GAO-03-877R, Business Systems Modernization: Summary of GAO's Assessment of the Department of Defense's Initial Business Enterprise Architecture


This is the accessible text file for GAO report number GAO-03-877R 
entitled 'Business Systems Modernization: Summary of GAO's Assessment 
of the Department of Defense's Initial Business Enterprise 
Architecture' which was released on July 07, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

July 7, 2003:

Congressional Committees:

Subject: Business Systems Modernization: Summary of GAO's Assessment of 
the Department of Defense's Initial Business Enterprise Architecture 
(GAO-03-877R):

The Department of Defense (DOD) faces financial and related management 
problems that are pervasive, complex, long-standing, and deeply rooted 
in virtually all business operations throughout the department. These 
problems have impeded the department's ability to provide complete, 
reliable, and timely business information to the Congress, DOD 
managers, and other decision makers. Of the 25 areas on our 
governmentwide "high-risk" list, 6 are DOD program areas, and the 
department shares responsibility for 3 other high-risk areas that are 
governmentwide in scope.[Footnote 1] DOD's problems in each of these 
areas hinder the efficiency of operations, and leave the department 
vulnerable to fraud, waste, and abuse.

For fiscal year 2003, DOD's information technology (IT) budget request 
was over $26 billion. More specifically, to support its business 
operations, DOD reports that it currently relies on about 2,300 
systems, including accounting, acquisition, logistics, and personnel 
systems that will cost about $18 billion--nearly $5.2 billion for 
business systems[Footnote 2] and $12.8 billion primarily for business 
systems infrastructure--in fiscal year 2003 to operate, maintain, and 
modernize. As we have previously reported,[Footnote 3] this environment 
was not designed to be, but rather has evolved into, an overly complex 
and error-prone environment, including (1) little standardization 
across DOD, (2) multiple systems performing the same tasks, (3) the 
same data stored in multiple systems, and (4) manual data entry into 
multiple systems.

One of the seven key elements we have reported[Footnote 4] as necessary 
to successfully reform DOD's financial and related management 
challenges is establishing and implementing an enterprise architecture, 
or modernization blueprint. In May 2001,[Footnote 5] we recommended 
that DOD develop, maintain, and implement an enterprise architecture to 
modernize its financial management operations and systems across the 
department. Subsequently, in its fiscal year 2002 Performance and 
Accountability Report, DOD acknowledged that deficiencies in its 
business systems hindered the department's ability to collect and 
report financial and performance information that is accurate, 
reliable, and timely. The report noted that to address its systemic 
problems and assist in the transformation of the department's business 
operations, the department had undertaken the development and 
implementation of a business enterprise architecture.

An enterprise architecture provides a clear and comprehensive picture 
of an entity, whether it is an organization (e.g., federal department 
or agency) or a functional or mission area that cuts across more than 
one organization (e.g., financial management). This picture consists of 
snapshots of both the enterprise's current or "As Is" operational and 
technological environment and its target or "To Be" environment, as 
well as a capital investment road map for transitioning from the 
current to the target environment. These snapshots further consist of 
"views," which are basically one or more architecture products that 
provide conceptual or logical representations of the enterprise.

The National Defense Authorization Act for Fiscal Year 2003[Footnote 6] 
required DOD to develop, by May 1, 2003, a financial management 
enterprise architecture[Footnote 7] and a transition plan for 
implementing the architecture to meet certain requirements. The act 
also requires DOD to control expenditures for financial system 
improvements while the architecture and transition plan are being 
developed and after they are completed. The act states that the 
enterprise architecture shall describe an information infrastructure 
that, at a minimum, would enable DOD to achieve certain capabilities, 
such as complying with all federal accounting, financial management, 
and reporting requirements. The act also requires development of a 
transition plan for implementing the enterprise architecture that 
includes, among other things, a schedule for phasing out existing 
financial management systems that will not become part of the "To Be" 
environment. Finally, before the architecture and transition plan are 
approved, the act requires DOD to review proposed obligations of funds 
in amounts exceeding $1 million for financial system improvements to 
determine if they meet specific conditions called for in the act. Once 
the architecture and transition plan are approved, the act requires DOD 
to ensure that financial system investments are consistent with the 
architecture and the transition plan.

The act directs us to submit to congressional defense committees, 
within 60 days of DOD's approval of its enterprise architecture and its 
transition plan, an assessment of DOD's actions taken to comply with 
these requirements. (See enc. I for a copy of section 1004 of the act.) 
As agreed with your offices, our objectives were to determine (1) the 
extent to which DOD's actions complied with the requirements of the act 
and (2) DOD's plans for further development and implementation of its 
enterprise architecture. This report transmits a summary of the results 
of our assessment as well as a brief discussion of our key 
observations. (See enc. II for a summary of our assessment approach.) 
We plan to issue a more detailed report of our assessment results, 
including conclusions and specific recommendations. We performed our 
work from March 2003 through June 2003 in accordance with U.S. 
generally accepted government auditing standards. On June 30, 2003, DOD 
provided us with written comments on a draft of this report, which are 
addressed in the "Agency Comments and our Evaluation" section and are 
reprinted in enclosure III.

