendation 2: The GAO recommended that the Secretary of Defense
direct the Secretary of the Air Force to ensure that the above well-
defined and disciplined business system investment management policies
and procedures also include portfolio- level management policies and
procedures that address:
* Creating and modifying IT portfolio selection criteria for business
system investments.
* Defining roles and responsibilities for the development and
modification of the IT portfolio selection criteria.
* Analyzing, selecting, and maintaining business system investment
portfolios.
* Reviewing, evaluating, and improving the performance of the
portfolio(s) by using project indicators, such as cost, schedule, and
risk.
* Conduct post-implementation reviews for all investment tiers and
directing the investment boards to consider the information gathered to
develop lessons learned from these reviews.
(p. 38/GAO Draft Report):
DOD Response: Partially concur:
DoD instruction 8115.02 defines the DoD IT portfolio management
process. This process is maturing and the Air Force is applying
portfolio management discipline in their information technology
decision making.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov:
Staff Acknowledgments:
In addition to the contact person named above, key contributors to this
report were Tonia Johnson, Assistant Director; Idris Adjerid; Sharhonda
Deloach; Nancy Glover; and Freda Paintsil.
[End of section]
Footnotes:
[1] Business systems are information systems that include financial and
nonfinancial systems and support DOD's business operations, such as
civilian personnel, finance, health, logistics, military personnel,
procurement, and transportation.
[2] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).
[3] GAO, Information Technology: Architecture Needed to Guide
Modernization of DOD's Financial Operations, GAO-01-525 (Washington,
D.C.: May 17, 2001).
[4] See, for example, GAO, DOD Business Systems Modernization: Long-
standing Weaknesses in Enterprise Architecture Development Need to Be
Addressed, GAO-05-702 (Washington, D.C.: July 22, 2005); DOD Business
Systems Modernization: Billions Being Invested without Adequate
Oversight, GAO-05-381 (Washington, D.C.: Apr. 29, 2005); DOD Business
Systems Modernization: Limited Progress in Development of Business
Enterprise Architecture and Oversight of Information Technology
Investments, GAO-04-731R (Washington, D.C.: May 17, 2004); DOD Business
Systems Modernization: Important Progress Made to Develop Business
Enterprise Architecture, but Much Work Remains, GAO-03-1018
(Washington, D.C.: Sept. 19, 2003); and GAO-01-525.
[5] Ronald W. Reagan National Defense Authorization Act for Fiscal Year
2005, Pub. L. No. 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct. 28,
2004) (codified in part at 10 U.S.C. §2222).
[6] GAO, Business Systems Modernization: DOD Needs to Fully Define
Policies and Procedures for Institutionally Managing Investments, GAO-
07-538 (Washington, D.C.: May 11, 2007); Defense Business
Transformation: A Comprehensive Plan, Integrated Efforts, and Sustained
Leadership Are Needed to Assure Success, GAO-07-229T (Washington, D.C.:
Nov. 16, 2006); Business Systems Modernization: DOD Continues to
Improve Institutional Approach, but Further Steps Needed, GAO-06-658
(Washington, D.C.: May 15, 2006); and DOD Business Systems
Modernization: Important Progress Made in Establishing Foundational
Architecture Products and Investment Management Practices, but Much
Work Remains, GAO-06-219 (Washington, D.C.: Nov. 23, 2005).
[7] GAO-07-538.
[8] We rated the key practices as "executed" on the basis of whether
the agency demonstrated (by providing evidence of performance) that it
had met all of the criteria of the key practice. A key practice was
rated as "not executed" when we found insufficient evidence of any
elements of a practice being fully performed or when we determined that
there were significant weaknesses in Air Force's execution of the key
practice.
[9] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, GAO-04-394G (Washington,
D.C.: March 2004).
[10] GAO-04-394G.
[11] GAO-06-658.
[12] According to Air Force program officials, the total amount spent
on its business systems includes the amount spent on the Operational
Support IT Business Mission Area, Warfighting Mission Area, and
Enterprise Information Environment. Approximately $651 million reflects
the budget for the Operational Support IT mission area business systems
and does not include the amount budgeted for the Warfighting Mission
Area and Enterprise Information Environment business systems.
[13] The Clinger-Cohen Act of 1996, 40 U.S.C. 11101-11704. This act
expanded the responsibilities of OMB and the agencies that had been set
under the Paperwork Reduction Act with regard to IT management. See 44
U.S.C. 3504(a)(1)(B)(vi) (OMB); and 44 U.S.C. 3506(h)(5) (agencies).
[14] We have made recommendations to improve OMB's process for
monitoring high-risk IT investments; see GAO, Information Technology:
OMB Can Make More Effective Use of Its Investment Reviews, GAO-05-276
(Washington, D.C.: Apr. 15, 2005).
[15] This policy is set forth and guidance is provided in OMB Circular
A-11 (Nov. 2, 2005) (section 300) and in OMB's Capital Programming
Guide, which directs agencies to develop, implement, and use a capital
programming process to build their capital asset portfolios.
[16] See, for example, GAO-04-394G; GAO, Information Technology: A
Framework for Assessing and Improving Enterprise Architecture
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003);
and Assessing Risks and Returns: A Guide for Evaluating Federal
Agencies' IT Investment Decision-making, GAO/AIMD-10.1.13 (Washington,
D.C.: February 1997).
