This is the accessible text file for GAO report number GAO-03-959 
entitled 'Information Technology: FBI Needs an Enterprise Architecture 
to Guide Its Modernization Activities' which was released on September 
25, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Requesters:

September 2003:

INFORMATION TECHNOLOGY:

FBI Needs an Enterprise Architecture to Guide Its Modernization 
Activities:

GAO-03-959:

GAO Highlights:

Highlights of GAO-03-959, a report to congressional requesters 

Why GAO Did This Study:

The Federal Bureau of Investigation (FBI) is in the process of 
modernizing its information technology (IT) systems. Replacing much of 
its 1980s-based technology with modern system applications and a 
robust technical infrastructure, this modernization is intended to 
enable the FBI to take an integrated approach—coordinated agencywide—
to performing its critical missions, such as federal crime 
investigation and terrorism prevention. GAO was requested to conduct a 
series of reviews of the FBI’s modernization management. The objective 
of this first review was to determine whether the FBI has an 
enterprise architecture to guide and constrain modernization 
investments. 

What GAO Found:

About 2 years into its ongoing systems modernization efforts, the FBI 
does not yet have an enterprise architecture. An enterprise 
architecture is an organizational blueprint that defines—in logical or 
business terms and in technology terms—how an organization operates 
today, intends to operate in the future, and intends to invest in 
technology to transition to this future state. GAO’s research has 
shown that attempting to modernize an IT environment without a well-
defined and enforceable enterprise architecture risks, among other 
things, building systems that do not effectively and efficiently 
support mission operations and performance.

The FBI acknowledges the need for an enterprise architecture and has 
committed to developing one by the fall of 2003. However, it currently 
lacks the means for effectively reaching this end. For example, while 
the bureau did recently designate a chief architect and select an 
architecture framework to use, it does not yet have an agency 
architecture policy, an architecture program management plan, or an 
architecture development methodology, all of which are necessary 
components of effective architecture management. 

Given the state of the FBI’s enterprise architecture management 
efforts, the bureau is at Stage 1 of GAO’s enterprise architecture 
management maturity framework (see table). Organizations at Stage 1 
are characterized by architecture efforts that are ad hoc and 
unstructured, lack institutional leadership and direction, and do not 
provide the management foundation necessary for successful 
architecture development and use as a tool for informed IT investment 
decision making. A key for an organization to advance beyond this 
stage is to treat architecture development, maintenance, and 
implementation as an institutional management priority, which the FBI 
has yet to do. To do less will expose the bureau’s ongoing and planned 
modernization efforts to unnecessary risk. 

What GAO Recommends:

GAO recommends that the FBI Director designate the development of a 
complete enterprise architecture as a bureauwide priority and take the 
necessary steps to manage this development accordingly, including 
ensuring key enterprise architecture management practices specified in 
GAO’s maturity framework are implemented.

We provided a draft of this report to the FBI on August 22, 2003, for 
its review and comment, but no comments were received in time for 
issuance of this final report.

[End of section]

Contents:

Letter: 

Results in Brief: 

Background: 

FBI Does Not Have an EA or the Management Foundation Needed to 
Effectively Develop, Maintain, and Implement One: 

Conclusions: 

Recommendations: 

Agency Comments: 

Appendixes:

Appendix I: Scope and Methodology: 

Appendix II: Assessment of FBI's Enterprise Architecture (EA) Efforts 
against GAO's EA Management Maturity Framework: 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Acknowledgments: 

Tables:

Table 1: FBI Organizational Components and Mission Responsibilities: 

Table 2: Summary of GAO EA Management Framework Maturity Stages and 
Core Elements: 

Abbreviations: 

CIO: chief information officer :

DNA: deoxyribonucleic acid:

EA: enterprise architecture:

FBI: Federal Bureau of Investigation:

GAO: General Accounting Office:

IT: information technology:

:

Letter September 25, 2003:

The Honorable Porter J. Goss 
Chairman, 
Permanent Select Committee on Intelligence 
House of Representatives:

The Honorable Nancy Pelosi 
House of Representatives:

The Honorable Bob Graham 
United States Senate:

The Honorable Richard C. Shelby 
United States Senate:

The Federal Bureau of Investigation (FBI) is in the process of 
modernizing its information technology (IT) systems. Its goal is to 
replace much of its 1980s-based IT environment to better support its 
plans for an agencywide approach to performing critical mission 
operations, including terrorism prevention and federal crime 
investigation. As you requested, we are conducting a series of reviews 
of the FBI's management of its modernization activities. The objective 
of this first review was to determine whether the FBI has a 
modernization blueprint, commonly called an enterprise 
architecture,[Footnote 1] to guide and constrain its modernization 
efforts. Our research has shown that attempting to modernize an IT 
environment without a well-defined and enforceable enterprise 
architecture risks, among other things, building systems that do not 
effectively and efficiently support mission operations and performance. 
Details of our scope and methodology are in appendix I.

Results in Brief:

The FBI does not have an enterprise architecture, although it began 
efforts to develop one about 32 months ago and has invested hundreds of 
millions of dollars in new systems over the last 2 years. Moreover, it 
does not yet have the means in place to effectively develop, maintain, 
and implement an enterprise architecture. That is, it does not have 
most of the architecture management structures and processes advocated 
by federal guidance and best practices. For instance, the bureau does 
not have such architecture management controls as an agency 
architecture policy, an architecture program management plan, an 
architecture development methodology, and an automated architecture 
tool (a repository for architecture documentation).

Given the state of the FBI's enterprise architecture management 
efforts, the bureau has yet to advance beyond Stage 1, the beginning 
stage, of our best practices-based, five-stage enterprise architecture 
management maturity framework.[Footnote 2] Organizations at Stage 1 are 
characterized by architecture efforts that are ad hoc and unstructured, 
lack institutional leadership and direction, and do not provide the 
management foundation necessary for successful architecture 
development and use for informed IT investment decision making. Key for 
an organization to advance beyond this stage is to first treat 
architecture development, maintenance, and implementation as an 
institutional management priority, which the FBI has yet to do, and to 
adopt architecture management best practices. To do less will continue 
to expose the bureau's ongoing and planned modernization efforts to 
unnecessary risk. Accordingly, we are making recommendations to the 
FBI's Director to assist in improving the bureau's enterprise 
architecture efforts. We provided a draft of this report to the FBI on 
August 22, 2003, for its review and comment, but no comments were 
received in time for issuance of this final report.

Background:

The FBI was founded in 1908 to serve as the primary investigative 
bureau of the Department of Justice. Its mission includes upholding the 
law by investigating serious federal crimes; protecting the nation from 
foreign intelligence and terrorist threats; providing leadership and 
assistance to federal, state, local, and international law enforcement 
agencies; and being responsive to the public in the performance of 
these duties. Approximately 11,000 special agents and 16,000 
professional support personnel are located at the bureau's Washington, 
D.C., headquarters and at more than 400 offices throughout the United 
States and 44 offices in foreign countries.

Mission responsibilities at the bureau are divided among five major 
organizational components: Criminal Investigations, Law Enforcement 
Services, Counterterrorism and Counterintelligence, Intelligence, and 
Administration. Criminal Investigations, for example, investigates 
serious federal crimes, including those associated with organized 
crime, violent offenses, white-collar crime, government and business 
corruption, and civil rights infractions. It also probes federal 
statutory violations involving exploitation of the Internet and 
computer systems for criminal, foreign intelligence, and terrorism 
purposes. (The major components and their associated mission 
responsibilities are shown in table 1.) Each component is headed by an 
Executive Assistant Director who reports to the Deputy Director, who in 
turn reports to the Director.

To execute its mission responsibilities, the FBI relies on the use of 
IT. For example, it develops and maintains computerized IT systems such 
as the Combined DNA[Footnote 3] Index System to support forensic 
examinations, the Digital Collection System to electronically collect 
information on known and suspected terrorists and criminals, and the 
National Crime Information Center and the Integrated Automated 
Fingerprint Identification System to help state and local law 
enforcement agencies identify criminals. According to FBI estimates, 
the bureau manages hundreds of systems, networks, databases, 
applications, and associated tools such as these at an average annual 
cost of about $800 million.

Table 1: FBI Organizational Components and Mission Responsibilities:

Component: Criminal Investigations; Mission responsibilities: 
Investigates serious federal crimes, including those associated with 
organized crime, violent offenses, white-collar crime, government and 
business corruption, and civil rights infractions.

Mission responsibilities: Probes federal statutory violations 
involving exploitation of the Internet and computer systems for 
criminal, foreign intelligence, and terrorism purposes.

Component: Law Enforcement Services; Mission responsibilities: 
Responds to and manages crisis incidents such as terrorist activities, 
child abductions, and other repetitive violent crimes.

Mission responsibilities: Provides information services on fingerprint 
identification, stolen automobiles, criminals, crime statistics, and 
other information to state, local, and international law enforcement.

Mission responsibilities: Performs forensic examinations in support of 
criminal investigations and prosecutions, including crime scene 
searches, DNA testing, photographic surveillance, expert court 
testimony, and other technical services.

Mission responsibilities: Trains FBI agents and support personnel as 
well as state, local, international, and other federal law enforcement 
in crime investigation, law enforcement, and forensic investigative 
techniques.

Component: Counterterrorism and Counterintelligence; Mission 
responsibilities: Identifies and neutralizes ongoing national security 
threats, including conducting foreign counterintelligence 
investigations, coordinates investigations within the U.S. 
intelligence community, and investigates violations of federal 
espionage statutes.

Mission responsibilities: Assesses threats or attacks against critical 
U.S. infrastructure, issues warnings, and investigates and develops 
national responses to threats and attacks.

Component: Intelligence; Mission responsibilities: Collects and 
analyzes information on evolving threats to the United States and 
ensures its dissemination within the FBI, to state and local law 
enforcement, and to the U.S. intelligence community.

Component: Administration; Mission responsibilities: Develops and 
administers the bureau's personnel programs and services, including 
recruiting, conducting background investigations, and other 
administrative activities.

Mission responsibilities: Administers the bureau's budget and fiscal 
matters, including financial planning, payroll services, property 
management, and procurement activities.

Mission responsibilities: Manages and plans for the bureau's use of 
information resources.

Mission responsibilities: Investigates allegations of criminal conduct 
and serious misconduct by FBI employees.

Mission responsibilities: Manages policies, processes, and systems used 
by the bureau to control its extensive investigative and other records.

Mission responsibilities: Ensures a safe and secure FBI work 
environment, including preventing the compromise of national security 
and FBI information.

Source: GAO based on FBI data.

[End of table]

FBI's Existing IT Environment Has Long Suffered from Known 
Deficiencies:

Several prior reviews of the FBI's existing IT environment have 
revealed that it is antiquated and not integrated. Specifically, the 
Department of Justice Inspector General reported[Footnote 4] that as of 
September 2000, the FBI had over 13,000 desktop computers that were 4 
to 8 years old and could not run basic software packages. Moreover, it 
reported that some communications networks were 12 years old and 
obsolete, and that many end-user applications existed that were neither 
Web-enabled nor user-friendly. In addition, a December 2001 review 
initiated by the Department of Justice[Footnote 5] found that FBI's IT 
environment was disparate. In particular, it identified 234 
nonintegrated ("stove-piped") applications, residing on 187 different 
servers, each of which had its own unique databases and did not share 
information with other applications or with other government agencies. 
Moreover, in June 2002, we reported[Footnote 6] that IT has been a 
long-standing problem for the bureau, involving outdated hardware, 
outdated software, and the lack of a fully functional E-mail system. We 
also reported that these deficiencies served to significantly hamper 
the FBI's ability to share important and time-sensitive information 
internally and externally with other intelligence and law enforcement 
agencies.

FBI Has Initiated a Large, Complex Systems Modernization:

Following the terrorist attacks of September 11, 2001, the FBI 
refocused its efforts to investigate the events and to detect and 
prevent possible future attacks. To do this, the bureau changed its 
priorities and accelerated modernization of its IT systems. 
Collectively, the FBI's many modernization efforts involve 51 
initiatives that the FBI reported will cost about $1.5 billion between 
fiscal years 2002 and 2004. For example, the Trilogy project, which is 
to introduce new systems infrastructure and applications, includes 
establishing an enterprisewide network to enable communications between 
hundreds of FBI locations domestically and abroad, upgrading 20,000 
desktop computers, and providing 2,400 printers and 1,200 scanners. In 
addition, a new investigative data warehousing initiative called Secure 
Counterterrorism Operational Prototype Environment is to (1) aggregate 
voluminous counterterrorism files obtained from both internal and 
external sources and (2) acquire analytical capabilities to improve the 
FBI's ability to analyze these files. Another initiative, called the 
FBI Administrative Support System, is to integrate the bureau's 
financial management and administrative systems with the Department of 
Justice's new financial management system.

Beyond the scope and size of the FBI's modernization effort is the need 
to ensure that the modernized systems effectively support information 
sharing within the bureau and among its law enforcement and 
intelligence community partners. This means that the modernized FBI 
systems will, in many cases, have to interface with existing (legacy) 
systems to obtain data to accomplish their functions, which bureau 
officials said will be challenging, given the nonstandard and disparate 
nature of the existing IT environment. Moreover, bureau staff will have 
to be trained on the new systems and business processes modified to 
accommodate their use.

An Enterprise Architecture is Essential to Effectively Managing Systems 
Modernization:

The development, maintenance, and implementation of enterprise 
architectures (EA) are recognized hallmarks of successful public and 
private organizations and as such are an IT management best practice. 
EAs are essential to effectively managing large and complex system 
modernization programs, such as the FBI's. Our experience with federal 
agencies has shown that attempting a major modernization effort without 
a well-defined and enforceable EA results in systems that are 
duplicative, are not well integrated, are unnecessarily costly to 
maintain and interface, and do not effectively optimize mission 
performance.[Footnote 7]

The Congress and the Office of Management and Budget have recognized 
the importance of agency EAs. The Clinger-Cohen Act, for example, 
requires that agency Chief Information Officers (CIO) develop, 
maintain, and facilitate the implementation of architectures as a means 
of integrating:

business processes and agency goals with IT.[Footnote 8] In response to 
the act, the Office of Management and Budget, in collaboration with us 
and others, has issued guidance on the development and implementation 
of these architectures.[Footnote 9] It has also issued guidance that 
requires agency investments in information systems to be consistent 
with agency architectures.[Footnote 10]

An EA is a systematically derived snapshot--in useful models, diagrams, 
and narrative--of a given entity's operations (business and systems), 
including how its operations are performed, what information and 
technology are used to perform the operations, where the operations are 
performed, who performs them, and when and why they are performed. The 
architecture describes the entity in both logical terms (e.g., 
interrelated functions, information needs and flows, work locations, 
systems, and applications) and technical terms (e.g., hardware, 
software, data, communications, and security). EAs provide these 
perspectives for both the entity's current (or "as-is") environment and 
for its target (or "to-be") environment; they also provide a high-level 
capital investment roadmap for moving from one environment to the 
other.

Among others, the Office of Management and Budget, the National 
Institute of Standards and Technology, and the federal CIO Council have 
issued frameworks that define the scope and content of 
architectures.[Footnote 11] For example, the federal CIO Council issued 
a framework, known as the Federal Enterprise Architecture Framework, in 
1999. While the various frameworks differ in their nomenclatures and 
modeling approaches, they consistently provide for defining an 
enterprise architecture's operations in both logical terms and 
technical terms and providing these perspectives both for the "as-is" 
and "to-be" environments, as well as the investment roadmap. Managed 
properly, an enterprise architecture can clarify and help optimize the 
interdependencies and relationships among a given entity's business 
operations and the underlying systems and technical infrastructure that 
support these operations.

The FBI's Lack of an EA Has Been Previously Reported:

Over the past few years, several reviews related to the FBI's 
management of its IT have focused on enterprise architecture efforts 
and needs. For example, in July 2001, the Department of Justice hired a 
consulting firm to review the FBI's IT management. Among other things, 
the consultant recommended that the bureau develop a comprehensive EA 
to help reduce the proliferation of disparate, noncommunicating 
applications.[Footnote 12]

The next year, in February 2002, we reported as part of a 
governmentwide survey of the state of EA maturity that the FBI was one 
of a number of federal agencies that were not effectively managing 
their architecture efforts, and we made recommendations to the Office 
of Management and Budget for advancing the state of architecture 
maturity across the federal government.[Footnote 13] In this report, we 
noted that while the FBI was attempting to lay the management 
foundation for developing an architecture, the bureau had not yet 
established certain basic management structures and controls, such as 
establishing a steering committee or group that had responsibility for 
directing and overseeing the development of the architecture.

Later, our June 2002 testimony[Footnote 14] recommended that the FBI 
significantly upgrade its IT management capabilities, including 
developing an architecture, in order to successfully change its mission 
and effectively transform itself. Subsequently, in December 2002, the 
Department of Justice Inspector General reported[Footnote 15] that the 
FBI needed to complete an architecture to complement its IT investment 
management processes.

GAO's EA Management Maturity Framework Provides a Tool for Measuring 
and Improving EA Management Effectiveness:

According to guidance published by the federal CIO Council,[Footnote 
16]effective architecture management consists of a number of key 
practices and conditions (e.g., establishing a governance structure, 
developing policy, defining management plans, and developing and 
issuing an architecture). In April 2003, we published a maturity 
framework that arranges these key practices and conditions (i.e., core 
elements) of the council's guide into five hierarchical stages, with 
Stage 1 representing the least mature and Stage 5 being the most 
mature.[Footnote 17] The framework provides an explicit benchmark for 
gauging the effectiveness of EA management and provides a roadmap for 
making improvements. Each of the five stages is described below.

1. Creating EA awareness. The organization does not have plans to 
develop and use an architecture, or it has plans that do not 
demonstrate an awareness of the value of having and using an 
architecture. While Stage 1 agencies may have initiated some EA 
activity, these agencies' efforts are ad hoc and unstructured, lack 
institutional leadership and direction, and do not provide the 
management foundation necessary for successful EA development.

2. Building the EA management foundation. The organization recognizes 
that the EA is a corporate asset by vesting accountability for it in an 
executive body that represents the entire enterprise. At this stage, an 
organization assigns EA management roles and responsibilities and 
establishes plans for developing EA products and for measuring program 
progress and product quality; it also commits the resources necessary 
for developing an architecture--people, processes, and tools.

3. Developing the EA. The organization focuses on developing 
architecture products according to the selected framework, methodology, 
tool, and established management plans. Roles and responsibilities 
assigned in the previous stage are in place, and resources are being 
applied to develop actual EA products. The scope of the architecture 
has been defined to encompass the entire enterprise, whether 
organization-based or function-based.

4. Completing the EA. The organization has completed its EA products, 
meaning that the products have been approved by the EA steering 
committee or an investment review board, and by the CIO. Further, an 
independent agent has assessed the quality (i.e., completeness and 
accuracy) of the EA products. Additionally, evolution of the approved 
products is governed by a written EA maintenance policy approved by the 
head of the organization.

5. Leveraging the EA to manage change. The organization has secured 
senior leadership approval of the EA products and has a written 
institutional policy stating that IT investments must comply with the 
architecture, unless granted an explicit compliance waiver. Further, 
decision makers are using the architecture to identify and address 
ongoing and proposed IT investments that are conflicting, overlapping, 
not strategically linked, or redundant. Also, the organization tracks 
and measures EA benefits or return on investment, and adjustments are 
continuously made to both the EA management process and the EA 
products.

FBI Does Not Have an EA or the Management Foundation Needed to 
Effectively Develop, Maintain, and Implement One:

The FBI has yet to develop an EA, and it does not have the requisite 
means in place to effectively develop, maintain, and implement one. The 
state of the bureau's architecture efforts is attributable to the level 
of management priority and commitment that the bureau has assigned to 
this effort. Unless this changes, it is unlikely the FBI will produce a 
complete and useful architecture, and without the architecture, the 
bureau will be severely challenged in its ability to implement a set of 
modernized systems that optimally support critical mission needs.

FBI Does Not Have an Architecture:

An EA is an essential tool for effectively and efficiently engineering 
business operations (e.g., processes, work locations, and information 
needs and flows) and defining, implementing, and evolving IT systems in 
a way that best supports these operations. As mentioned earlier, an EA 
provides systematically derived and captured structural descriptions--
in useful models, diagrams, tables, and narrative--of how a given 
entity operates today and how it plans to operate in the future, and it 
includes a roadmap for transitioning from today to tomorrow. The nature 
and content of these descriptions vary among organizations depending on 
the EA framework selected.

The FBI has selected the federal CIO Council's Federal Enterprise 
Architecture Framework as the basis for defining its EA. At the highest 
level of component content description, the Federal Enterprise 
Architecture Framework requires an "as-is" architectural description, a 
"to-be" architectural description, and a transition plan. For the "as-
is" and "to-be" descriptions, this framework also requires the 
following major architecture products: business, information/data, 
applications, and technical components.

The FBI has yet to develop any of these architectural components. In 
response to our requests for all EA products, FBI officials, including 
the chief architect and the deputy chief information officer, told us 
that they do not yet exist. They added that they are currently in the 
process of developing an inventory of the FBI's existing (legacy) 
systems, which is a first step toward creating "as-is" architectural 
descriptions. They also stated that their goal is to develop and issue 
an initial bureau EA by the fall of 2003.

The FBI lacks an architecture largely because it is not treating 
development and use of one as a management priority. According to the 
FBI's chief architect, although the FBI launched its architecture 
effort 32 months ago, resources allocated to this effort have been 
limited to about $1 million annually and four staff. In contrast, our 
research of successful architecture efforts in other federal agencies 
shows that their resource needs are considerably greater than those 
that the FBI has committed. Similarly, the Justice Inspector General 
reported in December 2002[Footnote 18] that limited funding and 
resources contributed to the immature state of the bureau's EA efforts. 
Additionally, assignment of responsibility and accountability for 
developing the architecture has not been stable over the last 32 
months. For example, the chief architect has changed three times in the 
past 12 months.

As our prior reviews of federal agencies and research of architecture 
best practices show, attempts to modernize systems without an 
architecture, which is what the FBI is doing, increases the risk that 
large sums of money and much time and effort will be invested in 
technology solutions that are duplicative, are not well integrated, are 
unnecessarily costly to maintain and interface, and do not effectively 
optimize mission performance. In the FBI's case, there are indications 
that this is occurring. For example, the director of the modernization 
program management office told us that the office recently assumed 
responsibility for managing three system modernization 
initiatives[Footnote 19] and found that they will require rework in 
order for them to be integrated. Such integration--which an EA would 
have provided for--was not previously factored into their development.

To allow for a more coordinated and integrated approach to pursuing its 
other 48 modernization initiatives, the FBI has started holding 
informal meetings among top managers to discuss related systems. 
However, such meetings are not a sufficient surrogate for an explicitly 
defined architectural blueprint that provides a commonly understood, 
accepted frame of reference against which to effectively and 
efficiently acquire and implement well-integrated systems.

Management Structures and Processes Needed to Develop, Maintain, and 
Implement an EA Are Not In Place:

Because the task of developing, maintaining, and implementing an EA is 
an important, complex, and difficult endeavor, doing so effectively and 
efficiently requires that rigorous, disciplined management practices be 
adopted. Such practices form the basis of our EA management maturity 
framework, which specifies by stages the key architecture management 
structures, processes, and controls that are embodied in federal 
guidance and best practices. For example, Stage 2 specifies nine key 
practices or core elements that are necessary to provide the management 
foundation for successfully launching and sustaining an architecture 
effort. Five of the nine Stage 2 core elements are described below.

* Establish an architecture steering committee representing the 
enterprise and make the committee responsible for directing, 
overseeing, or approving the EA. This committee should include 
executive-level representatives from each line of business, and these 
representatives should have the authority to commit resources and 
enforce decisions within their respective organizational units. By 
establishing this enterprisewide responsibility and accountability, 
the agency demonstrates its commitment to building the management 
foundation and obtaining buy-in from across the organization.

* Appoint a chief architect who is responsible and accountable for the 
EA, and who is supported by the EA program office and overseen by the 
architecture steering committee. The chief architect, in collaboration 
with the Chief Information Officer, the architecture steering 
committee, and the organizational head, is instrumental in obtaining 
organizational buy-in for the EA, including support from the business 
units, as well as in securing resources to support architecture 
management functions, such as risk management, configuration 
management, quality assurance, and security management.

* Use an architecture development framework, methodology, and automated 
tool to develop and maintain the EA. These are important because they 
provide the means for developing the architecture in a consistent and 
efficient manner. The framework provides a formal structure for 
representing the EA, while the methodology is the common set of 
procedures that the enterprise is to follow in developing the EA 
products. The automated tool serves as a repository where architectural 
products are captured, stored, and maintained.

* Develop an architecture program management plan. This plan specifies 
how and when the architecture is to be developed. It includes a 
detailed work breakdown structure, resource estimates (e.g., funding, 
staffing, and training), performance measures, and management controls 
for developing and maintaining the architecture. The plan demonstrates 
the organization's commitment to managing EA development and 
maintenance as a formal program.

* Allocate adequate resources to the EA effort. An organization needs 
to have the resources (funding, people, tools, and technology) to 
establish and effectively manage its architecture. This includes, among 
other things, identifying and securing adequate funding to support EA 
activities, hiring and retaining the right people, and selecting and 
acquiring the right tools and technology to support activities.

Our framework similarly identifies key architecture management 
practices associated with later stages of EA management maturity. For 
example, at Stage 3, the stage at which organizations focus on 
architecture development activities, organizations need to satisfy six 
core elements. Two of the six are discussed below.

* Issue a documented architecture policy, approved by the 
organization's head, governing the development of the EA. The policy 
defines the scope of the architecture, including the requirement for a 
description of the baseline and target architecture, as well as an 
investment roadmap or sequencing plan specifying the move between the 
two. This policy is an important means for ensuring enterprisewide 
commitment to developing an EA and for clearly assigning responsibility 
for doing so.

* Ensure that EA products are under configuration management. This 
involves ensuring that changes to products are identified, tracked, 
monitored, documented, reported, and audited. Configuration management 
maintains the integrity and consistency of products, which is key to 
enabling effective integration among related products and for ensuring 
alignment between architecture artifacts.

At Stage 4, during which organizations focus on architecture completion 
activities, organizations need to satisfy eight core elements. Two of 
the eight are described below.

* Ensure that EA products and management processes undergo independent 
verification and validation. This core element involves having an 
independent third party--such as an internal audit function or 
contractor that is not involved with any of the architecture 
development activities--verify and validate that the products were 
developed in accordance with EA processes and product standards. Doing 
so provides organizations with needed assurance of the quality of the 
architecture.

* Ensure that business, performance, information/data, application/
service, and technology descriptions address security. An organization 
should explicitly and consistently address security in its business, 
performance, information/data, application/service, and technology EA 
products. Because security permeates every aspect of an organization's 
operations, the nature and substance of institutionalized security 
requirements, controls, and standards should be captured in EA 
products.

At Stage 5, during which the focus is on architecture maintenance and 
implementation activities, organizations need to satisfy eight core 
elements. Two of the eight are described below.

* Make EA an integral component of IT investment decision-making 
processes. Because the roadmap defines the IT systems that an 
organization plans to invest in as it transitions from the "as-is" to 
the "to-be" environment, the EA is a critical frame of reference for 
making IT investment decisions. Using the EA when making such decisions 
is important because organizations should approve only those 
investments that move the organization toward the "to-be" environment, 
as specified in the roadmap.

* Measure and report return on EA investment. Like any investment, the 
EA should produce a return on investment (i.e., a set of benefits), and 
this return should be measured and reported in relation to costs. 
Measuring return on investment is important to ensure that expected 
benefits from the EA are realized and to share this information with 
executive decision makers, who can then take corrective action to 
address deviations from expectations.

Effective EA management is generally not achieved until an organization 
has a completed and approved architecture that is being effectively 
maintained and implemented, which is equivalent to having satisfied 
many Stage 4 and 5 core elements. Table 2 summarizes our framework's 
five stages and the associated core elements for each.

Table 2: Summary of GAO EA Management Framework Maturity Stages and 
Core Elements:

Stage: Stage 1: Creating EA awareness; Core elements: Agency is aware 
of EA.

Stage: Stage 2: Building the EA management foundation; Core elements: 
Adequate resources exist.

Core elements: Committee or group representing the enterprise is 
responsible for directing, overseeing, or approving EA.

Core elements: Program office responsible for EA development and 
maintenance exists.

Core elements: Chief architect exists.

Core elements: EA is being developed using a framework, methodology, 
and an automated tool.

Core elements: EA plans call for describing "as-is" environment, "to-
be" environment, and sequencing plan.

Core elements: EA plans call for describing the enterprise in terms of 
business, data, applications, and technology.

Core elements: EA plans call for business, performance, data, 
applications, and technology descriptions to address security.

Core elements: EA plans call for developing metrics for measuring EA 
progress, quality, compliance, and return on investment.

Stage: Stage 3: Developing EA products (includes all elements from 
Stage 2); Core elements: Written/approved policy exists for EA 
development.

Core elements: EA products are under configuration management.

Core elements: EA products describe or will describe the enterprise's 
business--and the data, applications, and technology that support it.

Core elements: EA products describe or will describe the "as-is" 
environment, the "to-be" environment, and a sequencing plan.

Core elements: Business, performance, data, application, and technology 
address or will address security.

Core elements: Progress against EA plans is measured and reported.

Stage: Stage 4: Completing EA products; (includes all elements from 
Stage 3); Core elements: Written/approved policy exists for EA 
maintenance.

Core elements: EA products and management processes undergo independent 
verification and validation.

Core elements: EA products describe the enterprise's business--and the 
data, applications, and technology that support it.

Core elements: EA products describe the "as-is" environment, the "to-
be" environment, and a sequencing plan.

Core elements: Business, performance, data, application, and technology 
descriptions address security.

Core elements: Organization chief information officer has approved EA.

Core elements: Committee or group representing the enterprise or the 
investment review board has approved current version of EA.

Core elements: Quality of EA products is measured and reported.

Stage: Stage 5: Leveraging the EA for managing change (includes all 
elements from Stage 4); Core elements: Written/approved policy exists 
for IT investment compliance with EA.

Core elements: Process exists to formally manage EA change.

Core elements: EA is integral component of IT investment management 
process.

Core elements: EA products are periodically updated.

Core elements: IT investments comply with EA.

Core elements: Organization head has approved current version of EA.

Core elements: Return on EA investment is measured and reported.

Core elements: Compliance with EA is measured and reported.

Source: GAO.

[End of table]

The FBI is currently at Stage 1 of our maturity framework. Of the nine 
foundational stage core elements (Stage 2), the FBI has fully satisfied 
one element by designating a chief architect. Additionally, the bureau 
has partially satisfied two other elements. First, it has established 
an architecture governance board as its steering committee. However, 
the bureau has not included all relevant FBI stakeholders on the board, 
such as representatives from its counterterrorism and 
counterintelligence organizational component. Second, the bureau has 
selected the Federal Enterprise Architecture Framework as the framework 
to guide its architecture development. However, it has not yet selected 
a development methodology or automated tool (a repository for 
architectural products).

The FBI has not satisfied the six remaining Stage 2 core elements. For 
example, the bureau has not established a program office. In addition, 
it has not developed a program management plan that provides for 
describing (1) the bureau's "as-is" and "to-be" environments, as well 
as a sequencing plan for transitioning from the "as-is" to the "to-be" 
and (2) the enterprise in terms of business, data, applications and 
technology, including how security will be addressed in each. With 
respect to Stages 3, 4, and 5, the FBI has not satisfied any of the 
associated core elements. (The detailed results of our assessment of 
the FBI's satisfaction of each of the stages and associated core 
elements is provided in app. II.):

The state of the FBI's EA management maturity is attributable to a lack 
of management commitment to having and using an architecture and to 
giving it priority. Indeed, several of the core elements cited above as 
not being satisfied, such as having EA policies and allocating adequate 
resources, are indicators of an organization's architectural 
commitment. According to FBI officials, including the chief architect, 
EA management has not been an agency priority, and thus has not 
received needed attention and resources.

Without effective EA management structures, processes, and controls, it 
is unlikely that the bureau will be able to produce a complete and 
enforceable enterprise architecture and thus be able to implement 
modernized systems in a way that minimizes overlap and duplication and 
maximizes integration and mission support.

Conclusions:

The bureau's ongoing and planned system modernization efforts are at 
risk of not being defined and implemented in a way that best supports 
institutional mission needs and operations. Effectively mitigating this 
risk will require swift development and use of a modernization 
blueprint, or enterprise architecture; up to now, the FBI has not 
adequately demonstrated a commitment to developing such an 
architecture. In reversing this pattern, it is important that the 
architecture development and use be made an agency priority, and that 
it be managed in a way that satisfies the practices embodied in our 
architecture management maturity framework. To do less will continue to 
expose the bureau's system modernization efforts, and ultimately the 
effectiveness and efficiency of its mission performance, to unnecessary 
risk.

Recommendations:

We recommend that the FBI Director immediately designate EA 
development, maintenance, and implementation as an agency priority and 
manage it as such. To this end, we recommend that the Director ensure 
that appropriate steps are taken to develop, maintain, and implement an 
EA in a manner consistent with our architecture management framework. 
This includes first laying an effective EA management foundation by 
(1) ensuring that all business partners are represented on the 
architecture governance board; (2) adopting an architecture 
development methodology and automated tool; (3) establishing an EA 
program office that is accountable for developing the EA; (4) tasking 
the program office with developing a management plan that specifies how 
and when the EA is to be developed and issued; (5) ensuring that the 
management plan provides for the bureau's "as-is" and "to-be" 
environments, as well as a sequencing plan for transitioning from the 
"as-is" to the "to-be"; (6) ensuring that the management plan also 
describes the enterprise in terms of business, data, applications, and 
technology; (7) ensuring that the plan also calls for describing the 
security related to the business, data, and technology; (8) ensuring 
that the plan establishes metrics for measuring EA progress, quality, 
compliance, and return on investment; and (9) allocating the necessary 
funding and personnel to EA activities.

Next, we recommend that the Director ensure that steps to develop the 
architecture products include (1) establishing a written and approved 
policy for EA development; (2) placing EA products under configuration 
management; (3) ensuring that EA products describe the enterprise's 
business, as well as the data, applications, and technology that 
support it; (4) ensuring that EA products describe the "as-is" 
environment, the "to-be" environment, and a sequencing plan; 
(5) ensuring that business, performance, data, application, and 
technology descriptions address security; and (6) ensuring that 
progress against EA plans is measured and reported.

In addition, we recommend that the Director ensure that steps to 
complete architecture products include (1) establishing a written and 
approved policy for EA maintenance; (2) ensuring that EA products and 
management processes undergo independent verification and validation; 
(3) ensuring that EA products describe the enterprise's business and 
the data, application, and technology that supports it; (4) ensuring 
that EA products describe the "as-is" environment, the "to-be" 
environment, and a sequencing plan; (5) ensuring that business, 
performance, data, application, and technology descriptions address 
security; (6) ensuring that the Chief Information Officer approves the 
EA; (7) ensuring that the steering committee and/or the investment 
review board has approved the current version of the EA; and 
(8) measuring and reporting on the quality of EA products.

Further, we recommend that the Director ensure that steps taken to use 
the EA to manage modernization efforts include (1) establishing a 
written and approved policy for IT investment compliance with EA, 
(2) establishing processes to formally manage EA changes, (3) ensuring 
that EA is an integral component of IT investment management processes, 
(4) ensuring that EA products are periodically updated, (5) ensuring 
that IT investments comply with the EA, (6) obtaining Director approval 
of the current EA version, (7) measuring and reporting EA return on 
investment, and (8) measuring and reporting on EA compliance.

Finally, we recommend that the Director ensure that the bureau develops 
and implements an agency strategy for mitigating the risks associated 
with continued investment in modernized systems before it has an EA and 
controls for implementing it.

Agency Comments:

We discussed our findings with the FBI's Chief Architect and later 
transmitted a draft of this report to the bureau on August 22, 2003, 
for its review and comment, requesting that any comments be provided by 
September 18, 2003. However, none were provided in time to be included 
in this printed report.

We are sending copies of this report to the Chairman and Vice Chairman 
of the Senate Select Committee on Intelligence and the Ranking Minority 
Member of the House Permanent Select Committee on Intelligence. We are 
also sending copies to the Attorney General; the Director, FBI; the 
Director, Office of Management and Budget; and other interested 
parties. In addition, the report will also be available without charge 
on GAO's Web site at [Hyperlink, www.gao.gov.] w [Hyperlink, http://
www.gao.gov] ww.gao.gov.

Should you have any questions about matters discussed in this report, 
please contact me at (202) 512-3439 or by E-mail at [Hyperlink, 
hiter@gao.gov] h [Hyperlink, hiter@gao.gov] iter@gao.gov. Key 
contributors to this report are listed in appendix III.

Randolph C. Hite 
Director, Information Technology Architecture and Systems Issues:

Signed by Randolph C. Hite: 

[End of section]

Appendixes:

[End of section]

Appendix I: Scope and Methodology:

To evaluate whether Federal Bureau of Investigation (FBI) has a 
modernization blueprint, commonly called an enterprise architecture 
(EA), to guide and constrain its modernization efforts, we requested 
that the bureau provide us with all of its EA products. We also 
interviewed FBI officials, including the chief architect, to verify the 
status and plans for developing bureau EA products, the causes for why 
none had been completed to date, and the effects of proceeding with 
modernization initiatives without an EA.

To assess whether the FBI was effectively managing its architecture 
activities, we compared bureau EA management practices to our EA 
management maturity framework.[Footnote 20] This framework is based on 
A Practical Guide to Federal Enterprise Architecture, published by the 
federal Chief Information Officers (CIO) Council.[Footnote 21] To do 
this, we first reviewed bureau EA plans and products, and we 
interviewed FBI officials to verify and clarify our understanding of 
bureau EA efforts. Next, we compared the information that we had 
collected against our EA management maturity framework practices to 
determine the extent to which the FBI was employing such effective 
management practices. In addition, we interviewed FBI's chief architect 
and other bureau officials to determine, among other things, the cause 
of differences between what is specified in the framework and the 
condition at the FBI. We also reviewed past FBI information technology 
(IT) management studies and Department of Justice Inspector General 
reports, to understand the state of FBI management practices, including 
their strengths and weaknesses, underlying causes for improvements, and 
open recommendations. Further, we interviewed FBI division officials to 
understand the extent of their participation in the bureau's 
architecture efforts. Finally, to verify our findings and validate our 
assessment, we discussed with the chief architect our analysis of the 
state of FBI's EA practices against our maturity framework.

We performed our work at FBI headquarters in Washington, D.C., from 
September 2002 until August 2003, in accordance with generally accepted 
government auditing standards.

[End of section]

Appendix II: Assessment of FBI's Enterprise Architecture (EA) Efforts 
against GAO's EA Management Maturity Framework:

Stage: Stage 1: Creating EA awareness; Core elements: Agency is aware 
of EA; Satisfied? (yes, no, or partially): Yes; Comments: The FBI has 
acknowledged the need for an EA.

Stage: Stage 2: Building the EA management foundation; Core elements: 
Adequate resources exist; Satisfied? (yes, no, or partially): No; 
Comments: The FBI has allocated four architects and approximately $1 
million annually for the development, implementation, and maintenance 
of its EA.

Core elements: Committee or group representing the enterprise is 
responsible for directing, overseeing, or approving EA; Satisfied? 
(yes, no, or partially): Partially; Comments: The FBI has established 
the architecture governance board to direct, oversee, and approve the 
EA. However, not all FBI components are represented on the board.

Core elements: Program office responsible for EA development and 
maintenance exists; Satisfied? (yes, no, or partially): No; Comments: 
The FBI does not have a program office responsible for the development, 
maintenance, or implementation of its EA.

Core elements: Chief architect exists; Satisfied? (yes, no, or 
partially): Yes; Comments: The FBI has designated a chief architect.

Core elements: EA is being developed using a framework, methodology, 
and an automated tool; Satisfied? (yes, no, or partially): Partially; 
Comments: The FBI plans to use the Federal Enterprise Architecture 
Framework. However, FBI officials reported that they are not using a 
methodology or automated tool.

Core elements: EA plans call for describing "as-is" environment, "to-
be" environment, and sequencing plan; Satisfied? (yes, no, or 
partially): No; Comments: No EA plans exist.

Core elements: EA plans call for describing the enterprise in terms of 
business, data, applications, and technology; Satisfied? (yes, no, or 
partially): No; Comments: No plans exist.

Core elements: EA plans call for business, performance, data, 
application, and technology descriptions to address security; 
Satisfied? (yes, no, or partially): No; Comments: No plans exist.

Core elements: EA plans call for developing metrics for measuring EA 
progress, quality, compliance, and return on investment; Satisfied? 
(yes, no, or partially): No; Comments: No plans exist.

Stage: Stage 3: Developing EA products (includes all elements from 
Stage 2); Core elements: Written/approved policy exists for EA 
development; Satisfied? (yes, no, or partially): No; Comments: The FBI 
does not have a written and approved policy for EA development.

Core elements: EA products are under configuration management; 
Satisfied? (yes, no, or partially): No; Comments: The FBI has not 
developed its EA products; thus no products are under configuration 
management.

Core elements: EA products describe or will describe the enterprise's 
business and the data, applications, and technology that support it; 
Satisfied? (yes, no, or partially): No; Comments: The FBI plans to 
describe its enterprise's business and the data, applications, and 
technology that support it. However, no completion date has been 
established.

Core elements: EA products describe or will describe the "as-is" 
environment, the "to-be" environment, and a sequencing plan; 
Satisfied? (yes, no, or partially): No; Comments: The FBI plans to 
describe its "as-is" and "to-be" environments, as well as a sequencing 
plan. However, no completion date has been established.

Core elements: Business, performance, data, application, and technology 
address or will address security; Satisfied? (yes, no, or partially): 
No; Comments: No plans exist.

Core elements: Progress against EA plans is measured and reported; 
Satisfied? (yes, no, or partially): No; Comments: No plans exist.

Stage: Stage 4: Completing EA products (includes all elements from 
Stage 3); Core elements: Written/approved policy exists for EA 
maintenance; Satisfied? (yes, no, or partially): No; Comments: 
According to FBI officials, there is no written and approved policy for 
EA maintenance.

Core elements: EA products and management processes undergo independent 
verification and validation; Satisfied? (yes, no, or partially): No; 
Comments: The FBI has not developed EA products, and management 
processes do not undergo independent verification and validation.

Core elements: EA products describe the enterprise's business and the 
data, applications, and technology that support it; Satisfied? (yes, 
no, or partially): No; Comments: The FBI has not developed these 
products.

Core elements: EA products describe the "as-is" environment, the "to-
be" environment, and a transitioning plan; Satisfied? (yes, no, or 
partially): No; Comments: The FBI has not developed these products.

Core elements: Business, performance, data, application, and technology 
descriptions address security; Satisfied? (yes, no, or partially): No; 
Comments: No plans exist.

Core elements: Organization chief information officer has approved EA; 
Satisfied? (yes, no, or partially): No; Comments: There is no approved 
version of the FBI's EA.

Core elements: Committee or group representing the enterprise or the 
investment review board has approved current version of EA; Satisfied? 
(yes, no, or partially): No; Comments: The FBI has not developed an 
EA.

Core elements: Quality of EA products is measured and reported; 
Satisfied? (yes, no, or partially): No; Comments: The FBI has not 
developed an EA.

Stage: Stage 5: Leveraging the EA for managing change (includes all 
elements from Stage 4); Core elements: Written/approved policy exists 
for IT investment compliance with EA; Satisfied? (yes, no, or 
partially): No; Comments: The FBI has no written and approved policy 
addressing IT investment compliance with EA.

Core elements: Process exists to formally manage EA change; Satisfied? 
(yes, no, or partially): No; Comments: No management plans exist.

Core elements: EA is integral component of IT investment management 
process; Satisfied? (yes, no, or partially): No; Comments: The FBI has 
not developed an EA.

Core elements: EA products are periodically updated; Satisfied? (yes, 
no, or partially): No; Comments: The FBI has not developed an EA.

Core elements: IT investments comply with EA; Satisfied? (yes, no, or 
partially): No; Comments: The FBI has not developed an EA.

Core elements: Organization head has approved current version of EA; 
Satisfied? (yes, no, or partially): No; Comments: The organization head 
has not approved the EA.

Core elements: Return on EA investment is measured and reported; 
Satisfied? (yes, no, or partially): No; Comments: The FBI does not have 
an EA to determine return on investment.

Core elements: Compliance with EA is measured and reported; Satisfied? 
(yes, no, or partially): No; Comments: The FBI does not have an EA to 
measure and report compliance.

Source: GAO based on FBI data.

[End of table]

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments:

GAO Contact:

Gary Mountjoy, (202) 512-6367:

Acknowledgments:

In addition to the individual named above, key contributors to this 
report included Nabajyoti Barkakati, Katherine I. Chu-Hickman, Barbara 
Collier, Michael Fruitman, David Hinchman, Mary Beth McClanahan, Paula 
Moore, and Megan Secrest.

(310246):

FOOTNOTES

[1] An enterprise architecture is a set of descriptive models (e.g., 
diagrams and tables) that define, in business terms and in technology 
terms, how an organization operates today, how it intends to operate in 
the future, and how it intends to invest in technology to transition 
from today's operational environment to tomorrow's.

[2] U.S. General Accounting Office, Information Technology: A Framework 
for Assessing and Improving Enterprise Architecture Management (Version 
1.1), GAO-03-584G (Washington, D.C.: April 2003).

[3] Deoxyribonucleic acid.

[4] U.S. Department of Justice Office of the Inspector General, Federal 
Bureau of Investigation's Management of Information Technology 
Investments, Report 03-09 (Washington, D.C.: December 2002).

[5] Arthur Andersen, LLP, Management Study of the Federal Bureau of 
Investigation (Dec. 14, 2001).

[6] U.S. General Accounting Office, FBI Reorganization: Initial Steps 
Encouraging but Broad Transformation Needed, GAO-02-865T (Washington, 
D.C.: June 21, 2002).

[7] See, for example, U.S. General Accounting Office, DOD Business 
Systems Modernization: Improvements to Enterprise Architecture 
Development and Implementation Efforts Needed, GAO-03-458 (Washington, 
D.C.: February 2003); Information Technology: DLA Should Strengthen 
Business Systems Modernization Architecture and Investment Activities, 
GAO-01-631 (Washington, D.C.: June 2001); and Information Technology: 
INS Needs to Better Manage the Development of Its Enterprise 
Architecture, GAO/AIMD-00-212 (Washington, D.C.: August 2000).

[8] 40 U.S.C. 111315(b)(2).

[9] Office of Management and Budget, Information Technology 
Architectures, Memorandum M-97-16 (June 18, 1997), rescinded with the 
update of Office of Management and Budget Circular A-130 (Nov. 30, 
2000).

[10] Office of Management and Budget, Management of Federal Information 
Resources, Circular A-130 (Nov. 30, 2000).

[11] Office of Management and Budget Circular A-130; National Institute 
of Standards and Technology, Information Management Directions: The 
Integration Challenge, Special Publication 500-167 (September 1989); 
and federal CIO Council, Federal Enterprise Architecture Framework, 
Version 1.1 (September 1999).

[12] Arthur Andersen, LLP, Management Study of the Federal Bureau of 
Investigation (Dec. 14, 2001).

[13] U.S. General Accounting Office, Information Technology: Enterprise 
Architecture Use Across the Federal Government Can Be Improved, GAO-02-
6 (Washington, D.C.: Feb. 19, 2002).

[14] GAO-02-865T.

[15] U.S. Department of Justice Office of the Inspector General, 
Federal Bureau of Investigation's Management of Information Technology 
Investments, Report 03-09 (Washington, D.C.: December 2002). 

[16] Federal CIO Council, A Practical Guide to Federal Enterprise 
Architecture, Version 1.0 (February 2001).

[17] GAO-03-584G.

[18] U.S. Department of Justice Office of the Inspector General, 
Federal Bureau of Investigation's Management of Information Technology 
Investments, Report 03-09 (Washington, D.C.: December 2002). 

[19] The three modernized systems that the program management office is 
integrating are Trilogy, Secure Counterterrorism Operational Prototype 
Environment, and FBI Administrative Support System. 

[20] U.S. General Accounting Office, Information Technology: Enterprise 
Architecture Use Across the Federal Government Can Be Improved, GAO-02-
6 (Washington, D.C.: Feb. 19, 2002).

[21] Federal CIO Council, A Practical Guide to Federal Enterprise 
Architecture, Version 1.0 (February 2001).

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office

441 G Street NW,

Room LM Washington,

D.C. 20548:

To order by Phone: 	

	Voice: (202) 512-6000:

	TDD: (202) 512-2537:

	Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.

General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.

20548: