Information Technology
Foundational Steps Being Taken to Make Needed FBI Systems Modernization Management Improvements
Gao ID: GAO-04-842 September 10, 2004
The Federal Bureau of Investigation (FBI) is investing more than a billion dollars over 3 years to modernize its information technology (IT) systems. The modernization is central to the bureau's ongoing efforts to transform the organization. GAO was asked to determine whether the FBI has (1) an integrated plan for modernizing its IT systems and (2) effective policies and procedures governing management of IT human capital, systems acquisition, and investment selection and control.
Although improvements are under way and planned, the FBI does not currently have an integrated plan for modernizing its IT systems. Each of the bureau's divisions and other organizational units that manage IT projects performs integrated planning for its respective IT projects. However, the plans do not provide a common, authoritative, and integrated view of how IT investments will help optimize mission performance, and they do not consistently contain the elements expected to be found in effective systems modernization plans. FBI officials attributed the state of modernization planning to, among other things, the bureau's lack of a policy requiring such activities, which is due in part to the fact that the responsibility for managing IT--including modernization planning--has historically been diffused and decentralized. The FBI's CIO recognizes these planning shortfalls and has initiated efforts to address them. Until they are addressed, the bureau risks acquiring systems that require expensive rework to be effectively integrated, thus hampering organizational transformation. The FBI has established policies and procedures governing IT human capital that are consistent with best practices used by leading private and public organizations. However, the bureau's policies and procedures governing systems acquisition, which are developed on a decentralized basis by the divisions and other units that manage IT projects, include some but not all best practices. In addition, the bureau's investment management policies and procedures, which started in 2001, have been evolving and progressing slowly toward alignment with best practices. According to FBI officials, the state of the bureau's acquisition and investment management policies and procedures is due to a number of factors, including diffused and decentralized IT management authority. The CIO recognizes these problems and has efforts planned and under way to strengthen policies and procedures. Until these efforts are completed, the bureau increases the risk that it will experience problems delivering promised IT investments on time and within budget, which, in turn, could adversely affect systems modernization and organizational transformation.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-04-842, Information Technology: Foundational Steps Being Taken to Make Needed FBI Systems Modernization Management Improvements
This is the accessible text file for GAO report number GAO-04-842
entitled 'Information Technology: Foundational Steps Being Taken to
Make Needed FBI Systems Modernization Management Improvements' which
was released on September 10, 2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
September 2004:
INFORMATION TECHNOLOGY:
Foundational Steps Being Taken to Make Needed FBI Systems Modernization
Management Improvements:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-842]:
GAO Highlights:
Highlights of GAO-04-842, a report to congressional requesters
Why GAO Did This Study:
The Federal Bureau of Investigation (FBI) is investing more than a
billion dollars over 3 years to modernize its information technology
(IT) systems. The modernization is central to the bureau‘s ongoing
efforts to transform the organization. GAO was asked to determine
whether the FBI has (1) an integrated plan for modernizing its IT
systems and (2) effective policies and procedures governing management
of IT human capital, systems acquisition, and investment selection and
control.
What GAO Found:
Although improvements are under way and planned, the FBI does not
currently have an integrated plan for modernizing its IT systems. Each
of the bureau‘s divisions and other organizational units that manage IT
projects performs integrated planning for its respective IT projects.
However, the plans do not provide a common, authoritative, and
integrated view of how IT investments will help optimize mission
performance, and they do not consistently contain the elements expected
to be found in effective systems modernization plans. FBI officials
attributed the state of modernization planning to, among other things,
the bureau‘s lack of a policy requiring such activities, which is due
in part to the fact that the responsibility for managing IT”including
modernization planning”has historically been diffused and
decentralized. The FBI‘s CIO recognizes these planning shortfalls and
has initiated efforts to address them. Until they are addressed, the
bureau risks acquiring systems that require expensive rework to be
effectively integrated, thus hampering organizational transformation.
The FBI has established policies and procedures governing IT human
capital that are consistent with best practices used by leading private
and public organizations. However, the bureau‘s policies and procedures
governing systems acquisition, which are developed on a decentralized
basis by the divisions and other units that manage IT projects, include
some but not all best practices (see figure). In addition, the bureau‘s
investment management policies and procedures, which started in 2001,
have been evolving and progressing slowly toward alignment with best
practices. According to FBI officials, the state of the bureau‘s
acquisition and investment management policies and procedures is due to
a number of factors, including diffused and decentralized IT management
authority. The CIO recognizes these problems and has efforts planned
and under way to strengthen policies and procedures. Until these
efforts are completed, the bureau increases the risk that it will
experience problems delivering promised IT investments on time and
within budget, which, in turn, could adversely affect systems
modernization and organizational transformation.
IT Systems Acquisition Best Practices Addressed in FBI Divisions‘
Policies and Procedures:
[See PDF for image]
[End of figure]
What GAO Recommends:
To help the bureau better manage its systems modernization risks, GAO
is making several recommendations to the Director, including that the
FBI limit its near-term investments in IT systems until the bureau
develops an integrated systems modernization plan and effective
policies and procedures for systems acquisition and investment
management. GAO is also recommending that the Director provide the
Chief Information Officer (CIO) with the responsibility and authority
to effectively manage IT across the bureau. In the FBI‘s written
comments on a draft of this report, the bureau agreed that steps are
being taken to lay the foundation for improving IT operations, and that
much work remains to institutionalize IT management improvements. The
FBI also described recent actions and plans to address our
recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-04-842.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph C. Hite at (202)
512-3439 or hiter@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Integrated Project Planning across the FBI Is Not Yet Occurring, but
Improvements Are Planned:
Policies and Procedures Governing Key Systems Modernization Management
Capabilities Are Partially in Place and Further Improvements Are
Planned:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Brief Descriptions of Major IT Systems Modernization
Initiatives:
Appendix III: Summary of Systems Acquisition Analyses for Six FBI
Divisions:
Appendix IV: Comments from the Federal Bureau of Investigation:
Appendix V: GAO Contact and Staff Acknowledgments:
GAO Contact:
Staff Acknowledgments:
Tables:
Table 1: FBI Components and Divisions and Their Mission
Responsibilities:
Table 2: Major IT Modernization Initiatives for Fiscal Years 2003-2005
by Division:
Table 3: Extent to Which Divisions' Plans Address Modernization
Planning Elements:
Figures:
Figure 1: Simplified FBI Organizational Chart:
Figure 2: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Best Practices:
Figure 3: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Configuration Management Best Practices
Figure 4: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Project Management Best Practices:
Figure 5: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Quality Assurance Best Practices:
Figure 6: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Requirements Development and Management
Practices:
Figure 7: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Risk Management Best Practices:
Abbreviations:
CIO: chief information officer:
CJIS: Criminal Justice Information Services:
FBI: Federal Bureau of Investigation:
IT: information technology:
OMB: Office of Management and Budget:
Letter September 10, 2004:
The Honorable Jane Harman:
Ranking Minority Member:
Permanent Select Committee on Intelligence:
House of Representatives:
The Honorable Bob Graham:
United States Senate:
The Honorable Richard C. Shelby:
United States Senate:
The Honorable Porter J. Goss:
House of Representatives:
The Federal Bureau of Investigation (FBI) is in the midst of investing
more than a billion dollars over 3 years to modernize its information
technology (IT) systems, including its aging infrastructure (e.g.,
networks) and its mission operations and supporting administrative
systems. The modernization is one of the bureau's top 10 priority
initiatives and is central to its ongoing efforts to transform the
organization. Our research has shown that effective IT modernization
management plans, policies, and procedures are important contributors
to an effective systems modernization program. Accordingly, you
requested that we examine whether the FBI has (1) an integrated plan
for modernizing its IT systems and (2) effective policies and
procedures governing management of IT human capital, systems
acquisition, and investment selection and control. We performed our
work in accordance with generally accepted government auditing
standards. Details of our objectives, scope, and methodology are in
appendix I.
Results in Brief:
Integrated project planning is not yet occurring across the bureau, but
improvements are planned for the near future. Specifically, the bureau
does not have an integrated plan or set of plans for modernizing its IT
systems. Instead, the bureau's divisions, offices, and other groups
that manage IT projects are responsible for integrated planning of
their respective projects. Accordingly, the plans do not provide a
common, authoritative, and integrated view of how IT investments will
help optimize mission performance, and they do not consistently satisfy
the elements expected to be found in effective systems modernization
plans. For example, while two of six component organizations included
the majority of key elements, the other four included few of them. FBI
officials attributed the state of modernization planning to, among
other things, the bureau's lack of a policy requiring integrated
planning, which is due in part to the fact that the responsibility for
managing IT, including modernization planning, has historically been
decentralized and diffused. The FBI's Chief Information Officer (CIO)
recognizes these planning shortfalls and has efforts planned and under
way to address them. For instance, the CIO is developing a proposal for
director approval that merges responsibility and authority for IT
management, including integration planning, within the CIO's office.
The longer the bureau continues to invest in systems without an
integrated bureauwide view, the greater the risk that these systems
will be duplicative and will require expensive rework to be integrated,
thus hampering efforts to transform the organization. This risk has
become a reality on five key ongoing infrastructure projects where,
according to the bureau, it has found significant overlap due to the
lack of integrated planning.
The bureau has established policies and procedures governing IT human
capital that are consistent with best practices used by leading private
and public organizations. Conversely, the bureau's policies and
procedures governing systems acquisition and investment selection and
control are not consistent with best practices, although efforts are
planned and under way to remedy this. For example, systems acquisition
policies and procedures, which are developed on a decentralized basis
by the FBI's divisions and other organizations that manage IT projects,
varied in their use of key practices of leading organizations. In
addition, the bureau's investment management policies and procedures,
which started in 2001, have been evolving and progressing slowly toward
alignment with best practices. According to FBI officials, including
the CIO, the state of the bureau's acquisition and investment
management policies and procedures is due to a number of factors,
including diffused and decentralized IT management authority and the
bureau's past history of inattention to IT management. The CIO has
actions planned and under way to strengthen policies and procedures in
each of these critical areas. For example, the CIO is developing a
systems life cycle management approach for bureauwide use that is to be
fully consistent with the practices of leading organizations. Until
this and other CIO efforts are completed, the bureau increases the risk
that it will experience problems delivering promised IT investments on
time and within budget, which could, in turn, adversely affect the
bureau's systems modernization and organizational transformation.
To help the bureau better manage these systems modernization risks, we
are making several recommendations to the FBI Director, including
limiting the bureau's near-term investment in new and existing IT
systems until it develops, among other things, an integrated systems
modernization plan and effective policies and procedures for systems
acquisition and investment management. We are also recommending that
the Director provide the CIO with the responsibility and authority to
effectively manage IT across the bureau.
In the FBI's written comments, which were signed by the CIO, on a draft
of this report, the bureau agreed that it is taking steps to lay a
foundation for improving IT operations. It further agreed that while
progress is being made, much work remains to implement and
institutionalize planned and ongoing IT management improvements. The
FBI also described recent actions and plans for addressing our
recommendations.
Background:
The FBI is the primary investigative agency within the Department of
Justice. Its missions include investigating serious federal crimes,
protecting the nation from foreign intelligence and terrorist threats,
and assisting other law enforcement agencies. Approximately 12,000
special agents and 16,000 mission support personnel are located in the
bureau's Washington, D.C., headquarters and in more than 450 offices in
the United States and 45 offices in foreign countries.
Mission responsibilities at the bureau are divided among the following
five major organizational components.
* Criminal Investigations: investigates serious federal crimes and
probes federal statutory violations involving exploitation of the
Internet and computer systems.
* Law Enforcement Services: provides law enforcement information and
forensic services to federal, state, local, and international agencies.
* Counterterrorism and Counterintelligence: identifies, assesses,
investigates, and responds to national security threats.
* Intelligence: collects, analyzes, and disseminates information on
evolving threats to the United States.
* Administration: manages the bureau's personnel programs, budgetary
and financial services, records, information resources, and information
security.
Each component is headed by an executive assistant director who reports
to the Deputy Director, who, in turn, reports to the Director. The
components are further organized into subcomponents, such as divisions,
offices, and other groups (hereafter referred to as "divisions"). Table
1 lists the components and briefly describes their respective
divisions.
Table 1: FBI Components and Divisions and Their Mission
Responsibilities:
Component: Administration;
Division: Administrative Services Division;
Mission responsibilities: Develop and administer personnel programs and
services, including recruiting, conducting background investigations,
and other administrative activities.
Component: Administration;
Division: Finance Division;
Mission responsibilities: Administer budget and fiscal matters,
including financial planning, payroll services, property management,
and procurement activities.
Component: Administration;
Division: Information Resources Division;
Mission responsibilities: Manage and plan for the use of IT resources.
Component: Administration;
Division: Office of Strategic Planning;
Mission responsibilities: Manage the bureau's strategic planning
activities and provide organizational resource allocation and
management services.
Component: Administration;
Division: Program Management Office;
Mission responsibilities: Support effective and efficient planning,
design, development, and deployment of projects, including IT projects.
Component: Administration;
Division: Records Management Division;
Mission responsibilities: Provide direction and oversight for all
records policy and functions, including records maintenance and
disposition, records review and dissemination, and Freedom of
Information and Privacy Acts.
Component: Administration;
Division: Security Division;
Mission responsibilities: Ensure safe and secure work environment,
including preventing the compromise of national security information.
Component: Counterterrorism and Counterintelligence;
Division: Counterintelligence Division;
Mission responsibilities: Identify and neutralize ongoing national
security threats, including conducting foreign counterintelligence
investigations;
coordinate investigations with the U.S. intelligence community;
and investigate violations of federal espionage statutes.
Component: Counterterrorism and Counterintelligence;
Division: Counterterrorism Division;
Mission responsibilities: Prevent, disrupt, and defeat terrorist
operations before they occur; pursue sanctions for those who have
conducted, aided, and abetted terrorist acts; and provide crisis
management following acts of terrorism against the United States and
U.S. interests.
Component: Criminal Investigations;
Division: Criminal Investigative Division;
Mission responsibilities: Investigate serious federal crimes, including
those associated with organized crime, violent crime, white-collar
crime, government and business corruption, and civil rights violations.
Component: Criminal Investigations;
Division: Cyber Division;
Mission responsibilities: Probe federal statutory violations involving
exploitation of the Internet and computer systems for criminal, foreign
intelligence, and terrorism purposes.
Component: Intelligence;
Division: Office of Intelligence;
Mission responsibilities: Collect and analyze information on evolving
threats to the United States and ensure its dissemination within the
FBI, to the U.S. intelligence community, and to law enforcement.
Component: Law Enforcement Services;
Division: Criminal Justice Information Services Division;
Mission responsibilities: Provide information services on fingerprint
identification, stolen automobiles, criminals, crime statistics, and
other information to state, local, federal, and international law
enforcement.
Component: Law Enforcement Services;
Division: Critical Incident Response Group;
Mission responsibilities: Respond to and manage crisis incidents such
as terrorist activities, child abductions, and other repetitive violent
crimes.
Component: Law Enforcement Services;
Division: Investigative Technology Division;
Mission responsibilities: Provide leadership and technical support to
FBI investigative efforts, including ensuring the operational
availability of modern technologies and the application of forensic
examination services related to the collection, processing, and
exploitation of digital evidence.
Component: Law Enforcement Services;
Division: Laboratory Division;
Mission responsibilities: Perform forensic examinations in support of
criminal investigations and prosecutions, including crime scene
searches, DNA testing, photographic surveillance, expert court
testimony, and other technical services.
Component: Law Enforcement Services;
Division: Office of International Operations;
Mission responsibilities: Promote relations with both foreign and
domestic law enforcement and security services, facilitate
investigative activities where permitted, and provide managerial
support of the Legal Attaché Program.
Component: Law Enforcement Services;
Division: Office of Law Enforcement Coordination;
Mission responsibilities: Improve coordination and information sharing
with state and local law enforcement and public safety agencies.
Component: Law Enforcement Services;
Division: Training Division;
Mission responsibilities: Train agents and support personnel as well
as state, local, international, and other federal law enforcement
personnel in crime investigation, law enforcement, and forensic
investigative techniques.
Source: GAO analysis of FBI data.
[End of table]
Supporting the divisions are various staff offices, including the
Office of the CIO. The CIO's responsibilities include, for example,
development of the bureau's IT strategic plan and operating budget;
development of IT investment management policies, processes, and
procedures; and development and maintenance of the bureau's enterprise
architecture. The CIO reports directly to the Director. Figure 1 shows
a simplified organizational chart of the components, divisions, Office
of the CIO, and respective reporting relationships.
Figure 1: Simplified FBI Organizational Chart:
[See PDF for image]
[End of figure]
To execute its mission responsibilities, the FBI relies extensively on
IT. For example, the Criminal Justice Information Services (CJIS)
division uses the National Crime Information Center 2000 to process
approximately 4 million criminal identification inquiries and other
related transactions for civilian, homeland security, and law
enforcement agencies each day. Similarly, the Laboratory division
stores records of known criminals on the Combined DNA[Footnote 1] Index
System to compare with DNA evidence submitted by federal, state, and
local law enforcement agencies. The FBI reports that it collectively
manages hundreds of systems, networks, databases, applications, and
associated IT tools at an average annual cost of about $800 million. As
we have previously reported,[Footnote 2] the FBI's IT environment is
composed of outdated, nonintegrated systems that do not optimally
support mission operations.
FBI Has Initiated a Wide Range of IT Modernization Projects:
To address its strategic IT needs, the bureau began modernizing its
systems environment in the mid-1990s. Currently, the FBI reports that
eight divisions will spend approximately $1 billion on 18
major[Footnote 3] IT modernization initiatives between fiscal years
2003 and 2005. These initiatives, such as Trilogy and the Investigative
Data Warehouse, are to introduce new systems infrastructure and
applications. For example, Trilogy is to establish an enterprise
network to enable communications among hundreds of domestic and foreign
FBI locations. According to the FBI, the first two segments of the
project--the Transportation Network Component and the Information
Presentation Component--were implemented as of April 2004. The third
segment--the User Applications Component, commonly called the Virtual
Case File--has been delayed and a new schedule is being determined. In
addition, the Investigative Data Warehouse initiative is to provide the
capability to search and share counterterrorism and criminal
investigative information across the bureau; the FBI reports it is in
the process of acquiring the warehouse and has plans for full
deployment by the end of fiscal year 2004.
Some divisions--such as CJIS, Cyber, and Investigative Technology--plan
to spend over $70 million each on IT modernization in fiscal year 2005
alone. For instance, the Investigative Technology Division plans to
spend approximately $83 million in fiscal year 2005 on three major IT
initiatives: Digital Collection, Electronic Surveillance Data
Management System, and the Computer Analysis Response Team. Table 2
shows, by FBI division, the major initiatives and their anticipated
modernization spending. A description of each initiative is provided in
appendix II.
Table 2: Major IT Modernization Initiatives for Fiscal Years 2003-2005
by Division:
Dollars in millions.
Division: Counterterrorism;
Major IT modernization initiative[A]: Foreign Terrorism Tracking Task
Force;
Anticipated spending for fiscal years: 2003-2005: $15.3.
Division: Criminal Justice Information Services;
Major IT modernization initiative[A]: Integrated Automated Fingerprint
Identification System;
Anticipated spending for fiscal years: 2003-2005: $190.8.
Division: Criminal Justice Information Services;
Major IT modernization initiative[A]: National Crime Information Center
2000;
Anticipated spending for fiscal years: 2003-2005: $14.7.
Division: Criminal Justice Information Services;
Major IT modernization initiative[A]: National Instant Criminal
Background Check System;
Anticipated spending for fiscal years: 2003-2005: $104.9.
Division: Cyber;
Major IT modernization initiative[A]: Special Technologies Applications
Section;
Anticipated spending for fiscal years: 2003-2005: $149.4.
Division: Information Resources;
Major IT modernization initiative[A]: Collaborative Capabilities;
Anticipated spending for fiscal years: 2003-2005: $1.0.
Division: Information Resources;
Major IT modernization initiative[A]: Legat/International
Infrastructure;
Anticipated spending for fiscal years: 2003-2005: $10.5.
Division: Information Resources;
Major IT modernization initiative[A]: Sensitive Compartmented
Information Operational Network;
Anticipated spending for fiscal years: 2003-2005: $20.2.
Division: Investigative Technologies;
Major IT modernization initiative[A]: Computer Analysis Response
Team;
Anticipated spending for fiscal years: 2003-2005: $105.1.
Division: Investigative Technologies;
Major IT modernization initiative[A]: Digital Collection;
Anticipated spending for fiscal years: 2003-2005: $93.3.
Division: Investigative Technologies;
Major IT modernization initiative[A]: Electronic Surveillance Data
Management System;
Anticipated spending for fiscal years: 2003-2005: $26.6.
Division: Laboratory;
Major IT modernization initiative[A]: Combined DNA Index System;
Anticipated spending for fiscal years: 2003- 2005: 22.8.
Division: Office of the CIO;
Major IT modernization initiative[A]: Aurora;
Anticipated spending for fiscal years: 2003-2005: $8.0.
Division: Program Management Office;
Major IT modernization initiative[A]: Investigative Data Warehousing
and Virtual Knowledge Base;
Anticipated spending for fiscal years: 2003-2005: $53.0.
Division: Program Management Office;
Major IT modernization initiative[A]: Joint Terrorism Task Force,
Information Sharing Initiative;
Anticipated spending for fiscal years: 2003-2005: $6.5.
Division: Program Management Office;
Major IT modernization initiative[A]: Trilogy;
Anticipated spending for fiscal years: 2003-2005: $110.9.
Division: Security;
Major IT modernization initiative[A]: IT Security/Information
Assurance;
Anticipated spending for fiscal years: 2003-2005: $121.2.
Division: Security;
Major IT modernization initiative[A]: Security Management Information
System;
Anticipated spending for fiscal years: 2003-2005: $12.6.
Total for all major IT modernization initiatives;
Anticipated spending for fiscal years: 2003-2005: $1,066.8.
Source: GAO analysis of FBI data.
[A] Includes modernization initiatives that the FBI designated as major
in its budget requests for fiscal years 2003, 2004, or 2005.
[End of table]
Integrated Project Planning and Effective Policies and Procedures Are
Essential to Effectively Managing IT Modernization Efforts:
Integrated planning across related IT projects and effective policies
and procedures for managing IT human capital, systems acquisitions, and
investment activities are recognized hallmarks of successful public and
private organizations, and they are essential ingredients for
effectively managing large modernization efforts. Our research and
experience with federal agencies has shown that executing modernization
projects without these and other IT management controls increases the
chances of implementing systems that are not well integrated and do not
provide promised capabilities on time and within budget.[Footnote 4]
The Congress and the Office of Management and Budget (OMB) have
recognized the importance of these and other IT management controls.
The Clinger-Cohen Act,[Footnote 5] for example, provides a framework
for effective IT management that includes systems integration planning,
human capital management, acquisition management, and investment
selection and control. In addition, OMB has issued guidance on
integrated IT modernization planning and effective IT human capital,
acquisition, and investment management.[Footnote 6] Further,
organizations such as Carnegie Mellon University's Software Engineering
Institute have also issued guidance on effective acquisition management
practices for areas such as configuration management, project
management, quality assurance, requirements development and
management, and risk management.
Prior Reviews Have Identified Challenges Facing the FBI in Modernizing
Its IT Environment:
Over the past several years, reviews of the FBI's efforts to leverage
IT to support transformation efforts have identified management
weaknesses. In particular, a December 2001 report[Footnote 7] initiated
by the Department of Justice identified weaknesses with, for example,
the bureau's systems acquisition and human capital management
processes. The weaknesses included not having (1) a policy that ensures
consistent implementation of configuration management activities, (2)
processes to ensure adequate definition of system requirements, and (3)
an agencywide systems life cycle methodology. The report also noted
that the FBI had not assessed the current skills of its employees on an
ongoing basis, and it did not have a systematic approach for
identifying the skills and abilities needed for the future.
In December 2002, Justice's Office of the Inspector General
reported[Footnote 8] that the FBI was not effectively managing its IT
investments. Specifically, the Inspector General reported that the
bureau did not have a complete process for selecting new IT investments
and was not following a disciplined process for controlling ongoing
projects. To address this, the Inspector General made a series of
recommendations aimed at implementing the processes and practices
defined in our IT investment management framework.[Footnote 9] In a
January 2004 follow-on report,[Footnote 10] the Inspector General
stated that, while the bureau had developed plans to address these
recommendations, full development and implementation of the plans--and
thus the establishment of effective investment management processes--
remained to be completed.
More recently, between September 2003 and March 2004, we
reported[Footnote 11] on the challenges the FBI faced in establishing
effective IT modernization management. For example, we reported in
September 2003 (and again in November) that the bureau had not yet
developed a modernization blueprint--commonly referred to as an
enterprise architecture[Footnote 12]--to guide and constrain
modernization efforts. Accordingly, we made recommendations to help the
bureau establish the architecture management capabilities needed to
develop, implement, and maintain an enterprise architecture. The FBI
agreed with our recommendations and is in the process of implementing
them. In addition, in March 2004,[Footnote 13] we reported that the FBI
has not benefited from having sustained IT management leadership with
bureauwide authority. Specifically, the bureau's key leadership and
management positions, including the position of the CIO, had
experienced frequent turnover, and the position of the CIO lacked
bureauwide authority over IT. We found that historically much of the
responsibility and authority for managing IT--including modernization
planning, human capital management, systems acquisition management, and
investment selection and control--was dispersed among the bureau's
divisions. We did not make recommendations in these areas at that time
because our work to fully evaluate these areas had not yet been
completed.
Shortfalls in the FBI's Centerpiece Systems Modernization Project Are
Linked to IT Management Weaknesses:
Reviews of the bureau's centerpiece systems modernization project,
Trilogy, have identified management weaknesses as the cause for cost,
schedule, and performance shortfalls that have been experienced by the
project. For example, over the past several years, the Justice
Inspector General issued several reports[Footnote 14] on the FBI's
management of Trilogy. According to the Inspector General's September
2003 report,[Footnote 15] Trilogy funding grew from an original
estimate of $379.8 million to $596 million, due in part to the lack of
integration planning for one of the three components of Trilogy. In
addition, the Inspector General reported that the original delivery
date for Trilogy's first two components (Transportation Network
Component and Information Presentation Component) slipped 8 months, in
part due to inadequately defined requirements. In March 2004, the
Inspector General testified[Footnote 16] that the continued series of
missed completion estimates and associated cost growth were due to,
among other things, poorly defined requirements, project management
deficiencies, frequent turnover of FBI IT managers, and the FBI's focus
on its other important law enforcement challenges.
In addition, in September 2003, we reported[Footnote 17] that the
bureau lacked an enterprise architecture--a key component in developing
and modernizing systems. We found that the absence of the architecture
contributed to unnecessary rework to integrate several modernization
initiatives, including Trilogy. In March 2004, we testified[Footnote
18] that the bureau's weaknesses in IT management controls, such as
investment management and enterprise architecture, contributed to
Trilogy schedule delays of at least 21 months and cost increases of
about $120 million.
Moreover, the National Research Council reported[Footnote 19] in May
2004 that the bureau was experiencing significant challenges in
developing and implementing Trilogy. For example, the council found
that the bureau did not have a permanent CIO with the technical
knowledge to provide the strong direction needed for the Trilogy
program. In addition, it found that modernization initiatives, such as
Trilogy, were not closely linked to a coherent view of the bureau's
mission and operational needs. Based on its findings, the council
concluded that the bureau was not on the path to success in its IT
modernization program. In a follow-on letter,[Footnote 20] the council
cited substantial progress on these fronts. In particular, it said that
the bureau had hired a permanent CIO, and the CIO had identified the
development of an enterprise architecture as a high priority.
Integrated Project Planning across the FBI Is Not Yet Occurring, but
Improvements Are Planned:
The Clinger-Cohen Act[Footnote 21] requires the use of effective IT
management practices such as organizationwide planning for the
integration of interrelated systems. In addition, OMB provides guidance
to federal agencies on such planning.[Footnote 22] As part of this
planning, agencies are supposed to identify, understand, and manage
interdependencies within and across individual IT systems modernization
projects. Key elements of effective integrated project planning
include:
* linking all IT projects to the organization's mission and related
strategic goals;
* identifying and demonstrating gaps in mission performance due to,
among other things, weak or nonexistent integration among existing
projects, services, systems, databases, networks, or tools;
* defining interdependencies among IT projects, including the business
processes to be supported and technical system interface requirements;
* assigning responsibilities and management structures for coordinating
and overseeing IT project interdependencies;
* identifying the risks associated with project interdependencies and
developing strategies to mitigate the risks; and:
* ensuring that affected organizations provide input and commitment to
plan development and implementation.
Addressing these elements, among other things, identifies the points
where systems are to be integrated and establishes common ground for
interproject planning and management, which is essential to ensuring
that project plans--and thus system solutions--are effectively
integrated. Our prior reviews at federal agencies and research on IT
management have shown that attempting to modernize IT systems without
performing such planning increases the risk of investing in system
solutions that are duplicative, are not well integrated, are
unnecessarily costly to maintain and interface, and do not effectively
optimize mission performance. Accordingly, until agencies develop
integrated approaches, we have recommended[Footnote 23] limiting IT
spending to cost-effective efforts that are congressionally directed;
are near-term, relatively small, and low-risk opportunities to leverage
technology in satisfying a compelling agency need; support operations
and maintenance of existing mission-critical systems; involve deploying
an already developed and fully tested system; or support establishing
integrated planning and other modernization management controls and
capabilities.
The FBI does not have a bureauwide integrated plan or set of plans for
its many systems modernization projects. Instead, divisions have
developed modernization plans covering solely those IT projects that
are within their respective lines of authority. These plans include (1)
division plans that describe to varying degrees how IT projects are to
be executed to support the accomplishment of division-specific
objectives and (2) capital asset plans and business cases--commonly
referred to as budget Exhibit 300s--that justify the resources needed
for the division's major IT projects. However, these plans are not
integrated and do not consistently demonstrate the elements of
integrated IT project planning. Specifically, of the six FBI divisions
we examined, two divisions--Cyber and CJIS--included the majority of
the elements of integrated project planning, while the other four
divisions each incorporated two or fewer of the elements. Table 3
summarizes our analysis.
Table 3: Extent to Which Divisions' Plans Address Modernization
Planning Elements:
Link projects to mission and strategic goals;
Division: Cyber: Criteria met;
Division: CJIS: Criteria not met;
Division: Information Resources: Criteria not met;
Division: Investigative Technology: Criteria not met;
Division: Program Management Office: Criteria met;
Division: Security: Criteria not met.
Identify and demonstrate performance gaps;
Division: Cyber: Criteria not met;
Division: CJIS: Criteria met;
Division: Information Resources: Criteria not met;
Division: Investigative Technology: Criteria not met;
Division: Program Management Office: Criteria not met;
Division: Security: Criteria met.
Define interdependencies among projects;
Division: Cyber: Criteria met;
Division: CJIS: Criteria met;
Division: Information Resources: Criteria not met;
Division: Investigative Technology: Criteria not met;
Division: Program Management Office: Criteria not met;
Division: Security: Criteria not met.
Assign responsibility for managing project interdependencies;
Division: Cyber: Criteria not met;
Division: CJIS: Criteria met;
Division: Information Resources: Criteria not met;
Division: Investigative Technology: Criteria not met;
Division: Program Management Office: Criteria not met;
Division: Security: Criteria met.
Identify risks with interdependencies and develop strategies to
mitigate the risks;
Division: Cyber: Criteria met;
Division: CJIS: Criteria met;
Division: Information Resources: Criteria not met;
Division: Investigative Technology: Criteria met;
Division: Program Management Office: Criteria met;
Division: Security: Criteria not met.
Ensure affected organizations provide input and are committed;
Division: Cyber: Criteria met;
Division: CJIS: Criteria met;
Division: Information Resources: Criteria not met;
Division: Investigative Technology: Criteria not met;
Division: Program Management Office: Criteria not met;
Division: Security: Criteria not met.
Source: GAO analysis of FBI data.
[End of table]
More specifically, our analysis for each of the modernization planning
elements showed the following:
* With respect to the first element, two divisions--Cyber and the
Program Management Office--consistently linked their projects to either
the bureau's strategic plan or its top 10 priorities. The other
divisions linked at least some of their individual projects to bureau-
level strategy. Linking individual projects to the FBI's strategic plan
is an essential step to ensuring that the bureau IT initiatives do not
overlap or leave gaps in mission functions and goals.
* Only two divisions (CJIS and Security) identified and demonstrated
gaps in existing capabilities. CJIS undertook an analysis of system
deficiencies and technology trends to identify and specify improvements
to its law enforcement systems. Security relied on prior reviews of
security incidents and comparisons of existing practices with best
practices to identify needed improvements in system security
requirements. Other divisions largely stated the need for improvements
in system capabilities and capacity without corresponding data on
current or projected mission shortfalls. This is crucial because
without supporting data to derive performance gaps, proposed
improvements may be unnecessary, insufficient, or not identified at
all. In addition, our research and experience[Footnote 24] with federal
IT modernizations show that projects with inadequately defined
improvements are likely to require more resources to plan and manage--
including planning and management of interdependencies--than those that
have been based on reliable performance data and thorough analysis.
* All of the divisions addressed the third element, in part, but only
two divisions--Cyber and CJIS--fully identified interdependencies for
all of their projects. For example, CJIS identified interrelationships
among business processes, systems, databases, networks, components, and
tools. The Investigative Technology Division, on the other hand, did
not consistently identify interdependencies for tools, networks, or
security. In addition, Security did not fully identify technical and
programmatic interdependencies. Identifying project interdependencies
is essential for recognizing the points of integration of projects and
systems and for establishing common ground for interproject planning
and management.
* The CJIS and Security divisions had the most robust mechanisms for
coordinating their project interdependencies with other parts of the
bureau and with external organizations. CJIS relies on its Advisory
Policy Board to identify needed improvements, assess impacts to
customers and their systems, and coordinate schedules and interfaces.
Security collaborates with system owners and managers through division
configuration and change control boards, the security certification and
accreditation process, and other mechanisms to integrate its security
projects and information assurance objectives. Both divisions have
well-defined responsibilities for their project team members. Other
divisions focused on coordination within individual project teams or a
single division, leaving mechanisms for interacting with other
divisions, systems, and technologies poorly defined. This is important
because vague responsibilities and processes for managing project
integration efforts can lead to omissions and conflicts in system
interfaces and project activities.