[17] GAO-04-394G; GAO/AIMD-10.1.13; GAO, Executive Guide: Improving
Mission Performance Through Strategic Information Management and
Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1994); and Office of
Management and Budget, Evaluating Information Technology Investments, A
Practical Guide (Washington, D.C.: November 1995).
[18] GAO-04-394G.
[19] GAO, Information Technology: Centers for Medicare and Medicaid
Services Needs to Establish Critical Investment Management
Capabilities, GAO-06-12 (Washington, D.C.: Oct. 28, 2005); Information
Technology: HHS Has Several Investment Management Capabilities in
Place, but Needs to Address Key Weaknesses, GAO-06-11 (Washington,
D.C.: Oct. 28, 2005); Information Technology: FAA Has Many Investment
Management Capabilities in Place, but More Oversight of Operational
Systems Is Needed, GAO-04-822 (Washington, D.C.: Aug. 20, 2004); Bureau
of Land Management: Plan Needed to Sustain Progress in Establishing IT
Investment Management Capabilities, GAO-03-1025 (Washington, D.C.:
Sept. 12, 2003); Information Technology: Departmental Leadership
Crucial to Success of Investment Reforms at Interior, GAO-03-1028
(Washington, D.C.: Sept. 12, 2003); United States Postal Service:
Opportunities to Strengthen IT Investment Management Capabilities, GAO-
03-3 (Washington, D.C.: Oct. 15, 2002); and Information Technology: DLA
Needs to Strengthen Its Investment Management Capability, GAO-02-314
(Washington, D.C.: Mar. 15, 2002).
[20] The Clinger-Cohen Act of 1996, 40 U.S.C. §§ 11311-11313.
[21] The National Security Strategy Report required by 50 U.S.C. 404a
is a comprehensive report on the national security strategy of the
United States submitted by the President to Congress.
[22] See 10 U.S.C. 118. The Quadrennial Defense Review is a
comprehensive examination of the national defense strategy, force
structure, force modernization plans, infrastructure, budget plan, and
other elements of the defense program and policies of the United States
with a view toward determining and expressing the defense strategy of
the United States and establishing a defense program for the next 20
years.
[23] GAO, Best Practices: An Integrated Portfolio Management Approach
to Weapon System Investments Could Improve DOD's Acquisition Outcomes,
GAO-07-388 (Washington, D.C.: Mar. 30, 2007).
[24] As described in DOD Directive 5000.1, May 12, 2003 and DOD
Instruction 5000.2, May 12, 2003.
[25] A Major Defense Acquisition Program is an acquisition program that
is estimated by the Under Secretary of Defense for Acquisition,
Technology, and Logistics to require an eventual total expenditure for
research, development, and test and evaluation of more than $365
million (fiscal year 2000 constant dollars) or, for procurement, of
more than $2 billion (fiscal year 2000 constant dollars).
[26] A Major Automated Information System is a program or initiative
that is so designated by the Assistant Secretary of Defense (Networks
and Information Integration)/Chief Information Officer or that is
estimated to require program costs in any single year in excess of $32
million (fiscal year 2000 constant dollars), total program costs in
excess of $126 million (fiscal year 2000 constant dollars), or total
life-cycle costs in excess of $378 million (fiscal year 2000 constant
dollars).
[27] According to DOD, the milestone decision authority is the
designated individual who has overall responsibility for an investment.
This person has the authority to approve an investment's progression in
the acquisition process and is responsible for reporting cost,
schedule, and performance results. For example, the milestone decision
authority for a Major Defense Acquisition Program, when not delegated
to the component level, is the Under Secretary of Defense for
Acquisition, Technology, and Logistics, and the milestone decision
authority for a Major Automated Information System is the Assistant
Secretary of Defense (Networks and Information Integration)/Chief
Information Officer or a designee.
[28] The Defense Acquisition Board--chaired by the Under Secretary of
Defense for Acquisition, Technology, and Logistics--conducts reviews
for Major Defense Acquisition Programs at major program milestones and
documents the decisions resulting from the review in an Acquisition
Decision Memorandum.
[29] The IT Acquisition Board--chaired by the Assistant Secretary of
Defense (Networks and Information Integration)/Chief Information
Officer--conducts reviews for Major Automated Information System at
major program milestones and documents the decision(s) resulting from
the review in an Acquisition Decision Memorandum.
[30] The four Investment Review Boards are (1) financial management,
established by the Deputy Under Secretary of Defense for Financial
Management; (2) weapon systems life-cycle management and materiel
supply and services management; (3) real property and installations
life-cycle management, both established by the Under Secretary of
Defense (Acquisition, Technology, and Logistics); and (4) human
resources management, established by the Under Secretary of Defense for
Personnel and Readiness.
[31] DOD's IT Portfolio Repository is DOD's authoritative repository
for certain information about DOD's business systems, such as system
names and the responsible DOD components that are required for the
certification, approval, and annual reviews of these business system
investments.
[32] In addition, each component precertification authority submits a
list of system names to the Investment Review Boards on a semiannual
basis, to include Tier 4 systems and systems in operations and
maintenance that have been reviewed at the component level.
[33] These investment management policies and procedures include
precertifying Tier 1 through 3 business system investments by the
component. These systems are then reviewed and certified by DOD. Tier 4
systems are certified by the components.
[34] Investment portfolios are integrated agencywide collections of
investments that are assessed and managed collectively on the basis of
common criteria.
GAO's Mission:
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, DC 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, Jarmong@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, DC 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, DC 20548:
