This is the accessible text file for GAO report number GAO-06-234T entitled 'Defense Management: Foundational Steps Being Taken to Manage DOD Business Systems Modernization, but Much Remains to be Accomplished to Effect True Business Transformation' which was released on November 9, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Subcommittee on Readiness and Management Support, Committee on Armed Services, U.S. Senate: For Release on Delivery: Expected at 2:00 p.m. EST Wednesday, November 9, 2005: Defense Management: Foundational Steps Being Taken to Manage DOD Business Systems Modernization, but Much Remains to be Accomplished to Effect True Business Transformation: Statement of Randolph C. Hite: Director: Information Technology Architecture and Systems: GAO-06-234T: GAO Highlights: Highlights of GAO-06-234T, a testimony before the Subcommittee on Readiness and Management Support, Committee on Armed Services, U.S. Senate: Why GAO Did This Study: For years, the Department of Defense (DOD) has embarked on a series of efforts to transform its business operations, including modernizing underlying information technology (business) systems. GAO has reported on inefficiencies and inadequate accountability across DOD’s major business areas, resulting in billions of dollars of wasted resources annually. Of the 25 areas on GAO’s 2005 list of high-risk federal programs and operations that are vulnerable to fraud, waste, abuse or mismanagement and in need of reform, 8 are DOD programs or operations, and 6 are government-wide high risk areas for which DOD shares responsibility. The Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 required DOD to satisfy several conditions relative to its approach to managing its business system modernization program, including developing an enterprise transition plan, which GAO is currently assessing. DOD also recently established a Business Transformation Agency intended to advance defense-wide business transformation. GAO was asked to testify on DOD’s business transformation, including its preliminary observations on 1) DOD’s efforts to satisfy fiscal year 2005 defense authorization act requirements; 2) the Business Transformation Agency; and 3) DOD’s efforts to provide the leadership, structures, and plans needed to effect transformation. What GAO Found: GAO’s preliminary observation based on its ongoing work is that DOD has made progress in establishing needed business system modernization management capabilities and appears to have complied with some of the act’s provisions, but more needs to be done. To comply with the act’s requirement that it develop a business enterprise architecture and transition plan meeting certain requirements, DOD approved Version 3.0 of its architecture and associated transition plan on September 28, 2005. GAO’s work so far suggests that this version of the architecture may satisfy the conditions of the act to some extent, but not entirely. For example, while Version 3.0 includes a target architecture, as required, it does not include a current architecture. Without this element, DOD could not analyze the gaps between the two architectures—critical input to a comprehensive transition plan. In addition, the transition plan appears to include certain required information (such as milestones for major projects), but it appears to be inconsistent with the architecture in various ways, such as including some systems that are not in the target architecture and vice versa, and it does not include system performance metrics aligned with the plan’s strategic goals and objectives. Finally, GAO’s preliminary work suggests that DOD may have satisfied some of the act’s requirements regarding the review and approval of investments in business systems, but it either has not satisfied or is still in the process of satisfying others. For example, it has delegated authority and largely established review structures and processes as required. However, some of these structures do not yet appear to be in place, and some reviews and approvals to date may not have followed the criteria in the act. GAO expects to report on these issues shortly. DOD’s Business Transformation Agency offers potential benefits relative to the department’s business systems modernization efforts if the agency can be properly organized, resource, and empowered to effectively execute its roles and responsibilities and is held accountable for doing so. The agency faces several challenges, including standing up a functioning acquisition organization within a short period of time. As DOD moves forward with implementing this agency, it will be important for it to address these issues. DOD has taken several actions intended to advance transformation, such as establishing management structures like the Business Transformation Agency, and developing the enterprise transition plan. While these steps are positive, their primary focus appears to be on business system modernization. Business transformation is much broader and encompasses planning, management, structures, and processes related to all key business areas. As DOD continues to evolve its transformation efforts, critical to successful reform are sustained leadership, structures, and a clear strategic and integrated plan that encompass all major business areas. GAO believes a chief management official, responsible for business transformation, could provide the strong and sustained executive leadership needed in this area. www.gao.gov/cgi-bin/getrpt?GAO-06-234T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randy Hite at (202) 512- 3429 or email@example.com. [End of section] Mr. Chairman and Members of the Subcommittee: I appreciate the opportunity to be here today to discuss business systems modernization and overall business transformation at the Department of Defense (DOD)--two areas that are on our high-risk list of federal programs and activities that are at risk of waste, fraud, abuse, or mismanagement and in need of broad-based transformation.[Footnote 1] At the onset, I would like to pass on Comptroller General Walker's gratitude to this Subcommittee for your continued oversight of key government operations and management issues, including DOD's business transformation activities. The active role of this Subcommittee is essential to ultimately assuring DOD's continued progress in business transformation, while enhancing public confidence in DOD's stewardship of the hundreds of billions of taxpayer funds it receives each year. Given its size and mission, DOD is one of the largest and most complex organizations to effectively manage in the world. While DOD maintains military forces with significant capabilities, it continues to confront pervasive, decades-old management problems related to its business operations, including outdated and ineffective systems and processes that support these forces. At a time when DOD is challenged to maintain a high level of military operations while competing for resources in an increasingly fiscally constrained environment, DOD's business area weaknesses continue to result in reduced efficiencies and effectiveness that waste billions of dollars every year. Of the 25 areas on our 2005 high-risk list, 8 are DOD programs or operations and 6 are governmentwide high-risk areas for which DOD shares some responsibility. These areas touch on all of DOD's major business operations. In some cases, such as DOD's financial management, weapons acquisition, and business systems modernization areas, we have been highlighting high-risk challenges for a decade or more. This year we added DOD's overall approach to business transformation to our list of high-risk areas because (1) DOD's business improvement initiatives and control over resources are fragmented; (2) DOD lacks a clear and integrated business transformation plan and investment strategy; and (3) DOD has not designated an appropriate level senior management official--such as a chief management official (CMO)--with the authority to be responsible and accountable for overall business transformation reform and related resources. In particular, GAO has suggested the need for a chief management official[Footnote 2] to provide the sustained top-level leadership and accountability needed by DOD to better leverage plans, processes, systems, people and tools to achieve the needed transformation. Many past administrations have tried to address the deficiencies we have identified at DOD, with the latest attempt being launched in 2001 when Secretary Rumsfeld outlined a vision for transforming the department that called for dramatic changes in management, technology, and business practices. At that time, the Secretary established the Business Management Modernization Program, or BMMP, to effect this change. Since then, we have reported a litany of program weaknesses and made scores of recommendations. Our latest reports on this program, which were issued about the same time as this Subcommittee's last oversight hearing in April 2005 on DOD business transformation and financial accountability, were quite critical of the program, observing that after investing about 4 years and $318 million on the BMMP, the department had made very little progress. To its credit, the Congress, and this Subcommittee in particular, has become increasingly focused on improving DOD's business operations by holding several oversight hearings, such as this one, and enacting legislation. The recent requirements in the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 aimed at strengthening DOD's management of its business systems modernization efforts-- developing a business enterprise architecture and transition plan, and establishing system investment management structures and processes-- are particularly important ingredients to addressing DOD's business systems modernization high-risk area. The act requires GAO to review and report on this transition plan within 60 days of its approval by the Secretary of Defense. Senior administration leaders and advisors--including the Secretary of Defense, the Acting Deputy Secretary of Defense, the Deputy Director of the Office of Management and Budget (OMB), various senior level officials, and members of the Defense Business Board--have demonstrated a commitment to addressing DOD's business management weaknesses. OMB and DOD are working together to develop a plan to improve supply chain management that could place the department on the path toward removal of this area from our high-risk list. For example, OMB and DOD are also consulting GAO as they develop action plans for other high-risk areas as well as a business architecture and related enterprise transition plan. Further, DOD has taken actions intended to comply with the Act by establishing system investment review structures and processes, and it has also established a Business Transformation Agency to bring increased management focus to its business systems modernization area. Today, I would like to provide our preliminary perspectives on (1) DOD's efforts to satisfy the business systems modernization requirements in the fiscal year 2005 National Defense Authorization Act; (2) the Business Transformation Agency's potential to help strengthen business systems modernization; and (3) whether DOD efforts to establish management structures and its business enterprise transition plan provide the leadership and planning needed to effect business transformation. My statement is based upon our ongoing assessment of DOD's efforts to comply with the 2005 defense authorization act, as required under the act. As such, the statement provides our preliminary views on DOD's efforts. It is also based on our analysis of DOD's enterprise transition plan relative to our published work on successful organizational transformation efforts and each of DOD's high risk areas, as well as analysis of DOD's directives establishing the Defense Business Transformation Agency, our previous reports and testimonies, and discussions with DOD senior executives. Our work was performed in accordance with U.S. generally accepted government auditing standards. Summary: In summary, let me reiterate what Comptroller General Walker has stated on many occasions-transforming the department's business operations is an absolute necessity given the long-term fiscal outlook, and accomplishing this transformation will require sustained and persistent leadership for at least 5 to 7 years. The department, under the leadership of Acting Deputy Secretary England, recently began taking some positive steps in this direction, particularly with respect to the business systems modernization management changes called for in the fiscal year 2005 National Defense Authorization Act, as well as with certain other DOD high-risk areas. As of today, our preliminary work suggests that progress has been made in complying with the provisions in the act, but more needs to be done. DOD agrees, and it intends to do more. With respect to DOD's compliance with the authorization act's requirements, we will be issuing a full report to this and other defense congressional committees by November 25, 2005. In addition, DOD's Business Transformation Agency offers potential benefits relative to the department's business systems modernization efforts if the agency can be properly organized, resource, and empowered to effectively execute its roles and responsibilities and is held accountable for doing so. The agency faces several challenges, including standing up a functioning acquisition organization within a short period of time. As DOD moves forward with implementing this agency, it will be important for it to address these issues. Furthermore, DOD has taken several actions intended to advance transformation, such as establishing management structures like the Business Transformation Agency, and developing the enterprise transition plan. While these steps are positive, their primary focus appears to be on business system modernization. Business transformation is much broader and encompasses planning, management, structures, and processes related to all key business areas. As DOD continues to evolve its transformation efforts, critical to successful reform are sustained leadership, structures, and a clear strategic and integrated plan that encompass all major business areas. We, therefore, continue to believe that a CMO position along with an integrated strategic plan for the overall business transformation effort, remain essential ingredients for better ensuring that overall business transformation is successfully implemented and sustained. Background: DOD is one of the largest and most complex organizations in the world to manage effectively. While DOD maintains military forces with unparalleled capabilities, it continues to confront pervasive, decades- old management problems related to its business operations--which include outdated systems and processes--that support these forces. These management weaknesses cut across all of DOD's major business areas, such as human capital management; the personnel security clearance program; support infrastructure management; financial management; weapon systems acquisition; contract management; supply chain management; and last, but not least, business systems modernization. All of these DOD areas are on our high-risk list. For years, DOD has attempted to modernize its business systems, and we have provided numerous recommendations to help guide its efforts, including a set of recommendations to help DOD develop and implement an enterprise architecture (or modernization blueprint) and establish effective management controls. To achieve successful transformation, we have also recommended the need for a CMO, and a strategic integrated action plan for the overall business transformation effort. Enterprise Architecture and Information Technology Investment Management Are Critical to Achieving Successful Systems Modernization: Effective use of an enterprise architecture, or modernization blueprint, is a hallmark of successful public and private organizations. For more than a decade, we have promoted the use of architectures to guide and constrain systems modernization, recognizing them as a crucial means to a challenging goal: agency operational structures that are optimally defined in both the business and technological environments. The Congress has also recognized the importance of an architecture-centric approach to modernization: the E- Government Act of 2002,[Footnote 3] for example, requires OMB to oversee the development of enterprise architectures within and across agencies. In brief, an enterprise architecture provides a clear and comprehensive picture of an entity, whether it is an organization (e.g., a federal department) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of both the enterprise's current or "As Is" environment and its target or "To Be" environment. These snapshots consist of "views," which are one or more architecture products (models, diagrams, matrices, text, etc.) that provide logical or technical representations of the enterprise. The architecture also includes a transition or sequencing plan, based on an analysis of the gaps between the "As Is" and "To Be" environments; this plan provides a temporal roadmap for moving between the two that incorporates such considerations as technology opportunities, marketplace trends, fiscal and budgetary constraints, institutional system development and acquisition capabilities, the dependencies and life expectancies of both new and "legacy" (existing) systems, and the projected value of competing investments. Our experience with federal agencies has shown that investing in information technology (IT) without defining these investments in the context of an architecture often results in systems that are duplicative, not well integrated, and unnecessarily costly to maintain and interface.