* The fifth element was satisfied by four of the six divisions.
Specifically, Cyber, CJIS, Investigative Technology, and the Program
Management Office consistently addressed integration risks in their
capital asset plans and business cases. Doing this is important because
it allows for the systematic identification of risks associated with
project interdependencies and management action to mitigate those
risks.
* Finally, the CJIS and Cyber divisions enlisted participation and
commitment from organizations affected by their projects and related
system improvements. For instance, CJIS partnered with the advisory
boards and councils, the vendor community, and the nation's criminal
justice community in successfully developing its systems. Other
divisions, such as Investigative Technology and the Program Management
Office, fell short of meeting this criterion because they did not
consistently specify a means for project personnel to collaborate with
other stakeholders on the development of integrated project plans.
Establishing such a means for knowledgeable personnel to contribute to
planning for interdependencies in areas such as project requirements,
interfaces, and timetables is key to ensuring stakeholder commitment to
project integration plans and their execution.
FBI officials from each of the divisions agreed with the results of our
analyses of their respective planning efforts and attributed the state
of their planning to several factors. First, as we previously
reported,[Footnote 25] the FBI does not have an enterprise
architecture, and thus business processes and IT systems have been
viewed parochially, rather than as corporate resources that must be
planned and managed on a bureauwide basis. Second, no bureau policy
exists for divisions to develop integrated IT project plans. Instead,
existing policy assigns responsibility for IT planning, including
planning for modernization projects, to divisions. Third, the bureau
has not assigned responsibility and authority for ensuring that
integrated bureauwide planning occurs. While the divisions are
responsible for project planning, no organization is responsible for
reviewing and approving the divisions' plans to ensure that mission
gaps across the bureau are fully addressed and project dependencies and
overlap are minimized.
According to the CIO, several efforts are underway and planned to
address these underlying weaknesses and strengthen modernization
planning. Consistent with our prior recommendations, the FBI has
established a program to develop an enterprise architecture. In doing
so, the bureau has, among other things, (1) established a program
office to manage the effort, (2) assigned a chief architect and
supporting personnel, (3) established an architecture governance board
that includes representatives from all divisions to review and identify
projects that are inconsistent with the existing IT environment and
inhibit internal and external information sharing, and (4) hired a
contractor to assist with developing the architecture. The bureau plans
to issue the first version of the architecture by the end of September
2004. This version is to document the bureau's current IT environment.
The bureau plans to issue the other key parts of the architecture--
namely, the future IT operating environment and transition plan--in
fiscal year 2005.
Also, the CIO is in the process of merging agencywide authority and
responsibility for IT, including systems modernization planning, under
the CIO in time to be reflected in the bureau's fiscal year 2006 budget
and associated capital investment plans and business cases. Further,
the CIO's office intends to hire a contractor to facilitate bureauwide
integrated planning, including the formulation of integrated plans for
systems modernization projects.
Until the FBI completes these and other efforts to introduce an
integrated approach to IT project planning, there is increased risk
that the bureau's IT systems will be unnecessarily duplicative, will
later require expensive rework to be integrated, and will thus hamper
organizational transformation efforts. According to the FBI, this risk
has already become reality in the case of five key infrastructure
projects (including Trilogy and the Integrated Data Warehouse) that
were launched independently between May 2001 and June 2003 and later
found to have significant areas of overlap. The FBI attributed the
redundancy in part to the lack of integrated planning.
Policies and Procedures Governing Key Systems Modernization Management
Capabilities Are Partially in Place and Further Improvements Are
Planned:
Establishing effective corporate policies and procedures for managing
IT human capital, acquiring systems, and making investment decisions
are examples of key best practices that leading organizations use to
modernize their IT systems and facilitate organizational
transformation. The FBI has such policies and procedures for managing
IT human capital; however, it does not yet have a documented and
consistent approach for acquisition and investment management.
Specifically, adoption of best practices for acquisition management
policies and procedures in such areas as configuration management and
quality assurance varies among divisions, and bureau investment
management policies and procedures, including selection and control
processes, are still under development. The state of the FBI's
acquisition and investment management policies and procedures is due to
a number of factors, including diffused and decentralized IT management
authority, past inattention to IT management, and lack of sustained IT
leadership. The CIO has recently taken steps to strengthen policies and
procedures in each of these areas. Until this is completed, the bureau
will be challenged in its ability to effectively manage all of its
systems modernization projects, and thus is at increased risk of
acquiring systems that do not adequately satisfy mission needs on
schedule and within budget, which could hamper the bureau's systems
modernization and organizational transformation.
Strategic IT Human Capital Management Policies and Procedures Have Been
Developed:
As we have previously reported,[Footnote 26] strategic human capital
management includes viewing people as assets whose value to an
organization can be enhanced by investing in them. As the value of
people increases, so does the performance capacity of the organization.
In March 2002, GAO, based on our experience with leading organizations,
issued a model[Footnote 27] with four cornerstones[Footnote 28]
encompassing strategic human capital management. One of the
cornerstones, strategic workforce planning (also called strategic human
capital planning), enables organizations to remain aware of and be
prepared for current and future needs as an organization, ensuring that
they have the knowledge, skills, and abilities needed to pursue their
missions. In December 2003, GAO issued a set of key principles, or
practices, for effective strategic human capital planning.[Footnote 29]
These practices include:
* involving top management, employees, and other stakeholders in
developing, communicating, and implementing a strategic workforce plan;
* determining the critical skills and competencies that will be needed
to achieve current and future programmatic results;
* developing strategies that are tailored to address gaps between the
current workforce and future needs;
* building the capability to support workforce strategies; and:
* monitoring and evaluating an agency's progress toward its human
capital goals and the contribution that human capital results have made
to achieving programmatic goals.
These practices are generic and apply to any organization or
organizational component, such as an agency's IT organization.
The bureau has developed IT human capital policies and procedures and
incorporated them into the bureau's enterprisewide strategic human
capital plan issued in March 2004.[Footnote 30] These IT policies and
procedures are in alignment with the key best practices discussed
above. For example, they call for top management stakeholders (e.g.,
the CIO, the head of the Office of Strategic Planning, and the head of
Administration) and other stakeholders (e.g., section and unit chiefs)
to be involved with the development, communication, and implementation
of these policies and procedures. Further, the policies and procedures
provide for the development of a detailed data bank to store critical
skills needed in the development and selection of personnel, including
IT staff. They also define strategies to address workforce gaps,
including recruiting programs that provide for tuition assistance and
cooperative education. In addition, the policies and procedures call
for establishing an IT center to support workforce strategies and train
existing personnel for future competencies and skills that will be
needed. Further, the policies and procedures require monitoring and
evaluating the agency's progress by tracking implementation plans to
ensure that results are achieved on schedule.
The FBI will face challenges as it implements its strategic IT human
capital policies and procedures. As we have previously
reported,[Footnote 31] when implementing new human capital policies and
procedures, how it is done, when it is done, and the basis on which it
is done can make all the difference in whether such efforts are
successful. With successful implementation, the bureau can better
position itself to ensure it has the right people, in the right place,
at the right time to effectively modernize IT and transform the
organization.
Use of Best Practices in Systems Acquisition Policies and Procedures
Varies Widely among the Divisions:
The Clinger-Cohen Act[Footnote 32] requires, among other things, the
establishment of effective IT management policies and procedures. The
Software Engineering Institute's Capability Maturity Models™[Footnote
33] provide for 30 best practice policies and procedures for five key
systems acquisition management areas--configuration management,
project management, quality assurance, requirements development and
management, and risk management. Collectively, these management areas
and associated best practices provide a foundation for:
* acquiring systems that allow organizations to manage changes to the
system configurations;
* tracking project cost, schedule, and performance;
* defining standards to ensure integrity in products;
* establishing clearly defined and managed requirements; and:
* identifying and mitigating risks.
Each management area has five to seven best practices associated with
it that, when properly defined and implemented, assist organizations in
performing effectively in that area. A detailed list of the practices,
by management area, is in appendix III.
The acquisition management policies and procedures currently in place
at the FBI for these five areas vary widely by division. While each of
the six divisions we examined has policies and procedures that
incorporate many best practices, these divisions' policies and
procedures also do not address important practices. For example, in
project management, the divisions' policies and procedures generally
addressed all of the best practices. Conversely, in requirements
development and management, four of the six divisions' policies and
procedures addressed fewer than half of the best practices for that
area. See figure 2 for a summary of our analysis.
The FBI attributed the variance among divisions and the lack of
alignment with best practices to, among other things, the bureau's
decentralized approach to managing IT and past inattention given to IT
management. Until recently, authority for managing IT, along with
budget control, was diffused and decentralized among the divisions. In
addition, the FBI did not establish bureauwide policies and guidance
for developing systems acquisition policies and procedures consistently
and in accordance with best practices. As such, the divisions defined
policies and procedures independently from one another, contributing to
different sets of policies and procedures.
To strengthen the FBI's systems acquisition capabilities, the CIO has
efforts planned and under way to define and implement bureauwide
systems acquisition policies and procedures that are to incorporate
best practices. Until this is accomplished, the bureau will be
challenged in its ability to manage all of its systems modernization
projects and thus is at increased risk that it will be unable to
deliver promised capabilities on time and within budget.
Figure 2: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Best Practices:
[See PDF for image]
[End of figure]
The analyses in the following sections show the variance among
divisions in their use of best practices for the five acquisition
management areas: configuration management, project management,
quality assurance, requirements development and management, and risk
management. An analysis of each division is in appendix III.
Configuration Management:
Configuration management involves identifying the configuration (i.e.,
descriptive characteristics of a system) at a given point in time,
systematically controlling changes to that configuration, and
maintaining the integrity of the configuration throughout the system's
life cycle. Effective policies and procedures for configuration
management[Footnote 34] include the following practices:
1. defining roles and responsibilities, including identifying a person
or group with authority for managing a system's baselines and approving
changes to the baselines;
2. developing a plan that defines the activities to be performed, the
schedule of the activities, and the resources required (e.g., staff);
3. establishing a repository (also called a library), using tools and
procedures to store and retrieve the configuration and to maintain
control over changes to it;
4. identifying, documenting, managing, and controlling configuration
items and their associated baselines;
5. managing system change requests and problem reports by ensuring that
configuration changes are initiated, recorded, reviewed, approved, and
tracked;
6. periodically reporting status of the configuration; and:
7. periodically auditing baselines, including assessing the integrity
and correctness of baselines, reporting audit results, and tracking
audit action items to closure.
The policies and procedures for three of the six divisions addressed
these seven best practices, while policies and procedures for two
divisions addressed all but one or two of the practices. The remaining
division's policies and procedures addressed just one of the seven
practices. See figure 3 for a summary of our analysis.
The key practices that are not addressed in division policies and
procedures are important and their absence can negatively impact the
divisions' ability to effectively manage the configuration of their
respective systems and thus their systems' ability to efficiently and
effectively support division objectives. In particular, Investigative
Technology's policies and procedures did not identify configuration
management roles and responsibilities. This is important because
project teams need to have a responsible party for approving and
controlling changes. To do otherwise would allow anyone to make random
changes to the configuration, potentially causing unnecessary rework
and reconfiguration. As another example, this division's policies and
procedures did not establish a library system. This is also critical to
successful configuration management because the library system stores
the initial configuration of the system as well as any subsequent
changes. Without the library system, the project team would be unable
to ensure the correctness of the current configuration.
In addition, the Program Management Office's policies and procedures
did not provide for periodic baseline auditing and periodic management
review of the status of configuration management activities. These
practices are important because they verify that projects are in
compliance with applicable configuration management standards and
procedures, and they provide awareness of and insight into systems
process activities at the appropriate level and in a timely manner.
Figure 3: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Configuration Management Best
Practices:
[See PDF for image]
[End of figure]
Project Management:
The purpose of project management is to manage the activities of the
project office and supporting organization to ensure a timely,
efficient, and effective acquisition. Effective policies and procedures
for project management[Footnote 35] include the following practices:
1. identifying project management roles and responsibilities;
2. developing a project management plan;
3. baselining and tracking the status of project cost, schedule, and
performance, including associated risks;
4. establishing a process to identify, record, track, and correct
problems discovered during the acquisition; and:
5. periodically reviewing and communicating the status of project
management activities and commitments with management and affected
groups.
The policies and procedures for five of the six divisions addressed all
five of these project management practices; one division did not
address two practices. Specifically, Cyber's policies and procedures
did not identify processes for baselining and tracking project cost,
schedule, performance status, and associated risks. See figure 4 for a
summary of our analysis. This practice is important because it provides
measurable benchmarks against which to gauge progress, identify
deviations from expectations, and permit timely corrective action to be
taken. Without this practice, the chances of system projects costing
more than budgeted, taking longer than envisioned, and not performing
as intended are greatly increased. The division's policies and
procedures also did not provide for a process to identify, record,
track, and correct problems. This practice is important because it
provides for systematically managing and controlling issues that impact
cost, schedule, or performance.
Figure 4: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Project Management Best Practices:
[See PDF for image]
[End of figure]
Quality Assurance:
Quality assurance describes processes for providing independent
assessments of whether management process requirements are being
followed and whether product standards and requirements are being
satisfied. Effective quality assurance policies and
procedures[Footnote 36] include the following practices:
1. identifying quality assurance roles and responsibilities;
2. having a quality assurance plan;
3. participating in the development and review of plans, standards, and
procedures;
4. reviewing work activities and products;
5. documenting and handling deviations from standards and procedures
that are found in activities and work products; and:
6. periodically reporting and reviewing the results and findings of
quality assurance activities with management.
One division has incorporated these six quality assurance practices in
its policies and procedures; the remaining five divisions included all
but one or two. See figure 5 for a summary of our analysis. For
example, the policies and procedures for Counterterrorism and
Information Resources do not address participating in the development
and review of plans, standards, and procedures, which is key to
ensuring that they are aligned with relevant systems acquisition
policies, are appropriately tailored to meet project needs, and are
usable for performing quality reviews and audits. In addition, the
policies and procedures for Cyber, Investigative Technology, and the
Program Management Office do not include periodic reporting and reviews
of the results and findings of quality assurance activities. This
practice is important to ensuring that issues and concerns that could
impede quality outcomes are disclosed so that appropriate corrective
action can be taken. If they are not disclosed, the chances of system
cost, schedule, and performance shortfalls are increased.
Figure 5: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Quality Assurance Best Practices:
[See PDF for image]
[End of figure]
Requirements Development and Management:
Requirements development and management involves establishing and
maintaining agreement on what the system is to do (functionality), how
well it is to do it (performance), and how it is to interact with other
systems (interfaces). Effective policies and procedures for
requirements development and management[Footnote 37] include the
following practices:
1. identifying requirements development and management roles and
responsibilities;
2. involving end users in development of and changes to requirements;
3. having a requirements management plan;
4. developing and baselining requirements, and controlling changes to
them;
5. appraising changes to requirements for their impact on the project
or IT environment;
6. maintaining traceability among requirements and other project
deliverables; and:
7. periodically reviewing the status of requirements activities with
management.
With one exception (CJIS), the policies and procedures for the
divisions generally did not address the above practices. See figure 6
for a summary of our analysis. For instance, while the Program
Management Office's policies and procedures met four of the seven
practices, such as involving end users in development of and changes to
the requirements and reviewing the status of project requirements
activities with management, they did not address maintaining
traceability among requirements and other project deliverables. This
practice is important because it ensures that project deliverables used
to acquire systems are consistent with end user needs, which is
critical to delivering systems that perform as intended and thus meet
mission needs.
Moreover, the policies and procedures of four divisions--namely
Counterterrorism, Cyber, Information Resources, and Investigative
Technology--satisfied three or fewer of the practices. For example,
none of the four divisions' policies and procedures addressed
appraising changes to requirements for their impact on the project or
the IT environment. Appraising changes is important because it allows
management and the project team to determine whether changes to the
requirements, along with their associated effect on the existing IT
environment as well as project cost and schedule estimates, would be
worthwhile. Additionally, Investigative Technology was missing six of
seven practices, including developing and baselining requirements and
maintaining them under change control. These practices are essential to
ensuring that requirements are completely and correctly defined and
that uncontrolled changes, commonly referred to as "requirements
creep," are mitigated.
Figure 6: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Requirements Development and Management
Practices:
[See PDF for image]
[End of figure]
The actual consequences of not having effective requirements
development and management policies and procedures can be seen in the
performance of the bureau's Trilogy project, which is to replace aging
systems infrastructure and consolidate and modernize key investigative
case management applications. The FBI reported that, as of August 2004,
Trilogy:
has experienced a delay of at least 21 months and a cost increase of
$201 million. According to the CIO, the project's added time and cost
were due in large part to requirements development and management
process weaknesses.
Risk Management:
Managing risks means proactively identifying facts and circumstances
that increase the probability of failing to meet system expectations
and commitments and taking steps to prevent failures from occurring.
Effective policies and procedures for risk management[Footnote 38]
include the following practices:
1. identifying risk management roles and responsibilities;
2. having a risk management plan;
3. integrating risk management with other management and planning
functions;
4. identifying, analyzing, controlling, and mitigating project risks;
and:
5. periodically reviewing the status of project risks and risk
mitigation activities with management.
The policies and procedures of all six divisions incorporate two or
more of the five risk management best practices. See figure 7 for a
summary of our analysis. However, key practices were not addressed. For
example, all of the divisions' policies and procedures do not provide
for integrating risk management with other planning and management
functions. This practice is important because it ensures that possible
risks and mitigation strategies are adequately provided for in project
planning schedule estimates and identified risks are assessed for
impact to the organization's IT environment. In addition, the policies
and procedures of Counterterrorism, Cyber, and Information Resources do
not provide for periodically reviewing the status of project risks and
risk mitigation activities with management, a process that is key to
ensuring that management is aware of risks to the project, plans to
mitigate these risks, and the status and progress of mitigation
activities.
Figure 7: Extent to Which Six FBI Divisions' Systems Acquisition
Policies and Procedures Address Risk Management Best Practices:
[See PDF for image]
[End of figure]
IT Investment Management Policies and Procedures Are Evolving Slowly
toward Alignment with Best Practices:
The Clinger-Cohen Act of 1996[Footnote 39] provides an important
framework for effective investment management. It requires federal
agencies to focus on the results they achieve through IT investments
while concurrently improving their acquisition processes. It also
requires discipline and structure in how agencies select and control
investments. In May 2000, we issued a framework[Footnote 40] (which we
updated in March 2004) that encompasses IT investment management best
practices, including investment selection and control policies and
procedures, and is based on our research at successful private and
public sector organizations. This framework is consistent with the
Clinger-Cohen Act and identifies, among other things, effective
policies and procedures for developing an enterprisewide collection--or
portfolio--of investments to enable an organization to determine
priorities and make decisions across investment categories based on
analyses of the relative organizational value and risks of all
investments. These portfolios include three types of IT investments--
planned (proposed systems or system enhancements), under way (systems
under development), and completed (existing systems). The framework
also calls for integrating and overseeing these investments to manage
the complete portfolio of investments.
The bureau's efforts to define IT investment policies and procedures
are evolving slowly toward alignment with best practices. Specifically,
according to officials from the CIO's office, the bureau has had three
separate and sequential efforts to develop its investment management
process. The first effort started in December 2001, when the bureau
developed an investment management and transition plan. This plan
called for establishing and defining bureau policies and procedures for
the select, control, and evaluate steps set forth in GAO's framework.
In March 2002, the FBI completed the definition of select phase
procedures and began pilot testing them in developing its fiscal year
2004 IT budget request for new investments and legacy (existing) system
enhancements bureauwide. The bureau completed the pilot in May 2002,
but efforts to further define policies and procedures for the control
and evaluate phases stalled and were not fully completed.
In early 2003, the bureau began its second effort--shifting focus on
its investment management process by initiating development of a new
process for investing in IT and other non-IT assets such as buildings
and plant equipment. According to officials from the CIO's office,
development of the process stalled at the end of 2003, before it could
be fully implemented.
In early 2004, the bureau started its third and current effort. The FBI
decided to have separate policies and procedures for IT due to the
differences in IT and non-IT investments. According to the CIO, the
bureau's current processes for IT investment management include one for
investments that are planned and under way and another for maintenance
of existing systems. The process for investments that are planned and
under way is still being defined. The CIO has established a program
office and has allocated staff, but the work is just beginning and is
not planned to be completed until the second quarter of fiscal year
2005. For existing systems, the bureau developed a set of policies and
procedures that define a process to allocate operations and maintenance
resources against competing needs by assessing the performance of
existing systems. The bureau is piloting the process on different types
of systems (e.g., application, infrastructure) with the goal of
enterprisewide implementation by April 2005. Between June and December
2003, the program office tested the procedures on Information Resources
application systems. A second pilot was recently initiated in April
2004 on Information Resources infrastructure systems, with the goal of
completing the test by November 2004. According to the CIO, the bureau
has hired a contractor to assist with enterprisewide rollout, which
began in June, and is also in the process of acquiring a tool to manage
its IT investment portfolio.
According to bureau officials, including the current CIO, the slowly
evolving state of investment management is due in part to the fact that
the bureau CIO position, which is responsible for developing the
requisite policies and procedures, has had a high rate of turnover.
Specifically, the CIO has changed five times in the past 2 1/2 years.
As a result, development of investment management policies and
procedures has not benefited from sustained management attention and
leadership, and thus has shifted focus repeatedly and lagged. Until
planned and ongoing improvements are completed, the FBI will lack
effective controls over its IT investments and thus will be unable to
ensure that the mix of investments it is pursuing is the best to meet
the bureau's goals for modernizing IT and transforming the
organization.
Improvements Are Planned for Developing Systems Modernization
Management Capabilities:
The CIO has acknowledged the weaknesses in systems acquisition
management and investment management and has improvements planned to
strengthen them. For example, according to the CIO, the FBI is
establishing a strategic planning process as part of a bureauwide IT
management effort. The CIO also said that the results of the strategic
planning process will be used to guide the enterprise architecture and
IT investment management. In putting this process in place, the FBI has
drafted an IT strategic plan (to be issued in September 2004) that
outlines ongoing and planned efforts to strengthen both investment
management and systems acquisition policies and procedures by
standardizing them across the bureau and incorporating best practices
such as GAO's investment management model and best practices in
configuration management and quality assurance. In addition, the CIO
has begun efforts to establish bureauwide requirements development and
management policies and procedures by developing a process for
requirements definition--the first step in developing requirements. The
CIO has also drafted a life cycle management process that is to
integrate systems acquisition management, investment management, and
other key IT domain areas, such as IT strategic planning and enterprise
architecture. According to the CIO, this integration is to be completed
by the end of 2006.
These improvements, if properly defined and implemented, will increase
the FBI's modernization management capabilities. However, we remain
concerned about their completion for several reasons. First, the
improvements have yet to be completely defined and implemented. In
addition, other key ingredients to effective IT management--development
of a modernization blueprint and the establishment of integrated
project planning--are not yet in place. Further, as discussed earlier,
the FBI has had problems sustaining leadership and management attention
for similar IT improvements.
Conclusions:
The FBI is beginning to lay the management foundation needed for
comprehensive improvements in its systems modernization management
approach and capabilities. The foundational steps are in appropriate
areas, such as development of a modernization blueprint (enterprise
architecture), initiation of integrated project planning, and
establishment of IT management policies and procedures for human
capital, systems acquisition, and investment selection and control.
However, the steps still need to be fully defined and properly
implemented across the bureau to produce the integrated systems
environment needed to optimally support mission needs and produce
system investments that deliver expected capabilities and mission
benefits on time and within budget and thus support the organizational
transformation. This will require senior executive leadership and
commitment and provision of sufficient CIO authority to fully define
and institutionalize effective IT management approaches and
capabilities bureauwide. Such commitment includes vesting
accountability and responsibility for managing IT under the CIO--
including budget management control and oversight of IT programs and
initiatives--and aligning modernization planning and management
policies and procedures with the best practices of leading
organizations. Until this occurs, the bureau will remain challenged in
its ability to effectively and efficiently manage its systems
modernization efforts, and thus its near-term investments in modernized
systems will remain at risk.
Recommendations for Executive Action:
Until the bureau's IT management foundation is completed and available
to effectively guide and constrain the hundreds of millions of dollars
it is spending on IT investments, we recommend that the Director direct
the heads of the divisions to limit spending on their respective IT
investments to cost-effective efforts that:
* are congressionally directed;
* take advantage of near-term, relatively small, low-risk opportunities
to leverage technology in satisfying a compelling bureau need;
* support operations and maintenance of existing systems critical to
the FBI's mission; or:
* support establishment of the FBI's IT management foundation,
including the development of a modernization blueprint (enterprise
architecture), initiation of integrated project planning, and
development of IT management policies and procedures for systems
acquisition and investment selection and control.
In establishing the management foundation, we recommend that the FBI
Director provide the CIO with the responsibility and authority for
managing IT bureauwide, including budget management control and
oversight of IT programs and initiatives.
In addition, we recommend that the FBI Director, with assistance from
the CIO, ensure that future and ongoing modernization plans and efforts
are effectively integrated by taking five actions: (1) establishing a
bureauwide requirement (policy) to develop an integrated plan (or set
of plans) for modernization investments, (2) developing corresponding
guidance on plan contents and scope, (3) ensuring the appropriate
resources and training are available to implement policy and guidance,
(4) assigning responsibility and accountability for developing the
plans, and (5) assigning responsibility and accountability to the CIO
for reviewing the plans to ensure adherence to the policy and guidance,
including alignment with the bureau's enterprise architecture.
We also recommend that the FBI Director, with the CIO's assistance,
take four actions to ensure that the bureau establishes effective
policies and procedures for systems acquisition and investment
management selection and control. With regard to systems acquisition,
we recommend (1) correcting the weaknesses in configuration management,
project management, quality assurance, requirements development and
management, and risk management policies and procedures described in
this report's body and detailed in appendix III and implementing the
resulting changes accordingly; and (2) assessing the other divisions
that manage IT investments to determine whether their policies and
procedures align with best practices and, to the extent there are gaps,
correcting them. With regard to IT investment management, we recommend
(3) developing the bureau's investment management processes in
accordance with key IT investment decision-making best practices, such
as GAO's IT investment management framework; and (4) identifying, and
acting on, options for speeding up their implementation.
Agency Comments and Our Evaluation:
In its written comments on a draft of this report, which were signed by
the CIO and are reprinted in appendix IV, the FBI agreed that the
bureau is taking steps to lay the management foundation for improving
IT operations. The FBI also agreed that, while progress is being made,
much work remains to implement and institutionalize planned and ongoing
IT management improvements. It stated that our recommendations are
consistent with the FBI's internal reviews and with those of other
oversight entities. In addition, the FBI described actions planned and
under way to address our recommendations and provided technical
comments, which we have incorporated, as appropriate, in the report.
We are sending copies of this report to the Chairman and Vice Chairman
of the Senate Select Committee on Intelligence, and the Chairman and
Vice Chairman of the House Permanent Select Committee on Intelligence.
We are also sending copies to the Attorney General; the Director, FBI;
the Director, Office of Management and Budget; and other interested
parties. The report will also be available without charge on GAO's Web
site at [Hyperlink, http://www.gao.gov].
Should you have any questions about matters discussed in this report,
please contact me at (202) 512-3439 or by e-mail at
[Hyperlink, hiter@gao.gov]. Key contributors to this report are listed
in appendix V.
Signed by:
Randolph C. Hite,
Director, Information Technology Architecture and Systems Issues:
[End of section]
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
As agreed with your offices, our objectives were to examine whether the
FBI has (1) an integrated plan for modernizing its IT systems, and (2)
effective policies and procedures governing management of IT human
capital, systems acquisition, and investment selection and control. For
the first objective, we focused on the bureau's IT modernization plan
and supporting documents. In light of the FBI's response that its
divisions were responsible for modernization planning, we included six
divisions in our scope of work--Criminal Justice Information Services
(CJIS), Cyber, Information Resources, Investigative Technology, the
Program Management Office, and Security--because they had the largest
planned or ongoing IT modernization investments. For the second
objective, we focused on the bureau's policies and procedures for IT
human capital, systems acquisition, and investment selection and
control. In response to this request, bureau officials told us that
systems acquisition policies and procedures were developed within each
division. To obtain a crosscutting sample, we analyzed the systems
acquisition policies and procedures of at least one division with major
IT modernization investments from each of the components,[Footnote 41]
based on funding for fiscal years 2003 through 2005; thus, the scope
for systems acquisition included Counterterrorism, CJIS, Cyber,
Information Resources, Investigative Technology, and the Program
Management Office.
To address the first objective--determining whether the FBI had an
integrated plan or set of plans for modernizing its IT systems--we
reviewed program plans, IT capital asset plans and business cases
(commonly called Exhibit 300s), and other supporting documentation from
each of the six divisions, as well as the bureau's strategic plan,
draft IT strategic plan, and information sharing strategy, and then
compared this documentation with Office of Management and Budget (OMB)
planning guidance[Footnote 42] and our research and past experience on
federal systems modernizations to determine the extent to which the
plans exhibited an integrated approach to managing IT projects,
including addressing project interdependencies. We also interviewed FBI
officials from these organizations, as well as the Finance Division,
Counterterrorism Division, Counterintelligence Division, Office of
Intelligence, and the Office of the Chief Information Officer (CIO) to
(1) verify and clarify our understanding of headquarters and division
modernization planning roles, processes, and products; (2) determine
why division plans did not fully satisfy the elements of effective
modernization planning; and (3) identify the effects of not having a
fully integrated modernization plan (or set of plans).
In addressing the second objective--determining whether the bureau has
effective policies and procedures governing management of IT human
capital, IT systems acquisition, and IT investment selection and
control--we assessed whether bureau policies and procedures were fully
consistent with the practices of successful private and public IT
organizations and, where appropriate, those specified in relevant
federal IT management laws and administrative guidance (e.g., OMB
circulars and agency-specific rules and regulations) that embody such
best practices. A detailed description of our methodology for each of
these management controls and capabilities is provided below.
To evaluate the bureau's policies and procedures in IT human capital
management, we analyzed the FBI's strategic human capital plan,
specifically those parts addressing IT human capital management. We
then compared the results of our analysis with best practices for
strategic workforce planning.[Footnote 43] We chose strategic workforce
planning because it is central to strategic human capital management
for organizations, like the FBI, that are in the early stages of
transformation. In addition, these practices apply to any organization
or organizational component, such as the bureau's IT organization. We
also interviewed senior FBI officials, including the CIO and the
assistant director responsible for the bureau's human capital effort,
to verify and clarify our understanding of headquarters and division
human capital policies and procedures.
To determine whether the FBI has effective policies and procedures
governing management of IT systems acquisition, we compared division-
level policies and procedures with best practices. In doing so, we
focused on the following key areas: configuration management, project
management, quality assurance, requirements development and
management, and risk management. We evaluated these areas because they
are used throughout the systems acquisition life cycle and are critical
to the success of organizations, like the FBI, that are in the early
stages of systems modernization. Best practices for these areas are
provided in the Carnegie Mellon University Software Engineering
Institute's Capability Maturity Models.[Footnote 44] To document
division policies and procedures, we reviewed division-level management
plans and handbooks, standard operating procedures, common software
processes, systems development life cycle guidance, management group
charters, and management plan templates. We then compared the policies
and procedures with best practices for the five key management areas.
In addition, we interviewed the CIO and FBI division officials who were
responsible for IT systems acquisition management to (1) verify and
clarify our understanding of division-level policies and procedures in
each of the five control areas; (2) identify planned and ongoing
initiatives to, among other things, improve systems acquisition
management across the bureau, including the definition and
implementation of a bureauwide systems life cycle management process
that is to include systems acquisition management policies and
procedures consistent with best practices; (3) determine why divisions
varied in their use of best practices; and (4) determine the effects of
not having these practices in place on ongoing and planned systems
modernization initiatives.
To evaluate the bureau's IT investment management, including selection
and control, we reviewed the Inspector General's December 2002 report
and audit follow-up memoranda[Footnote 45] on the bureau's efforts to
develop and implement effective investment management processes. We
also reviewed bureau documents, including the draft IT strategic plan,
on steps taken since the Inspector General's 2002 report. Further, we
interviewed the CIO and officials from the CIO's office responsible for
investment and portfolio management to understand improvements under
way and planned, why progress has been slow, and the effect of not
having effective policies and procedures in place and operating while
the bureau continues to make large investments in modernized systems.
Finally, to verify our findings and validate our assessments, we met
and discussed with the CIO and the affected division officials our
analysis of the state of integration plans and IT management policies
and procedures.
We performed our work at FBI headquarters in Washington, D.C., and at
field locations in Clarksburg, West Virginia, and Quantico, Virginia,
from November 2003 through July 2004, in accordance with generally
accepted government auditing standards.
[End of section]
Appendix II: Brief Descriptions of Major IT Systems Modernization
Initiatives:
Initiative: Aurora;
Description of intended functions and services: Provide system
architectural, engineering, development, integration, and test services
to complete the modernization of FBI information technology.
Initiative: Collaborative Capabilities;
Description of intended functions and services: Provide direct access
to law enforcement and intelligence databases from a collection of
personal computers connected through a common unclassified FBI local
area network.
Initiative: Combined DNA Index System;
Description of intended functions and services: Enable federal, state,
and local crime laboratories to exchange and compare DNA profiles
electronically, including the capability to link serial violent crimes
to each other and to convicted offenders.
Initiative: Computer Analysis Response Team;
Description of intended functions and services: Ensure the ability of
the FBI to collect, preserve, examine, and present computer evidence
in support of FBI investigative programs, including developing
technical capabilities that provide timely and accurate forensic
information and preserving evidence to be analyzed by
counterintelligence and counterterrorism experts.
Initiative: Digital Collection;
Description of intended functions and services: Ensure the ability of
the FBI to collect evidence and intelligence (for example, from
telephone calls and modem transmissions) through the acquisition,
deployment, and support of communications interception techniques and
systems to facilitate and support national security, domestic
counterterrorism, and criminal investigative efforts.
Initiative: Electronic Surveillance Data Management System;
Description of intended functions and services: Implement a system
architecture that increases the FBI's ability to manage, analyze, and
share electronic surveillance and other types of collected data, and
integrates data analysis capabilities to improve the efficiency with
which investigators can develop leads and intelligence.
