Federal Bureau of Investigation's Comments on Recent GAO Report on its Enterprise Architecture Efforts

Published by the Government Accountability Office on 2003-11-14.

United States General Accounting Office
Washington, DC 20548



          November 14, 2003

          The Honorable Porter J. Goss
          Chairman, Permanent Select Committee on Intelligence
          House of Representatives

          The Honorable Nancy Pelosi
          House of Representatives

          The Honorable Bob Graham
          United States Senate

          The Honorable Richard C. Shelby
          United States Senate

          Subject: Federal Bureau of Investigation’s Comments on Recent GAO Report on
                   its Enterprise Architecture Efforts

          On September 25, 2003, we issued our report on efforts by the Federal Bureau of
          Investigation (FBI) to develop a corporate blueprint—commonly called an
          enterprise architecture—to guide and constrain its information technology (IT)
          systems modernization.¹ (This report is available on GAO’s Web site at
          www.gao.gov/cgi-bin/getrpt?GAO-03-959.) We provided the FBI with a draft of this
          report on August 22, 2003, requesting that comments be provided by September
          18. On September 23, the FBI provided us with written comments. However, the
          comments were not received in time to be analyzed, incorporated, and responded
          to in the report and still meet our September 25, 2003, reporting commitment to
          you. As discussed with your offices at that time, we did not extend the reporting
          date in order to include the FBI’s comments and instead are transmitting and
          responding to them in this follow-up correspondence.

          In its written comments signed by the Assistant Director, Inspection Division
          (which are reprinted in their entirety in the enclosure), the FBI made two primary
          points. First, it expressed its commitment to developing and using an enterprise
          architecture (EA), including (1) agreeing with our conclusion that it needs an
          architecture to effectively manage its IT systems modernization; (2) consistent
          with our recommendations, stating that it recognized the need for immediate
          attention to its architecture efforts; and (3) noting that it was managing its
          architecture effort as an IT modernization enabler and priority.

          ¹ U.S. General Accounting Office, Information Technology: FBI Needs an Enterprise Architecture
          to Guide Its Modernization Activities, GAO-03-959 (Washington, D.C.: Sept. 25, 2003).


                                                               GAO-04-190R FBI Enterprise Architecture
Related to this first point, the FBI also stated that it has efforts currently under
way to improve its EA posture, and that substantial and real progress has already
been made in doing so. For example, it stated that an executive team had been
established to (1) assess the bureau’s EA status and resource needs using our EA
maturity management framework² and (2) formulate recommendations for
improvement. Although the FBI’s comments did not specify when it would
complete the assessment, it did state that the necessary resources would be
applied to architecture development, maintenance, and implementation following
the results of the assessment. To illustrate its progress, the FBI stated that it had

•   completed and approved what it referred to as an EA foundation document
    which, according to its comments, contains an architecture approach based on
    55 principles spanning 10 categories of bureau activities and operations and
    acknowledges its largest modernization project (Trilogy) as one enabler for
    moving from its current architectural state to its target state;
•   established key IT modernization management structures and processes, such
    as an investment management process that requires all proposed investments
    to address EA, a governance board to review investment proposals and
    architectural decisions, an application integration board to ensure that new
    applications are consistent with the bureau’s IT environment, and change
    management and control entities to examine and approve changes to its IT
    infrastructure;
•   assigned EA resources, including appointing a chief architect, assigning staff,
    and obtaining private-industry expert assistance, to support its ongoing
    architecture assessment and development of architecture products;
•   established a list of existing systems that had completed security certification
    and accreditation;
•   begun acquiring an automated tool to serve as an architecture repository, as
    well as a risk management tool for determining existing system vulnerabilities
    and cost-effective risk mitigation steps; and
•   begun conducting outreach with external parties, such as the Justice
    Department, the federal CIO Council, and its intelligence community partners
    to, among other things, learn from these entities’ EA experiences.

We support the FBI’s stated commitment to architecture development and use,
including its adoption of our maturity framework. Moreover, we believe that the
examples of EA-related activities cited in the bureau’s comments, some of which
were subsequent to completion of our audit work, are steps in the right direction.
However, the examples that the FBI cites do not alter our report’s findings and
conclusions about the maturity of the FBI’s EA program because they are either
already recognized in our report or they do not fully address the EA management
maturity core elements that our report cites as not being satisfied. Moreover, the
FBI does not currently have a version of an EA to guide and constrain its ongoing
and planned IT investments. Our evaluation and response to each of the FBI’s
examples of progress are provided below.

² U.S. General Accounting Office, Information Technology: A Framework for Assessing and
Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G (Washington, D.C.:
April 2003).