[Footnote 4] A corporate approach to IT investment management is also characteristic of successful public and private organizations. Recognizing this, the Congress developed and enacted the Clinger-Cohen Act in 1996,[Footnote 5] which requires OMB to establish processes to analyze, track, and evaluate the risks and results of major capital investments in information systems made by executive agencies.[Footnote 6] In response to the Clinger-Cohen Act and other statutes, OMB developed policy for planning, budgeting, acquisition, and management of federal capital assets and issued guidance.[Footnote 7] We have also issued guidance in this area,[Footnote 8] in the form of a framework that lays out a coherent collection of key practices that, when implemented in a coordinated manner, can lead an agency through a robust set of analyses and decision points that support effective IT investment management. This framework defines institutional structures, such as investment review boards, and associated processes, such as common investment criteria. Further, our investment management framework recognizes the importance of an enterprise architecture as a critical frame of reference for organizations making IT investment decisions: specifically, it states that only investments that move the organization toward its target architecture, as defined by its sequencing plan, should be approved (unless a waiver is provided or a decision is made to modify the architecture). Moreover, it states that an organization's policies and procedures should describe the relationship between its architecture and its investment decision- making authority. Our experience has shown that mature and effective management of IT investments can vastly improve government performance and accountability, and can help to avoid wasteful IT spending and lost opportunities for improvements. Recent Reviews of DOD's Business System Modernization Efforts Have Raised Concerns: Since 2001, we have regularly reported[Footnote 9] on DOD's efforts to (among other things) develop an architecture and to establish and implement effective investment management structures and processes. Our reports have continued to raise concerns about the department's architecture program, the quality of the architecture and the transition plan, and the lack of an investment management structure and controls to implement the architecture. Our most recent reports, which were issued in the third and fourth quarters of fiscal year 2005,[Footnote 10] made the following points: * DOD had not established effective structures and processes for managing the development of its architecture. * DOD had not developed a well-defined architecture. The products that it had produced did not provide sufficient content and utility to effectively guide and constrain ongoing and planned system investments. * DOD had not developed a plan for transitioning from the "As Is" to the "To Be" architectures. * DOD did not have an effective departmentwide management structure for controlling its business investments. * DOD had not established common investment criteria for system reviews. * DOD had not included all reported systems in its fiscal year 2005 IT budget request. * The Under Secretary of Defense (Comptroller) had not certified all systems investments with reported obligations exceeding $1 million, as required by the fiscal year 2003 National Defense Authorization Act.[Footnote 11] Our recommendations to DOD provide a comprehensive roadmap for addressing these problems. DOD has largely agreed with the recommendations and as we recently reported, has defined a framework intended to do so. Successful Business Transformation Requires Sound Strategic Planning and Sustained Leadership: In testimony before this Subcommittee earlier this year, Comptroller General Walker emphasized that there are three key elements that DOD must incorporate into its business transformation efforts to successfully address its systemic business challenges.[Footnote 12] First, these efforts must include an integrated strategic business transformation plan, including an enterprise architecture to guide and constrain implementation of such a plan. Second, control of system investments is crucial for successful business transformation. Finally, a CMO is essential for providing the sustained leadership needed to achieve a successful and lasting transformation effort. The CMO would not assume the day-to-day management responsibilities of other DOD officials nor represent an additional hierarchical layer of management but would lead DOD's overall business transformation efforts. Additionally, a 7-year term would also enable the CMO to work with DOD leadership across administrations to sustain the overall business transformation effort. DOD's Efforts to Comply with National Defense Authorization Act for Fiscal Year 2005 Indicate Progress and a Foundation Upon Which to Build: As defined in Section 332 of the defense authorization act for fiscal year 2005,[Footnote 13] DOD is required to satisfy several conditions relative to its approach to managing its business systems modernization program. Generally speaking, DOD is required to do the following: 1. By September 30, 2005, develop a business enterprise architecture that meets certain requirements. 2. By September 30, 2005, develop a transition plan for implementing the architecture that meets certain requirements. 3. Identify each defense business system proposed for funding in the budget submissions for fiscal year 2006 and subsequent years, and for each system, among other things, identify whether funding is for current services or business systems modernization. 4. Take a number of actions regarding the review and approval of investments, including delegating responsibility for business system review and decision making to designated approval authorities,[Footnote 14] establishing investment review boards and supporting process that employ common steps and criteria, and obligating funds for Defense Business System Modernizations after October 1, 2005, only for systems that have been certified and approved. The act also requires us to assess DOD's efforts to comply with the act within 60 days after approval of the business enterprise architecture and transition plan. On September 28, 2005, the Acting Deputy Secretary of Defense approved Version 3.0 of the business enterprise architecture and approved the associated enterprise transition plan. Accordingly, we are currently in the process of conducting our assessment, and we plan by November 25, 2005, to issue a report containing the results of our assessment to defense congressional committees, as specified in the act. As agreed, this statement contains only preliminary observations based on our ongoing work, meaning that these observations may change as we conclude our ongoing assessment. For purposes of this statement, we have grouped the act's requirements, and our preliminary observations, into four categories: business enterprise architecture, enterprise transition plan, fiscal year 2006 budget submission, and investment review and approval. Business Enterprise Architecture Requirements: The act requires that DOD develop, by September 30, 2005,[Footnote 15] a business enterprise architecture. According to the act, this architecture must satisfy three major requirements: 5. Include an information infrastructure that, at a minimum, would enable DOD to: * comply with all federal accounting, financial management, and reporting requirements; * routinely produce timely, accurate, and reliable financial information for management purposes; * integrate budget, accounting, and program information and systems; and: * provide for the systematic measurement of performance, including the ability to produce timely, relevant, and reliable cost information. 6. Include policies, procedures, data standards, and system interface requirements that are to be applied uniformly throughout the department. 7. Be consistent with OMB policies and procedures. According to DOD, this version is intended to provide a blueprint to help ensure near-term delivery of needed capabilities, resources, and materiel to the warfighter. To do so, this version focused on six Business Enterprise Priorities (see table 1), which DOD states are short-term objectives to achieve immediate results. According to the department, these priorities will evolve and expand in future versions of the architecture. Table 1: Business Enterprise Priorities: Business Enterprise Priority: Personnel Visibility; Description: Providing access to reliable, timely, and accurate personnel information for warfighter mission planning. Business Enterprise Priority: Acquisition Visibility; Description: Providing transparency and access to acquisition information that is critical to supporting life-cycle management of the department's processes for delivering weapon systems and automated information systems. Business Enterprise Priority: Common Supplier Engagement; Description: Aligning and integrating policies, processes, data, technology, and people to simplify and standardize the methods that DOD uses to interact with commercial and government suppliers. Business Enterprise Priority: Materiel Visibility; Description: Improving supply chain performance. Business Enterprise Priority: Real Property Accountability; Description: Acquiring access to real-time information on DOD real property assets. Business Enterprise Priority: Financial Visibility; Description: Providing immediate access to accurate and reliable financial information that will enhance efficient and effective decision making. Source: DOD. [End of table] In addition to focusing version 3.0 on these priorities, according to DOD, the department also limited the extent to which the architecture was to address each priority, focusing on four questions: * Who are our people, what are their skills, and where are they located? * Who are our industry partners, and what is the state of our relationship with them? * What assets are we providing to support the warfighter, and where are these assets deployed? * How are we investing our funds to best enable the warfighting mission? To produce a version of the architecture within the above scope, DOD created 12 of the 23 recommended products included in the DOD Architecture Framework--the structural guide that the department has established for developing an architecture.[Footnote 16] These 12 products included all 7 products that the framework designates as essential.[Footnote 17] For example, one essential product is the Operational Node Connectivity Description, which is a graphic showing "operational nodes" (organizations) and including a depiction of each node's information exchange needs. Our preliminary work suggests that Version 3.0 of DOD's business enterprise architecture may partially satisfy the major conditions specified in the act. For example, Version 3.0 could enable DOD's compliance with many but not all federal accounting, financial management, and reporting requirements. To this end, the architecture includes the Standard Financial Information Structure (SFIS) and the Standard Accounting Classification Structure (SACS), which together could allow DOD to standardize financial data elements necessary to support budgeting, accounting, cost/performance management, and external reporting. Both SFIS and SACS are based upon mandated requirements defined by external regulatory entities, such as the Treasury, OMB, the Federal Accounting Standards Advisory Board, and the Joint Financial Management Improvement Program.[Footnote 18] Moreover, SFIS has in turn been used to develop and incorporate business rules in the architecture for such areas as managerial cost accounting, general ledger, and federally owned property. Business rules are important because they explicitly translate important business policies and procedures into specific and unambiguous rules that govern what can and cannot be done. However, it is not apparent that the architecture provides for compliance with all federal accounting, financial, and reporting requirements. For example, it may not contain the information needed to achieve compliance with the Treasury's United States Standard General Ledger[Footnote 19] or a strategy for achieving this compliance. As another example, Version 3.0 may partially enable DOD to produce timely, accurate, and reliable financial information for management purposes. Specifically, according to the architecture, financial information is to be produced through (1) SFIS, which can support data accuracy, reliability, and integrity requirements for budgeting, financial accounting, cost and performance management, and external reporting across DOD, and (2) a "Manage Business Enterprise Reporting" system function, which is intended to support the reporting of financial management and program performance information, including agency financial statements. However, timely, accurate and reliable information depends, in part, on using standard definitions of key terms, which the architecture does not appear to include in all cases. For example, in Version 3.0 of the architecture, terms such as "balance forwarded" and "receipt balances" were not defined in the integrated dictionary although these terms were used in process descriptions. In the absence of standardized definitions, components (military services, defense agencies, and field activities) may use terms and definitions that are locally meaningful but which cannot be reliably and accurately aggregated to permit DOD- wide visibility, which is critical to achieving DOD's stated business enterprise priorities. This inability to aggregate has historically required DOD to create information for management purposes using inefficient methods, such as data calls and data conversions, that have limited the information's reliability and timeliness. Our preliminary work also suggests that Version 3.0 may partially satisfy the act's requirement that it be consistent with OMB policies and procedures. For example, Version 3.0 appears to include information flows and relationships, as required by OMB guidance. OMB guidance also requires the architecture to describe the "As Is" and "To Be" environments and a transition plan; however, Version 3.0 does not include an "As Is" environment. Without this element, DOD would not be able to develop a gap analysis identifying performance shortfalls, which as discussed in the next section, is a critical input to a comprehensive transition plan. In addition, OMB guidance requires that the architecture include, among other things, a description of the technology infrastructure; such a description is not apparent in Version 3.0, in that it does not identify such needed technology components as wide-area networks, databases, and telecommunications. Similarly, Version 3.0 does not appear to include a security architecture, although OMB guidance requires agencies to incorporate security into the architecture of their information and systems to ensure the security of agency business operations. Version 3.0 may also contain other limitations. For example, it may not yet be fully integrated with the enterprise transition plan. In particular, we are currently attempting to determine why 21 systems identified in the architecture are not included in the "Master List of Systems and Initiatives" in the transition plan (the master list serves as the baseline of currently planned--"To Be"--systems that begin to address the transformational objectives of the program). In addition, DOD has itself disclosed certain limitations. For example, it reported that the architecture is not adequately linked to the component[Footnote 20] architectures