DOD Business Systems Modernization

Military Departments Need to Strengthen Management of Enterprise Architecture Programs Gao ID: GAO-08-519 May 12, 2008

In 1995, GAO designated Department of Defense (DOD) business systems modernization as a high-risk program, and the program remains on the high-risk list today. A key to successful systems modernization is having and using an enterprise architecture as an authoritative frame of reference, or blueprint, for system investment decisions. To assist DOD in modernizing its business systems, Congress passed legislation consistent with prior GAO recommendations for DOD to develop and implement a business enterprise architecture (BEA). In response, DOD developed a corporate BEA that it intends to federate, or extend, to the military departments and defense agencies. To support GAO's legislative mandate to review DOD's BEA, GAO evaluated the status of the Air Force, Navy, and Army architecture programs. To accomplish this, GAO used its Enterprise Architecture Management Maturity Framework and associated evaluation method.

The enterprise architecture programs within the Departments of the Air Force, Navy, and Army have yet to advance to a level that can be considered fully mature. Specifically, all three departments are at the initial stage of GAO's architecture maturity framework. This means that they have not fully satisfied all the core elements associated with the framework's second stage (establishing the management foundation for developing, maintaining, and using the architecture) or any of the framework's higher stages: Stage 3 (developing the architecture), Stage 4 (completing the architecture), and Stage 5 (leveraging the architecture for organizational change). An organization generally needs to have achieved the fifth stage in the framework for it to have an effective architecture program because, at this stage, the management controls and structures are in place for using an approved architecture to guide and constrain system investments in a way that produces institutional results. Although each department is at Stage 1, the status of the programs vary considerably. Specifically, the Air Force far exceeds both the Navy and the Army, while the Navy generally exceeds the Army, in terms of the total percentage of core elements that are fully satisfied. Moreover, of the core elements that have not been fully satisfied by at least one of the three departments, most relate to architecture content, use, and measurement. Even though none of the departments have fully satisfied sufficient core elements to advance beyond Stage 1, the Air Force has at least partially satisfied all the core elements associated with Stages 2 and 3, as well as all but three core elements across all stages, and the Navy has at least partially satisfied all the core elements for Stage 2. In addition, the Air Force has made important progress in the last 2 years in maturing its architecture program, while the Navy's progress has been mixed, and the Army has not made any progress. Collectively, this means that DOD, as a whole, is not as well positioned as it should be to realize the significant benefits that a well-managed federation of architectures can afford its business systems modernization efforts. Individually, it means that the Air Force has a solid architectural foundation on which to continue building, while the Navy and, even more so, the Army has much to accomplish. According to Air Force officials, its progress owes largely to the architecture-related focus, commitment, and leadership of senior department executives, including the Secretary.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-08-519, DOD Business Systems Modernization: Military Departments Need to Strengthen Management of Enterprise Architecture Programs This is the accessible text file for GAO report number GAO-08-519 entitled 'DOD Business Systems Modernization: Military Departments Need to Strengthen Management of Enterprise Architecture Programs' which was released on May 12, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: May 2008: DOD Business Systems Modernization: Military Departments Need to Strengthen Management of Enterprise Architecture Programs: GAO-08-519: GAO Highlights: Highlights of GAO-08-519, a report to congressional committees. Why GAO Did This Study: In 1995, GAO designated Department of Defense (DOD) business systems modernization as a high-risk program, and the program remains on the high-risk list today. A key to successful systems modernization is having and using an enterprise architecture as an authoritative frame of reference, or blueprint, for system investment decisions. To assist DOD in modernizing its business systems, Congress passed legislation consistent with prior GAO recommendations for DOD to develop and implement a business enterprise architecture (BEA). In response, DOD developed a corporate BEA that it intends to federate, or extend, to the military departments and defense agencies. To support GAO‘s legislative mandate to review DOD‘s BEA, GAO evaluated the status of the Air Force, Navy, and Army architecture programs. To accomplish this, GAO used its Enterprise Architecture Management Maturity Framework and associated evaluation method. What GAO Found: The enterprise architecture programs within the Departments of the Air Force, Navy, and Army have yet to advance to a level that can be considered fully mature. Specifically, all three departments are at the initial stage of GAO‘s architecture maturity framework. This means that they have not fully satisfied all the core elements associated with the framework‘s second stage (establishing the management foundation for developing, maintaining, and using the architecture) or any of the framework‘s higher stages: Stage 3 (developing the architecture), Stage 4 (completing the architecture), and Stage 5 (leveraging the architecture for organizational change). An organization generally needs to have achieved the fifth stage in the framework for it to have an effective architecture program because, at this stage, the management controls and structures are in place for using an approved architecture to guide and constrain system investments in a way that produces institutional results. Although each department is at Stage 1, the status of the programs vary considerably. Specifically, the Air Force far exceeds both the Navy and the Army, while the Navy generally exceeds the Army, in terms of the total percentage of core elements that are fully satisfied. Moreover, of the core elements that have not been fully satisfied by at least one of the three departments, most relate to architecture content, use, and measurement. Even though none of the departments have fully satisfied sufficient core elements to advance beyond Stage 1, the Air Force has at least partially satisfied all the core elements associated with Stages 2 and 3, as well as all but three core elements across all stages, and the Navy has at least partially satisfied all the core elements for Stage 2. In addition, the Air Force has made important progress in the last 2 years in maturing its architecture program, while the Navy‘s progress has been mixed, and the Army has not made any progress. Collectively, this means that DOD, as a whole, is not as well positioned as it should be to realize the significant benefits that a well-managed federation of architectures can afford its business systems modernization efforts. Individually, it means that the Air Force has a solid architectural foundation on which to continue building, while the Navy and, even more so, the Army has much to accomplish. According to Air Force officials, its progress owes largely to the architecture-related focus, commitment, and leadership of senior department executives, including the Secretary. Table: Percent of Framework Elements Fully Satisfied by Framework Maturity Stage: Military department: Air Force; All Stages: 61%; Stage 2: 78%; Stage 3: 83%; Stage 4: 38%; Stage 5: 50%. Military department: Navy; All Stages: 13%; Stage 2: 22%; Stage 3: 17%; Stage 4: 0%; Stage 5: 13%. Military department: Army; All Stages: 3%; Stage 2: 11%; Stage 3: 0%; Stage 4: 0%; Stage 5: 0%. Source: GAO analysis of agency data. [End of table] What GAO Recommends: Given the relative status and progress of the military departments‘ architecture programs, and GAO‘s existing recommendations for improving their maturity, GAO reiterates these existing recommendations and recommends that the Navy and Army reach out to the Air Force to learn from and apply its architecture-related lessons learned and experiences. In written comments, DOD agreed with GAO‘s recommendation. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-519]. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Maturity of Military Department Enterprise Architecture Programs Continues to Vary: Conclusions: Recommendation for Executive Action: Agency Comments: Appendix I: Objective, Scope, and Methodology: Appendix II: Comments from the Department of Defense: Appendix III: Brief History of Architecture Frameworks and Management Guidance: Appendix IV: Department of the Air Force Assessment: Appendix V: Department of the Navy Assessment: Appendix VI: Department of the Army Assessment: Appendix VII: GAO Contact and Staff Acknowledgments: Tables: Table 1: Summary of EAMMF Version 1.1 Core Elements Categorized by Group: Table 2: Percent of Framework Elements Fully, Partially, and Not Satisfied by the Military Departments in 2006: Table 3: Percent of Framework Elements Fully Satisfied, by Maturity Stage: Table 4: Percent of Architecture Framework Core Elements Satisfied, by Group: Table 5: Percent of Framework Elements at Least Partially Satisfied, by Stage: Table 6: Net Change in Percent of Framework Elements Satisfied from 2006 to 2008: Table 7: Stage 2 Evaluation Criteria: Table 8: Stage 3 Evaluation Criteria: Table 9: Stage 4 Evaluation Criteria: Table 10: Stage 5 Evaluation Criteria: Table 11: Federal Enterprise Architecture Reference Models: Table 12: OMB EA Assessment Framework Capability Areas: Figures: Figure 1: Summary of EAMMF Version 1.1: Maturity Stages, Critical Success Attributes, and Core Elements: Figure 2: Simplified Conceptual Depiction of the DOD EA Federation Strategy: Abbreviations: ASD(NII)/CIO: Assistant Secretary of Defense (Networks and Information Integration)/Chief Information Officer: BEA: business enterprise architecture: BMA: Business Mission Area: CIO: Chief Information Officer: DBSMC: Defense Business Systems Management Committee: DOD: Department of Defense: EA: enterprise architecture: EAMMF: Enterprise Architecture Management Maturity Framework; GIG: Global Information Grid: IT: information technology: OMB: Office of Management and Budget: [End of section] United States Government Accountability Office: Washington, DC 20548: May 12, 2008: Congressional Committees: For decades, the Department of Defense (DOD) has been challenged in modernizing its thousands of business systems. In 1995, we first designated DOD's business systems modernization program as high risk, and we continue to designate it as such today. As our research on public and private sector organizations shows, one key ingredient to a successful systems modernization program is having and using a well- defined enterprise architecture. Accordingly, we made recommendations to the Secretary of Defense in 2001 that included the means for effectively developing and implementing an enterprise architecture. [Footnote 1] Between 2001 and 2005, we reported on challenges that the department faced in its efforts to develop a business enterprise architecture (BEA) and made additional recommendations.[Footnote 2] To require DOD to address these and other modernization management challenges, Congress included provisions in the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005[Footnote 3] that were consistent with our recommendations. In response, DOD adopted an incremental, federated approach to developing its BEA. We subsequently reported that this approach was consistent with best practices and that the initial version of the architecture provided a foundation on which to build and align the department's BEA with subsidiary architectures (i.e., military department and defense agency component-and individual program-level architectures).[Footnote 4] In light of the critical role that military department architectures play in DOD's federated BEA construct, you asked us to assess the status of the Departments of the Army, Navy, and Air Force enterprise architecture programs. To accomplish this, we used a standard data and document collection instrument to obtain key information about each department's architecture governance, content, use, and measurement. On the basis of the military departments' responses and supporting documentation, we analyzed the extent to which each satisfied the 31 core elements in our architecture maturity framework.[Footnote 5] We also compared the current status of each military department's program against the status that we reported in 2006.[Footnote 6] We performed our work in the metropolitan area of Washington, D.C., from September 2007 through March 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Details on our objectives, scope, and methodology are provided in appendix I. Results in Brief: The military departments' respective enterprise architecture programs have yet to advance to a level that can be considered mature. To effectively establish and leverage enterprise architectures as instruments of organizational transformation, research by us and others show that architecture programs should be founded upon both an institutional commitment and a measured and verified organizational capability to properly develop, maintain, and use the architecture to affect operational and technological change. Our framework for managing and evaluating the status of architecture programs consists of 31 core elements related to architecture governance, content, use, and measurement that are associated with five stages of maturity. In 2006, we reported that the Departments of the Air Force, Navy, and Army were in the initial stage of our framework, and they remain so today. This means that they have not fully satisfied all the core elements associated with the framework's second stage (establishing the management foundation for developing, maintaining, and using the architecture); nor have they fully satisfied the core elements associated with Stage 3 (developing the architecture), 4 (completing the architecture), and 5 (leveraging the architecture for organizational change). As we have previously reported, an organization generally needs to have achieved Stage 5 in our framework for it to have an effective architecture program because, at this stage, the full complement of architecture products and supporting management controls and structures are in place to guide and constrain information technology (IT) investments in a way that produces institutional results. Although each of the departments remain at Stage 1 of our maturity framework, the current status of their architecture programs are not identical. Also, while each department has not fully satisfied a number of core elements, some of them are at least partially satisfied. Most of the core elements that have not been fully or partially satisfied relate to developing sufficient architecture content (sufficient scope, depth, understanding, integrity, and consistency of products). In addition, even though all three departments remain at Stage 1 of our framework, one department has made important progress since 2006. More specifically: * The Air Force's architecture program is more mature than the Navy's, which is more mature than the Army's. The three military departments have fully satisfied 61, 13, and 3 percent, and partially satisfied 29, 52, and 13 percent, of our framework's core elements, respectively. In addition, the Air Force and the Navy have at least partially satisfied the core elements associated with the framework's second stage (establishing the architecture management foundation), and the Air Force has partially satisfied the elements in the third stage (developing the architecture). * The Air Force has at least partially satisfied nearly all of the