Federal Bureau of Investigation's Comments on Recent GAO Report on its Enterprise Architecture Efforts
GAO ID: GAO-04-190R November 14, 2003
On September 25, 2003, we issued our report on efforts by the Federal Bureau of Investigation (FBI) to develop a corporate blueprint--commonly called an enterprise architecture--to guide and constrain its information technology (IT) systems modernization. (This report is available on GAO's Web site at www.gao.gov/cgi-bin/getrpt?GAO-03-959.) We provided the FBI with a draft of this report on August 22, 2003, requesting that comments be provided by September 18. On September 23, the FBI provided us with written comments. However, the comments were not received in time to be analyzed, incorporated, and responded to in the report and still meet our September 25, 2003, reporting commitment to Congress. As discussed with Congress at that time, we did not extend the reporting date in order to include the FBI's comments and instead are transmitting and responding to them in this follow-up correspondence.
In its written comments signed by the Assistant Director, Inspection Division, the FBI made two primary points. First, it expressed its commitment to developing and using an enterprise architecture (EA), including (1) agreeing with our conclusion that it needs an architecture to effectively manage its IT systems modernization; (2) consistent with our recommendations, stating that it recognized the need for immediate attention to its architecture efforts; and (3) noting that it was managing its architecture effort as an IT modernization enabler and priority. Related to this first point, the FBI also stated that it has efforts currently under way to improve its EA posture, and that substantial and real progress has already been made in doing so. For example, it stated that an executive team had been established to (1) assess the bureau's EA status and resource needs using our EA maturity management framework and (2) formulate recommendations for improvement. Although the FBI's comments did not specify when it would complete the assessment, it did state that the necessary resources would be applied to architecture development, maintenance, and implementation following the results of the assessment.
This is the accessible text file for GAO report number GAO-04-190R
entitled 'Federal Bureau of Investigation's Comments on Recent GAO
Report on its Enterprise Architecture Efforts' which was released on
November 14, 2003.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
November 14, 2003:
The Honorable Porter J. Goss:
Chairman, Permanent Select Committee on Intelligence:
House of Representatives:
The Honorable Nancy Pelosi:
House of Representatives:
The Honorable Bob Graham:
United States Senate:
The Honorable Richard C. Shelby:
United States Senate:
Subject: Federal Bureau of Investigation's Comments on Recent GAO
Report on its Enterprise Architecture Efforts:
On September 25, 2003, we issued our report on efforts by the Federal
Bureau of Investigation (FBI) to develop a corporate blueprint--
commonly called an enterprise architecture--to guide and constrain its
information technology (IT) systems modernization.[Footnote 1] (This
report is available on GAO's Web site at
www.gao.gov/cgi-bin/getrpt?GAO-03-959.) We provided the FBI with a draft of this report on
August 22, 2003, requesting that comments be provided by September 18.
On September 23, the FBI provided us with written comments. However,
the comments were not received in time to be analyzed, incorporated,
and responded to in the report and still meet our September 25, 2003,
reporting commitment to you. As discussed with your offices at that
time, we did not extend the reporting date in order to include the
FBI's comments and instead are transmitting and responding to them in
this follow-up correspondence.
In its written comments signed by the Assistant Director, Inspection
Division (which are reprinted in their entirety in the enclosure), the
FBI made two primary points. First, it expressed its commitment to
developing and using an enterprise architecture (EA), including
(1) agreeing with our conclusion that it needs an architecture to
effectively manage its IT systems modernization; (2) consistent with
our recommendations, stating that it recognized the need for immediate
attention to its architecture efforts; and (3) noting that it was
managing its architecture effort as an IT modernization enabler and
priority.
Related to this first point, the FBI also stated that it has efforts
currently under way to improve its EA posture, and that substantial and
real progress has already been made in doing so. For example, it stated
that an executive team had been established to (1) assess the bureau's
EA status and resource needs using our EA maturity management
framework[Footnote 2] and (2) formulate recommendations for
improvement. Although the FBI's comments did not specify when it would
complete the assessment, it did state that the necessary resources
would be applied to architecture development, maintenance, and
implementation following the results of the assessment. To illustrate
its progress, the FBI stated that it had
* completed and approved what it referred to as an EA foundation document
which, according to its comments, contains an architecture approach
based on 55 principles spanning 10 categories of bureau activities and
operations and acknowledges its largest modernization project (Trilogy)
as one enabler for moving from its current architectural state to its
target state;
* established key IT modernization management structures
and processes, such as an investment management process that requires
all proposed investments to address EA, a governance board to review
investment proposals and architectural decisions, an application
integration board to ensure that new applications are consistent with
the bureau's IT environment, and change management and control
entities to examine and approve changes to its IT infrastructure;
* assigned EA resources, including appointing a chief architect,
assigning staff, and obtaining private-industry expert assistance, to
support its ongoing architecture assessment and development of
architecture products;
* established a list of existing systems that had completed security
certification and accreditation;
* begun acquiring an automated tool to serve as an architecture
repository, as well as a risk management tool for determining existing
system vulnerabilities and cost-effective risk mitigation steps; and
* begun conducting outreach with external parties, such as the Justice
Department, the federal CIO Council, and its intelligence community
partners to, among other things, learn from these entities' EA
experiences.
We support the FBI's stated commitment to architecture development and
use, including its adoption of our maturity framework. Moreover, we
believe that the examples of EA-related activities cited in the
bureau's comments, some of which were subsequent to completion of our
audit work, are steps in the right direction. However, the examples
that the FBI cites do not alter our report's findings and conclusions
about the maturity of the FBI's EA program because they are either
already recognized in our report or they do not fully address the EA
management maturity core elements that our report cites as not being
satisfied. Moreover, the FBI does not currently have a version of an EA
to guide and constrain its ongoing and planned IT investments. Our
evaluation and response to each of the FBI's examples of progress are
provided below.
At the time we completed our audit work, the EA foundation document was
in draft form, and our review of this draft showed that while it
contained information that would be useful in developing a plan for
architecture development, maintenance, and implementation, as well as
information that would be useful in developing architecture artifacts
or products, it did not satisfy the basic content requirements for
either an EA or a plan for developing, implementing, and maintaining
one. For example, neither the draft nor the recently approved version
specifies the tasks, time frames, or responsible parties for actually
developing and completing such architecture products as the business,
information/data, services/applications, technology, and performance
reference models, as well as the security views that should be part of
these models.
At the time we completed our audit work, the bureau's EA governance
board did not include all relevant internal stakeholders, such as
representatives from its counterterrorism and counterintelligence
organizational components. As our framework recognizes, enterprisewide
representation and accountability on the architecture governance body
is a critical success factor and a recognized best practice. Since we
issued our report, FBI officials told us that they now have all
relevant stakeholders represented on the board.
Our report recognizes that the bureau had appointed a chief architect
and assigned staff as part of its EA efforts. However, the report also
points out that it began these efforts over 32 months ago, and the
level of commitment and resources devoted to them had neither advanced
the FBI beyond stage 1 of our maturity framework nor produced an EA
that could effectively support the investment and modernization
management processes and structures that the FBI cited as having been
established. Moreover, as we state in the report, the then-chief
architect characterized the bureau's annual commitment of $1 million in
resources to these efforts as "limited," and this amount now appears to
be an overstatement. Specifically, the FBI stated in its comments that
it is actually investing less than this amount in its EA efforts
($285,000 and $500,000 in fiscal years 2003 and 2004, respectively),
but that its fiscal year 2005 budget request includes a substantial,
but unspecified, increase.
Despite the bureau's progress in establishing a listing of existing
systems under security certification and accreditation, which we
believe would be a useful source of information in developing an EA,
the then-chief architect told us that this listing was incomplete and
required management approval before it could serve as a basis for
developing the "as-is" architecture description.
The bureau's comments acknowledge that it is in the process of
acquiring automated EA tools, and thus does not yet satisfy core
elements of our framework related to establishing an EA management
foundation. Further, to augment these tools, the bureau has yet to
establish a methodology that it will follow to create its architecture
artifacts, which is another management foundation core element.
We support the efforts that the FBI cited for outreach to relevant
external stakeholders. Understanding these relationships, and
ultimately defining them in architecture artifacts, should be part of
an effectively managed EA program.
The FBI's second primary comment was that our report was too narrowly
focused and not comprehensive because it was limited to EA and did not
include an assessment of the FBI's other IT management controls and
capabilities. Because our report focused on EA, the bureau said that
the report was premature.
While we agree that the report focuses on the FBI's EA activities, we
do not agree that this is either inappropriate or makes the report
premature. As agreed with your offices, we are in the process of
reviewing a wide range of FBI IT management areas, such as system
acquisition capabilities, IT human capital management, IT investment
management practices, and architecture development and use. As further
agreed, we are to report on these areas incrementally, as appropriate.
Our report represents an appropriate and timely first increment for two
principal reasons.
Our experience over the last 10 years in evaluating federal agency IT
management has shown that providing our congressional clients and the
subject agency's leadership team with the results of major segments of
our work as they are available permits more timely corrective action,
and thus better outcomes.
Reporting first on EA in particular, which can be viewed as an
essential link between strategic planning and system investment/
implementation, provides the FBI sooner rather than later with a
comprehensive set of recommendations for effectively making its
architecture efforts more mature in time to influence its ongoing and
planned IT investment/implementation efforts. Any delay on our part in
reporting on this area of strategic importance would only increase the
agency's exposure to modernization risk and postpone your awareness and
understanding of this critical issue. This does not, however, mean that
the FBI should not be pursuing near-term IT upgrades before it
completes and is positioned to use an architecture, nor is it intended
to suggest that the bureau's planned and ongoing modernization
investments to date are completely unjustified and unreasonable.
Rather, it means that these investments and upgrades are being pursued
without a blueprint that provides an authoritative, commonly understood
frame of reference that translates strategy into implemental actions,
which, in turn, increases modernization risk.
We are sending copies of this correspondence to the Chairman and Vice
Chairman of the Senate Select Committee on Intelligence and the Ranking
Minority Member of the House Permanent Select Committee on
Intelligence. We are also sending copies to the Attorney General; the
Director, FBI; the Director, Office of Management and Budget; and other
interested parties. In addition, this correspondence will be available
without charge on GAO's Web site at www.gao.gov.
Should you or your offices have any questions on matters discussed in
this correspondence, please contact me at (202) 512-3439 or by e-mail
at hiter@gao.gov. Key contributors to this response included Katherine
I. Chu-Hickman, Barbara Collier, Gregory Donnellon, Michael P.
Fruitman, Paula A. Moore, Gary N. Mountjoy, and Megan M. Secrest.
Signed by:
Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
Enclosure:
U.S. Department of Justice:
Federal Bureau of Investigation:
Washington, D.C. 20535-0001:
September 22, 2003:
Mr. Gary Mountjoy:
Assistant Director:
Information Technology:
U.S. General Accounting Office:
441 G Street, N. W. Washington, DC 20548:
Dear Sir:
I would like to thank you for affording the FBI the opportunity to
respond to the General Accounting Office (GAO) report entitled "FBI
Needs an Enterprise Architecture to Guide its Modernization
Activities.":
The FBI agrees with the report's conclusion that the FBI should have an
enterprise architecture. In fact, as noted in the enclosed response,
substantial progress has been made in establishing the FBI Enterprise
Architecture.
However, because this report is limited in its scope, it does not
incorporate the tremendous progress the FBI has made in the
modernization of its Information Technology (IT) systems. Moreover, we
suggest that this report is premature and should be a part of a
comprehensive assessment of the FBI's IT progress, as has been the
practice in previous GAO studies that assess IT systems.
Again, thank you for the opportunity to respond to the report, and if
you or your staff have any questions regarding our enclosed response,
please contact me any time.
Sincerely yours,
Signed by:
Steven C. McCraw:
Assistant Director:
Inspection Division:
Comments on GAO Draft "FBI Needs an Enterprise Architecture to Guide
its Modernization Activities":
Comment in response to "Results in Brief" (Pg. 3) and "Conclusions"
(Pg. 20):
The FBI recognizes that several information technology management and
technical control mechanisms, needed to most effectively guide our
modernization efforts, are not as well developed as we need them to be.
In February 2003, FBI executive management directed an initiative to:
(1) consolidate FBI technology upgrade efforts into a comprehensive
enterprise system managed and sourced by a single prime contractor; and
(2) obtain an interim System Engineering, Integration and Test
contractor to blend the Trilogy VCF, SCOPE and IDW projects, and
several smaller efforts into a unified and functioning whole. The first
element is known as Aurora and a FY2005 budget enhancement request,
which includes very substantial funding for Enterprise Architecture
(EA) related activities, has been prepared and is under consideration
at DOJ and OMB at this time. Further, in April 2003, FBI executive
management recognized the need for more immediate attention to EA and
assigned an executive team to assess current status and formulate
recommendations to improve our EA posture. When that assessment is
complete the FBI will commit the necessary personnel and fiscal
resources to correct EA shortfalls. The FBI, as mentioned elsewhere in
the draft report, has selected the CIO Council's "Federal Enterprise
Architecture Framework" as the basis for defining the FBI EA. The FBI
acknowledges the validity of the GAO EA Management Maturity Framework
and is using the GAO framework as part of its internal assessment. FBI
executive management has determined to treat EA as an IT modernization
priority and to manage EA as such.
While the assessment of FBI EA is still underway, real progress has
already been achieved as follows:
EA Foundation Document:
* An FBI Enterprise Architecture "Foundation Document" has been
completed and approved. The Document bases its EA approach on 55
principles in 10 categories of FBI activities or operations. These
reflect the Director's 10 Priorities through three mission areas
and several prescribed functions of the FBI's information
enterprise. This document acknowledges the de facto Trilogy
Architecture as one of the infrastructure enablers from the "As-Is" to
the "To-Be" FBI IT environments.
Boards and Processes:
* An Investment Management Process (IMP) has been established in the
FBI consistent with the Clinger-Cohen Act to ensure IT and other
investments are aligned to meet mission needs and priorities. A
Business Plan template requires all investments to address 10 areas
including Enterprise Architecture. The IMP ensures management of
investments during the Select, Control and Evaluate phases.
* An FBI wide Enterprise Architecture Board (EAB) has been established,
comprised of FBI executives in Senior Executive Service (SES) and the
Senior Level (SL) positions, and is already reviewing architecture
decisions. This Board reviews IT proposals to ensure that they are
consistent with the de facto Trilogy Architecture, Standards and the
new emerging EA Vision as delineated in the EA Foundation Document.
* In March 2003, the FBI Information Resources Division (IRD) initiated
an interim Change Management Process that includes an Executive Change
Management Board (CMB) and a Technical Change Control Board (TCCB),
both of which are comprised of qualified executives, senior level and
management staff at GS-15 level with sufficient experience and
expertise. These boards regularly record, track, and approve all
changes to the IT Operational infrastructure (networks, systems,
applications, and computing).
* IRD has initiated an Application Integration Board to ensure all new
Applications are consistent with FBI's IT environment.
Resources:
* A Chief Architect has been appointed, with staff provided on a
matrixed basis while the assessment is ongoing.
* Expert assistance from private industry has been obtained and is
supporting the assessment and will be developing elements of the
architecture.
List of Systems:
* A definitive list of current FBI systems under Certification and
Accreditation (C&A) has been established for the Sensitive-But-
Unclassified, Classified Secret and Classified Top Secret Enclaves.
Tools:
* A commercial tool (Popkin) for managing EA is in process of being
purchased. This tool is exactly the same as the one used by the
Department of Justice (DOJ). The tool will first be populated with the
current "As-Is" systems baseline information and will rely on
Configuration Management (CM) Information from the Trilogy-provided
Enterprise Management Systems and new CM tools.
* The FBI is in process of acquiring a Risk Management Tool that has
been successfully deployed in the IC (e.g. National Security Agency).
This tool will assist the FBI in determining where IT vulnerabilities
should be mitigated through risk/cost trade-offs, thereby ensuring IT
Continuity of Operations (COOP). The FBI will interface this tool with
the EA Tool.
External Efforts:
* The FBI is actively participating in the DOJ architecture effort.
* The FBI has met with members of the Chief Information Officer (CIO)
Council's Architecture Integration Committee to understand the
requirements of the Federal Enterprise Architecture Reference Model.
* The FBI has actively participated with the IC partners to determine
status of their EA efforts and lessons learned in implementation of EA.
This will assist the FBI in our Information Sharing efforts with the IC
and also assist the FBI in determining the resources and processes
required to tailor the FBI's EA effort. For example, the FBI is a
voting member of the IC-CIO Communications Board, Intelligence
Implementation Board (IIB) and keeps abreast of IC architecture
efforts.
Comment in Response to "Recommendations" (Pg. 21):
The FBI will designate EA as an IT modernization enabler and will
manage it as such. FBI executive management assigned an executive team,
in April 2003, to assess current EA status and formulate
recommendations to improve our EA posture. When this assessment is
complete the necessary personnel and fiscal resources will be applied
and the FBI EA will be implemented in a manner consistent with the GAO
EA Management Maturity Framework.
GAO Comment: Page 7 - "Department of Justice Inspector General reported
that, as of September 2000, the FBI had over 13,000 desktop computers
that were 4 to 8 years old and could not run basic software packages.
Moreover, it reported that some communications networks were 12 years
old and were obsolete.":
FBI Response: It should be noted that under the Trilogy program the FBI
has successfully deployed over 20,000 new desktop computers and
peripherals which have been upgraded to current Industry standards,
reused more than 7,500 older desktops, replaced the obsolete
communications networks with Industry-standard, robust Local and Wide
Area Networks with redundancy and standard NSA-approved secure
encryption.
The enterprise servers and operating systems will be upgraded in fiscal
year 2004. Enterprise Mainframes have been upgraded to requisite
computing capacity. Therefore, the major deficiencies cited in the
classified IT infrastructure are no longer a problem for the FBI.
Although several older applications have already been web-enabled, the
five most significant investigative and counterterrorism applications
are nearing replacement under the auspices of the Trilogy Program.
Migration of the remaining applications will require further effort and
funding. The problems cited were very significant, but they no longer
represent the FBI's "Existing IT Environment" from a networking and
computing perspective.
GAO Comment: Page 13 - "They added that they are currently in the
process of developing an inventory of the FBI's existing (legacy)
systems.":
FBI Response: The inventory of legacy systems has been completed and is
now part of the basis for managing the FBI C&A program. This inventory
will be entered into the recently purchased Popkin EA management tool
as part of the current systems baseline information.
GAO Comment: Page 13 - "resources allocated to this effort have been
limited to about $1 million annually and four staff.":
FBI Response: The FBI has not committed $1 million annually to EA.
During FY2003 the FBI has devoted approximately $285,000 to EA. Base
funding of $500,000 has been identified that can be applied to EA
during FY2004. An executive assessment of EA status and needs is
underway after which the necessary FY2004 funding will be determined
and identified. Substantial EA funding, of approximately $6.5 million,
that addresses EA, technical planning and systems engineering issues
has been requested for FY2005 as part of the Aurora budget enhancement
request. Substantial EA funding requests are also projected for FY2006
and for a steady-state commencing in FY2007. The dedicated architecture
staff was previously at four. While the FBI is assessing EA needs, a
matrixed staff is being provided to the Chief Architect.
GAO Comment: Page 15 - "Establish an architecture steering committee
representing the enterprise and make the committee responsible for
directing, overseeing, or approving the EA.":
FBI Response: During April 2003, FBI management assigned an executive
team to address EA. An FBI wide EAB has been established, comprised of
FBI executives in SES and the SL positions, and is already reviewing
architecture decisions. The EAB charter and Policy has been prepared
and is nearing approval by the Deputy Director and will be promulgated
throughout the enterprise.
GAO Comment: Page 15 - "Appoint a chief architect who is responsible
and accountable for the EA, and who is supported by the EA program
office and overseen by the architecture steering committee.":
FBI Response: A chief architect has been appointed. The chief architect
currently reports directly to the chair of the EAB. Appropriate
staffing and other resources to support the chief architect have not
yet been determined.
Staff is currently being provided on a matrixed basis. The charter for
the chief architect and staff has not yet been prepared.
GAO Comment: Page 15 - "Use an architecture development framework,
methodology, and automated tool to develop and maintain the EA.":
FBI Response: An FBI Enterprise Architecture "Foundation Document" has
been completed and approved. The FBI has selected the CIO Council's
"Federal Enterprise Architecture Framework" as the basis for defining
the FBI EA. The Popkin automated tool has recently been purchased. The
methodology for EA development has not yet been selected.
(310268):
FOOTNOTES
[1] U.S. General Accounting Office, Information Technology: FBI Needs
an Enterprise Architecture to Guide Its Modernization Activities,
GAO-03-959 (Washington, D.C.: Sept. 25, 2003).
[2] U.S. General Accounting Office, Information Technology: A Framework
for Assessing and Improving Enterprise Architecture Management (Version
1.1), GAO-03-584G (Washington, D.C.: April 2003).