and transition plans. This omission is particularly important given the department's newly adopted federated approach to developing and implementing the architecture. In addition, according to DOD, the architecture must be improved to better designate enterprise data sources, business services, and IT infrastructure services, such as enterprise data storage. This is important because each of these greatly affects the scope and design of specific systems. According to DOD officials, the department is taking an incremental approach to developing the architecture and meeting the act's requirements. Accordingly, they said that Version 3.0 was appropriately scoped to provide for that content which could be produced in the time available to both lay the foundation for fully meeting the act's requirements and provide a blueprint for delivering near-term capabilities and systems to meet near-term business enterprise priorities. Based on these considerations, they asserted that Version 3.0 fully satisfies the intent of the act. We support DOD's taking an incremental approach to developing the business enterprise architecture, as we recognize that adopting such an approach is both a best practice and a prior GAO recommendation. In addition, our preliminary work suggests that Version 3.0 may provide a foundation upon which to build a more complete architecture. Nevertheless, the real question that remains is whether this version contains sufficient scope, detail, integration, and consistency to serve as a sufficient frame of reference for defining a common vision and transition plan to guide and constrain system investments. Enterprise Transition Plan: The act requires that DOD develop, by September 30, 2005, a transition plan for implementing its business enterprise architecture. According to the act, this plan must meet three conditions: 8. Include an acquisition strategy for new systems that are expected to be needed to complete the defense business enterprise architecture. 9. Include listings of the legacy systems that will and will not be part of the target business systems environment, and a strategy for making modifications to those systems that will be included. 10. Include specific time-phased milestones, performance metrics, and a statement of the financial and nonfinancial resource needs. On September 28, 2005, the Acting Deputy Secretary of Defense approved the transition plan. Our preliminary work on this plan suggests that it may partially satisfy each condition. For example, the plan appears to include elements of an acquisition strategy for new systems and describe a high-level approach for modernizing the department's business operations and systems. Further, it includes detailed information on about 60 business systems (ongoing programs) that are to be part of the "To Be" architectural environment, as well as an acquisition strategy for each system. However, the plan does not appear to be based on a top-down capability gap analysis between the "As Is" and "To Be" architectures that describes capability and performance shortfalls and clearly identifies which system investments (such as the 60 identified programs) are to address these shortfalls. This is important because a transition plan is to be an acquisition strategy that recognizes timing and technological dependencies among planned systems investments, as well as such other considerations as market trends and return on investment. Similarly, our preliminary work suggests that the plan identifies some of the legacy systems that are to be replaced by ongoing programs (for example, it identifies the Defense Cash Accountability System as a target system and lists several legacy systems that it would replace), and it provides a list of legacy systems that will be modified to provide capabilities associated with the target architecture environment. However, the plan's listings of legacy systems that will and will not be part of the target architecture do not appear to be complete. For example, the plan identified 145 legacy systems that would be migrating to one target system (the Expeditionary Combat Support System), but other DOD documentation[Footnote 21] shows that this target system includes over 659 legacy systems, suggesting that 514 systems may not be accounted for. Finally, the plan appears to include some of the required information on milestones, performance metrics, and resource needs. The plan includes key milestone dates for the 60 systems/programs identified (such as the Defense Travel System), but it does not show specific dates for terminating or migrating many legacy systems (such as the Cash Reconciliation System), and it does not include milestone dates for some ongoing programs (such as the Navy Tactical Command Support System). Similarly, although the plan includes performance metrics for some systems,[Footnote 22] it does not include for each system measures and metrics, focused on benefits or mission outcomes that can be linked to the plan's strategic goals. In addition, according to program officials, the resource needs in the transition plan for some programs are not current, as these needs are reflective of the fiscal year 2006 budget, which was developed before a recent reevaluation of how these programs will fit into the "To Be" environment. Our preliminary work also suggests that in addition to the limitations just described, the plan may be missing relevant context and be inconsistent with the architecture in various ways. For example, it identifies 60 systems as target systems (for example, the Defense Cash Accountability System), but the "To Be" architecture appears to include only 23 of these. In addition, the plan includes a list of 66 systems that are characterized as nonpriority enterprise or component programs that will be part of the target architecture, but the target architecture does not appear to identify all these systems. According to DOD officials, the transition plan is evolving, and any limitations will be addressed in future iterations of the plan. They also stated that the department has taken an incremental approach to developing a transition plan, and that the plan, as constrained by the scope of Version 3.0 of the architecture, satisfies the intent of the act's requirements. As with the architecture, we support an incremental development approach. Moreover, this plan represents DOD's first ever enterprise transition plan, and thus constitutes progress. However, questions remain as to whether it is of sufficient scope and content to effectively and efficiently manage the disposition of the department's existing inventory of systems or to sequence the introduction of modernized business operations and supporting systems. Fiscal Year 2006 IT Budget Submission: The fiscal year 2005 defense authorization act specifies information that the department is to incorporate in its IT budget request for fiscal year 2006 and each fiscal year thereafter. Generally, the act states that each budget request for business systems must: 11. Identify each defense business system for which funding is being requested. 12. Provide information on all funds, by appropriation, for each business system, including funds by appropriation specifically for current services (Operation and Maintenance) and systems modernization (Procurement; Research, Development, Test and Evaluation; and Defense Working Capital Fund). 13. Identify the designated approval authority for each business system. On the basis of our preliminary work, it appears that DOD's fiscal year 2006 IT budget submission may partially satisfy these conditions. For example, although the fiscal year 2006 budget may not identify each business system for which funding is requested, DOD is taking steps to ensure that subsequent fiscal year budget requests are more comprehensive. This situation arose because DOD's fiscal year 2006 budget submission was submitted in February 2005, when the department did not yet have a single inventory of all of its business systems. As a result, DOD officials could not guarantee that all business systems were included in the submission. Currently, the department is updating its single database for its inventory of business systems, as we had recommended,[Footnote 23] which is scheduled to be completed by September 30, 2006. Finally, DOD officials stated that the fiscal year 2007 IT budget submission will be derived from a separate DOD authoritative IT budget database. There may be additional areas of uncertainty regarding the completeness of DOD's IT budget submission. One source of uncertainty is inconsistencies in the way that DOD classifies systems: as business systems or as national security systems.