Summary of Observations:

As we reported in February 2003,[Footnote 8] DOD undertook a 
challenging and ambitious task--to develop within 1 year a 
departmentwide architecture for modernizing its current financial and 
business operations and systems. Thus far, DOD has expended tremendous 
effort and resources and made important progress in complying with the 
legislative requirements aimed at developing and effectively 
implementing a well-defined enterprise architecture. Further, DOD's 
initial version of its business enterprise architecture provides a 
foundation from which to build and ultimately produce a well-defined 
business enterprise architecture. However, the initial version does not 
adequately address the act's requirements 
and other relevant architectural requirements.[Footnote 9] For example, 
the architecture does not adequately describe the accounting and 
financial management requirements and the logical database model, which 
includes data standards and is used to guide the creation of the 
physical databases where information will be stored. Moreover, DOD has 
yet to implement an effective investment management process for 
controlling ongoing and planned business system improvements, including 
one that meets the act's requirements for ensuring that obligations in 
excess of $1 million are consistent with the architecture and the 
transition plan. Collectively, this means that DOD has taken a positive 
first step, but much remains to be accomplished before DOD will have 
the kind of blueprint and associated investment controls to 
successfully modernize its business operations and supporting systems.

DOD's position is that, to varying degrees, the initial version of its 
architecture fully satisfies the act's requirements, but it also 
recognizes that the architecture needs to be expanded and extended to 
provide a sufficient basis for guiding and constraining investment 
decisions. DOD's position is also that it has taken steps to implement 
the act's requirements regarding approving system investments but that 
it needs to do more to effectively select and control system 
investments. DOD attributes the current state of its architecture and 
investment management processes to the limited time it has had to 
define and implement each, in part because it was overly optimistic in 
estimating what it could deliver by May 1, 2003. Until DOD develops and 
provides for effective implementation of a well-defined enterprise 
architecture, its ability to modernize its business and systems 
environments in a way that minimizes risk and maximizes return on 
investment will be severely hindered.

Key Observations on Compliance with Enterprise Architecture 
Requirements:

The department has established some of the architecture management 
capabilities advocated by best practices and federal guidance.[Footnote 
10] Among these are having a program office staffed with 
representatives from across the DOD components, designating a chief 
architect, and using an architecture development methodology and 
automated tool. Further, it has adopted an incremental approach to 
developing its architecture and, according to DOD, has approved an 
initial version of its architecture that it intends to use as a 
foundation upon which to build. The initial version includes a suite of 
diagrams, tables, and other representations that describe, to varying 
degrees, its "As Is" and "To Be" architectural environments. For 
example, the "As Is" descriptions include an inventory of about 2,300 
systems in operation or under development, and their characteristics, 
that support DOD's current business operations. The "To Be" 
descriptions address, to at least some degree, how DOD intends to 
operate in the future, what information will be needed to support these 
future operations, and what technology standards should govern the 
design of future systems.

DOD has also incorporated many relevant federal accounting, financial 
management, and reporting requirements from 152 federal sources in its 
"To Be" architecture products. Of the total 4,000 external requirements 
included in the initial architecture, our review of 1,767 Joint 
Financial Management Improvement Program (JFMIP)[Footnote 11] 
requirements, identified 340 (about 19 percent) that are not included 
or adequately addressed. For example, federal accounting requirements 
for recording revenue are not included. According to program officials, 
critical external requirements are not included or adequately addressed 
primarily because a fully functioning quality assurance process to 
validate the requirements was not in place when the requirements were 
elicited. As a result, the architecture's descriptions of certain 
business processes, such as those associated with revenue accounting 
and reporting, which include over $70 billion earned annually by DOD 
working capital fund activities, are not yet sufficiently complete for 
making informed decisions on systems. Department and contractor 
officials agreed that these system requirements were either excluded or 
not adequately addressed and stated that a subsequent version of the 
architecture would include or modify the requirements.

Additionally, the "As Is" and "To Be" architecture products and the 
transition plan do not include a number of items recommended by 
relevant architectural guidance.[Footnote 12] Program officials agreed 
that the initial version of the architecture does not contain the scope 
and detail needed to acquire business system solutions for its "To Be" 
environment. Program officials attribute this to DOD's being overly 
optimistic in determining what it could develop by May 1, 2003. In an 
effort to manage this expectation gap, DOD officials are using an 
incremental approach for developing and implementing the architecture.

Specifically, the "As Is" view of the current architecture does not 
include the following items:

descriptions of current business operations in terms of the entities/
people that perform the functions, processes, and activities, and the 
locations where the functions, processes, and activities are performed;

data/information being used by the functions, processes, and 
activities;

technology standards being employed;

security standards and tools being used; and:

performance metrics being used.

As a result, DOD does not have a sufficiently described picture of its 
"As Is" environment to permit development of a meaningful and useful 
transition plan that either identifies the proper sequence of changes 
needed to move from its current operating environment to its future 
target environment, or effectively provides for guiding and 
constraining investments in modernized systems.

Additionally, the "To Be" view of the current architecture version does 
not include the following items:

specific organization and location information, which defines the 
entities/people that will perform the functions, processes, and 
activities, and specifies where the functions, processes, and 
activities will be performed;

physical descriptions of systems or applications to be developed or 
acquired;

the physical infrastructure (e.g., hardware and systems software) that 
will be needed to support the business systems; and:

the organizations that will be accountable for security and their roles 
and responsibilities.

Further, we found that the logical database model, which includes data 
standards and is used to guide the creation of the physical databases 
where information will be stored, is not linked to a conceptual data 
model. This raises concern regarding the utility of the logical model 
in supporting information flows for business operations and systems.

As a result, the "To Be" environment lacks the details needed to 
identify and plan for system solutions and operational change, and 
enable DOD to routinely provide timely, accurate, and reliable 
information for management decision making. In addition, the "To Be" 
environment precludes the department from making informed system 
investment decisions.

Aside from the "To Be" architecture's lack of detail, its structure is 
difficult to navigate, thus constraining its ease of use and 
understandability. For example, the architecture does not include user 
instructions or guidance, and certain artifacts (e.g., diagrams) could 
not be read on-line because there was no "zoom" capability enabling 
enlargement. Further, specific content, such as the applicability of 
security standards to specific security services, were difficult to 
locate. While we were able to read certain artifacts and locate 
specific content after extraordinary effort, it is reasonable to expect 
that other users would also encounter difficulty navigating through the 
architecture products. As a result, users may not have a good 
understanding of the architecture's content for use in making informed 
decisions.

The transition plan is also missing important items, such as:

a gap analysis identifying the needed changes to current business 
processes and systems;

an identification of which of the 2,300 current business systems will 
not become part of the "To Be" architecture as well as the time frames 
for phasing out these systems;

a time-based strategy for replacing legacy systems, including 
identification of intermediate (i.e., migration) systems that may be 
temporarily needed; and:

a statement of resources (e.g., funding and staff) needed to transition 
to the target environment.

As a result, DOD does not yet have a meaningful and reliable basis for 
managing the disposition of its existing inventory of about 2,300 
systems or for sequencing the introduction of modernized business 
operations and supporting systems.

In June 2003,[Footnote 13] DOD's verification and validation contractor 
also assessed the initial architecture against relevant best practices 
to determine its quality. Consistent with our assessment, this 
contractor reported that while DOD's architecture contained significant 
content, it lacked the depth and detail needed to begin building and 
implementing modernized systems and making operational changes. 
Further, the contractor reported that the architecture was not easily 
understandable and that its utility to stakeholders in system 
acquisition planning was limited.

With regard to DOD's actions to control ongoing and planned business 
systems investments, DOD has not yet defined and implemented an 
effective approach to select and control business system investments 
exceeding $1 million while the architecture is being developed and 
after it is completed. Program officials stated that the department's 
current approach to selecting and controlling business system 
investments depends on the system owners coming forward with the 
request for approval, and that it has not established the means to 
determine which systems should be submitted for review. Program 
officials acknowledge that the department, at a minimum, could use 
DOD's IT budget documentation to proactively fulfill the act's 
requirements and strengthen the investment management process. Since 
enactment of the National Defense Authorization Act for Fiscal Year 
2003, DOD has approved one business system improvement that met this $1 
million threshold and is currently reviewing four others. Our analysis 
of DOD's fiscal years 2003 and 2004 IT budget requests shows that over 
200 systems in each year's budget, totaling about $4 billion per year, 
could have resulted in obligations of funds that meet the $1 million 
threshold. As a result, the vast majority of the billions of dollars 
that DOD invests in business system improvements annually have not been 
subject to the specific investment control process called for in the 
act.

Key Observations on DOD's Plans for Evolving and Extending Its 
Enterprise Architecture and for Improving Business System:

Investment Decision Making:

According to program officials and the initial version of the 
transition plan, DOD intends to extend and evolve the architecture to 
include missing scope and detail. However, it has not defined specific 
plans outlining how this will be accomplished. Rather, DOD's current 
plan is to develop a strategy for producing the next version of its 
architecture and managing ongoing and planned investments. Among other 
things, this strategy is to provide for:

* determining the resources needed to further develop the architecture;

* developing a methodology for integrating the architecture with other 
internal and external architectures;

* establishing an approach for maintaining its existing systems 
inventory; and:

* evaluating the architecture for completeness, accuracy, and 
integration of end-to-end business processes and system functions.

In addition, DOD program documentation provides for initiating pilot 
projects in the near term that are to demonstrate and implement a 
portion of the architecture and be usable across the department. 
However, DOD officials stated that the pilot projects are intended to 
validate departmentwide business processes and not to implement 
production systems. Because of these differing views of what the pilot 
projects are intended to achieve, the purpose and scope of these 
projects remain unclear and specific projects have yet to be selected. 
If DOD intends for these projects to demonstrate or validate an 
enterprisewide business process to address a current deficiency in 
DOD's business operations and systems, such as the lack of common data 
standards, these projects could help DOD improve its architecture and 
thus may represent reasonable investments. However, if the pilot 
projects are to be used to acquire and implement system solutions and 
place them into production to achieve an operational capability, it is 
unclear how DOD will ensure architecture alignment and manage the risk 
associated with investing in even more systems before it has a well-
defined blueprint and an effective investment management process to 
guide and control them.

With regard to DOD's plans for improving investment management 
controls, DOD has a proposed governance concept that describes how and 
by whom business transformation requirements identified by the 
architecture will be implemented in the department. This proposal vests 
domain owners (DOD business line representatives, such as those in 
logistics, human resource management, and acquisition/procurement) 
with the authority, responsibility, and accountability for business 
transformation, extension and implementation of the architecture, 
development and execution of the transition plan, and investment 
portfolio management for their domains. However, it is not clear how 
the proposed approach, including the act's requirements, will be 
implemented. Further, it is not clear, given the incomplete state of 
version 1.0 of the architecture (1) how the domain owners will ensure 
consistency across domains for architecture extensions and changes and 
(2) how the proposed approach will address our prior recommendations 
for establishing a hierarchy of investment review boards that use an 
explicit and common set of criteria for selecting, controlling, and 
evaluating IT projects as a portfolio of competing investment options. 
One criterion we recommended was to ensure consistency and compliance 
with ongoing architecture development efforts.[Footnote 14] As a 
result, the department does not have a critical structure in place to 
effectively select and control its IT investments, and runs the risk of 
continuing to invest in systems that perpetuate its existing 
incompatible, duplicative, overly costly environment of about 2,300 
business systems that do not optimally support mission performance.

Agency Comments and Our Evaluation:

In commenting on a draft of this report (reprinted in enc. III), DOD 
generally agreed with our assessment of the department's initial 
business enterprise architecture and recognized that "much work remains 
to be done." It then described this work as beginning the transition 
from its "As Is" environment to the "To Be" as defined in the 
architecture. DOD stated that its approach for transitioning focuses on 
reengineering its business processes incrementally and then selecting 
business system solutions to implement the new methods and practices. 
However, as we reported, the initial version of the architecture lacks 
the scope and content needed to provide a sufficient frame of reference 
for moving the department from its current operating environment to its 
future target environment. Moreover, we stated in the report that DOD's 
plans for extending and evolving the architecture have yet to be 
adequately defined. While reengineering business processes is a logical 
component of what needs to be done to evolve the architecture, our 
report identifies many other aspects of the architecture, and the 
transition, that need to be further defined before DOD will have a 
sufficient basis for evaluating and selecting business system 
solutions.

DOD's comments also recognized the need to manage and control its 
ongoing and planned business system investments, and stated that it has 
defined an approach for doing so in draft guidance and would use its 
transformation governance structure to implement the investment 
management process. This guidance is still in draft and DOD has not 
provided it to us. Therefore, we could not determine whether it 
addresses the limitations in the department's existing approach to 
select and control its business system investments or the uncertainties 
associated with its proposed investment governance approach, both of 
which are discussed in this report.

Last, DOD's comments noted that the cost to operate, maintain, and 
modernize its approximately 2,300 systems is about $5 billion and that 
$13 billion provides infrastructure for all DOD systems and includes 
spending on nonbusiness (e.g., command and control or intelligence) 
systems. We do not agree. Specifically, our analysis of DOD's total IT 
budget request for fiscal year 2003 shows approximately $26 billion, of 
which $5 billion relates to the operation, maintenance, and 
modernization of DOD's business systems; about $13 billion relates 
primarily to the infrastructure to support these business systems; and 
the remaining $8 billion relates primarily to command and control 
systems, including the infrastructure to support these systems.

- - - - -:

We will be sending copies of this report to interested congressional 
committees; the Director, Office of Management and Budget; the 
Secretary of Defense; the Under Secretary of Defense (Comptroller); the 
Assistant Secretary of Defense (Networks and Information Integration)/ 
Chief Information Officer; the Under Secretary of Defense (Acquisition, 
Technology, and Logistics); the Under Secretary of Defense (Personnel 
and Readiness); and the Director, Defense Finance and Accounting 
Service. This report will also be available at no charge on our Web 
site at http://www.gao.gov.

If you have any questions concerning this information, please contact 
Gregory Kutz at (202) 512-9095 or kutzg@gao.gov or Randolph Hite at 
(202) 512-3439 or hiter@gao.gov. GAO contacts and key contributors to 
this report are listed in enclosure IV.

Gregory D. Kutz:

Director, Financial Management and Assurance:

Randolph C. Hite:

Director, Information Technology Architecture and Systems Issues:

Signed by Gregory D. Kutz and Randolph C. Hite

Enclosures:

List of Committees:

The Honorable Ted Stevens:

Chairman:

The Honorable Robert C. Byrd:

Ranking Minority Member:

Committee on Appropriations:

United States Senate:

The Honorable John W. Warner:

Chairman:

The Honorable Carl Levin:

Ranking Minority Member:

Committee on Armed Services:

United States Senate:

The Honorable C.W. Bill Young:

Chairman:

The Honorable David R. Obey:

Ranking Minority Member:

Committee on Appropriations:

House of Representatives:

The Honorable Duncan Hunter:

Chairman:

The Honorable Ike Skelton:

Ranking Minority Member:

Committee on Armed Services:

House of Representatives:

The Honorable Jim Saxton:

Chairman:

The Honorable Martin T. Meehan:

Ranking Minority Member:

Subcommittee on Terrorism, Unconventional Threats and Capabilities:

Committee on Armed Services:

House of Representatives:

Enclosure I:

SEC. 1004. [of Public Law 107-314] DEVELOPMENT AND IMPLEMENTATION OF 
FINANCIAL MANAGEMENT ENTERPRISE ARCHITECTURE:

(a) REQUIREMENT FOR ENTERPRISE ARCHITECTURE AND FOR TRANSITION PLAN--:

Not later than May 1, 2003, the Secretary of Defense shall develop--:

(1) a financial management enterprise architecture for all budgetary, 
accounting,

finance, enterprise resource planning, and mixed information systems of 
the:

Department of Defense; and:

(2) a transition plan for implementing that financial management 
enterprise architecture.

(b) COMPOSITION OF ENTERPRISE ARCHITECTURE--:

(1) The financial management enterprise architecture developed under 
subsection (a)(1) shall describe an information infrastructure that, at 
a minimum, would enable the Department of Defense to--:

(A) comply with all Federal accounting, financial management, and 
reporting requirements;

(B) routinely produce timely, accurate, and reliable financial 
information for management purposes;

(C) integrate budget, accounting, and program information and systems; 
and:

(D) provide for the systematic measurement of performance, including 
the ability to produce timely, relevant, and reliable cost information.

(2) That enterprise architecture shall also include policies, 
procedures, data standards, and system interface requirements that are 
to apply uniformly throughout the Department of Defense.

(c) COMPOSITION OF TRANSITION PLAN--The transition plan developed under 
subsection (a)(2) shall include the following:

(1) The acquisition strategy for the enterprise architecture, including 
specific time-phased milestones, performance metrics, and financial and 
nonfinancial resource needs.

(2) A listing of the mission critical or mission essential operational 
and developmental financial and nonfinancial management systems of the 
Department of Defense, as defined by the Under Secretary of Defense 
(Comptroller), consistent with budget justification documentation, 
together with:

(A) the costs to operate and maintain each of those systems during 
fiscal year:

2002; and:

(B) the estimated cost to operate and maintain each of those systems 
during fiscal year 2003.

(3) A listing of the operational and developmental financial management 
systems of the Department of Defense as of the date of the enactment of 
this Act (known as 'legacy systems') that will not be part of the 
objective financial and nonfinancial management system, together with 
the schedule for terminating those legacy systems that provides for 
reducing the use of those legacy systems in phases.

(d) CONDITIONS FOR OBLIGATION OF SIGNIFICANT AMOUNTS FOR FINANCIAL 
SYSTEM IMPROVEMENTS--An amount in excess of $1,000,000 may be obligated 
for a defense financial system improvement only if the Under Secretary 
of Defense (Comptroller) makes a determination regarding that 
improvement as follows:

(1) Before the date of an approval specified in paragraph (2), a 
determination that 
the defense financial system improvement is necessary for either of the 
following reasons:

(A) To achieve a critical national security capability or address a 
critical requirement in an area such as safety or security.

(B) To prevent a significant adverse effect (in terms of a technical 
matter, cost, or schedule) on a project that is needed to achieve an 
essential capability, taking into consideration in the determination 
the alternative solutions for preventing the adverse effect.

(2) On and after the date of any approval by the Secretary of Defense 
of a financial management enterprise architecture and a transition plan 
that satisfy the requirements of this section, a determination that the 
defense financial system improvement is consistent with both the 
enterprise architecture and the transition plan.

(e) CONGRESSIONAL REPORTS--Not later than March 15 of each year from 
2004 through 2007, the Secretary of Defense shall submit to the 
congressional defense committees a report on the progress of the 
Department of Defense in implementing the enterprise architecture and 
transition plan required by this section. Each report shall include, at 
a minimum--:

(1) a description of the actions taken during the preceding fiscal year 
to implement the enterprise architecture and transition plan (together 
with the estimated costs of such actions);

(2) an explanation of any action planned in the enterprise architecture 
and transition plan to be taken during the preceding fiscal year that 
was not taken during that fiscal year;

(3) a description of the actions taken and planned to be taken during 
the current fiscal year to implement the enterprise architecture and 
transition plan (together with the estimated costs of such actions); 
and:

(4) a description of the actions taken and planned to be taken during 
the next fiscal year to implement the enterprise architecture and 
transition plan (together with the estimated costs of such actions).

(f) COMPTROLLER GENERAL REVIEW--Not later than 60 days after the 
approval of an enterprise architecture and transition plan in 
accordance with the requirements of subsection (a), and not later than 
60 days after the submission of an annual report required by subsection 
(e), the Comptroller General shall submit to the congressional defense 
committees an assessment of the extent to which the actions taken by 
the Department comply with the requirements of this section.

(g) DEFINITIONS--In this section:

(1) The term 'defense financial system improvement' means the 
acquisition of a new budgetary, accounting, finance, enterprise 
resource planning, or mixed information system for the Department of 
Defense or a modification of an existing budgetary, accounting, 
finance, enterprise resource planning, or mixed information system of 
the Department of Defense. Such term does not include routine 
maintenance and operation of any such system.

(2) The term 'mixed information system' means an information system 
that supports financial and non-financial functions of the Federal 
Government as defined in Office of Management and Budget Circular A-127 
(Financial management Systems).

(h) REPEAL--(1) Section 2222 of title 10, United States Code, is 
repealed. The table of sections at the beginning of chapter 131 of such 
title is amended by striking the item relating to such section.

(2) Section 185(d) of such title is amended by striking 'has the 
meaning given that term in section 2222(c)(2) of this title' and 
inserting 'means an automated or manual system from which information 
is derived for a financial management system or an accounting system'.

Enclosure II:

Summary of Assessment Approach:

To accomplish our objectives for determining (1) the extent to which 
DOD's actions complied with the requirements of section 1004 of Public 
Law 107-314 and (2) DOD's plans for further development and 
implementation of the architecture, we assessed DOD's initial 
architecture, which the DOD Comptroller transmitted to the Comptroller 
General on May 8, 2003. Consistent with the act and as agreed with 
congressional defense committees' staffs, this assessment focused on 
compliance with all federal accounting, financial management, and 
reporting requirements; the content of the "As Is" and "To Be" 
environments; the content of the transition plan to include time-phased 
milestones for phasing out existing systems, resource needs for 
implementing the "To Be" environment, and information on the systems 
inventory; and the extent to which DOD is controlling its business 
system investments.

We also used our Enterprise Architecture Management Maturity 
Framework[Footnote 15] that describes the five stages of management 
maturity to determine the extent to which DOD has adopted key elements 
of architecture management best practices. To make this determination, 
we reviewed program documentation, such as program policies and 
procedures and architecture products, and compared them to the elements 
in the framework.

Specific to our review of federal requirements, we could not determine 
whether the architecture contained all federal accounting, financial 
management and reporting requirements because a central repository of 
all such requirements does not exist. Nevertheless, to assess the 
completeness of the federal requirements, we compared the about 4,000 
external[Footnote 16] requirements contained in the architecture to 
those listed in selected JFMIP[Footnote 17] federal systems 
requirements publications. The JFMIP requirements consisted of about 45 
percent of the total external requirements. We performed a detailed 
review of 1,767 of the JFMIP requirements.

To review the "As Is" and "To Be" environments and the transition plan, 
we decomposed version 1.0 of the architecture into various parts and 
components and made a comparison against relevant benchmarks. More 
specifically, we first divided the architecture into the three primary 
component parts specified in the act and recognized in best practices 
and federal guidance: the "As Is" architecture, the "To Be" 
architecture, and the transition plan. We then divided the "As Is" and 
the "To Be" architectures into the six architectural components. We 
then compared version 1.0 to (1) relevant criteria[Footnote 18] 
governing the content of key architectural elements for the transition 
plan and (2) the six components of the "As Is" and "To Be" 
architectures. In addition, we reviewed comments from DOD's 
verification and validation contractor (MITRE).

To review DOD's actions to comply with the $1 million obligation 
threshold for financial system improvements, we obtained and reviewed 
memorandums and other documentation regarding the approval of 
expenditures for system investments in excess of $1 million. We also 
reviewed and analyzed the DOD IT budget requests for fiscal years 2003 
and 2004 to identify systems that met the $1 million threshold and 
compared this to the total number of systems DOD reviewed and approved 
to measure the extent of systems that potentially should be reviewed.

To determine DOD's plans for further development and implementation of 
the architecture, we reviewed the performance work statement; DOD's 
proposed governance concept, including domain owner roles and 
responsibilities; and program documentation pertaining to plans for 
implementing pilot projects. We also reviewed the status of DOD's 
response to our prior recommendations pertaining to controlling ongoing 
and planned IT systems investments.

To augment our document reviews and analyses, we interviewed officials 
from various DOD organizations and contractors, including the Office of 
the Under Secretary of Defense (Comptroller); Office of the Under 
Secretary of Defense (Acquisition, Technology, and Logistics); Office 
of the Under Secretary of Defense (Personnel and Readiness); IBM; and 
MITRE Corporation.

We conducted our work primarily at DOD headquarters offices in 
Washington, D.C., and Arlington, Virginia, from March 2003 through June 
2003 in accordance with U.S. generally accepted government auditing 
standards. On June 30, 2003, DOD provided us with written comments on a 
draft of this report, which are addressed in the "Agency Comments and 
Our Evaluation" section and are reprinted in enclosure III.

Enclosure III:

Comments from the Department of Defense:

UNDER SECRETARY OF DEFENSE 1100 DEFENSE PENTAGON WASHINGTON DC 20301-
1100:
COMPTROLLER:

JUN 30 2003:

Mr. Gregory Kutz Director:

Financial Management and Assurance 
United States General Accounting Office Washington, DC 20548:

Dear Mr. Kutz:

This is in response to the General Accounting Office (GAO) Draft 
Report, GAO-03-877R, "Business Systems Modernization: Summary of GAO's 
Assessment of Department of Defense's Initial Business Enterprise 
Architecture," dated June 23, 2003.

As recognized in the report, "the Department of Defense (DoD) undertook 
a challenging and ambitious task-to develop within 1 year a Department-
wide architecture for modernizing its current financial and business 
operations and systems. The DoD has expended tremendous effort and made 
important progress.... and the DoD's initial version of the Business 
Enterprise Architecture (BEA) provides a foundation from which to 
build... and ultimately produce a well-defined business enterprise 
architecture.":

The Department is proud of the initial version of the BEA and 
Transition Plan, which were delivered on time and under budget. 
However, we agree that much work remains to be done. The Department's 
architecture is the largest, most complex, and most pervasive business 
enterprise architecture developed to date, either in the public or 
private sectors. The BEA applies not only to financial management, but 
also to the enormous number and types of business transactions that 
support the Department's budget formulation, acquisition, inventory 
management, logistics, personnel, and property management businesses. 
The BEA, therefore, is a blueprint for interconnecting the Department's 
business processes, data, and systems in order to obtain enterprise-
wide performance efficiency and results.

We are now entering another challenging phase of the program---to begin 
the transition from our current "as is" environment to the "to be" as 
defined in the architecture. Our approach will focus on reengineering 
our business processes and then selection of the business system 
solutions to implement the new methods and practices. This 
reengineering effort will be done incrementally. The first increment 
will implement the foundation of the architecture and key business 
processes. Examples are the use of the United States Standard General 
Ledger, a standard accounting code structure, data standards, storage 
and retrieval of data, and logistics business processes coupled with 
the related acquisition and accounting processes.

As we move forward, we recognize the need to manage and control our 
ongoing and planned business system investments. Our approach to do 
this is defined in the draft DoD Directive, "Information Technology 
(IT) Capital Planning and Investment Control (CPIC):

Portfolio Management," and draft DoD Instruction, "Operation of the IT 
CPIC Portfolio Management System." We will use our transformation 
governance structure to implement the investment review process.

In a related matter, the GAO draft report states, "To support business 
operations, DoD reports that it currently relies on about 2,300 systems 
including accounting, acquisition, logistics, and personnel systems 
that will cost $18 billion in Fiscal Year (FY) 2003 to operate, 
maintain and modernize." We believe approximately $5 billion is more 
accurate-the remaining 
$13 billion provides infrastructure for all DoD systems and includes 
spending on nonbusiness (e.g., command and control or intelligence) 
systems.

The Department will address specific comments to the detailed report 
that the GAO plans to release in the near future. That report is 
expected to include the GAO's assessment results, conclusions, and 
specific recommendations.

My point of contact for this matter is Ms. Marilyn Fleming, Chief 
Architect, Directorate for Business Modernization and Systems 
Integration. She may be contacted by email: flemingm@osd.pentagon.mil 
or by telephone at (703) 607-3367.

Sincerely,

Dov S. Zakheim:

Signed by Dov S. Zakheim:

Enclosure IV:

GAO Contacts and Staff Acknowledgments:

GAO Contacts: Jennifer Wilson, (202) 512-9192:

Cynthia Jackson, (202) 512-5086:

Acknowledgments In addition to the individuals named above, key 
contributors to this report included Beatrice Alff, Nabajyoti 
Barkakati, Justin Booth, Francine DelVecchio, Francis Dymond, Neelaxi 
Lakhmani, Anh Le, Evelyn Logue, Mai Nguyen, Darby Smith, Stacey Smith, 
Alan Steiner, Randolph Tekeley, and William Wadsworth.

(192086):

See for example, Office of Management and Budget, Federal Enterprise 
Architecture Business Reference Model, Version 1.0 (2002); Chief 
Information Officer Council, A Practical Guide to Federal Enterprise 
Architecture, Version 1.0 (February 2001); Office of Management and 
Budget Circular No. A-130, Management of Federal Information Resources 
(Nov. 28, 2000); M.A.Cook, Building Enterprise Information 
Architectures: Reengineering Information Systems (Upper Saddle River, 
N.J.: Prentice Hall, 1996); and National Institute of Standards and 
Technology, Information Management Directions: The Integration 
Challenge, Special Publication 500-167 (September 1989).

FOOTNOTES

[1] U.S. General Accounting Office, High-Risk Series: An Update, GAO-
03-119 (Washington, D.C.: January 2003). The nine interrelated high-
risk areas that represent the greatest challenge to DOD's development 
of world-class business operations to support its forces are contract 
management, financial management, support infrastructure management, 
inventory management, systems modernization, weapon system 
acquisition, human capital, information security, and real property. 
The last three areas are governmentwide in scope.



[2] Business systems include financial and nonfinancial systems, such 
as civilian personnel, finance, health, logistics, military personnel, 
procurement, and transportation, with the common element being the 
generation or use of financial data to support DOD's business 
operations.



[3] U.S. General Accounting Office, DOD Financial Management: Important 
Steps Underway But Reform Will Require a Long-term Commitment, GAO-02-
784T (Washington, D.C.: June 4, 2002).



[4] GAO-02-784T.



[5] U.S. General Accounting Office, Information Technology: 
Architecture Needed to Guide Modernization of DOD's Financial 
Operations, GAO-01-525 (Washington, D.C.: May 17, 2001).



[6] Bob Stump National Defense Authorization Act for Fiscal Year 2003, 
Pub. L. No. 107-314, � 1004, 116 Stat. 2458, 2629, Dec. 2, 2002. 



[7] In May 2003, the DOD Comptroller changed the architecture name from 
the Financial Management Enterprise Architecture to the Business 
Enterprise Architecture to reflect the transformation of departmentwide 
business operations and supporting systems, including accounting and 
finance, budget formulation, acquisition, inventory management, 
logistics, personnel, and property management systems.

[8] U.S. General Accounting Office: DOD Business Systems Modernization: 
Improvements to Enterprise Architecture Development and Implementation 
Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003).



[9] See for example, Office of Management and Budget, Federal 
Enterprise Architecture Business Reference Model, Version 1.0 (2002); 
Chief Information Officer Council, A Practical Guide to Federal 
Enterprise Architecture, Version 1.0 (February 2001); Office of 
Management and Budget Circular No. A-130, Management of Federal 
Information Resources (Nov. 28, 2000); M.A.Cook, Building Enterprise 
Information Architectures: Reengineering Information Systems (Upper 
Saddle River, N.J.: Prentice Hall, 1996); and National Institute of 
Standards and Technology, Information Management Directions: The 
Integration Challenge, Special Publication 500-167 (September 1989).



[10] U.S. General Accounting Office, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003).



[11] JFMIP is a joint undertaking of the Department of the Treasury, 
GAO, the Office of Management and Budget, and the Office of Personnel 
Management, working with each other, other agencies, and the private 
sector to improve financial management in the federal government. JFMIP 
requirements arise from various public laws, regulations, bulletins, 
circulars, federal accounting standards, and leading practices and are 
applicable governmentwide. Agencies must use these requirements, in 
addition to agency-unique mission requirements, in planning and 
implementing their financial management improvement projects. 

[12] 



MITRE Technical Report: Review of Financial Management Enterprise 
Architecture (FMEA), Version 1.0, June 2003.

[13] GAO-03-458.



[14] GAO-03-584G.



[15] External requirements are those that are obtained from 
authoritative sources and constrain various aspects of the 
architecture.



[16] We used nine JFMIP systems requirements documents: revenue, 
acquisition, core financial, human resources and payroll, managerial 
cost accounting, inventory, travel, property management, and benefits.



[17] See for example, Office of Management and Budget, Federal 
Enterprise Architecture Business Reference Model, Version 1.0 (2002); 
Chief Information Officer Council, A Practical Guide to Federal 
Enterprise Architecture, Version 1.0 (February 2001); Office of 
Management and Budget Circular No. A-130, Management of Federal 
Information Resources (Nov. 28, 2000); M.A.Cook, Building Enterprise 
Information Architectures: Reengineering Information Systems (Upper 
Saddle River, N.J.: Prentice Hall, 1996); and National Institute of 
Standards and Technology, Information Management Directions: The 
Integration Challenge, Special Publication 500-167 (September 1989).



[18]