governance, content, use, and measurement-related core elements in our framework, while the Navy has at least partially satisfied most of the governance and content-related core elements. In contrast, the Army has only partially satisfied a few of the governance and use-related core elements and has not satisfied any of the content and measurement core elements. * The Air Force has made the most progress in the last 2 years in addressing our prior recommendations for satisfying our framework's core elements. For example, it has increased the percentage of core elements that are fully satisfied from 45 to 61 percent. In contrast, the Army has made the least progress, with its percentage of fully satisfied core elements remaining unchanged. As we have previously reported, the key to having a mature architecture program, and thereby realizing the benefits of an architecture-centric approach to IT investment decision making, is sustained executive leadership. This is because virtually all of the barriers to effectively developing and using architectures, such as parochialism, cultural resistance, adequate resources, and top management understanding, can be addressed through such leadership. In this regard, Air Force officials attributed their progress to the direct involvement and commitment of the Secretary of the Air Force. Because we have outstanding recommendations to the Secretary of Defense aimed at, among other things, having each of the military departments fully satisfy the core elements in our architecture framework, we are not making additional recommendations relative to our framework at this time. However, given the uneven status and progress of the respective military departments to date, opportunities exist for the Army and Navy to learn from the Air Force's experiences in maturing its architecture program. Therefore, we reiterate our outstanding recommendations and further recommend that the Secretary of Defense direct the Secretaries of the Navy and Army to ensure that their departments reach out to the Department of the Air Force to learn from and apply the lessons and experiences that have allowed the Air Force to make the progress it has in maturing its architecture program. In written comments on a draft of this report, signed by the Deputy Under Secretary of Defense (Business Transformation), and reprinted in appendix II, the department agreed with our recommendation. Background: DOD is a massive and complex organization. To illustrate, the department reported that its fiscal year 2007 operations involved approximately $1.5 trillion in assets and $2.1 trillion in liabilities, more than 2.9 million military and civilian personnel, and $544 billion in net cost of operations. In support of its military operations, the department performs an assortment of interrelated and interdependent business functions-- using thousands of business systems--related to major business areas such as weapon systems management, supply chain management, procurement, health care management, and financial management. The ability of these systems to operate as intended affects the lives of our warfighters both on and off the battlefield. As we have previously reported,[Footnote 7] the DOD systems environment that supports these business functions is overly complex; error-prone; and characterized by little standardization across the department, multiple systems performing the same tasks, the same data stored in multiple systems, and the need for data to be entered manually into multiple systems. Moreover, DOD recently reported that this systems environment is comprised of approximately 3,000 separate business systems. For fiscal year 2007, Congress appropriated approximately $15.7 billion to DOD; for fiscal year 2008, DOD has requested about $15.9 billion in appropriated funds to operate, maintain, and modernize these business systems and the associated infrastructures, of which approximately $11 billion was requested for the military departments. DOD's pervasive business system and related financial management deficiencies adversely affect its ability to assess resource requirements; control costs; ensure basic accountability; anticipate future costs and claims on the budget; measure performance; maintain funds control; prevent and detect fraud, waste, and abuse; and address pressing management issues. In fact, DOD currently bears responsibility, in whole or in part, for 15 of the 27 federal government's program areas that we have designated as high risk. [Footnote 8] Eight of these areas are specific to DOD[Footnote 9] and the department shares responsibility for 7 other governmentwide high- risk areas.[Footnote 10] DOD's business systems modernization is one of the high-risk areas, and it is an essential component for addressing many of the department's other high-risk areas. For example, modernized business systems are integral to the department's efforts to address its financial, supply chain, and information security management high- risk areas. A well-defined and effectively implemented enterprise architecture is, in turn, integral to the successful modernization of DOD's business systems. Enterprise Architecture Is Critical to Achieving Successful Systems Modernization: An enterprise architecture (EA) is a blueprint that describes an organization's or a functional area's current and desired state in both logical and technical terms, as well as a plan for transitioning between the two states. As such, it is a recognized tenet of organizational transformation and IT management in public and private organizations. Without an EA, it is unlikely that an organization will be able to transform business processes and modernize supporting systems to minimize overlap and maximize interoperability. For more than a decade, we have conducted work to improve agency architecture efforts. To this end, we developed the Enterprise Architecture Management Maturity Framework (EAMMF) that provides federal agencies with a common benchmarking tool for assessing the management of their EA efforts and developing improvement plans. Enterprise Architecture Description and Importance: An enterprise can be viewed as either a single organization or a functional area that transcends more than one organization (e.g., financial management or homeland security). An architecture can be viewed as the structure (or structural description) of any activity. Thus, EAs are systematically derived and captured descriptions depicted in models, diagrams, and narratives. More specifically, an architecture describes the enterprise in logical terms (such as interrelated business processes and business rules, information needs and flows, and work locations and users) as well as in technical terms (such as hardware, software, data, communications, security attributes, and performance standards). It provides these perspectives both for the enterprise's current, or "as-is," environment, and for its target, or "to-be," environment, and it provides a transition plan for moving from the "as-is" to the "to-be" environment. The importance of EAs is a basic tenet of both organizational transformation and IT management, and their effective use is a recognized hallmark of successful public and private organizations. For over a decade, we have promoted the use of architectures, recognizing them as a crucial means to a challenging end: optimized agency operations and performance. The alternative, as our work has shown, is the perpetuation of the kinds of operational environments that saddle many agencies today, in which the lack of integration among business operations and the IT resources that support them leads to systems that are duplicative, not well integrated, and unnecessarily costly to maintain and interface.[Footnote 11] Employed in concert with other important IT management controls (such as portfolio-based capital planning and investment control practices), architectures can greatly increase the chances that organizations' operational and IT environments will be configured to optimize mission performance. The concept of EAs originated in the mid-1980s; various frameworks for defining the content of these architectures have been published by government agencies and the Office of Management and Budget (OMB). Moreover, legislation and federal guidance requires agencies to develop and use architectures. (See appendix III for a brief description of architecture frameworks and related legislation and management guidance.) GAO's Enterprise Architecture Management Maturity Framework: In 2002, we developed version 1.0 of the EAMMF to provide federal agencies with a common benchmarking tool for planning and measuring their efforts to improve enterprise architecture management, as well as to provide OMB with a means for doing the same governmentwide. We issued an update of the framework (version 1.1) in 2003.[Footnote 12] This framework is an extension of A Practical Guide to Federal Enterprise Architecture, Version 1.0, published by the Chief Information Officers Council.[Footnote 13] Version 1.1 of the framework arranges 31 core elements (practices or conditions that are needed for effective enterprise architecture management) into a matrix of five hierarchical maturity stages and four critical success attributes that apply to each stage. Within a given stage, each critical success attribute includes between one and four core elements. Based on the implicit dependencies among the core elements, the EAMMF associates each element with one of five maturity stages (see fig. 1). The core elements can be further categorized by four groups: architecture governance, content, use, and measurement. EAMMF Stages: Stage 1: Creating enterprise architecture awareness. At Stage 1, either an organization does not have plans to develop and use an architecture, or it has plans that do not demonstrate an awareness of the value of having and using an architecture. While Stage 1 agencies may have initiated some enterprise architecture activity, these agencies' efforts are ad hoc and unstructured, lack institutional leadership and direction, and do not provide the management foundation necessary for successful enterprise architecture development as defined in Stage 2. Stage 2: Building the enterprise architecture management foundation. An organization at Stage 2 recognizes that the EA is a corporate asset by vesting accountability for it in an executive body that represents the entire enterprise. At this stage, an organization assigns architecture management roles and responsibilities and establishes plans for developing architecture products and for measuring program progress and product quality; it also commits the resources necessary for developing an architecture--people, processes, and tools. Specifically, a Stage 2 organization has designated a chief architect and established and staffed a program office responsible for EA development and maintenance. Further, it has established a committee or group that has responsibility for governance (i.e., directing, overseeing, and approving architecture development and maintenance). This committee or group membership has enterprisewide representation. At Stage 2, the organization either has plans for developing or has started developing at least some architecture products, and it has developed an enterprisewide awareness of the value of enterprise architecture and its intended use in managing its IT investments. The organization has also selected a framework and a methodology that will be the basis for developing the architecture products and has selected a tool for automating these activities. Stage 3: Developing the enterprise architecture. An organization at Stage 3 focuses on developing architecture products according to the selected framework, methodology, tool, and established management plans. Roles and responsibilities assigned in the previous stage are in place, and resources are being applied to develop actual products. At this stage, the scope of the architecture has been defined to encompass the entire enterprise, whether organization-based or function-based. Although the products may not be complete, they are intended to describe the organization in terms of business, performance, information/data, service/application, and technology (including security explicitly in each), as provided for in the framework, methodology, tool, and management plans.[Footnote 14] Further, the products are to describe the current ("as-is") and future ("to-be") states and the plan for transitioning from the current to the future state (the sequencing plan). As the products are developed and evolve, they are subject to configuration management. Further, through the established enterprise architecture management foundation, the organization is tracking and measuring its progress against plans, identifying and addressing variances, as appropriate, and then reporting on its progress. Stage 4: Completing the enterprise architecture. An organization at Stage 4 has completed its architecture products, meaning that the products have been approved by the EA steering committee (established in Stage 2) or an investment review board and by the Chief Information Officer (CIO). The completed products collectively describe the enterprise in terms of business, performance, information/data, service/application, and technology for both its current and future operating states; the products also include a plan for transitioning from the current to the future state. Further, an independent agent has assessed the quality (i.e., completeness and accuracy) of the architecture products. Additionally, evolution of the approved products is governed by a written EA maintenance policy approved by the head of the organization. Stage 5: Leveraging the enterprise architecture to manage change. An organization at Stage 5 has secured senior leadership approval of the architecture products and a written institutional policy stating that IT investments must comply with the architecture, unless granted an explicit compliance waiver. Further, decision makers are using the architecture to identify and address ongoing and proposed IT investments that are conflicting, overlapping, not strategically linked, or redundant. As a result, Stage 5 entities avoid unwarranted overlap across investments and ensure maximum systems interoperability. Maximum interoperability, in turn, ensures the selection and funding of IT investments with manageable risks and returns. Also, at Stage 5, the organization tracks and measures EA benefits or return on investment, and adjustments are continuously made to both the architecture management process and the enterprise architecture products. EAMMF Attributes: Attribute 1: Demonstrates commitment. Because the EA is a corporate asset for systematically managing institutional change, the support and sponsorship of the head of the enterprise are essential to the success of the architecture effort. An approved enterprise policy statement provides such support and sponsorship by promoting institutional buy-in and encouraging resource commitment from participating components. Equally important in demonstrating commitment is vesting ownership of the architecture in an executive body that collectively owns the enterprise. Attribute 2: Provides capability to meet commitment. The success of the EA effort depends largely on the organization's capacity to develop, maintain, and implement the enterprise architecture. Consistent with any large IT project, these capabilities include providing adequate resources (i.e., people, processes, and technology), defining clear roles and responsibilities, and defining and implementing organizational structures and process management controls that promote accountability and effective project execution. Attribute 3: Demonstrates satisfaction of commitment. Satisfaction of the organization's commitment to develop, maintain, and implement an EA is demonstrated by the production of artifacts (e.g., the plans and products). Such artifacts demonstrate follow through--actual EA production. Satisfaction of commitment is further demonstrated by senior leadership approval of enterprise architecture documents and artifacts; such approval communicates institutional endorsement and ownership of the architecture and the change that it is intended to drive. Attribute 4: Verifies satisfaction of commitment. This attribute focuses on measuring and disclosing the extent to which efforts to develop, maintain, and implement the EA have fulfilled stated goals or commitments of the enterprise architecture. Measuring such performance allows for tracking progress that has been made toward stated goals, allows appropriate actions to be taken when performance deviates significantly from goals, and creates incentives to influence both institutional and individual behaviors. Figure 1 illustrates the EAMMF's maturity stages, attributes, and core elements. Figure 1: Summary of EAMMF Version 1.1: Maturity Stages, Critical Success Attributes, and Core Elements: [See PDF for image] This figure is a table containing a summary of EAMMF Version 1.1: Maturity Stages, Critical Success Attributes, and Core Elements. Maturation increases from stage one through stage five. The following information is depicted: Attribute 1: Demonstrates commitment; Stage 1: Creating EA awareness: [Empty]; Stage 2: Adequate resources exist. Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA. Stage 3: Developing EA products: Building the EA management foundation: Written and approved organization policy exists for EA development. Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance. Stage 5: Leveraging the EA to manage change: Written and approved organization policy exists for IT investment compliance with EA. Attribute 2: Provides capability to meet commitment; Stage 1: Creating EA awareness: [Empty]; Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists. Chief architect exists. EA is being developed using a framework, methodology, and automated tool. Stage 3: Developing EA products: EA products are under configuration management. Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation. Stage 5: Leveraging the EA to manage change: Process exists to formally manage EA change.EA is integral component of IT investment management process. Attribute 3: Demonstrates satisfaction of commitment; Stage 1: Creating EA awareness: [Empty]; Stage 2: Building the EA management foundation: EA plans call for describing both the ’as-is“ and the ’to-be“ environments of the enterprise, as well as a sequencing plan for transitioning from the ’as- is“ to the ’to-be.“ EA plans call for describing both the ’as-is“ and the ’to-be“ environments in terms of business, performance, information/data, application/service, and technology. EA plans call for business, performance, information/data, application/service, and technology descriptions to address security. Stage 3: Developing EA products: EA products describe or will describe both the ’as-is“ and the ’to-be“ environments of the enterprise, as well as a sequencing plan for transitioning from the ’as-is“ to the ’to- be.“ Both the ’as-is“ and the ’to-be“ environments are described or will be described in terms of business, performance, information/data, application/service, and technology. Business, performance, information/data, application/service, and technology descriptions address or will address security. Stage 4: Completing EA products: EA products describe both the ’as-is“ and the ’to-be“ environments of the enterprise, as well as a sequencing plan for transitioning from the ’as-is“ to the ’to-be.“ Both the ’as- is“ and the ’to-be“ environments are described in terms of business, performance, information/data, application/service, and technology. Business, performance, information/data, application/service, and technology descriptions address security.Organization CIO has approved current version of EA. Committee or group representing the enterprise or the investment review board has approved current version of EA. Stage 5: Leveraging the EA to manage change: EA products are periodically updated. IT investments comply with EA.Organization head has approved current version of EA. Attribute 4: Verifies satisfaction of commitment; Stage 1: Creating EA awareness: [Empty]; Stage 2: Building the EA management foundation: EA plans call for developing metrics for measuring EA progress, quality, compliance, and return on investment. Stage 3: Developing EA products: Progress against EA plans is measured and reported. Stage 4: Completing EA products: Quality of EA products is measured and reported. Stage 5: Leveraging the EA to manage change: Return on EA investment is measured and reported. Compliance with EA is measured and reported. Source: GAO. Note: Each stage includes all elements of previous stages. [End of figure] EAMMF Groups: The framework's 31 core elements can also be placed in one of four groups of architecture-related activities, processes, products, events and structures. The groups are architecture governance, content, use, and measurement. Each is defined below. * Governance refers to core elements that provide the management structures and processes needed to guide and direct the architecture program. * Content refers to core elements that provide for the scope, depth, integrity, understanding, and consistency of products and artifacts that make up the architecture. * Use refers to core elements that provide for an architecture-centric approach to IT investment management (i.e., treating architecture as the authoritative frame of reference in guiding and constraining IT investments). * Measurement refers to core elements that provide for determining and disclosing progress in developing, maintaining, and using the architecture, including measurement against plans, process standards, and product quality standards. These groups are generally consistent with the capability area descriptions in the OMB EA assessment tool.[Footnote 15] For example, OMB's completion capability area addresses ensuring that architecture products describe the agency in terms of processes, services, data, technology, and performance and that the agency has developed a transition strategy. Similarly, our content group includes developing and completing these same EA products. In addition, OMB's results capability area addresses performance measurement, as does our measurement group, and OMB's use capability area addresses many of the same elements in our governance and use groups. Table 1 lists the core elements according to EAMMF group. Table 1: Summary of EAMMF Version 1.1 Core Elements Categorized by Group: Group: Governance; Core element: Adequate resources exist (Stage 2). Group: Governance; Core element: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA (Stage 2). Group: Governance; Core element: Program office responsible for EA development and maintenance exists (Stage 2). Group: Governance; Core element: Chief architect exists (Stage 2). Group: Governance; Core element: EA being developed using a framework, methodology, and automated tool (Stage 2). Group: Governance; Core element: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan (Stage 2). Group: Governance; Core element: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology (Stage 2). Group: Governance; Core element: EA plans call for business, performance, information/data, application/service, and technology to address security (Stage 2). Group: Governance; Core element: Written and approved policy exists for EA development (Stage 3). Group: Governance; Core element: Written and approved policy exists for EA maintenance (Stage 4). Group: Governance; Core element: Organization CIO has approved EA (Stage 4). Group: Governance; Core element: Committee or group representing the enterprise or the investment review board has approved current version of EA (Stage 4). Group: Governance; Core element: Written and approved organization policy exists for IT investment compliance with EA (Stage 5). Group: Governance; Core element: Organization head has approved current version of EA (Stage 5). Group: Content; Core element: EA products are under configuration management (Stage 3). Group: Content; Core element: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan (Stage 3). Group: Content; Core element: Both "as-is" and "to-be" environments are described or will be described in terms given in Stage 2 (Stage 3). Group: Content; Core element: These descriptions address or will address security (Stage 3). Group: Content; Core element: EA products and management processes undergo independent verification and validation (Stage 4). Group: Content; Core element: EA products describe "as-is" environment, "to-be" environment, and sequencing plan (Stage 4). Group: Content; Core element: Both "as-is" and "to-be" environments are described in terms given in Stage 2 (Stage 4). Group: Content; Core element: These descriptions address security (Stage 4). Group: Content; Core element: Process exists to formally manage EA change (Stage 5). Group: Content; Core element: EA products are periodically updated (Stage 5). Group: Use; Core element: EA is integral component of IT investment management process (Stage 5). Group: Use; Core element: IT investments comply with EA (Stage 5). Group: Measurement; Core element: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment (Stage 2). Group: Measurement; Core element: Progress against EA plans is measured and reported (Stage 3). Group: Measurement; Core element: Quality of EA products is measured and reported (Stage 4). Group: Measurement; Core element: Return on EA investment is measured and reported (Stage 5). Group: Measurement; Core element: Compliance with EA is measured and reported (Stage 5). Source: GAO. [End of table] DOD's Efforts to Adopt a Federated Approach to Architecting All of Its Mission Areas: DOD is pursing a federated strategy to develop and implement the many and varied architectures across the department's four mission areas-- Warfighting,[Footnote 16] Business,[Footnote 17] DOD Intelligence, [Footnote 18] and Enterprise Information Environment.[Footnote 19] According to officials in the Office of the Assistant Secretary of Defense (Networks and Information Integration)/Chief Information Officer (ASD(NII)/CIO), they have issued a strategy for evolving DOD's Global Information Grid (GIG)[Footnote 20] architecture that is to provide a comprehensive architectural description of the entire DOD enterprise, including all mission areas and the relationships between and among all levels of the enterprise (e.g., mission areas, components, and programs). Figure 2 provides a simplified, conceptual depiction of DOD's EA federation strategy. Figure 2: Simplified, Conceptual Depiction of the DOD EA Federation Strategy: [See PDF for image] This figure is a Simplified, Conceptual Depiction of the DOD EA Federation organizational chart, as follows: Department Layer: Global Information Grid. Mission Area Layer (fed by Department Layer): * Warfighting Mission Area; - Warfighting EA. * Business Mission Area; - Business EA. * Intelligence Mission Area; - Intelligence EA. * Enterprise Information Environment Mission Area; - Enterprise Information Environment EA. Component Layer (Fed by Mission Area Layer): * Service; * Agency; * Combat Command. Program Layer (fed by Component Layer): * Individual programs. Source: GAO analysis of DOD data. [End of figure] ASD(NII)/CIO officials stated that the goal of this strategy is to improve the ability of DOD's mission areas, components, and programs to share architectural information. In this regard, officials stated that the DOD EA federation strategy will define federation and integration concepts, alignment (i.e., linking and mapping) processes, and shared services. The first Business Mission Area (BMA) federation strategy was released in September 2006, according to ASD(NII)/CIO officials. Its purpose is to expand on the DOD EA federation strategy and provide details on how various aspects of the federation will be applied within the department's BMA. In this regard, the BMA strategy cites the following four goals: * establish a capability to search for data in member architectures that may be relevant for analysis, reference, or reuse; * develop a consistent set of standards for architecture configuration management that will enable users to determine the development status and quality of data in various architectures; * establish a standard methodology for specifying linkages among existing component architectures that were developed using different tools and that are maintained in independent repositories; and: * develop a standard methodology to reuse capabilities described by various architectures. To assist in accomplishing these goals, the strategy described three concepts that are to be applied: 1. Tiered accountability provides for architecture development at each of the department's organizational levels. 2. Net-centricity provides for seamless and timely accessibility to information where and when needed via the department's interconnected network environment. 3. Federating DOD architectures provides for linking or aligning subordinate and parent architectures via the mapping of common architectural information. This concept advocates subordinate architecture alignment to the parent architecture. DOD Roles and Responsibilities for Business Enterprise Architecture Development and Use: In 2005, DOD reassigned responsibility for directing, overseeing, and executing its business transformation and systems modernization efforts to the Defense Business Systems Management Committee (DBSMC) and the Business Transformation Agency. The DBSMC is chaired by the Deputy Secretary of Defense and serves as the highest-ranking governance body for business systems modernization activities. According to its charter, the DBSMC provides strategic direction and plans for the BMA in coordination with the Warfighting and the Enterprise Information Environment Mission Areas. The DBSMC is also responsible for reviewing and approving the BEA and the Enterprise Transition Plan. The Business Transformation Agency operates under the authority, direction, and control of the DBSMC and reports to the Under Secretary of Defense for Acquisition, Technology, and Logistics in the incumbent's capacity as the vice chair of the DBSMC. Oversight for this agency is provided by the Deputy Under Secretary of Defense for Business Transformation, and day-to-day management is provided by the director. The Business Transformation Agency's primary responsibility is to lead and coordinate business transformation efforts across the department. In particular, it is responsible for (1) maintaining and updating the department's architecture, (2) ensuring that functional priorities and requirements of various defense component organizations are reflected in the architecture, and (3) ensuring the adoption of DOD- wide information and process standards as defined in the architecture. Under DOD's tiered accountability approach to systems modernization, components are responsible for defining their respective component architectures and transition plans. Similarly, program managers are responsible for developing program-level architectures and transition plans and ensuring integration with the architectures and transition plans developed and executed at the enterprise and component levels. Summary of GAO's Prior Reviews on Business Enterprise Architecture and Military Department Architectures: Between May 2001 and July 2005, we reported on DOD's efforts to develop an architecture and identified serious problems and concerns with the department's architecture program, including the lack of specific plans outlining how DOD would extend and evolve the architecture to include the missing scope and detail.