•   At the time we completed our audit work, the EA foundation document was in
    draft form, and our review of this draft showed that while it contained
    information that would be useful in developing a plan for architecture
    development, maintenance, and implementation, as well as information that
    would be useful in developing architecture artifacts or products, it did not
    satisfy the basic content requirements for either an EA or a plan for
    developing, implementing, and maintaining one. For example, neither the draft
    nor the recently approved version specifies the tasks, time frames, or
    responsible parties for actually developing and completing such architecture
    products as the business, information/data, services/applications, technology,
    and performance reference models, as well as the security views that should
    be part of these models.
•   At the time we completed our audit work, the bureau’s EA governance board
    did not include all relevant internal stakeholders, such as representatives from
    its counterterrorism and counterintelligence organizational components. As
    our framework recognizes, enterprisewide representation and accountability
    on the architecture governance body is a critical success factor and a
    recognized best practice. Since we issued our report, FBI officials told us that
    they now have all relevant stakeholders represented on the board.
•   Our report recognizes that the bureau had appointed a chief architect and
    assigned staff as part of its EA efforts. However, the report also points out that
    it began these efforts over 32 months ago, and the level of commitment and
    resources devoted to them had neither advanced the FBI beyond stage 1 of our
    maturity framework nor produced an EA that could effectively support the
    investment and modernization management processes and structures that the
    FBI cited as having been established. Moreover, as we state in the report, the
    then-chief architect characterized the bureau’s annual commitment of
    $1 million in resources to these efforts as “limited,” and this amount now
    appears to be an overstatement. Specifically, the FBI stated in its comments
    that it is actually investing less than this amount in its EA efforts ($285,000 and
    $500,000 in fiscal years 2003 and 2004, respectively), but that its fiscal year
    2005 budget request includes a substantial, but unspecified, increase.
•   Despite the bureau’s progress in establishing a listing of existing systems
    under security certification and accreditation, which we believe would be a
    useful source of information in developing an EA, the then-chief architect told
    us that this listing was incomplete and required management approval before
    it could serve as a basis for developing the “as-is” architecture description.
•   The bureau’s comments acknowledge that it is in the process of acquiring
    automated EA tools, and thus does not yet satisfy core elements of our
    framework related to establishing an EA management foundation. Further, to
    augment these tools, the bureau has yet to establish a methodology that it will
    follow to create its architecture artifacts, which is another management
    foundation core element.
•   We support the efforts that the FBI cited for outreach to relevant external
    stakeholders. Understanding these relationships, and ultimately defining them
    in architecture artifacts, should be part of an effectively managed EA program.

The FBI’s second primary comment was that our report was too narrowly focused
and not comprehensive because it was limited to EA and did not include an
assessment of the FBI’s other IT management controls and capabilities. Because
our report focused on EA, the bureau said that the report was premature.

While we agree that the report focuses on the FBI’s EA activities, we do not agree
that this is either inappropriate or makes the report premature. As agreed with
your offices, we are in the process of reviewing a wide range of FBI IT
management areas, such as system acquisition capabilities, IT human capital
management, IT investment management practices, and architecture development
and use. As further agreed, we are to report on these areas incrementally, as
appropriate. Our report represents an appropriate and timely first increment for
two principal reasons.

•   Our experience over the last 10 years in evaluating federal agency IT
    management has shown that providing our congressional clients and the
    subject agency’s leadership team with the results of major segments of our
    work as they are available permits more timely corrective action, and thus
    better outcomes.
•   Reporting first on EA in particular, which can be viewed as an essential link
    between strategic planning and system investment/implementation, provides
    the FBI sooner rather than later with a comprehensive set of
    recommendations for effectively making its architecture efforts more mature
    in time to influence its ongoing and planned IT investment/implementation
    efforts. Any delay on our part in reporting on this area of strategic importance
    would only increase the agency’s exposure to modernization risk and
    postpone your awareness and understanding of this critical issue. This does
    not, however, mean that the FBI should not be pursuing near-term IT upgrades
    before it completes and is positioned to use an architecture, nor is it intended
    to suggest that the bureau’s planned and ongoing modernization investments
    to date are completely unjustified and unreasonable. Rather, it means that
    these investments and upgrades are being pursued without a blueprint that
    provides an authoritative, commonly understood frame of reference that
    translates strategy into implemental actions, which, in turn, increases
    modernization risk.

                                      - - - - -

We are sending copies of this correspondence to the Chairman and Vice Chairman
of the Senate Select Committee on Intelligence and the Ranking Minority Member
of the House Permanent Select Committee on Intelligence. We are also sending
copies to the Attorney General; the Director, FBI; the Director, Office of
Management and Budget; and other interested parties. In addition, this
correspondence will be available without charge on GAO’s Web site at
www.gao.gov.

Should you or your offices have any questions on matters discussed in this
correspondence, please contact me at (202) 512-3439 or by e-mail at
hiter@gao.gov. Key contributors to this response included Katherine I.
Chu-Hickman, Barbara Collier, Gregory Donnellon, Michael P. Fruitman, Paula A.
Moore, Gary N. Mountjoy, and Megan M. Secrest.




Randolph C. Hite
Director, Information Technology Architecture and Systems Issues

Enclosure




         Enclosure: Comments from the Federal Bureau of Investigation




(310268)




This is a work of the U.S. government and is not subject to copyright protection in the
United States. It may be reproduced and distributed in its entirety without further
permission from GAO. However, because this work may contain copyrighted images or
other material, permission from the copyright holder may be necessary if you wish to
reproduce this material separately.

GAO’s Mission

The General Accounting Office, the audit, evaluation and investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of the
federal government for the American people. GAO examines the use of public
funds; evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make informed
oversight, policy, and funding decisions. GAO’s commitment to good
government is reflected in its core values of accountability, integrity, and
reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is
through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and
full-text files of current reports and testimony and an expanding archive of older
products. The Web site features a search engine to help you locate documents
using key words and phrases. You can print these documents in their entirety,
including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as “Today’s Reports,” on its Web
site daily. The list contains links to the full-text document files. To have GAO
e-mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to
e-mail alerts” under the “Order GAO Products” heading.

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2 each. A
check or money order should be made out to the Superintendent of Documents.
GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to
a single address are discounted 25 percent. Orders should be sent to:

U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs

Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548