Initiative: Foreign Terrorism Tracking Task Force;
Description of intended functions and services: Manage data for end-to-
end decision making that contributes to the mission of keeping foreign
terrorists and their supporters out of the United States or leads to
their exclusion, denial of benefits, surveillance, or prosecution.
Initiative: Integrated Automated Fingerprint Identification System;
Description of intended functions and services: Provide the local,
state, federal, and international law enforcement community and
homeland security organizations with criminal history services and the
capability to search the FBI fingerprint repository for matches to ten-
print and latent fingerprints.
Initiative: Investigative Data Warehousing and Virtual Knowledge Base;
Description of intended functions and services: Provide the capability
to easily and rapidly search and share counterterrorism and criminal
investigative information--including text, photographs, video, and
audio material--across the FBI and with federal, state, and local
organizations.
Initiative: IT Security/Information Assurance;
Description of intended functions and services: Provide a foundation
for safeguarding the FBI's information, including developing a
comprehensive and proactive security program, improving security
awareness, monitoring FBI systems, conducting vulnerability
assessments, and establishing a critical incident response capability.
Initiative: Joint Terrorism Task Force, Information Sharing Initiative;
Description of intended functions and services: Provide the IT
infrastructure required to support the task force's efforts to capture
the cumulative knowledge of area law enforcement agencies and the
federal government in a systematic and ongoing manner so as to produce
regional counterterrorism and crime strategies and cooperative
investigations.
Initiative: Legat/International Infrastructure;
Description of intended functions and services: Provide IT support and
services to the FBI's foreign locations, including reducing
vulnerabilities to accessing and sharing critical, time-sensitive
information internationally.
Initiative: National Crime Information Center 2000;
Description of intended functions and services: Provide an online
computerized index of crime information--including information about
individuals, vehicles, and property--to local, state, federal, and
international law enforcement and criminal justice agencies.
Initiative: National Instant Criminal Background Check System;
Description of intended functions and services: Conduct name searches
and provide criminal history records on individuals purchasing firearms
or transferring ownership of firearms.
Initiative: Security Management Information System;
Description of intended functions and services: Support all activities
and functions within the bureau's Security division, including
replacing manual work processes with efficient streamlined automation,
consolidating existing security applications, and enhancing electronic
information sharing with other FBI divisions, the law enforcement
community, and the intelligence community.
Initiative: Sensitive Compartmented Information Operational Network;
Description of intended functions and services: Provide a backup system
for the top secret/sensitive compartmented information local area
network and expand the user base of this network within FBI
headquarters, field offices, and other facilities.
Initiative: Special Technologies Applications Section;
Description of intended functions and services: Provide IT resources
and services for investigations of federal violations in which the
Internet, computer systems, or networks are exploited as instruments
or targets of terrorist organizations, foreign government-sponsored
intelligence operations, or criminal activity.
Initiative: Trilogy;
Description of intended functions and services: Introduce new systems
infrastructure and upgrade existing investigative and intelligence
applications, including establishing an enterprise network to enable
communications among hundreds of domestic and foreign FBI locations.
Source: GAO analysis of FBI data.
[End of table]
[End of section]
Appendix III: Summary of Systems Acquisition Analyses for Six FBI
Divisions:
Analyses for CJIS, Counterterrorism, and Cyber:
Acquisition management control: Configuration management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Configuration management;
Best practice elements: Developing a configuration management plan;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Configuration management;
Best practice elements: Establishing a library system;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Configuration management;
Best practice elements: Identifying, documenting, managing, and
controlling configuration items and baselines;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Configuration management;
Best practice elements: Managing change requests and problem reports;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Configuration management;
Best practice elements: Periodically auditing baselines;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Configuration management;
Best practice elements: Periodically having management review the
status of configuration management activities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: No.
Acquisition management control: Project management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Project management;
Best practice elements: Developing a project management plan;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Project management;
Best practice elements: Baselining and tracking project cost, schedule, and performance status and associated risks;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: No.
Acquisition management control: Project management;
Best practice elements: Establishing a corrective action system to
identify, record, track, and correct problems;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: No.
Acquisition management control: Project management;
Best practice elements: Periodically reviewing and communicating the
status of project management activities and commitments;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Developing a quality assurance plan;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Participating in the development and review of
integration plans, standards, and procedures;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Acquisition management control: Quality assurance;
Best practice elements: Reviewing activities and work products to
verify compliance with applicable standards and procedures;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Documenting and handling deviations in
activities and work products;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Periodically reporting and reviewing the
results and findings of quality assurance activities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Requirements development and
management;
Best practice elements: Involving end users in development of and
changes to requirements;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Requirements development and
management;
Best practice elements: Developing a requirements management plan;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Developing and baselining requirements, and
maintaining them under change control;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Appraising changes to requirements for their
impact on the project or IT environment;
Addressed by division policy? CJIS: No;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Maintaining traceability among requirements
and project deliverables;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Requirements development and
management;
Best practice elements: Periodically reviewing the status of
requirements development and management activities with management;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Acquisition management control: Risk management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? CJIS: No;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: No.
Acquisition management control: Risk management;
Best practice elements: Developing a risk management plan;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Risk management;
Best practice elements: Integrating risk management with other
planning and management functions;
Addressed by division policy? CJIS: No;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Acquisition management control: Risk management;
Best practice elements: Identifying, analyzing, controlling, and
mitigating project risks;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: Yes;
Addressed by division policy? Cyber: Yes.
Acquisition management control: Risk management;
Best practice elements: Periodically having management review the
status of project risks and risk management activities;
Addressed by division policy? CJIS: Yes;
Addressed by division policy? Counterterrorism: No;
Addressed by division policy? Cyber: No.
Source: GAO analysis of FBI data.
[End of table]
Analyses for Information Resources, Investigative Technology, and
Program Management Office:
Acquisition management control: Configuration management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Configuration management;
Best practice elements: Developing a configuration management plan;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Configuration management;
Best practice elements: Establishing a library system;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Configuration management;
Best practice elements: Identifying, documenting, managing, and
controlling configuration items and baselines;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Configuration management;
Best practice elements: Managing change requests and problem reports;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Configuration management;
Best practice elements: Periodically auditing baselines;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Configuration management;
Best practice elements: Periodically having management review the
status of configuration management activities;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Project management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Project management;
Best practice elements: Developing a project management plan;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Project management;
Best practice elements: Baselining and tracking project cost,
schedule, and performance status and associated risks;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Project management;
Best practice elements: Establishing a corrective action system to
identify, record, track, and correct problems;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Project management;
Best practice elements: Periodically reviewing and communicating the
status of project management activities and commitments;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Developing a quality assurance plan;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Participating in the development and review of
integration plans, standards, and procedures;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Quality assurance;
Best practice elements: Reviewing activities and work products to
verify compliance with applicable standards and procedures;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Documenting and handling deviations in
activities and work products;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Quality assurance;
Best practice elements: Periodically reporting and reviewing the
results and findings of quality assurance activities;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Requirements development and
management;
Best practice elements: Involving end users in development of and
changes to requirements;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Requirements development and
management;
Best practice elements: Developing a requirements management plan;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Developing and baselining requirements, and
maintaining them under change control;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Requirements development and
management;
Best practice elements: Appraising changes to requirements for their
impact on the project or IT environment;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Maintaining traceability among requirements
and project deliverables;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Requirements development and
management;
Best practice elements: Periodically reviewing the status of
requirements development and management activities with management;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Risk management;
Best practice elements: Identifying roles and responsibilities;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Risk management;
Best practice elements: Developing a risk management plan;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Risk management;
Best practice elements: Integrating risk management with other
planning and management functions;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: No;
Addressed by division policy? Program Management Office: No.
Acquisition management control: Risk management;
Best practice elements: Identifying, analyzing, controlling, and
mitigating project risks;
Addressed by division policy? Information Resources: Yes;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Acquisition management control: Risk management;
Best practice elements: Periodically having management review the
status of project risks and risk management activities;
Addressed by division policy? Information Resources: No;
Addressed by division policy? Investigative Technology: Yes;
Addressed by division policy? Program Management Office: Yes.
Source: GAO analysis of FBI data.
[End of table]
[End of section]
Appendix IV: Comments from the Federal Bureau of Investigation:
U.S. Department of Justice:
Federal Bureau of Investigation:
Washington, D. C. 20535:
August 16, 2004:
Mr. Gary Mountjoy:
Assistant Director:
Information Technology:
U.S. General Accounting Office:
441 G Street, N.W.:
Washington, D.C. 20548:
Dear Sir:
Thank you for affording the FBI the opportunity to review and provide
comments on the GAO Draft Audit Report entitled "Information
Technology, Foundational Steps Being Taken to Needed FBI Systems
Modernization Management Improvements." Based upon our review, your
recommendations are consistent with the FBI's internal reviews and with
those of other oversight entities. In fact, I am pleased to inform you
the FBI has made significant progress to address the challenges and
issues facing information technology (IT) systems at the FBI.
The FBI has strengthened its IT senior management ranks by permanently
filling the Chief Information Officer (CIO) position. The CIO is
responsible for the FBI's overall information technology efforts,
including developing the FBI's IT strategic plan and operating budget;
developing and maintaining the FBI's technology assets; and providing
the technical direction for the re-engineering of FBI business
processes. In July 2004, the Chief Technology Officer (CTO) position
was filled. The CTO is responsible for centralizing the FBI's current
IT projects to support the FBI's mission and setting the pace for
technology infusion. Also, in July 2004, the Project Management
Executive (PME) position was filled. The PME is responsible for the
oversight and management of all IT acquisition development projects.
In June 2004, the FBI reorganized its IT resources under the Office of
the CIO (OCIO). The OCIO is responsible for centrally managing all of
the IT responsibilities, activities, policies, and employees across the
FBI. The OCIO is comprised of four major functions and organizations:
the Office of IT Policy and Planning (OIPP), Information Technology
Systems Development (ITSD), the Office of IT Program Management (OIPM),
and the Information Technology Operations Division (ITOD) (formerly
IRD).
This new organizational structure provides for the integration and
close coordination of all IT activities. It promotes long-term
information planning and policy development, dedicated knowledgeable
project management teams, research and development for proactive
concept development and infusion of emergent technologies, new system
development, and the integration, operations and maintenance of both
new and legacy systems.
The FBI Strategic Information Technology Plan (SITP), which is 90%
complete, is expected to be approved in September 2004. The SITP is
fully aligned and synchronized with the FBI Strategic Plan, 2004 -
2009, with a very similar outline and direct traceability between the
FBI strategic goals and objectives and supporting IT legacy systems and
new initiatives. It is also fully integrated with the FBI's information
technology investment management process and aligned with the
Department of Justice IT Strategic Plan.
To manage existing investments within the FBI's comprehensive IT
Portfolio, the FBI's OCIO established a Portfolio Management Program,
to assess the performance of the IT legacy (production) environment.
This assessment is critical to improving the capabilities of the IT
leadership team to make informed, holistic decisions regarding the
existing portfolio of investments. With the support of a consultant, a
phased implementation of this program began with a focus on an
Applications Pilot Assessment of 86 legacy/operational applications in
the Information Resources Division (IRD). The outcome of this analysis,
completed in February 2004, resulted in developing a methodology and a
decision-making tool for senior management in the IT portfolio/
investment process. The methodology included capturing baseline data,
aligning applications with the Director's 10 priorities, assessing
functional and technical performance, analyzing results, and
identifying improvement opportunities. Upon completion of the
Enterprise-wide Portfolio analysis, the resulting recommendations will
include recommendations concerning which investments should be
leveraged, replaced, outsourced, or retired.