[Footnote 24] For example, as we previously reported,[Footnote 25] DOD reclassified 56 systems in its fiscal year 2005 budget request from business systems to national security systems, resulting in a decrease of approximately $6 billion in the fiscal year 2005 budget request for business systems and related infrastructure. Similarly, in the fiscal year 2006 submission, 13 systems previously classified as business systems were reclassified as national security systems, and 10 systems previously classified as national security systems were reclassified as business systems. We understand that DOD is currently reviewing its reclassifications. Our preliminary work also indicates that DOD may not have ensured that budget requests for all business systems identify the type of funding- -by appropriation--being requested and whether the funding was for current services or modernization. In the fiscal year 2006 budget submission, systems identified are categorized by the type of funding (appropriation) being requested and whether the funding is for current services or modernization; however, not all systems may be identifiable. In particular, it is not clear what is covered by one funding type or category referred to as "All Other." For fiscal year 2006, this category totaled about $1.2 billion and included, for example, about $22.6 million specifically for financial management. According to DOD officials,[Footnote 26] this category in the IT budget includes system projects that do not have to be identified by name because they fall below the $2 million reporting threshold for budgetary purposes. Finally, our preliminary work indicates that DOD's fiscal year 2006 IT budget submission identifies the designated approval authority for most systems, but not all. In particular, the approval authorities for 57 systems in the submission were not apparent. For example, the Navy's C2 On-the-Move Network Digital Over-the-Horizon Relay system and the Defense Commissary Agency's Enterprise Business System have a designated approval authority of "Other." Full compliance with the act's conditions relative to budgetary disclosure is an important enabler of informed budgetary decision making and oversight. Without such disclosure, whether incorrect system classification, or mere oversights, the department's efforts to improve its control and accountability over its business systems investments are hindered, and the department and the Congress are constrained in their ability to effectively monitor and oversee the billions of dollars spent annually to maintain, operate, and modernize DOD's business systems. Investment Review and Approval Requirements: The fiscal year 2005 defense authorization act specifies actions that the department is to take regarding the review and approval of investments in business systems. Generally, the act sets up three requirements for the department: * Delegate the authority and accountability for defense business systems to designated approval authorities within the Office of the Secretary of Defense. * By March 15, 2005, require each approval authority to establish an investment review process to review the planning, design, acquisition, development, deployment, operation, maintenance, modernization, and project cost benefits and risks of all defense business systems for which the approval authority is responsible. * Effective October 1, 2005, obligate funds for a defense business system modernization project with total cost exceeding $1 million after the approval authority designated for that system certifies to the Defense Business Systems Management Committee (DBMSC) that the system project meets specific conditions that are called for in the act, and the certification by the approval authority is approved by the DBSMC. On the basis of our preliminary work, it appears that DOD has satisfied some aspects of these conditions, and is potentially in the process of satisfying other aspects. First, on March 19, 2005, the Acting Deputy Secretary of Defense issued a memorandum that delegated the authority for the review, approval, and oversight of planning, design, acquisition, deployment, operation, maintenance, and modernization of the department's business systems. Designation of these approval authorities is consistent with the act. Further, our research and evaluations, as reflected in the guidance that we have issued, shows that clear assignment of senior executive investment management responsibilities and accountabilities are key aspects of having an effective institutional approach to IT investment management. Second, DOD has established investment review structures and processes, including a hierarchy of investment review boards with representation from across the department, as well as a standard set of investment review and decision-making criteria for these boards to use to ensure compliance and consistency with the business enterprise architecture. Further, the DBSMC was chartered in February 2005 as the highest ranking system modernization governance body, as required by the act.[Footnote 27] Further, DOD has designated the chair and membership of the boards consistent with the act, and all but one of designated approval authorities have established investment review boards for their areas of responsibility, which the act requires each to do. The one approval authority that does not appear to have established a review process is the Assistant Secretary of Defense (Networks and Information Integration)/Chief Information Officer. To support its investment review structures, DOD has also established investment review processes that include, among other things, the use of business enterprise architecture compliance procedures, common decision criteria, threshold criteria to ensure appropriate levels of review and accountability. Notwithstanding these investment review structures and processes, it remains uncertain to what extent DOD components have established similar investment review bodies and will adopt common investment review and decision-making processes. DOD components are expected to establish their own structures and processes. Under the department's concept of "tiered accountability," significant responsibility and accountability for business system investments is to reside with the military services and defense agencies. The extent to which the components establish and consistently implement common investment management structures and processes is important, because doing so is a best practice. Without such structures and processes, investment decisions could potentially perpetuate the existence of overly complex, error-prone, nonintegrated system environments and limit introduction of corporate solutions to long- standing business problems. Finally, our preliminary work indicates that the department is in the process of ensuring that defense business system modernizations[Footnote 28] costing greater than $1 million are certified and approved in accordance with the act. Specifically, the department has identified 210 systems with costs greater than $1 million, thus requiring certification and approval. Of these 210, DOD reports that 166 were certified and approved in accordance with the act before September 30, 2005. This means that 44 were not, and according to the act, the department cannot make further obligations for any of these other than with funding left over from previous fiscal years, until they are certified and approved. One potential issue with regard to the department's system certification and approval efforts to date is whether it has identified all business system modernizations with costs greater than $1 million. Doing this requires, among other things, proper classification of systems as national security systems or as business systems. If a business system is improperly classified, it may not be reviewed, certified, and approved in accordance with the act. As stated earlier, questions persist regarding whether the department has properly classified all business systems as such. Another potential issue is whether DOD has followed the act's criteria for DBSMC review and approval in all of the aforementioned 166 systems. Specifically, it appears that the DBSMC approved the certification of at least six business systems in August 2005 that had been previously reviewed in accordance with earlier criteria;[Footnote 29] however, the current criteria under the act do not provide for the DBSMC to approve a certification based upon such previous certification. According to DOD officials, these six systems will go through the current review process no later than February 2006. In addition to these six, DOD officials told us that several other systems investments, which were certified and approved on the grounds that they were mission essential,[Footnote 30] will also be resubmitted for DBSMC approval. DOD's Business Transformation Agency Could Help Strengthen Systems Modernization Management and Oversight if it is Effectively Implemented: On October 7, 2005, DOD established the Business Transformation Agency (BTA) to advance defense-wide business transformation efforts in general but particularly with regard to business systems modernization. BTA reports directly to the vice chair of the DBMSC.[Footnote 31] Among other things, BTA includes an acquisition executive who is to be responsible for 28 DOD-wide business projects, programs, systems, and initiatives. In addition, the BTA is to be responsible for integrating and supporting the work of the Office of the Secretary of Defense (OSD) principal staff assistants, who include the approval authorities that chair the business system investment review boards. In our view, BTA offers potential benefits relative to the department's business systems modernization efforts, if the agency can be properly organized, resourced, and empowered to effectively execute its roles and responsibilities, and if it is held accountable for doing so. In this regard, the agency faces a number of challenges as described below. According to DOD, this agency is expected to have a functioning acquisition organization by November 21, 2005. While such a timeline is daunting in and of itself, it is particularly challenging given that DOD is estimating up to 12 months to establish a permanent director. Moreover, there are numerous key acquisition functions that would need to established and made operational to effectively assume 28 DOD-wide projects, programs, systems, and initiatives, and our experience across the government shows that these functions can take considerable time to establish. Among other things, the agency is to be responsible for ensuring consistency and continuity across the department's core business missions with respect to, for example, business process re-engineering and related business system matters. While the agency should be able to accomplish this relative to the DOD-wide efforts that it can control, it does not appear to have the requisite authority to carry out this responsibility relative to DOD component system investments, which it does not have investment control over. At best, the agency will be able to support the DBMSC in its efforts to ensure such consistency and continuity. As currently structured, the agency does not include support to an OSD principal staff assistant and approval authority--the Assistant Secretary of Defense for Networks Integration and Infrastructure, who is responsible for DOD information technology infrastructure, such as wide-area networks, local-area networks, telecommunications, and security services. In addition, the agency's relationship to the Defense Information Systems Agency, which is also responsible for certain DOD-wide system capabilities and services, is not specified. As the department moves forward with implementing this new agency, it will important for it to address these issues. Effective DOD Business Transformation Will Require Broader Focus than Recently Launched Business Systems Modernization Management Structures and Activities: For DOD to successfully transform its overall business operations, it will need senior level management accountability, a comprehensive and integrated business transformation plan that covers all of its key business functions; people with needed skills, knowledge, experience, responsibility, and authority to implement the plan; an effective process and related tools; and results-oriented performance measures that link institutional, unit, and individual performance goals and expectations to promote accountability for results. Over the last 3 years, GAO has made several recommendations that if implemented successfully could help DOD move forward in establishing the means to successfully address the challenges it faces in transforming its business operations. For example, as the Comptroller General testified before this subcommittee earlier this year, DOD needs a full-time CMO position, created through legislation, with responsibility and authority for DOD's overall business transformation efforts.[Footnote 32] The CMO must be a person with significant authority and experience who would report directly to the Secretary of Defense. Given the nature and complexity of the overall business transformation effort, and the need for sustained attention over a significant period of time, this position should be a term appointment and the person should be subject to a performance contract. The Secretary of Defense, Acting Deputy Secretary of Defense, and other senior leaders have clearly shown commitment to business transformation and addressing deficiencies in the Department's business operations. As I discussed earlier, DOD has taken several actions, including setting up the DBSMC, publishing a business enterprise transition plan and most recently, establishing the Business Transformation Agency. Moreover, DOD is examining various aspects of its business operations as part of the ongoing Quadrennial Defense Review. While these management structures and plan are positive steps, their primary focus, at this point, appears to be on business systems modernization. Clearly, maintaining effective and modern business systems is a key enabler to transformation. However, business transformation is much broader and encompasses not only the supporting systems, but also the planning, management, organizational structures, and processes related to all DOD's major business areas. Such areas include support infrastructure management, human capital management, financial management, weapon systems acquisition, contract management, planning and budgeting, and supply chain management. Recognizing that DOD is continuing to evolve its efforts to plan and organize itself to achieve business transformation, critical to the success of these efforts will be management attention and structures that focus on transformation from a broad perspective and a clear strategic and integrated plan that, at a summary level, addresses all of the department's major business areas. This strategic plan should contain results-oriented performance measures that link institutional, unit, and individual goals, measures and expectations, and would be instrumental in establishing investment priorities and guiding the department's resource decisions. Finally, the lynchpin to ensure successful business transformation is the presence of strong and sustained executive leadership with appropriate responsibility, authority, and accountability. The central authority we had envisioned to allow for strong and sustained executive leadership over DOD's business management reform efforts is a full- time, executive-level II position for a CMO, who would serve as the Deputy Secretary of Defense for Management. This position would divide and institutionalize the functions of the Deputy Secretary of Defense by creating a separate Deputy Secretary of Defense for Management. As we envision it, the CMO would feature a term of office that spans administrations, which would serve to underscore the importance of taking a professional, nonpartisan, institutional, and sustainable approach to the overall business transformation effort. As I understand it, DOD's position is that the Acting Deputy Secretary of Defense, who also serves as the chair of the DBSMC, has the requisite position, authority, and purview to perform the functions of a CMO. Under the Acting Deputy's leadership, DOD expects to be able to demonstrate progress towards achieving business reform. Comptroller General Walker continues to believe a CMO is necessary to provide the sustained leadership needed to achieve true business transformation. In light of DOD's position, we would encourage the Subcommittee to require DOD to periodically report on its efforts, including describing the specific goals and measures against which it is measuring its progress in achieving business reform. In closing, the department as made important progress in the last 6 months in establishing the kind of business systems modernization management capabilities that our research and evaluations show are essential to a successful modernization program--namely, an architecture, a transition plan, and system investment decision-making structures and processes. But more needs to be done to complete each of these areas, and most importantly, to ensure that they are reflected in how each and every business system investment is managed. While the new business transformation agency can help get this done, much remains to be accomplished before this agency is functioning as intended. Beyond systems modernization, overall business transformation remains a major challenge. The creation of a CMO position, and the development of a strategic transformation plan to integrate and guide the department's people, process, and technology change initiatives, would go a long way in helping the department meet this challenge. Mr. Chairman and Members of the Subcommittee, this concludes my prepared statement. I would be happy to answer any questions you may have at this time. FOOTNOTES  GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C. January 2005).  S.780, 109TH Cong., 1st Sess. introduced in the U.S. Senate on April 15, 2005, would create a statutory Chief Management Officer.  The E-Government Act of 2002, Pub. L. No. 107-347, § 101(a), 116 Stat. 2899, 2903-05, (Dec. 17, 2002), Sec 44 U.S.C. § 3602 (e), (f).  See, for example, GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C. Aug. 6, 2004); DOD Business Systems Modernization: Limited Progress in Development of Business Enterprise Architecture and Oversight of Information Technology Investments, GAO-04-731R (Washington, D.C. May 17, 2004); and Information Technology: Architecture Needed to Guide NASA's Financial Management Modernization, GAO-04-43 (Washington, D.C. Nov. 21, 2003).  The Clinger-Cohen Act of 1996, 40 U.S.C. sections 11101-11704. This act expanded the responsibilities of OMB and the agencies that had been set under the Paperwork Reduction Act, which requires that agencies engage in capital planning and performance and results-based management. 44 U.S.C. § 3504(a)(1)(B)(vi) (OMB); 44 U.S.C. § 3506(h)(5) (agencies)  We have made recommendations to improve OMB's process for monitoring high-risk IT investments; see GAO, Information Technology: OMB Can Make More Effective Use of Its Investment Reviews, GAO-05-276 (Washington, D.C. Apr. 15, 2005).  This policy is set forth and guidance is provided in OMB Circular No. A-11 (section 300) and in OMB's Capital Programming Guide, which directs agencies to develop, implement, and use a capital programming process to build their capital asset portfolios.  GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (Washington, D.C. March 2004).  GAO, Information Technology: Architecture Needed to Guide Modernization of DOD's Financial Operations, GAO-01-525 (Washington, D.C. May 17, 2001);DOD Business Systems Modernization: Improvements to Enterprise Architecture Development and Implementation Efforts Needed, GAO-03-458 (Washington, D.C. Feb. 28, 2003); Information Technology: Observations on Department of Defense's Draft Enterprise Architecture, GAO-03-571R (Washington, D.C. Mar. 28, 2003); Business Systems Modernization: Summary of GAO's Assessment of the Department of Defense's Initial Business Enterprise Architecture, GAO-03-877R (Washington, D.C. July 7, 2003); DOD Business Systems Modernization: Important Progress Made to Develop Business Enterprise Architecture, but Much Work Remains, GAO-03-1018 (Washington, D.C. Sept. 19, 2003); DOD Business Systems Modernization: Limited Progress in Development of Business Enterprise Architecture and Oversight of Information Technology Investments, GAO-04-731R (Washington, D.C. May 17, 2004).  GAO, DOD Business Systems Modernization: Billions Being Invested without Adequate Oversight, GAO-05-381 (Washington, D.C. Apr. 29, 2005); DOD Business Systems Modernization: Long-standing Weaknesses in Enterprise Architecture Development Need to Be Addressed, GAO-05-702 (Washington, D.C. July 22, 2005).  Bob Stump National Defense Authorization Act for Fiscal Year 2003, Pub. L. No. 107-314, § 1004, 116 Stat. 2458, 2629-2631 (Dec. 2, 2002).  See GAO, Defense Management: Key Elements Needed to Successfully Transform DOD Business Operations, GAO-05-629T (Washington, D.C. Apr. 28, 2005).  Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005, Pub. L. No. 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct. 28, 2004) (codified in part at 10 U.S.C. § 2222).  Approval authorities include the Under Secretary of Defense for Acquisition, Technology, and Logistics; the Under Secretary of Defense (Comptroller); the Under Secretary of Defense for Personnel and Readiness; and the Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer of the Department of Defense. These approval authorities are responsible for the review, approval, and oversight of business systems and must establish investment review processes for systems under their cognizance.  Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005, Pub. L. No. 108-375, § 332, 118 Stat. 1811, 1851-1856 (Oct. 28, 2004) (codified in part at 10 U.S.C. § 2222).  The Department of Defense Architecture Framework recommends that the architecture include 23 of the 26 possible architecture products to meet the department's stated intention to use the architecture as the basis for departmentwide business and systems modernization.  DOD, Department of Defense Architecture Framework, Version 1.0, Volume 1 (August 2003) and Volume 2 (February 2004).  JFMIP was a joint and cooperative undertaking of the Department of the Treasury, GAO, the Office of Management and Budget (OMB), and the Office of Personnel Management (OPM), working in cooperation with each other and other federal agencies to improve financial management practices in the federal government. Leadership and program guidance were provided by the four Principals of JFMIP--the Secretary of the Treasury, the Comptroller General of the United States, and the Directors of OMB and OPM. Although JFMIP ceased to exist as a stand- alone organization as of December 1, 2004, the JFMIP Principals will continue to meet at their discretion.  The United States Standard General Ledger provides a uniform Chart of Accounts and technical guidance to be used in standardizing federal agency accounting.  DOD components include the military services, defense agencies, and field activities.  DOD, Expeditionary Combat Support System Sources Sought Synopsis (May 10, 2004).  For example, for DOD's military personnel and pay system, the Defense Integrated Military Human Resources System (DIMHRS), the plan cites a goal of reducing manual workarounds for military pay by 9 percent.  GAO, DOD Business Systems Modernization: Billions Continue to Be Invested with Inadequate Management Oversight and Accountability, GAO- 04-615 (Washington, D.C. May 27, 2004).  National security systems are intelligence systems, cryptologic activities related to national security, military command and control systems, and equipment that is an integral part of a weapon or weapons system or is critical to the direct fulfillment of military or intelligence missions.  GAO-05-381.  GAO-04-615.  See 10 U.S.C. § 186.  The term 'defense business system modernization' is defined in 10 U.S.C. § 2222(j) (3) as "(A) the acquisition or development of a new defense business system; or (B) any significant modification or enhancement of an existing defense business system (other than necessary to maintain current services)."  The six systems were reviewed under the criteria set forth in the fiscal year 2003 defense authorization act.  See 10 U.S.C. § 2222 (a)(1)(C).  The vice chair of the DBSMC is the Under Secretary of Defense for Acquisition, Technology and Logistics.  S.780, 109TH Cong., 1st Sess. introduced in the U.S. Senate on April 15, 2005, would create a statutory Chief Management Officer.