[Footnote 21] To address these concerns, in September 2003,[Footnote 22] we recommended that DOD develop a well- defined, near-term plan for extending and evolving the architecture and ensure that this plan would address our recommendations: defining roles and responsibilities of all stakeholders involved in extending and evolving the architecture, explaining dependencies among planned activities, and defining measures of progress for the activities. In response to our recommendations, in 2005, DOD adopted a 6-month incremental approach to developing its architecture and released version 3.0 of the BEA and the associated transition plan in September 2005, describing them as the initial baselines. Since then, DOD has released three updated versions of both--version 3.1, released on March 15, 2006; version 4.0, released on September 28, 2006; and version 4.1, released on March 15, 2007. As we have previously reported,[Footnote 23] these incremental versions have provided additional content and clarity and resolved limitations that we identified in the prior versions. For example, version 4.1 improved the Financial Visibility business enterprise priority area by including the Standard Financial Information Structure data elements and business rules to support cost accounting and reporting. In addition, version 4.1 addressed, to varying degrees, missing elements, inconsistencies, and usability issues that we previously identified. In August 2006,[Footnote 24] we reported that the Departments of the Air Force, Navy, and Army had fully satisfied about 45, 32, and 3 percent, and partially satisfied 26, 39, and 42 percent, respectively, of the 31 core elements in our architecture maturity framework (see table 2). Table 2: Percent of Framework Elements Fully, Partially, and Not Satisfied by the Military Departments in 2006: Military departments: Air Force; Fully satisfied: 45%; Partially satisfied: 26%; Not satisfied: 29%. Military departments: Navy; Fully satisfied: 32; Partially satisfied: 39; Not satisfied: 29. Military departments: Army; Fully satisfied: 3; Partially satisfied: 42; Not satisfied: 55. Source: GAO analysis of agency data. [End of table] By comparison, other major federal departments and agencies that we reviewed had, as a whole, fully satisfied about 67 percent of the framework's core elements. Among the key elements that all three military departments had not fully satisfied were developing architecture products that describe their respective target architectural environments and developing transition plans for migrating to a target environment. Furthermore, while the military departments had partially satisfied between 26 and 42 percent of the core elements in our framework, we reported that partially satisfied elements were not necessarily easy to satisfy fully, such as those that address architecture content; and thus, partials can have serious implications for the quality and usability of an architecture. To assist the military departments in addressing their EA challenges and managing their programs, we recommended that they develop and implement plans for fully satisfying each of the conditions in our framework. DOD generally agreed with our findings and recommendations. In April 2007,[Footnote 25] we reported that DOD's BMA federation strategy provided a foundation on which to build and align DOD's parent BEA with its subordinate architectures (i.e., component-and program- level architectures). In particular, we found that this strategy (1) stated the department's federated architecture goals; (2) described federation concepts that are to be applied; and (3) included high-level activities, capabilities, products, and services that are intended to facilitate implementation of the concepts. However, we also reported that DOD had yet to define the details needed to execute the strategy, such as how the architecture federation was to be governed; how alignment with the DOD federation strategy and other potential mission- area federation strategies was to be achieved; how component architectures' alignment with incremental versions of the BEA was to be achieved; how shared services would be identified, exposed, and subscribed to; and what milestones would be used to measure progress and results. As a result, we concluded that much remained to be decided and accomplished before DOD would have in place the means to create a federated architecture and thus be able to fully satisfy both our prior recommendations and legislative requirements aimed at adopting an architecture-centric approach to departmentwide business systems investment management. In May 2007,[Footnote 26] we concluded that while DOD has made progress in developing the BEA, much remained to be accomplished. In particular, we reported that DOD had yet to extend and evolve its corporate BEA through the development of aligned, subordinate architectures for each of its component organizations, and while it had developed a strategy for federating the BEA in this manner, this strategy lacked the detail needed for it to be fully effective. We also reported that this situation was compounded by the known immaturity of the military departments' architecture efforts. Accordingly, we recommended that DOD include in its annual report to Congress on compliance with section 332 of the Fiscal Year 2005 National Defense Authorization Act the results of assessments by its BEA independent verification and validation contractor on the completeness, consistency, understandability, and usability of its federated family of business mission architectures, including the associated transition plans. DOD agreed with this recommendation. Maturity of Military Department Enterprise Architecture Programs Continues to Vary: Each of the military departments' enterprise architecture programs is at the initial stage of our maturity framework, meaning that each has not fully satisfied all of the core elements associated with the framework's second stage (establishing the management foundation for developing, maintaining, and using the architecture). Also, none have fully satisfied the core elements associated with Stage 3 (developing the architecture), 4 (completing the architecture), and 5 (leveraging the architecture for organizational change). As a result, none have yet to advance to a state that can be considered fully mature and effective. Although all departments are at Stage 1, the status of the three vary considerably. Specifically, the Air Force far exceeds the Navy, which generally exceeds the Army, in terms of the total number of core elements that are fully satisfied. Further, even though all three are at Stage 1, the Air Force has at least partially satisfied all of the core elements associated with Stage 3 and has partially satisfied all but three core elements across all stages. The Navy has at least partially satisfied all of the core elements associated with Stage 2 and all but one of the Stage 3 core elements. Moreover, the Air Force has made important progress in maturing its EA program over the last 2 years, while the Navy has made mixed progress, and the Army has not made progress. As our research shows, the state of an organization's EA program owes largely to the extent to which the program has benefited from sustained executive leadership. This is because virtually all of the barriers to effectively developing and using architectures, such as parochialism, cultural resistance, adequate resources, and top management understanding, can be addressed through such leadership. In this regard, Air Force officials attributed their progress toward establishing a fully mature architecture program to sustained executive leadership. Without fully mature programs, the departments introduce increased risk of developing and implementing IT solutions that are duplicative, do not interoperate, and thus do not optimize departmentwide performance. The Military Departments' Full Satisfaction of Our Framework's Core Elements Varies, but None Have Programs That Are Fully Mature: To reach a given stage of maturity under our architecture framework and associated evaluation methodology, a military department had to fully satisfy all of the core elements at that stage. Using this criterion, each of the military departments is at Stage 1, meaning that none could demonstrate through verifiable documentation that it has established all of the core foundational commitments and capabilities needed to effectively manage the development, maintenance, and implementation of an architecture. However, this does not mean that the departments are at identical states of maturity. Rather, the Air Force is considerably more advanced than the Navy and Army. (See appendices IV through VI for details on the extent to which each military department satisfied each of the core elements of our maturity framework.) Assigning the military departments' architecture programs to a maturity stage based on whether all elements of a stage are fully satisfied provides only one perspective on these programs. Another is the extent to which each program has also fully satisfied core elements across higher stages of maturity. When the percentage of core elements that have been fully satisfied across all stages is considered, a similar picture of the departments' relative variability is evident. Specifically, the percent of all core elements that are fully satisfied ranges from a high of 61 percent for the Air Force to a low of 3 percent for the Army (the Navy fully satisfied 13 percent of the core elements). Table 3 summarizes the percentage of core elements that are fully satisfied in total, by maturity stage, for each military department. Table 3: Percent of Framework Elements Fully Satisfied, by Maturity Stage: Military departments: Air Force; Framework elements fully satisfied: All stages: 61%; Framework elements fully satisfied: Stage 2: 78%; Framework elements fully satisfied: Stage 3: 83%; Framework elements fully satisfied: Stage 4: 38%; Framework elements fully satisfied: Stage 5: 50%. Military departments: Navy; Framework elements fully satisfied: All stages: 13%; Framework elements fully satisfied: Stage 2: 22%; Framework elements fully satisfied: Stage 3: 17%; Framework elements fully satisfied: Stage 4: 0%; Framework elements fully satisfied: Stage 5: 13%. Military departments: Army; Framework elements fully satisfied: All stages: 3%; Framework elements fully satisfied: Stage 2: 11%; Framework elements fully satisfied: Stage 3: 0%; Framework elements fully satisfied: Stage 4: 0%; Framework elements fully satisfied: Stage 5: 0%. Source: GAO analysis of agency data. [End of table] Notwithstanding this perspective, it is important to note that the staging of core elements in our framework provide a hierarchical or systematic progression to establishing a mature and effective architecture program. That is, core elements associated with lower framework stages generally support the effective execution of higher maturity stage core elements. For instance, if a program has developed its full suite of "as-is" and "to-be" architecture products, including a sequencing plan (Stage 4 core elements), but the products are not under configuration management (Stage 3 core element), then the integrity and consistency of the products cannot be adequately assured. In this regard, even though the Navy has partially developed its EA products, the quality of these products is questionable because the Navy has not placed them under configuration management. Further, not satisfying even a single lower stage core element can have a significant impact on the effectiveness of an architecture program. For example, not using a defined framework or methodology (Stage 2 core element) or not performing configuration management (Stage 3 core element), can significantly limit the quality and utility of an architecture. DOD's experience between 2001 and 2005 in developing its BEA is a case in point. During this time, we made a series of recommendations grounded in, among other things, our architecture management framework to ensure that it was successful in doing so.[Footnote 27] In 2005,[Footnote 28] we reported that despite investing hundreds of millions of dollars and 4 years in developing multiple versions of wide-ranging architecture products, the department did not have a well-defined architecture, and what it did develop had limited utility. Among other things, we attributed the poor state of its architecture products to methodological, human capital, and configuration management weaknesses. Looking at related groupings of core elements that are fully satisfied also provides a useful perspective on the state of the military departments' architecture programs. As noted earlier, these groupings of core elements are architecture governance, content, use, and measurement. Overall, the military departments varied in the extent to which each of the groups were met. For example, while the Air Force fully satisfied 71 percent of the governance core elements, the Navy and Army only fully satisfied 14 and 7 percent, respectively. The extent to which each department satisfied the core elements in each grouping are discussed below. (See table 4 for a summary of the extent to which each department fully satisfied these groupings.) * Governance refers to core elements that provide the management structures and processes needed to guide and direct an architecture program. Neither the Navy nor the Army has established effective architecture governance, having satisfied only 14 and 7 percent of these core elements, respectively. For example, neither has a written or approved departmentwide policy for EA development and maintenance or for requiring that IT investments comply with the EA. This is important because approved policies demonstrate institutional commitment to having and using an architecture. As our framework states, an approved enterprisewide policy provides the kind of top management support and sponsorship needed to overcome the barriers to architecture development and use. In contrast, the Air Force has fully satisfied the majority of governance core elements. However, the remaining unsatisfied core elements are significant. For example, it has not fully established a committee or group with representation from across the enterprise to direct, oversee, and approve the architecture. This is significant because the architecture is a corporate asset that needs to be enterprisewide in scope and accepted by senior leadership if it is to be leveraged effectively for organizational change. Table 4: Percent of Architecture Framework Core Elements Satisfied, by Group: Military departments: Air Force; Framework groups: Governance: 71%; Framework groups: Content: 60%; Framework groups: Use: 50%; Framework groups: Measurement: 40%. Military departments: Navy; Framework groups: Governance: 14%; Framework groups: Content: 10%; Framework groups: Use: 0%; Framework groups: Measurement: 20%. Military departments: Army; Framework groups: Governance: 7%; Framework groups: Content: 0%; Framework groups: Use: 0%; Framework groups: Measurement: 0%. Source: GAO analysis of agency data. [End of table] * Content refers to core elements that provide for the scope, depth, integrity, understanding, and consistency of products and artifacts that make up the architecture. Only the Air Force has fully satisfied much in the way of architecture content, having fully met 60 percent of the core elements, with the Navy and Army meeting only 10 and 0 percent, respectively. For example, while the Air Force has placed its EA products under configuration management and provided for ensuring that its EA products will describe the "as-is" environment, "to-be" environment, and sequencing plan, neither the Navy nor the Army has done the same. Moreover, none of the departments have fully addressed security as part of their respective "as-is" and "to-be" products developed to date. This is important because security is relevant and essential to every aspect of an organization's operations, and therefore, the nature and substance of institutionalized security requirements, controls, and standards should be embedded throughout the architecture. Further, none of the departments is using an independent verification and validation agent to help ensure the quality of these products. As we have previously reported, independent verification and validation is a proven means for obtaining unbiased insight into such essential architecture qualities as completeness, understandability, and consistency. * Use refers to core elements that provide for an architecture-centric approach to IT investment management (i.e., treating architecture as the authoritative frame of reference for guiding and constraining IT investments). Again, the Air Force has fully satisfied 50 percent of this grouping's core elements, while the Navy and the Army have fully satisfied none of the core elements. For example, the Air Force has made its EA an integral component of its IT investment process by requiring that investments demonstrate their architectural compliance. This is important because in order for the benefits of an EA to be realized, IT investments must comply with it. However, neither the Air Force nor the other two departments could demonstrate that their respective IT investments are actually in compliance with their respective architectures. This is relevant because the benefits from using an EA, such as improved information sharing, increased consolidation, enhanced productivity, and lower costs, cannot be fully realized unless individual investments are actually in compliance with, for example, architectural rules and standards. * Measurement refers to core elements that provide for determining and disclosing progress in developing, maintaining, and using the EA, including measurement against plans, process standards, and product quality. None of the departments satisfied many of these core elements. Specifically, the Air Force fully satisfied 40 percent and the Navy fully satisfied 20 percent of these core elements, while the Army did not satisfy any. For example, while the Air Force has plans that call for the development of metrics to measure EA progress, quality, compliance, and return on investment, and the Navy is measuring and reporting on progress against plans, none of the departments is measuring and reporting on IT investment compliance with its architecture or return on investment from its architecture program. Without measuring architecture development, maintenance, and use, an organization is not positioned to take timely corrective action to address deviations from plans, expectations, and outcomes, which in turn limits the chances of EA program success. The Military Departments' Partial Satisfaction of Framework's Core Elements Also Varies, and Provides a Basis from Which to Build: In instances where the military departments have not fully satisfied certain core elements in our framework, two have at least partially satisfied[Footnote 29] many of these elements. To illustrate, the Air Force would improve to Stage 3 if the criterion for being at a given stage was relaxed to only partially satisfying a core element. Moreover, the Navy would advance to Stage 2 under this less demanding criterion. In contrast, the Army would remain at Stage 1. Partial satisfaction of a core element is an indicator of some progress and provides a basis on which to improve. Nevertheless, it also indicates that more work is needed, for example, to establish architectural commitments and capabilities and to demonstrate and verify that both exist and are functioning as intended. Moreover, even though a core element can be partially satisfied, what remains to fully satisfy it can be significant and can require considerable time and resources. Thus, it is important to note that even though the departments have partially satisfied some core elements, fully satisfying some of them may remain a challenge. It is also important to note that fully, rather than partially, satisfying certain elements, such as those that fall within the architecture content group, are key to the success of an EA. Not fully satisfying these elements can have important implications for the quality of an architecture, and thus its usability and results. The extent to which each of the departments partially satisfied the core elements at each stage of our framework is discussed below and summarized in table 5. * The Air Force has at least partially satisfied 100 percent of the elements associated with Stages 2 and 3 and has a solid base on which to build an effective architecture management foundation and its associated plans and products. Nevertheless, important aspects of a successful architecture program are still missing. For example, while the Air Force is developing its EA using a framework (the Air Force EA Framework) and an automated tool (Metis ArchitectTM[Footnote 30]), it does not have a documented methodology governing how its architecture is being developed and maintained. This is important because a methodology provides a common set of procedures for developing EA products and helps to ensure consistency in how these products are developed and maintained across the organization. Also, while the Air Force does have metrics related to its EA, these metrics do not address measuring progress against plans. As our framework states, progress in developing EA products should be measured against EA plans so that deviations from expectations can be examined for cause and impact and appropriate actions can be taken to address them. Table 5: Percent of Framework Elements at Least Partially Satisfied, by Stage: Military departments: Air Force; Framework elements fully or partially satisfied: All stages: 90%; Framework elements fully or partially satisfied: Stage 2: 100%; Framework elements fully or partially satisfied: Stage 3: 100%; Framework elements fully or partially satisfied: Stage 4: 75%; Framework elements fully or partially satisfied: Stage 5: 88%. Military departments: Navy; Framework elements fully or partially satisfied: All stages: 65%; Framework elements fully or partially satisfied: Stage 2: 100%; Framework elements fully or partially satisfied: Stage 3: 83%; Framework elements fully or partially satisfied: Stage 4: 63%; Framework elements fully or partially satisfied: Stage 5: 13%. Military departments: Army; Framework elements fully or partially satisfied: All stages: 16%; Framework elements fully or partially satisfied: Stage 2: 44%; Framework elements fully or partially satisfied: Stage 3: 0%; Framework elements fully or partially satisfied: Stage 4: 0%; Framework elements fully or partially satisfied: Stage 5: 13%. Source: GAO analysis of agency data. [End of table] * The Navy has at least partially satisfied 93 percent of the elements associated with Stages 2 and 3 and has in place many aspects of the core elements that support these stages, which it can use to continue establishing an effective architecture management foundation and associated plans and products. However, important aspects of certain core elements are missing. For example, similar to the Air Force, the Navy is developing its EA using a framework (the DOD Architecture Framework) and automated tools (Telelogic System Architect®[Footnote 31] and Metis ArchitectTM). Also, similar to the Air Force, the Navy does not have a documented methodology governing how its architecture is being developed and maintained. In addition, the Navy has yet to establish a committee or group representing the enterprise that is responsible for directing, overseeing, or approving the architecture. Establishing such a governance entity is important because it demonstrates the organization's commitment to building and using an architecture and helps to obtain necessary buy-in from across the organization. Further, while the Navy has drafted an EA policy, the policy has not yet been approved. Approval is important because it demonstrates senior leadership commitment to the architecture and clearly assigns responsibility and accountability for development and maintenance of the architecture. * The Army has at least partially satisfied 27 percent of the elements associated with Stages 2 and 3, but has not made progress toward establishing the commitments and capabilities that comprise the core elements integral to an effective architecture management foundation and associated plans and products. In particular, while the Army has an EA program office, the office does not have an approved charter. A program charter is important because it defines key aspects about how the office will operate in order to achieve program goals and outcomes. Further, while the Army is using an automated tool (System Architect) to capture architecture products, it is not using a framework or methodology. This is significant because the framework provides a defined structure and nomenclature for representing architecture information across the organization and the methodology describes a common set of procedures to be used for developing products in a coherent way. Together, they help to ensure that activities associated with capturing the architecture are understood by those involved and are completed in a consistent, accountable, and repeatable manner. The Military Departments Varied in the Extent to Which Their Architecture Programs Have Recently Improved: We reported in August 2006 that each of the military departments was at the initial stage of our architecture maturity framework.[Footnote 32] More specifically, we reported that the Air Force, Navy, and Army had fully satisfied 45, 32, and 3 percent, and that they had partially satisfied 26, 39, and 42 percent, of the 31 core elements, respectively. Accordingly, we made recommendations for each department to fully implement the framework's core elements. Since then, the departments have addressed our recommendations to varying degrees. Specifically, the Air Force has made the most progress, increasing the percentage of fully satisfied core elements from 45 to 61 percent and increasing the percentage of partially satisfied core elements from 26 to 29 percent. The Navy has made mixed progress, decreasing the percentage of fully satisfied core elements from 32 to13 percent and increasing the percentage of partially satisfied core elements from 39 to 52 percent. The Army has not made progress, keeping the percentage of fully satisfied core elements at 3 percent while decreasing the percentage of partially satisfied core elements from 42 to 13 percent. The specific progress made by each department is discussed below and summarized in table 6. * The Air Force's 16 percent increase in the core elements that are fully satisfied relate to five core elements. For example, we previously reported that the Air Force's architecture program plans did not call for developing metrics to measure EA progress, quality, compliance, and return on investment. Since then, the Air Force has expanded its plans to include such metrics. The addition of these metrics is important because they provide the basis for knowing whether program expectations are being met, which could prompt timely corrective action to address any significant deviations. Also, while the Air Force did not previously have its architecture products under configuration management, it has since done so. This progress is important because it helps to integrate and align the products and to track and manage changes to them in a way that ensures product integrity. Finally, the Air Force has also established the architecture as an integral component of its IT investment management process by explicitly requiring that its IT investments align with the EA. This was not the case in 2006 and represents a significant improvement because without requiring alignment, investments are more likely to deviate from the architecture in ways that increase duplication of effort and decrease interoperability. The Air Force's 3 percent increase in the core elements that are partially satisfied relate to three core elements. For example, we reported in 2006 that the Air Force's EA products did not address security. Since then, the Air Force has developed an Information Assurance Domain Architecture to augment its EA products. To the Air Force's credit, this document addresses important aspects of security relative to its technical reference models. However, it does not similarly address security in relation to the EA's business, systems, and information models. For example, the business models do not address the goals and strategies for addressing current security risks and future security threats. In addition, while the Air Force now has a sequencing plan, this plan is not complete because it does not include, and is not grounded in, an analysis of the gap in capabilities between the department's "as-is" and "to-be" architectural environments. Such a gap analysis is necessary to determine what capabilities are currently lacking and which capabilities will need to be acquired or developed in a sequence that is based on a variety of factors. According to Air Force officials, the positive progress that it has made in maturing its architecture program is due, in large part, to the focus, commitment, and leadership of senior department executives, including the Secretary of the Air Force. In this regard, they said that their experiences and lessons learned show that such leadership paved the way for establishing the department's institutional commitment to its EA. Such commitment, they said, is demonstrated by the Air Force's approved EA policies and funding, and its capabilities to meet commitments, such as the department's structures and processes for governing architecture development and implementation. Table 6: Net Change in Percent of Framework Elements Satisfied from 2006 to 2008: Military departments: Air Force; Fully satisfied: +16%; Partially satisfied: +3%. Military departments: Navy; Fully satisfied: -19%; Partially satisfied: +13%. Military departments: Army; Fully satisfied: 0%; Partially satisfied: -29%. Source: GAO analysis of agency data. [End of table] * The Navy's 19 percent decrease in the core elements that are fully satisfied relate to six core elements, and according to Navy officials, are largely due to the Navy's recent efforts to expand the scope of its architecture program beyond that which existed in 2006. More specifically, in 2006, the Navy's architecture program was focused on what it refers to as FORCEnet, which is the Navy's IT infrastructure architecture. During the course of our review, the Navy reported that it has adopted DOD's federated architecture approach, thereby expanding its program to include all Navy organizations and all architecture reference models (e.g., business, data, performance). However, it has yet to reflect this expansion in program scope in key governance documents, such as its EA policies and plans, that relate to these six core elements. Without fully satisfying these governance core elements, the department will be challenged in its ability to develop and implement a Navy-wide federated architecture. The 13 percent increase in the core elements that are partially satisfied are largely associated with three content-related core elements. For example, we reported in 2006 that the Navy's FORCEnet products did not include descriptions of the "to-be" architecture in terms of, for example, business, information/data, applications/ service, and performance. Under the Navy's expanded scope, it has since developed "to-be" architecture products (DOD Architecture Framework views) that address these areas. However, these products are not yet sufficiently complete. To illustrate, the functional areas (e.g., human resources) in the business or operational views have not been decomposed into functional activities (e.g., recruiting) and processes (e.g., interviewing), and the information exchanges between functional areas in the operational views are not defined. Moreover, there are no data models to identify and describe relationships among the data elements within each functional area. According to Navy officials, the shift to a broader, federated approach to developing and implementing a Navy enterprise architecture was recently endorsed by secretariat-level leadership and senior department executives. * The Army continues to fully satisfy one core element (having a chief architect). However, it has also experienced a 29 percent decrease in those core elements that it had partially satisfied in 2006 (nine core elements), most of which relate to such governance topics as EA policies and plans. Specifically, the plans and policies that the Army had in 2006 were not approved. Because they were not approved, they did not fully satisfy the various associated core elements. Since then, the Army official principally responsible for the program told us that the department's senior executives, including the Army Vice-Chief of Staff, have endorsed a new architecture approach in which the Army will use OMB's reference models (e.g., business, performance, information/ data). To this end, the officials said that decisions are to be made in the near future about how to best structure the program to implement this approach, including what the program's scope will be and what resources will be needed to sustain it. This official added that once these decisions are made, as part of the Army's budget submission and approval process, the EA policies and plans will be updated to reflect these decisions. Conclusions: If managed effectively, enterprise architectures can be a useful change management and organizational transformation tool. The conditions for effectively managing enterprise architecture programs are contained in our five stage architecture maturity framework. None of the military departments has fully satisfied all of the conditions needed to achieve Stage 2 or above in the framework, which means that none have programs that we would currently consider effective and mature. However, the Navy has partially satisfied most, and the Air Force has partially satisfied all, of the core elements needed to be at Stage 3. In addition, among the three military departments, the Air Force has satisfied the most core elements across all framework stages. Moreover, the Air Force has demonstrated the most progress in the last 2 years in satisfying the framework's core elements. However, the military departments have not yet met the conditions for the effective governance, content, use and measurement of their respective architecture programs. The Air Force has a solid foundation on which to continue building, but the Navy and, even more so, the Army has much to accomplish before either will have effective and mature architecture programs. As a result, DOD, as a whole, is not as well positioned as it should be to realize the significant benefits that a well-managed federation of architecture programs can provide. As we have previously reported, the key to having a mature architecture program, and thereby realizing the benefits of an architecture-centric approach to IT investment decision making, is sustained executive leadership. This is because virtually all of the barriers to effectively developing and using architectures, such as parochialism, cultural resistance, adequate resources, and top management understanding, can be addressed through such leadership. For the military departments to advance their respective architecture programs, sustained executive leadership will be needed. In this regard, the Navy and the Army could benefit from the lessons learned and experiences to date of the Air Force's efforts to mature its architecture program. Recommendation for Executive Action: Because we have outstanding recommendations to the Secretary of Defense aimed at, among other things, having the Departments of the Air Force, Navy, and Army fully satisfy each of the core elements in our architecture framework, we are not making additional recommendations relative to our framework at this time. However, given the uneven status and progress of the respective military departments, we reiterate our outstanding recommendations and further recommend that the Secretary of Defense direct the Secretaries of the Navy and Army to ensure that their respective departments reach out to the Department of the Air Force to learn from and apply the lessons and experiences that have allowed the Air Force to make the progress it has in maturing its architecture program. Agency Comments: In written comments on a draft of this report, signed by the Deputy Under Secretary of Defense (Business Transformation) and reprinted in appendix II, the department agreed with our recommendation, and described efforts underway and planned to implement it. We are sending copies of this report to interested congressional committees; the Director, Office of Management and Budget; and the Secretary of Defense. Copies of this report will be made available to other interested parties on request. This report will also be available at no charge on our Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions on matters discussed in this report, please contact me at (202) 512-3439 or hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix VII. Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: List of Committees: The Honorable Carl Levin: Chairman: The Honorable John McCain: Ranking Member: Committee on Armed Services: United States Senate: The Honorable Daniel K. Inouye: Chairman: The Honorable Ted Stevens: Ranking Member: Subcommittee on Defense: Committee on Appropriations: United States Senate: The Honorable Ike Skelton: Chairman: The Honorable Duncan L. Hunter: Ranking Member: Committee on Armed Services: House of Representatives: The Honorable John P. Murtha: Chairman: The Honorable C.W. Bill Young: Ranking Member: Subcommittee on Defense: Committee on Appropriations: House of Representatives: [End of section] Appendix I: Objective, Scope, and Methodology: Our objective was to determine the current status of the military departments' enterprise architecture efforts. To do so, we used a data collection instrument based on our Enterprise Architecture Management Maturity Framework (EAMMF), and related guidance, such as the Office of Management and Budget Circular A-130 and guidance published by the federal Chief Information Officers (CIO) Council, as well as our past reports and guidance on the management and content of enterprise architectures. We also met with the chief architects of the military departments to discuss our scope and methodology, share the data collection instrument, and discuss the type and nature of supporting documentation needed to verify responses to instrument questions. On the basis of documentation provided to support the departments' respective responses to our data collection instrument, we analyzed the extent to which each department satisfied the 31 core elements in our EAMMF. To guide our analyses, we used our standard evaluation criteria for determining whether a given core element was fully satisfied, partially satisfied, or not satisfied (See tables 7, 8, 9, and 10 for the core elements of Stages 2, 3, 4, and 5, respectively.) To fully satisfy a core element, sufficient documentation had to be provided to permit us to verify that all aspects of the core element were met. To partially satisfy a core element, sufficient documentation had to be provided to permit us to verify that at least some aspects of the core element were met. Core elements that did not meet criteria for fully or partially satisfied were judged to be not satisfied. Table 7: Stage 2 Evaluation Criteria: Core element: Adequate resources exist; Evaluation criteria: Agency responded that "very adequate," "somewhat adequate," or "neither adequate nor inadequate" resources exist for funding, personnel, and tools. Core element: Committee or group representing the enterprise is responsible for directing, overseeing, and approving enterprise architecture (EA); Evaluation criteria: Agency (1) responded that a committee or group representing the enterprise is responsible for direction, oversight, and approval of the enterprise architecture; (2) provided a charter or other documentation supporting the group's responsibilities; and (3) provided sample meeting minutes or other documentation confirming that meetings have been held. Core element: Program office responsible for EA development and maintenance exists; Evaluation criteria: Agency (1) responded that a program office is responsible for EA development and maintenance and (2) provided documentation supporting their assertion. Core element: Chief architect exists; Evaluation criteria: Agency (1) responded that chief architect exists and (2) provided documentation or assertion that the chief architect is responsible and accountable for EA and serves as the EA program manager. Core element: EA being developed using a framework, methodology, and automated tool; Evaluation criteria: Agency (1) responded that the enterprise architecture is being developed using a framework, methodology, and automated tool; (2) provided documentation supporting the use of a framework and automated tool; and (3) provided a documented methodology that includes steps for developing, maintaining, and validating the enterprise architecture. Core element: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Evaluation criteria: Agency (1) responded that EA plans call for describing the "as-is" and "to-be" environments and a sequencing plan and (2) provided plans that document this assertion; or agency (1) responded that the EA describes the "as- is" and "to-be" environments and a sequencing plan and (2) provided documentation to support this assertion. Core element: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Evaluation criteria: Agency (1) responded that EA plans call for describing the enterprise in terms of business, performance, information/data, application/service, and technology and (2) provided plans that document this assertion; or agency (1) responded that the EA describes the enterprise in terms of business, performance, information/data, application/service, and technology and (2) provided documentation to support this assertion. Core element: EA plans call for business, performance, information/ data, application/service, and technology to address security; Evaluation criteria: Agency (1) responded that EA plans call for business, performance, information/data, application/service, and technology descriptions to address security and (2) provided plans that document this assertion; or agency (1) responded that the business, performance, information/data, application/service, and technology descriptions address security and (2) provided documentation to support this assertion. Core element: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Evaluation criteria: Agency (1) responded that EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment and (2) provided plans to support this assertion; or responded (1) that EA progress, quality, compliance, and/or return on investment is measured and reported and (2) provided support for this assertion. Source: GAO. [End of table] Table 8: Stage 3 Evaluation Criteria: Core element: Written and approved policy exists for EA development; Evaluation criteria: Agency (1) responded that a written and approved organization policy exists for EA development and (2) provided a policy that supported this assertion. Core element: EA products are under configuration management; Evaluation criteria: Agency (1) responded that EA products are under configuration management and (2) provided their formally documented configuration management approach. Core element: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Evaluation criteria: Agency (1) responded that EA plans call for describing the "as-is" and "to-be" environments and a sequencing plan, (2) provided plans that document this assertion, and (3) responded that it is "in the process of developing the EA" or that it "has developed an EA"; or agency (1) responded that the EA describes the "as-is" and "to-be" environments and a sequencing plan and (2) provided documentation to support this assertion. Core element: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Evaluation criteria: Agency (1) responded that EA plans call for describing the enterprise in terms of business, performance, information/data, application/service, and technology; (2) provided plans that document this assertion; and (3) responded that it is "in the process of developing the EA" or that it "has developed an EA"; or agency (1) responded that the EA describes the enterprise in terms of business, performance, information/data, application/service, and technology and (2) provided documentation to support this assertion. Core element: These descriptions address or will address security; Evaluation criteria: Agency (1) responded that EA plans call for business, performance, information/data, application/service, and technology descriptions to address security; (2) provided plans that document this assertion; and (3) responded that it is "in the process of developing the EA" or that it "has developed an EA"; or agency (1) responded that the business, performance, information/data, application/service, and technology descriptions address security and (2) provided documentation to support this assertion. Core element: Progress against EA plans is measured and reported; Evaluation criteria: Agency (1) responded that it measures and reports progress against plans; (2) provided a description of how progress against plans is measured and reported; and (3) provided sample reports that include sample measures. Source: GAO. [End of table] Table 9: Stage 4 Evaluation Criteria: Core element: Written and approved policy exists for EA maintenance; Evaluation criteria: Agency (1) responded that a written and approved organization policy exists for EA maintenance and (2) provided a policy that supported this assertion. Core element: EA products and management processes undergo independent verification and validation; Evaluation criteria: Agency (1) responded that EA products and management processes undergo independent verification and validation; (2) provided proof that independent verification and validation activities were conducted by an independent third party and reported outside the span of control of the chief architect; and (3) provided sample independent verification and validation (IV&V) reports to the audit team. Independence was a critical element for satisfaction of this item. Core element: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Evaluation criteria: Agency (1) responded that the EA describes the "as- is" and "to-be" environments and a sequencing plan; (2) provided documentation to support this assertion; and (3) responded that it has developed an EA. In addition, an agency could not receive full credit for satisfying this element unless it fully satisfied the element, "Both 'as is' and 'to-be' environments are described in terms of business, performance, information/data, application/service, and technology." Core element: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Evaluation criteria: Agency (1) responded that the EA describes the enterprise in terms of business, performance, information/data, application/service, and technology; (2) provided documentation to support this assertion; and (3) responded that it has developed an EA. Core element: These descriptions address security; Evaluation criteria: Agency (1) responded that the business, performance, information/data, application/service, and technology descriptions address security; (2) provided documentation to support this assertion; and (3) responded that it has developed an EA. Core element: Organization CIO has approved EA; Evaluation criteria: Agency (1) responded that the CIO has approved the current version of the EA and (2) provided a signature page or other proof that the CIO has approved the current version of the EA. Core element: Committee or group representing the enterprise or the investment review board has approved current version of EA; Evaluation criteria: Agency (1) responded that a committee or group representing the enterprise or the investment review board has approved the current version of the EA and (2) provided meeting minutes or other proof that a committee or group representing the enterprise or the investment review board has approved the current version of the EA. Core element: Quality of EA products is measured and reported; Evaluation criteria: Agency (1) responded that it measures and reports product quality, (2) provided a description of how quality is measured and reported, and (3) provided sample reports that include sample measures. Source: GAO. [End of table] Table 10: Stage 5 Evaluation Criteria: Core element: Written and approved organization policy exists for Information Technology (IT) investment compliance with EA; Evaluation criteria: Agency (1) responded that a written and approved organization policy exists for IT investment compliance with EA and (2) provided a written policy to support this assertion. Core element: Process exists to formally manage EA change; Evaluation criteria: Agency (1) responded that a process exists to formally manage EA change and (2) provided evidence to support this assertion. Core element: EA is integral component of IT investment management process; Evaluation criteria: Agency (1) responded that EA is an integral component of IT investment management process; (2) provided documentation describing how the EA is used when making IT investment decisions; (3) provided evidence that a sequencing plan exists to guide IT investments; and (4) partially or fully satisfied at least one of the following Stage 3 elements: (a) EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; (b) both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; or (c) these descriptions address or will address security. Core element: EA products are periodically updated; Evaluation criteria: Agency (1) responded that EA products are periodically updated and (2) provided a description of the process used for updating EA products. Core element: IT investments comply with EA; Evaluation criteria: Agency (1) responded that IT investments comply with EA; (2) provided evidence that IT is not selected and approved under the organization's capital planning and investment control process unless it is compliant with the EA; and (3) partially or fully satisfied at least one of the following Stage 3 elements: (a) EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; (b) both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; or (c) these descriptions address or will address security. Core element: Organization head has approved current version of EA; Evaluation criteria: Agency (1) responded that the organization head has approved the current version of the EA; (2) provided a signature page or other proof that organization head or a deputy organization head has approved current version of EA or provided proof of formal delegation of this activity and subsequent approval; and (3) partially or fully satisfied at least one of the following Stage 3 elements: (a) EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; (b) both "as-is" and "to-be" environments are described or will be described in terms given in Stage 2; or (c) these descriptions address or will address security. Core element: Return on EA investment is measured and reported; Evaluation criteria: Agency (1) responded that return on investment has been measured and reported; (2) provided a description of how return on investment is measured and reported; and (3) provided sample reports that included sample measures. Core element: Compliance with EA is measured and reported; Evaluation criteria: Agency (1) responded that compliance has been measured and reported, (2) provided a description of how compliance is measured and reported, and (3) provided sample reports that included sample measures. Source: GAO. [End of table] In applying our methodology, we first analyzed and determined the extent to which each department satisfied the core elements in our framework, and then met with their representatives to discuss core elements that were not satisfied and why. As part of this interaction, we sought, and in some cases were provided, additional supporting documentation. We then considered this documentation when determining the degree to which each department satisfied each core element. In applying our evaluation criteria, we analyzed the results across different core elements to determine patterns and issues. We conducted our work in the metropolitan area of Washington, D.C., from September 2007 through March 2008, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Comments from the Department of Defense: Office Of The Under Secretary Of Defense: Acquisition Technology And Logistics: 3000 Defense Pentagon: Washington, DC 20301-3000: April 16, 2008: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: U.S. Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Mr. Hite: This is the Department of Defense (DoD) response to the GAO Draft Report, GAO-08-519, "DOD Business Systems Modernization: Military Departments Need to Strengthen Management of Enterprise Architecture Programs" dated March 10, 2008 (GAO Code 310652). Detail comments on the report recommendations are enclosed. This report reiterates the value, already recognized by the Department, of sharing lessons learned in architecture development and implementation across the Business Mission Area (BMA). Enterprise architecture development across the Department has gained significant momentum and continues to mature at both the enterprise and component levels, although, as noted in the GAO report, some components are further along in development than others. To further maturation and share benchmark "best practices," two important information sharing venues have been created. The Bi-Weekly BMA CIO Meeting and the Architecture Summits provide forums for sharing the lessons learned described in the single GAO recommendation. The Department continues to receive positive feedback on the value of these venues and views them as clear channels for cross-departmental information sharing. Additionally, the Secretary of Defense, acting through the Chief Management Officer, will direct the Departments of the Army and Navy to reach out to the Department of the Air Force to seek additional opportunities to transfer architecture best practices at the enterprise and component levels. As we continue to improve the Department's business transformation efforts, we welcome GAO's insight and partnership in reaching the common goal of maturing and strengthening our enterprise architecture programs. Signed by: Paul A. Brinkley: Deputy Under Secretary of Defense: (Business Transformation): Enclosure: As stated: GAO Draft Report Dated March 10, 2008: GAO-08-519 (GAO CODE 310652): "DOD Business Systems Modernization: Military Departments Need To Strengthen Management Of Enterprise Architecture Programs" Department Of Defense Comments To The GAO Recommendation: Recommendation: The GAO recommends that the Secretary of Defense direct the Secretaries of the Army and Navy to ensure that their respective Departments reach out to the Department of the Air Force to learn from and apply the lessons and experiences that have allowed the Air Force to make the progress it has in maturing its architecture program. (p. 38/GAO Draft Report) DOD Response: Concur. The Department strongly values the sharing of information across the enterprise. Many formal and informal architecture-related discussions are currently taking place. Two examples of formal discussion include the Bi-Weekly Chief Information Officer (CTO) Meetings and a recent Architecture Summit conducted in March 2008. These venues have included CIO representation from the DoD services and Agencies to include the Department of the Army, Navy and Air Force. Information exchanges such as these and others have proven valuable in transferring knowledge across the enterprise. Additionally, the Secretary of Defense, acting through the Chief Management Officer, will direct the Departments of the Army and Navy to reach out to the Department of the Air Force to seek additional opportunities to transfer architecture best practices at the enterprise and component levels where appropriate given the unique differences of each organization. [End of section] Appendix III: Brief History of Architecture Frameworks and Management Guidance: During the mid-1980s, John Zachman, widely recognized as a leader in the field of enterprise architecture, identified the need to use a logical construction blueprint (i.e., an architecture) for defining and controlling the integration of systems and their components.[Footnote 33] Accordingly, Zachman developed a structure, or framework, for defining and capturing an architecture, which provides for six perspectives, or "windows," from which to view the enterprise.[Footnote 34] Zachman also proposed six abstractions, or models, associated with each of these perspectives.[Footnote 35] Zachman's framework provides a way to identify and describe an entity's existing and planned component parts and the parts' relationships before the entity begins the costly and time-consuming efforts associated with developing or transforming itself. Since Zachman introduced his framework, a number of frameworks have emerged within the federal government, beginning with the publication of the National Institute of Standards and Technology framework in 1989. Since that time, other federal entities have issued frameworks, including the Department of Defense and the Department of the Treasury. In September 1999, the federal Chief Information Officers Council published the Federal Enterprise Architecture Framework, which was intended to provide federal agencies with a common construct for their architectures, thereby facilitating the coordination of common business processes, technology insertion, information flows, and system investments among federal agencies. The Federal Enterprise Architecture Framework described an approach, including models and definitions, for developing and documenting architecture descriptions for multiorganizational functional segments of the federal government. [Footnote 36] More recently, Office of Management and Budget (OMB) established the Federal Enterprise Architecture Program Management Office to develop a federal enterprise architecture according to a collection of five "reference models" (see table 11). These models are intended to facilitate governmentwide improvement through cross-agency analysis and the identification of duplicative investments, gaps, and opportunities for collaboration, interoperability, and integration within and across government agencies. Table 11: Federal Enterprise Architecture Reference Models: Reference model: Performance Reference Model; Description: Provides a common set of general performance outputs and measures for agencies to use to achieve business goals and objectives. Reference model: Business Reference Model; Description: Describes the business operations of the federal government independent of the agencies that perform them, including defining the services provided to state and local governments. Reference model: Service Component Reference Model; Description: Identifies and classifies IT service (i.e., application) components that support federal agencies and promotes the reuse of components across agencies. Reference model: Data and Information Reference Model; Description: Describes, at an aggregate level, the types of data and information that support program and business line operations, and the relationships among these types. Reference model: Technical Reference Model; Description: Describes how technology is supporting the delivery of service components, including relevant standards for implementing the technology. Source: GAO. [End of table] Although these post-Zachman frameworks differ in their nomenclatures and modeling approaches, each consistently provides for defining an enterprise's operations in both logical and technical terms, provides for defining these perspectives for the enterprise's current and target environments, and calls for a transition plan between the two. Legislation and federal guidance address enterprise architecture. Specifically, the Clinger-Cohen Act of 1996 directs the CIOs of major departments and agencies to develop, maintain, and facilitate the implementation of information technology architectures as a means of integrating agency goals and business processes with information technology.[Footnote 37] Also, OMB Circular A-130, which implements the Clinger-Cohen Act, requires that agencies document and submit their initial enterprise architectures and that agencies submit updates when significant changes to their enterprise architectures occur. The circular also directs OMB to use various reviews to evaluate the adequacy and efficiency of each agency's compliance with the circular. Since then, OMB has developed and implemented an enterprise architecture assessment tool. According to OMB, the tool helps to illustrate the current state of an agency's architecture and assists agencies in integrating architectures into their decision-making processes. The latest version of the assessment tool (2.0) was released in December 2005 and includes three capability areas: (1) completion, (2) use, and (3) results. Table 12 describes each of these areas. Table 12: OMB EA Assessment Framework Capability Areas: Capability area: Completion; Description: Addresses ensuring that architecture products describe the agency in terms of processes, services, data, technology, and performance and that the agency has developed a transition strategy. Capability area: Use; Description: Addresses the establishment of important management practices, processes, and policies, such as configuration management, communications, and integration of the architecture with capital planning processes. Capability area: Results; Description: Addresses the effectiveness and value of the architecture by encouraging performance measurements and using it to ensure agency policies align to OMB IT policy. Source: OMB. [End of table] The tool also includes criteria for scoring an agency's architecture program on a scale of 0 to 5.[Footnote 38] In early 2006, the major departments and agencies were required by OMB to provide a self- assessment of their architecture programs using the tool. OMB then used the self assessment to develop its own assessment. These assessment results are to be used in determining the agency's e-Government score within the President's Management Agenda. [End of section] Appendix IV: Table: Department of the Air Force Assessment: Stages and elements: Stage 1: Creating EA awareness: Agency is aware of EA; Extent to which element is satisfied: n/a. Stages and elements: Stage 2: Building the EA management foundation: Adequate resources exist; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: Chief architect exists; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, applications/service, and technology; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, applications/service, and technology to address security; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Extent to which element is satisfied: Yes. Stages and elements: Stage 3: Developing architecture products: Written and approved policy exists for EA development; Extent to which element is satisfied: Yes. Stages and elements: Stage 3: Developing architecture products: EA products are under configuration management; Extent to which element is satisfied: Yes. Stages and elements: Stage 3: Developing architecture products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: Yes. Stages and elements: Stage 3: Developing architecture products: Both "as-is" and "to-be" environments are described or will be described in terms given in Stage 2; Extent to which element is satisfied: Yes. Stages and elements: Stage 3: Developing architecture products: These descriptions address or will address security; Extent to which element is satisfied: Yes. Stages and elements: Stage 3: Developing architecture products: Progress against EA plans is measured and reported; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: Written and approved policy exists for EA maintenance; Extent to which element is satisfied: Yes. Stages and elements: Stage 4: Completing architecture products: EA products and management processes undergo independent verification and validation; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: Both "as-is" and "to-be" environments are described in terms given in Stage 2; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: These descriptions address security; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: Organization CIO has approved EA; Extent to which element is satisfied: Yes. Stages and elements: Stage 4: Completing architecture products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Quality of EA products is measured and reported; Extent to which element is satisfied: Yes. Stages and elements: Stage 5: Leveraging the architecture to manage change: Written and approved organization policy exists for IT investment compliance with EA; Extent to which element is satisfied: Yes. Stages and elements: Stage 5: Leveraging the architecture to manage change: Process exists to formally manage EA change; Extent to which element is satisfied: Yes. Stages and elements: Stage 5: Leveraging the architecture to manage change: EA is integral component of IT investment management process; Extent to which element is satisfied: Yes. Stages and elements: Stage 5: Leveraging the architecture to manage change: EA products are periodically updated; Extent to which element is satisfied: Yes. Stages and elements: Stage 5: Leveraging the architecture to manage change: IT investments comply with EA; Extent to which element is satisfied: Partial. Stages and elements: Stage 5: Leveraging the architecture to manage change: Organization head has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Return on EA investment is measured and reported; Extent to which element is satisfied: Partial. Stages and elements: Stage 5: Leveraging the architecture to manage change: Compliance with EA is measured and reported; Extent to which element is satisfied: Partial. Source: GAO analysis of agency data. [End of table] [End of section] Appendix V: Table: Department of the Navy Assessment: Stages and elements: Stage 1: Creating EA awareness: Agency is aware of EA; Extent to which element is satisfied: n/a. Stages and elements: Stage 2: Building the EA management foundation: Adequate resources exist; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: Chief architect exists; Extent to which element is satisfied: Yes. Stages and elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, applications/service, and technology; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, applications/service, and technology to address security; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Extent to which element is satisfied: Partial. Stages and elements: Stage 3: Developing architecture products: Written and approved policy exists for EA development; Extent to which element is satisfied: Partial. Stages and elements: Stage 3: Developing architecture products: EA products are under configuration management; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: Partial. Stages and elements: Stage 3: Developing architecture products: Both "as-is" and "to-be" environments are described or will be described in terms given in Stage 2; Extent to which element is satisfied: Partial. Stages and elements: Stage 3: Developing architecture products: These descriptions address or will address security; Extent to which element is satisfied: Partial. Stages and elements: Stage 3: Developing architecture products: Progress against EA plans is measured and reported; Extent to which element is satisfied: Yes. Stages and elements: Stage 4: Completing architecture products: Written and approved policy exists for EA maintenance; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: EA products and management processes undergo independent verification and validation; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: Both "as-is" and "to-be" environments are described in terms given in Stage 2; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: These descriptions address security; Extent to which element is satisfied: Partial. Stages and elements: Stage 4: Completing architecture products: Organization CIO has approved current version EA; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Quality of EA products is measured and reported; Extent to which element is satisfied: Partial. Stages and elements: Stage 5: Leveraging the architecture to manage change: Written and approved organization policy exists for IT investment compliance with EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Process exists to formally manage EA change; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: EA is integral component of IT investment management process; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: EA products are periodically updated; Extent to which element is satisfied: Yes. Stages and elements: Stage 5: Leveraging the architecture to manage change: IT investments comply with EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Organization head has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Return on EA investment is measured and reported; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Compliance with EA is measured and reported; Extent to which element is satisfied: No. Source: GAO analysis of agency data. [End of table] [End of section] Appendix VI: Table: Department of the Army Assessment: Stages and elements: Stage 1: Creating EA awareness: Agency is aware of EA; Extent to which element is satisfied: n/a. Stages and elements: Stage 2: Building the EA management foundation: Adequate resources exist; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Extent to which element is satisfied: No. Stages and elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: Chief architect exists; Extent to which element is satisfied: Yes. Stages and elements: EA being developed using a framework, methodology, and automated tool; Extent to which element is satisfied: Partial. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: No. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, applications/service, and technology; Extent to which element is satisfied: No. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, applications/service, and technology to address security; Extent to which element is satisfied: No. Stages and elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: Written and approved policy exists for EA development; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: EA products are under configuration management; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: Both "as-is" and "to-be" environments are described or will be described in terms given in Stage 2; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: These descriptions address or will address security; Extent to which element is satisfied: No. Stages and elements: Stage 3: Developing architecture products: Progress against EA plans is measured and reported; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Written and approved policy exists for EA maintenance; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: EA products and management processes undergo independent verification and validation; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Both "as-is" and "to-be" environments are described in terms given in Stage 2; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: These descriptions address security; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Organization CIO has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 4: Completing architecture products: Quality of EA products is measured and reported; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Written and approved organization policy exists for IT investment compliance with EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Process exists to formally manage EA change; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: EA is integral component of IT investment management process; Extent to which element is satisfied: Partial. Stages and elements: Stage 5: Leveraging the architecture to manage change: EA products are periodically updated; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: IT investments comply with EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Organization head has approved current version of EA; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Return on EA investment is measured and reported; Extent to which element is satisfied: No. Stages and elements: Stage 5: Leveraging the architecture to manage change: Compliance with EA is measured and reported; Extent to which element is satisfied: No. Source: GAO analysis of agency data. [End of table] [End of section] Appendix VII: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite, (202) 512-3439 or hiter@gao.gov: Staff Acknowledgments: In addition to the contact named above, Tonia Johnson (Assistant Director), Timothy Eagle, Elena Epps, Michael Holland, Neela Lakhmani, Rebecca LaPaze, Anh Le, and Freda Paintsil made key contributions to this report. [End of section] Footnotes: [1] GAO, Information Technology: Architecture Needed to Guide Modernization of DOD's Financial Operations, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-525] (Washington, D.C.: May 17, 2001). [2] GAO, DOD Business Systems Modernization: Progress Continues to Be Made in Establishing Corporate Management Controls, but Further Steps Are Needed, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-733] (Washington, D.C.: May 14, 2007); GAO, Business System Modernization: Strategy for Evolving DOD's Business Enterprise Architecture Offers a Conceptual Approach, but Execution Details Are Needed, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-451] (Washington, D.C.: Apr. 16, 2007), GAO, Defense Business Transformation: A Comprehensive Plan, Integrated Efforts, and Sustained Leadership Are Needed to Assure Success, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-229T] (Washington, D.C.: Nov. 16, 2006); GAO, Business Systems Modernization: DOD Continues to Improve Institutional Approach, but Further Steps Needed, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-658] (Washington, D.C.: May 15, 2006); GAO, DOD Business Systems Modernization: Long-Standing Weaknesses in Enterprise Architecture Development Need to Be Addressed, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-05-702] (Washington, D.C.: July 22, 2005); GAO, DOD Business Systems Modernization: Limited Progress in Development of Business Enterprise Architecture and Oversight of Information Technology Investments, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-04-731R] (Washington, D.C.: May 17, 2004); and GAO, DOD Business Systems Modernization: Important Progress Made to Develop Business Enterprise Architecture, but Much Work Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018] (Washington, D.C.: Sept. 19, 2003). [3] Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005, Pub. L. No. 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct. 28, 2004) (codified in part at 10 U.S.C. § 2222). [4] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-451]. [5] GAO, Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1), [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-584G] (Washington D.C.: Apr. 2003). [6] GAO, Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06- 831] (Washington D.C.: Aug. 14, 2006). [7] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-658]. [8] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-310]. [9] These 8 high-risk areas include DOD's overall approach to (1) business transformation, (2) business systems modernization, (3) financial management, (4) the personnel security clearance program, (5) supply chain management, (6) support infrastructure management, (7) weapon systems acquisition, and (8) contract management. [10] The 7 governmentwide high-risk areas are: (1) disability programs, (2) ensuring the effective protection of technologies critical to U.S. national security interests, (3) interagency contracting, (4) information systems and critical infrastructure, (5) information- sharing for homeland security, (6) human capital, and (7) real property. [11] GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-04-777] (Washington, D.C.: Aug. 6, 2004); GAO, Information Technology: Architecture Needed to Guide NASA's Financial Management Modernization, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-04-43] (Washington, D.C.: Nov. 21, 2003); GAO, Information Technology: DLA Should Strengthen Business Systems Modernization Architecture and Investment Activities, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-631] (Washington, D.C.: June 29, 2001); [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-731R]; and [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018]. [12] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-584G]. [13] Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [14] This set of products is consistent with OMB's federal enterprise architecture reference models. [15] The OMB EA Assessment Framework Version 2.2 tool helps illustrate the current state of an agency's architecture and assists agencies in integrating architectures into their decision-making processes. The latest version of the assessment tool (2.2) was released in October 2007 and includes three capability areas: (1) completion, (2) use, and (3) results. The tool also includes criteria for scoring an agency's architecture program on a scale of 0 to 5. A score of 0 means undefined, 1 means initial, 2 means managed, 3 means used, 4 means results-oriented, and 5 means optimized. [16] The Warfighting Mission Area focuses on transforming how DOD achieves its mission objectives by addressing joint warfighting capabilities and providing life-cycle oversight to applicable DOD component and combatant command IT investments. [17] The Business Mission Area is responsible for ensuring that capabilities, resources, and materiel are reliably delivered to the warfighter. Specifically, the Business Mission Area addresses areas such as real property and human resources management. [18] The DOD Intelligence Mission Area is focused on establishing advanced capabilities to anticipate adversaries and includes IT investments within the military intelligence program and defense component programs of the National Intelligence Program. [19] The Enterprise Information Environment Mission Area enables the functions of the other mission areas (e.g., Warfighting Mission Area, Business Mission Area, and Intelligence Mission Area) and encompasses all communications; computing; and core enterprise service systems, equipment, or software that provides a common information capability or service for enterprise use. [20] According to DOD, GIG consists of a globally interconnected, end- to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policymakers, and support personnel. As such, the GIG architecture spans all four mission areas. [21] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-525], [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-458], [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-571R], [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-877R], [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018], [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-731R], [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-381], and [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-702]. [22] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018]. [23] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-451]. [24] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-831]. [25] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-451]. [26] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-733]. [27] See, for example, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-01-525], [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-03-458], [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-04-731R], [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-05-702], and GAO, DOD Business Systems Modernization: Important Progress Made in Establishing Foundational Architecture Products and Investment Management Practices, but Much Work Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-219] (Washington, D.C.: Nov. 23, 2005). [28] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-702]. [29] Partially satisfied means that a department has addressed some, but not all, aspects of the core element. [30] Metis ArchitectTM is an architecture tool from Troux Technologies, Inc. [31] Telelogic System Architect® is a set of architecture tools from Telelogic, Inc. [32] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-831]. [33] J. A. Zachman, "A Framework for Information Systems Architecture," IBM Systems Journal vol. 26, no. 3 (1987). [34] The windows include (1) the strategic planner, (2) the system user, (3) the system designer, (4) the system developer, (5) the subcontractor, and (6) the system itself. [35] The models cover (1) how the entity operates, (2) what the entity uses to operate, (3) where the entity operates, (4) who operates the entity, (5) when entity operations occur, and (6) why the entity operates. [36] Similar to Zachman's framework, the Federal Enterprise Architecture Framework's proposed models describe an entity's business, data necessary to conduct the business, applications to manage the data, and technology to support the applications. [37] 40 U.S.C. sections 11315. [38] A score of 0 means undefined, 1 means initial, 2 means managed, 3 means utilized, 4 means results-oriented, and 5 means optimized. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.