In March 2004, the FBI OCIO embarked on the second phase of the
Portfolio Management Program, i.e., the infrastructure portfolio
assessment of IRD. The first major milestone (data collection) of this
effort will be completed in the 4Th Quarter FY 2004. The FBI OCIO also
initiated the Enterprise-wide Portfolio build-out for all applications,
infrastructure, services, and management under the auspices of a
follow-on contract in June 2004. Upon completion of the Enterprise-wide
portfolio (targeted for the 3`d Quarter FY 2005), this type of analysis
can potentially provide decision-makers the information to redirect
resources (dollars and personnel) towards the FBI's most critical
requirements.
To support the phased implementation of this program, the FBI OCIO
released a Statement of Work (SOW) on April 27, 2004 to Industry under
a GSA Schedule to competitively select an Enterprise Electronic Tool
and Support Services contractor for Enterprise Portfolio Management.
This SOW includes tool and services for the IT Investment Management
(ITIM), Legacy/ Operational Portfolio and Project Management program
areas. Anticipated selection and contract award of the integrated tool
is targeted for August 2004. This capability will bring FBI to the
forefront of agencies with an electronic ability to handle the inter-
relationships of key OCIO processes as mandated by Office of Management
and Budget and GAO.
The FBI's Life Cycle Management Directive (LCMD) is in the Director's
office for approval. The LCMD guides FBI personnel on the technical
management and engineering practices used to plan, acquire, operate,
maintain and replace IT systems and services.
It provides detailed direction for FBI Program/Project Manager to plan,
organize, direct, and control programs/projects throughout their life
cycle, from inception to deactivation. It sets the framework for the
development of comprehensive program/project plans which, through
appropriate "tailoring", will successfully deliver capabilities to FBI
users on schedule and within budget. It establishes control gates tied
to demonstrated accomplishments. It assigns accountability at the onset
and ensures user involvement throughout the program/project life cycle.
An Office of Intelligence (OI) Executive Working Group, chaired by OI
and facilitated by the OCIO, was created to identify the enterprise IT
requirements needed to support OI operations. Operational and Support
Divisions as well as Field Offices participate in the working group.
The initial focus of the working group was to identify the Immediate/
Near-Term IT requirements by 6/30/2004. Requirements are defined as the
high-level, end-goal business and mission operational need for
supporting FBI intelligence activities.
The initial analysis of the OI Immediate/Near-Term IT requirements,
resulted in the identification of 53 requirements. The 53 requirements
have been validated and captured in a formal document. The OCIO is
currently defining the technology and products needed to support the
services required to meet the OI requirements. The collection of OI
Mid-Term IT requirement has been initiated.
Although progress is being made, much work remains to institutionalize
the processes that have been and are being developed. Steps are being
taken to lay a solid foundation to improve IT operations throughout the
FBI.
Again, thank you for the opportunity to respond to the report. Should
you or your staff have questions regarding our response, please contact
me any time.
Sincerely yours,
Signed by:
Zalmai Azmi:
Chief Information Officer:
[End of section]
Appendix V: GAO Contact and Staff Acknowledgments:
GAO Contact:
Gary Mountjoy, (202) 512-6367:
Staff Acknowledgments:
In addition to the individual named above, key contributors to this
report included Nabajyoti Barkakarti, Katherine Chu-Hickman, Lester
Diamond, Elena Epps, Nancy Glover, Paula Moore, and Megan Secrest.
(310269):
FOOTNOTES
[1] Deoxyribonucleic acid.
[2] GAO, Information Technology: FBI Needs an Enterprise Architecture
to Guide Its Modernization Activities, GAO-03-959 (Washington, D.C.:
Sept. 25, 2003).
[3] Using Department of Justice guidance, the FBI defines a major
system as one that has an annual cost greater than $10 million, a total
life cycle cost greater than $50 million, or an annual cost greater
than $500,000 for financial information systems; is mandated for
departmentwide use; has significant multiple component impact for the
department; has legal requirements or designation as a congressional
line item; or is high risk or politically sensitive, as determined by
the Justice CIO.
[4] See GAO, DOD Business Systems Modernization: Improvements to
Enterprise Architecture Development and Implementation Efforts Needed,
GAO-03-458 (Washington, D.C.: Feb. 28, 2003); Business Systems
Modernization: IRS Needs to Better Balance Management Capacity with
System Acquisition Workload, GAO-02-356 (Washington, D.C.: Feb. 28,
2002); and Information Technology: DLA Should Strengthen Business
Systems Modernization Architecture and Investment Activities, GAO-01-
631 (Washington, D.C.: June 29, 2001).
[5] Clinger-Cohen Act of 1996, 40 U.S.C. §§11101-11703.
[6] See Office of Management and Budget, Management of Federal
Information Resources, Circular A-130 (Washington, D.C., Nov. 28, 2000)
and Planning, Budgeting, Acquisition, and Management of Capital Assets,
Circular A-11, Part 7 (Washington, D.C., July 2003).
[7] Arthur Andersen, LLP, Management Study of the Federal Bureau of
Investigation (Dec. 14, 2001).
[8] U.S. Department of Justice Office of the Inspector General, Federal
Bureau of Investigation's Management of Information Technology
Investments, Report 03-09 (Washington, D.C., December 2002).
[9] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, Exposure Draft, GAO/AIMD-
10.1.23 (Washington, D.C.: May 2000). In March 2004, GAO updated this
version: Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, version 1.1, GAO-04-394G
(Washington, D.C.: March 2004).
[10] U.S. Department of Justice Office of the Inspector General, Action
Required on the Federal Bureau of Investigation's Management of
Information Technology Investments, Audit Report Number 03-09,
(Washington, D.C., January 2004).
[11] GAO, Information Technology: FBI Needs an Enterprise Architecture
to Guide Its Modernization Activities, GAO-03-959, (Washington, D.C.:
Sept. 25, 2003); Federal Bureau of Investigation's Comments on Recent
GAO Report on its Enterprise Architecture Efforts, GAO-04-190R,
(Washington, D.C.: Nov. 14, 2003); and FBI Transformation: FBI
Continues to Make Progress in Its Efforts to Transform and Address
Priorities, GAO-04-578T (Washington, D.C.: Mar. 23, 2004).
[12] An enterprise architecture can be viewed as a blueprint that
defines, in logical or business terms and in technology terms, how an
organization, for example, operates today, how it intends to operate in
the future, and how it intends to invest in technology to transition to
this future state.
[13] GAO-04-578T.
[14] U.S. Department of Justice Office of the Inspector General, The
Federal Bureau of Investigation's Implementation of Information
Technology Recommendations, Audit Report 03-36 (Washington, D.C.,
September 2003), Audit Report 03-09, and Action Required on Audit
Report 03-09.
[15] Inspector General Audit Report 03-36.
[16] U.S. Department of Justice Office of the Inspector General,
Statement of Glenn A. Fine, Inspector General, before the Senate
Committee on Appropriations, Subcommittee on Commerce, Justice, State
and the Judiciary, (Washington, D.C., Mar. 23, 2004).
[17] GAO-03-959.
[18] GAO-04-578T.
[19] National Research Council, A Review of the FBI's Trilogy
Information Technology Modernization Program, (Washington, D.C., May
10, 2004).
[20] National Research Council, follow-on report to A Review of the
FBI's Trilogy Information Technology Modernization Program,
(Washington, D.C., June 7, 2004).
[21] Clinger-Cohen Act of 1996, 40 U.S.C. §§11101-11703.
[22] See Office of Management and Budget, Management of Federal
Information Resources, Circular No. A-130 (Washington, D.C., Nov. 28,
2000) and Planning, Budgeting, Acquisition, and Management of Capital
Assets, Circular No. A-11, Part 7 (Washington, D.C., July 2003).
[23] See GAO, Information Technology: Homeland Security Should Better
Balance Need for System Integration Strategy with Spending for New and
Enhanced Systems, GAO-04-509 (Washington, D.C.: May 21, 2004), and Tax
Systems Modernization: Blueprint Is a Good Start, but Not Yet
Sufficiently Complete to Build or Acquire Systems, GAO/AIMD/GGD-98-54
(Washington, D.C.: Feb. 24, 1998).
[24] See, for example, GAO, DOD Business Systems Modernization:
Improvements to Enterprise Architecture Development and Implementation
Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003); Business
Systems Modernization: IRS Needs to Better Balance Management Capacity
with System Acquisition Workload, GAO-02-356 (Washington, D.C.: Feb.
28, 2002); and Information Technology: DLA Should Strengthen Business
Systems Modernization Architecture and Investment Activities, GAO-01-
631 (Washington, D.C.: June 29, 2001).
[25] GAO-03-959.
[26] See GAO, Human Capital: Attracting and Retaining a High-Quality
Information Technology Workforce, GAO-02-113T (Washington, D.C.: Oct.
4, 2001); A Model of Strategic Human Capital Management, GAO-02-373SP
(Washington, D.C.: Mar. 15, 2002); and Key Principles for Effective
Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11,
2003).
[27] GAO-02-373SP.
[28] The four human capital cornerstones are leadership; strategic
human capital planning; acquiring, developing, and retaining talent;
and results-oriented organizational cultures.
[29] GAO-04-39.
[30] Federal Bureau of Investigation, FBI Strategic Human Capital Plan
(Washington, D.C., March 2004).
[31] GAO-04-578T.
[32] Clinger-Cohen Act of 1996, 40 U.S.C. §§11101-11703.
[33] Carnegie Mellon University's Software Engineering Institute has
developed criteria, known as the Software Acquisition Capability
Maturity Model (CMU/SEI-99-TR-002, April 1999) and Key Practices of the
Capability Maturity Model (CMU/SEI-93-TR-25, February 1993) for
determining organizations' software acquisition management and
development effectiveness or maturity. Capability Maturity Model and
CMM are registered in the U.S. Patent and Trademark Office.
[34] See Key Practices of the Capability Maturity Model (CMU/SEI-93-TR-
025, February 1993).
[35] See Software Acquisition Capability Maturity Model (CMU/SEI-99-TR-
002, April 1999).
[36] See Key Practices of the Capability Maturity Model (CMU/SEI-93-TR-
025, February 1993).
[37] See Software Acquisition Capability Maturity Model (CMU/SEI-99-TR-
002, April 1999).
[38] See Software Acquisition Capability Maturity Model (CMU/SEI-99-TR-
002, April 1999).
[39] Clinger-Cohen Act of 1996, 40 U.S.C. §§11101-11703.
[40] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, Exposure Draft, GAO/AIMD-
10.1.23 (Washington, D.C.: May 2000). In March 2004, GAO updated this
version: Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, version 1.1, GAO-04-394G
(Washington, D.C.: March 2004).
[41] There were no divisions from the Intelligence component included
in our scope because it was recently formed in January 2003, and
Intelligence officials stated that they were not yet managing any
systems modernization initiatives and they had not established polices
and procedures to do so.
[42] See OMB Circular Nos. A-11 and A-130.
[43] GAO, A Model of Strategic Human Capital Management, GAO-02-373SP
(Washington, D.C.: Mar. 15, 2002) and Key Principles for Effective
Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11,
2003).
[44] See Software Acquisition Capability Maturity Model (CMU/SEI-99-TR-
002, April 1999) and Key Practices of the Capability Maturity Model
(CMU/SEI-93-TR-025, February 1993).
[45] U.S. Department of Justice Office of the Inspector General,
Federal Bureau of Investigation's Management of Information Technology
Investments, Report 03-09 (Washington, D.C., December 2002) and U.S.
Department of Justice Office of the Inspector General, Action Required
on the Federal Bureau of Investigation's Management of Information
Technology Investments, Audit Report Number 03-09, (Washington, D.C.,
January 2004).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: