This is the accessible text file for GAO report number GAO-04-731R 
entitled 'DOD Business Systems Modernization: Limited Progress in 
Development of Business Enterprise Architecture and Oversight of 
Information Technology Investments' which was released on May 17, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

May 17, 2004:

Congressional Defense Committees:

Subject: DOD Business Systems Modernization: Limited Progress in 
Development of Business Enterprise Architecture and Oversight of 
Information Technology Investments:

The Department of Defense's (DOD) long-standing business systems 
problems adversely affect the economy, effectiveness, and efficiency of 
its business operations and have resulted in a lack of adequate 
transparency and appropriate accountability across all of its major 
business areas. To help the department transform its operations, we 
recommended[Footnote 1] in 2001 that DOD develop an enterprise 
architecture to guide and constrain its almost $20 billion annual 
investment in business systems and that it establish the investment 
controls needed to implement this architecture. In July 2001, DOD 
initiated a program[Footnote 2] to, among other things, develop a DOD 
business enterprise architecture (architecture). This effort is an 
essential part of the Secretary of Defense's broad initiative to 
"transform the way the department works and what it works on.":

Because DOD is one of the largest and most complex organizations in the 
world, overhauling its business operations and supporting systems 
represents a huge management challenge. In fiscal year 2003, DOD 
reported that its operations involved over $1 trillion in assets, 
nearly $1.6 trillion in liabilities, approximately 3.3 million military 
and civilian personnel, and disbursements of over $416 billion. To 
support its business operations, DOD reported that it relies on about 
2,300 business systems, including accounting, acquisition, logistics, 
and personnel systems. The department requested about $19 billionůabout 
$4.8 billion for business systems modernization and about $14 billion 
for operation and maintenance of these systemsůin fiscal year 2004.

ecognizing the importance of DOD's efforts to transform its business 
operations and systems through the use of an enterprise architecture, 
the Congress included provisions in the National Defense Authorization 
Act for Fiscal Year 2003[Footnote 3] that were aimed at developing and 
effectively implementing a well-defined architecture. Specifically, 
section 1004 of this act required that DOD (1) develop, by May 1, 2003, 
a financial management enterprise architecture[Footnote 4] and a 
transition plan for implementing the architecture that meets certain 
requirements and (2) review financial system improvements with proposed 
obligations of funds in amounts exceeding $1 million to determine if 
those system improvements meet specific conditions that are called for 
in the act. The act also directed us to assess actions that DOD has 
taken to comply with these requirements. In July[Footnote 5] and 
September 2003,[Footnote 6] we reported on DOD's actions and made a 
number of recommendations to assist DOD in its efforts to effectively 
develop and implement an architecture and to guide and constrain its 
business systems investments.

The act further requires that the Secretary of Defense submit an annual 
report not later than March 15 of each year from 2004 through 2007 to 
congressional defense committees on its progress in implementing the 
architecture, including the transition plan. Additionally, the act 
directs us to submit to congressional defense committees, within 60 
days of DOD's report submission, an assessment of DOD's actions taken 
to comply with these requirements. (See enc. I for a copy of section 
1004 of the act.) DOD submitted its first annual report on March 15, 
2004. This report is our assessment of DOD's March 15, 2004 report. As 
agreed with your offices, we determined (1) the actions DOD has taken 
to address our previous recommendations regarding the development and 
implementation of the architecture and (2) the actions DOD is taking to 
ensure its ongoing and planned investments will be consistent with its 
evolving architecture.

We performed our work from December 2003 through April 2004 in 
accordance with U.S. generally accepted government auditing standards. 
Details on our scope and methodology are in enclosure II.

Results in Brief:

Since our last review--and after 3 years of effort and over $203 
million in obligations--we have not seen any significant change in the 
content of DOD's architecture or in DOD's approach to investing 
billions of dollars annually in existing and new systems. Few actions 
have been taken to address the recommendations we made in our September 
2003[Footnote 7] report, which were aimed at improving DOD's plans for 
developing the next version of the architecture and implementing the 
institutional means for selecting and controlling both planned and 
ongoing business systems investments. To DOD's credit, it has 
established, for example, a group under the Business Management 
Modernization Program (program) steering committe[Footnote 8]eE to 
facilitate communication and coordination across the domai[Footnote 
9]ns for modernization program activities, including extending and 
evolving the architecture. However, DOD has not yet adopted key 
architecture management best practi[Footnote 10]ces and has not added 
the scope and detail to its architecture that we previously identified 
as missing. Further, DOD has not yet implemented an effective 
management structure and processes to provide adequate control and 
accountability over its $5 billion annual investment in business 
systems modernization. Additionally, the department does not have 
reasonable assurance that it is in compliance with the National Defense 
Authorization Act for Fiscal Year 2003, which requires DOD's 
Comptroller to review all system improvements with obligations 
exceeding $1 million.

Regarding architecture management best practices, DOD has not yet 
implemented key elements, such as assigning accountability and 
responsibility for directing, overseeing, and approving the 
architecture. In addition, it has not explicitly defined performance 
metrics to evaluate the architecture's quality, content, and utility. 
With respect to the architectural content, DOD's latest version of the 
architecture does not include many of the key elements of a well-
defined "As Is," "To Be," and transition plan that we previously 
reported as not being satisfied.[Footnote 11] For example, the "To Be" 
environment does not provide sufficient descriptive content related to 
future business operations and supporting technology to permit 
effective acquisition and implementation of system solutions and 
associated operational change. Similarly, DOD's verification and 
validation contractor has concluded that this latest version of the 
architecture retains most of the limitations that the initial version 
had. Moreover, DOD has not yet defined specific plans, including 
milestones, detailing how it intends to extend and evolve the 
architecture to incorporate this missing content. For example, the 
program's first objective for increment one--to enable asset 
accountability, total force visibility, and an unqualified audit 
opinion on DOD's fiscal year 2007 consolidated financial statements--is 
not supported by a DOD-wide plan of action, and the individual 
component plans for accomplishing this objective may not be linked to 
the program's activities, including the architecture. According to DOD, 
it will not have the plans on how the capabilities for increment one 
will be achieved until August 2004.

DOD has also made limited progress in addressing our recommendations 
aimed at establishing and implementing effective investment management 
processes and, therefore, continues to lack effective management 
oversight and control over ongoing business systems modernization 
investments. While DOD has recently issued a policy that assigns 
investment management responsibilities to the domains, the policy has 
not yet been implemented, and DOD has not clearly defined the roles and 
responsibilities of the domains, established common investment 
criteria, and conducted a comprehensive review of its existing business 
systems to ensure that they are consistent with the architecture. 
Further, each of the DOD components continues to receive its own 
funding and make its own parochial investment decisions. Moreover, DOD 
has not yet established and implemented an effective process for 
ensuring that system improvements with obligations exceeding $1 million 
are submitted to DOD's Comptroller for review and to determine whether 
they are consistent with the architecture, as required by the National 
Defense Authorization Act for Fiscal Year 2003. Based upon a comparison 
of limited information provided by the military services and defense 
agencies, we identified a total of $863 million in obligations for 
improvements that exceeded $1 million each but had not been submitted 
to DOD's Comptroller for review and determination.

The department acknowledges that it still has much more to do, 
including developing the architecture to a necessary level of detail, 
defining specific performance metrics, and clarifying the roles and 
responsibilities associated with managing the domains' portfolios of 
business systems and ensuring that these systems comply with the 
architecture. The limited progress that DOD has made is due, in part, 
to the lack of clearly assigned, accountable, and sustained program 
leadership and to changes in the program direction and priorities. For 
example, from May 2003 to February 2004, there was no program manager 
to identify, direct, and execute program activities. Our experience in 
reviewing other challenged architecture efforts shows that these 
efforts have suffered from limited senior management understanding of 
and commitment to an architecture and from cultural resistance to 
having and using one. Cultural resistance to change, organization 
component parochialism, and stovepiped operations are all evident at 
DOD.

Because many of our prior recommendations--for managing architecture 
development, maintenance, and implementation and for controlling 
ongoing and planned investments in business systems--remain open, we 
are not making any new recommendations in this report, but we are 
reiterating the 22 open recommendations that we made in our May 
2001,[Footnote 12] February 2003,[Footnote 13] and September 
2003[Footnote 14] reports. (Enc. III contains details on the status of 
all of our prior recommendations, including our assessment of DOD's 
actions.) It is imperative that DOD act swiftly to implement these 
recommendations. If it does not, the prognosis for this program is 
bleak, which in turn puts the department's business transformation 
efforts in jeopardy.

In written comments, which are reprinted in enclosure IV, DOD agreed 
with our assessment that the department's long-standing business 
systems problems have resulted in a lack of adequate transparency and 
appropriate accountability across all major business areas and that 
development and use of an architecture is necessary to transforming its 
business operations and supporting systems. In response to our 
characterization that progress has been limited, DOD stated that, over 
the past 3 years, progress has been slower than either GAO or DOD would 
prefer but that it has been significant, despite appearances to the 
contrary. In support of its view, DOD provided an extensive package of 
information. We considered this information, most of which we had 
previously evaluated. The willingness of DOD's leadership to tackle the 
department's decades-old problems with its business operations and 
supporting systems represents a major step forward. However, we remain 
convinced that it is fair to characterize DOD's progress in developing 
a well-defined architecture and implementing effective management 
oversight and control over its business systems as limited. As a 
result, we did not make any changes to this report.

Background:

Prior Reviews of DOD's Architecture Efforts Have Identified Challenges 
and Weaknesses:

Over the last 3 years, we have reported[Footnote 15] that one of the 
key elements to successfully meeting DOD's financial and related 
business management challenges is establishing and implementing an 
enterprise architecture, or modernization blueprint. An enterprise 
architecture provides a clear and comprehensive picture of an entity, 
whether it is an organization (e.g., federal department or agency) or a 
functional or mission area that cuts across more than one organization 
(e.g., financial management). This picture consists of snapshots of 
both the enterprise's current or "As Is" operational and technological 
environment and its target or "To Be" environment, as well as a capital 
investment road map for transitioning from the current to the target 
environment. These snapshots further consist of "views," which are 
basically one or more architecture products that provide conceptual or 
logical representations of the enterprise. We have made numerous 
recommendations to assist DOD in successfully developing the 
architecture and using it to gain control over its ongoing business 
systems investments. Enclosure III contains details on the status of 
all of our prior recommendations, including our assessment of DOD's 
actions.

In May 2001[Footnote 16], we reported that the department did not have 
an architecture for its financial and financial-related business 
operations, nor the management structures, processes, and controls in 
place to effectively develop and implement one. We reported that if the 
department continued to spend billions of dollars on new and modified 
systems, independently from one another and outside the context of an 
architecture, this would result in more processes and systems that are 
duplicative, not interoperable, and unnecessarily costly to maintain 
and interface. We made eight recommendations aimed at providing the 
means for effectively developing and implementing an architecture. The 
Secretary of Defense established a program in July 2001 to develop and 
implement an architecture. In April 2002, DOD entered into an agreement 
with International Business Machines (IBM) pursuant to a governmentwide 
General Services Administration contract, under which DOD issued task 
orders for services to begin developing the architecture.

During the first year of DOD's architecture development, in 2002, we 
reviewed the department's efforts and recognized that it was 
undertaking a challenging and ambitious task and following some 
architecture best practices and information technology (IT) investment 
management processes and controls. We also identified challenges and 
weaknesses in DOD's architecture efforts. For example, in a February 
2003 report,[Footnote 17] we pointed out that DOD had not yet (1) 
established a governance structure and process controls needed to 
ensure ownership of and accountability for the architecture across the 
department, (2) clearly communicated to intended stakeholders its 
purpose, scope, and approach for developing the architecture, and (3) 
defined and implemented an independent quality assurance process. We 
also reported that DOD had yet to establish the necessary departmental 
investment governance structure and process controls needed to 
adequately align ongoing investments with its architectural goals and 
direction. We made six recommendations aimed at enhancing DOD's ability 
to further develop its architecture and guide and constrain its 
business systems modernization investments.

Our March 2003[Footnote 18] report noted that the draft version of the 
architecture did not include a number of items recommended by relevant 
architectural guidance and that DOD's plans would not fully satisfy the 
requirements of the National Defense Authorization Act for Fiscal Year 
2003. For example, the draft architecture did not include a "To Be" 
security view, which defines the security requirements, including 
relevant standards to be applied in implementing security policies, 
procedures, and controls. DOD officials agreed with our preliminary 
assessment of the architecture and stated that subsequent versions of 
the architecture would provide these missing details.

In July and September 2003,[Footnote 19] we reported that although DOD 
had expended tremendous effort and resources in complying with 
statutory requirements for developing and implementing a well-defined 
architecture, the initial version of its architecture, including the 
transition plan, did not adequately address the statutory requirements 
and other relevant architectural requirements. For example, the "As Is" 
environment did not include descriptions of the current business 
operations in terms of entities and people who perform the functions, 
processes, and activities and the locations where these are performed. 
The "To Be" environment did not include descriptions of actual systems 
to be developed or acquired to support future business operations and 
the physical infrastructure that would be needed to support the 
business systems. The transition plan did not include time frames for 
phasing out existing systems within DOD's reported current inventory of 
about 2,300 business systems. Overall, the department's initial version 
of the architecture did not contain sufficient scope and detail either 
to satisfy the act's requirements or to effectively guide and constrain 
the departmentwide business transformation and systems modernization. 
In our September 2003 report[Footnote 20], we reiterated the open 
recommendations that we had made in our May 2001[Footnote 21] and 
February 2003[Footnote 22] reports, and we made 10 new recommendations 
aimed at improving DOD's plans for developing the next version of the 
architecture and implementing the institutional means for selecting and 
controlling both planned and ongoing business systems investments. To 
date, DOD has yet to address 22 of our recommendations.

Funding Status of Architecture Program:

As of March 12, 2004, about $258 million had been appropriated to 
support the program, of which the department reported having obligated 
over $203 million and having made disbursements of $111 million since 
the program began in 2002. Table 1 shows the reported status of program 
funding by appropriation and fiscal year.

Table 1: Reported Funding Status of DOD's Business Management 
Modernization Program as of March 12, 2004:

(Dollars in millions):

:

Appropriation; Appropriated; Obligated; Unobligated[A]; Disbursed; 
Unliquidated[B].

Fiscal year 2002/2003 Research, Development, Test, and 
Evaluation (RDT&E) -Defensewide (DW)[C]; 
Appropriated: $94.5; 
Obligated: $94.5; 
Unobligated[A]: $0.0; 
Disbursed: $83.0; 
Unliquidated[B]: $11.5.

Fiscal year 2003/2004 RDT&E -DW[D]; 
Appropriated: $67.2; 
Obligated: $67.2; 
Unobligated[A]: $0.0; 
Disbursed: $11.9; 
Unliquidated[B]: $55.3.

Fiscal year 2004/2005 RDT&E - DW[E]; 
Appropriated: $45.1; 
Obligated: $8.5; 
Unobligated[A]: $36.6; 
Disbursed: $0.0; 
Unliquidated[B]: $8.5.

Fiscal year 2003 Operations and Maintenance (O&M) -DW[F]; 
Appropriated: $24.9; 
Obligated: $24.9; 
Unobligated[A]: $0.0; 
Disbursed: $16.1; 
Unliquidated[B]: $8.8.

Fiscal year 2004 O&M-DW[G]; 
Appropriated: $26.1; 
Obligated: $8.3; 
Unobligated[A]: $17.8; 
Disbursed: $0.0; 
Unliquidated[B]: $8.3.

Total; 
Appropriated: $257.8; 
Obligated: $203.4; 
Unobligated[A]: $54.4; 
Disbursed: $111.0; 
Unliquidated[B]: $92.4. 

Source: Unaudited funding information contained in DOD's March 15, 2004 
report to congressional defense committees. We did not validate the 
accuracy and reliability of the funding information reported.

[A] Unobligated balances are the differences between funds appropriated 
and obligated; they represent funds that have not been obligated for 
expenditure. GAO's calculations are based on DOD's reported data.

[B] Unliquidated balances are the differences between the funds 
obligated and disbursed; they represent funds that have been obligated 
but have not yet been paid. GAO's calculations are based on DOD's 
reported data.

[C] The fiscal year 2002/2003 RDT&E funds supported the initial 
delivery of the architecture, transition plan, and change management 
and communications initiatives.

[D] The fiscal year 2003/2004 RDT&E funds were used to refine the 
architecture through business process modeling/reengineering for the 
program's first increment and to fund test and evaluation activities, 
verification and validation efforts, and engineering support.

[E] The fiscal year 2004/2005 RDT&E funds will be used to complete the 
program's first increment and begin work on the second increment and to 
fund the integration of the architecture, engineering support, and test 
and evaluation activities.

[F] The fiscal year 2003 O&M funds were used for salaries, facilities, 
supplies, and program management support contracts.

[G] The fiscal year 2004 O&M funds are being used for salaries, 
facilities, supplies, and program management support contracts.

[End of table]

DOD Has Taken Few Actions to Address Our Previous Recommendations:

DOD has taken some steps since our last review, but it has not yet (1) 
implemented key architecture management best practices,[Footnote 23] 
such as assigning accountability and responsibility for directing, 
overseeing, and approving the architecture to a committee or group 
comprised of representatives from across DOD's major organization 
components, (2) revised the architecture products to include the 
missing scope and detail needed to guide and constrain the 
implementation of system solutions, and (3) clearly defined near-term 
and long-term plans for guiding its transformation activities. Until 
the department addresses these key elements to fully satisfy relevant 
architectural guidance, it will be challenged in its ability to produce 
an architecture that is sufficient to guide and constrain its business 
operations and systems modernization efforts. In response to our 
recommendations, DOD has taken some actions, including establishing a 
group to facilitate communication and coordination across the domains 
for program activities; beginning to establish a configuration change 
management process; recently issuing a policy governing the 
development, maintenance, and implementation of the architecture; and 
updating the initial version of the architecture. However, these 
actions are not sufficient and do not fully address our concerns.

DOD Has Not Yet Implemented Key Architecture Management Best Practices:

DOD's actions have not been adequate to address architecture management 
best practices or our previous recommendations. Since our last report, 
the department has taken some actions in response to our 
recommendations concerning the need to implement an effective 
architecture management program. First, in September 2003, it formally 
established the Domain Owners Integration Team (DO/IT), which reports 
to the steering committee. The DO/IT is comprised of the various senior 
executives from each domain and the Business Modernization and Systems 
Integration office. The DO/IT is responsible for facilitating 
communication and coordination across the domains for program 
activities, including extending and evolving the architecture. 
According to program officials, the DO/IT's role is continuing to 
evolve. In particular, the specific actions or tasks it needs to 
perform to carry out this responsibility have not been defined in 
detail.

Second, DOD has taken steps to establish and implement a configuration 
management process to ensure that all changes to the architecture 
products are justified and are accounted for in a manner that maintains 
documentation integrity. Specifically, the department has established a 
configuration control board (CCB), developed a charter, and written 
procedures governing this process. However, the CCB has been tasked 
with reviewing changes to only some, but not all, of the architecture 
products. For example, the CCB is not responsible for tracking changes 
that are being made to the transition plan. In addition, both the 
charter and the procedures governing this process are still in draft. 
According to DOD officials, the charter is to be approved in June 2004, 
but no time frame has been provided for final approval of the 
procedures.

Third, DOD has recently issued an IT portfolio management policy 
governing the development, maintenance, and implementation of the 
architecture. This policy addresses, among other things, the roles, 
responsibilities, and relationships of key players and program 
participants, the value of an architecture, and the scope of the 
architecture. However, the policy does not address accountability for 
and approval of updates to the architecture, as called for by best 
practices, nor does it address the issuance of waivers in those 
instances when exceptions to the architecture are justified on the 
basis of documented analysis.

Finally, DOD has developed high-level performance measures that are to 
be used to develop the more specific results-oriented performance 
metrics needed to enable it to evaluate program progress and benefits. 
This means that DOD has yet to establish measurable, results-oriented 
goals to evaluate and track, on an ongoing basis, specific program 
progress, outcomes, and results. For example, it has not explicitly 
defined performance measures to evaluate the quality, content, and 
utility of subsequent major updates to its initial architecture. Given 
that DOD has reported obligations of over $203 million since 
architecture development efforts began 3 years ago, this is a serious 
performance management weakness. It is critical that the department 
establishes meaningful, tangible, and measurable program goals and 
objectives--short-term and long-term--to enable the department to 
determine what value it is receiving for its investment.

In addition, the department has yet to address other prior 
recommendations related to architecture management best practices. Two 
examples are provided below.

* DOD has not assigned accountability and responsibility for directing, 
overseeing, and approving the architecture to a committee or group 
comprised of representatives from across the department. Although it 
previously established an executive and a steering committee, these 
committees are advisory in nature, and they are currently not 
accountable or responsible for directing, overseeing, and approving the 
architecture. According to the department, it expects to revise the 
committees' charters in June 2004 to include these responsibilities.

* DOD does not have an independent verification and validation function 
to review the architecture products and management processes. The 
department's current verification and validation contractor is not 
independent[Footnote 24] and is responsible for reviewing the 
architecture products and only selected program deliverables. According 
to program officials, the department is planning to acquire the 
services of a new contractor to perform this work, who will be tasked 
with reviewing all the architecture products and all other program 
deliverables. However, DOD officials also said that no decision has 
been made to change the reporting structure of this function to make it 
independent or to have this contractor review architecture management 
processes. In addition, no milestones have been set for any of these 
planned actions.

Several factors have contributed to the department's limited progress 
in implementing an effective architecture management program, such as 
changes to and a lack of accountability in program leadership, 
direction, and priorities. As we previously stated, DOD has not yet 
formalized responsibility for directing, overseeing, and approving the 
architecture. Further, from May 2003 to February 2004, there was no 
program manager to identify, direct, and execute program activities. 
DOD hired a new program manager in February 2004. Initially, DOD had 
planned to develop and implement its architecture in 1 year, but later 
it adopted an incremental approach to developing the architecture. 
About 1 year after adopting this approach, DOD has assigned labels to 
these increments, but it has not yet defined the purpose of these 
increments and plans of action to implement them.

Further, our research of successful organizations and experience in 
reviewing other challenged enterprise architecture efforts show that 
senior management's understanding of and commitment to an enterprise 
architecture and overcoming cultural resistance to having and using one 
are critical success factors. Cultural resistance to change, military 
service parochialism, and stovepiped operations have all contributed 
significantly to the failure of previous attempts to implement broad-
based management reforms at DOD. Until such barriers are addressed, and 
effective architecture management structures and processes are 
established, it is unlikely that DOD will be able to produce and 
maintain a complete and enforceable architecture or implement 
modernized systems in a way that minimizes overlap and duplication and 
maximizes integration and mission support.

DOD's Architecture Products Remain Incomplete, with Minimal Content 
Change:

Since our last review, DOD has not made significant changes to the 
content of its architecture. The department has an updated version of 
the architecture (version 2.0), which is currently being reviewed, but 
it has not been approved. According to DOD, this version of the 
architecture differs from the initial architecture (version 1.0) in 
that it incorporates integrated "baseline reference business process 
models," which, according to DOD, constitute a high-level process 
framework consisting of processes that provide a business perspective 
on the department's operations (e.g., execute budget and performance 
plans) that cut across functions and organizations. DOD also stated 
that version 2.0 includes the previously excluded requirements (e.g., 
revenue requirements) for the Joint Financial Management Improvement 
Program (JFMIP)[Footnote 25] and partially addresses 21 of the 62 
missing architecture content elements that we recommended be added. 
According to DOD, the domains are currently validating all of the 
requirementsůincluding the JFMIP requirements:

Further, with regard to the 21 missing elements, documentation provided 
by DOD shows that it is either just beginning to initiate activities or 
was planning to develop plans to address these missing elements. This 
documentation also did not specify either how or when any of the 21 
elements would be fully addressed. Instead, it showed that the 
department, to date, has made only cosmetic changes to the 
architecture, such as correcting typographical (i.e., misspelled words) 
and grammatical errors, as well as deleting unnecessary text from 
various architecture products. DOD has yet to incorporate the missing 
scope and detail that we previously identified. For example, the "To 
Be" environment does not provide sufficient descriptive content related 
to future business operations and supporting technology to permit 
effective acquisition and implementation of system solutions and the 
associated operational change.

Program officials also stated that version 2.0 addresses some of the 
recommendations made by its verification and validation contractor. 
However, DOD did not provide documentation showing that it had 
addressed any of these recommendations. For example, the verification 
and validation contractor had previously reported that the "As Is" 
information was insufficient to support realistic transition planning. 
In April 2004, this contractor further reported that, while there have 
been some improvements in both the overall completeness of definitions 
and the structure of the architecture products, version 2.0[Footnote 
26] retains most of the critical problems previously cited for version 
1.0. Some examples are below.

* The utility of the architecture to stakeholders and the ability of 
the architecture to support acquisition and portfolio investment 
management decisions remain unclear.

* Supporting documentation that describes the analysis and rationale 
for architecture choices represented within many of the architecture 
products remains incomplete in many areas and, when available, is 
poorly linked or referenced.

* The "As Is" environment, including business processes and existing 
business application systems and supporting technology, is inadequate, 
making it difficult for DOD to perform a gap analysis to support 
development of a transition plan.

* The information assurance (security) representation remains spotty 
and difficult to find even at the enterprise level, and it has some 
unnecessary deviations from the department's accepted practices.

In addition, the verification and validation contractor stated that the 
reference business process models included in version 2.0, which DOD 
cited as the major difference from version 1.0, lacked the underlying 
data and linkage to make it useful in reengineering existing processes. 
The contractor also stated that these models would likely need to be 
reworked based on the results of efforts that the domains currently 
have under way.

According to DOD and contractor officials responsible for updating the 
architecture products, the changes made to date have primarily affected 
architecture management processes and not the architecture's content; 
and this is the result of the change in the program's focus and 
priorities, as discussed above. However, these officials also stated 
that the Architecture Integration Teams (AIT), comprised of 
representatives from the domains, are currently focused on developing 
needed architectural contentůprimarily business processes, business 
rules, and regulations for increment one.

Until the architecture is sufficiently complete and includes the 
missing scope and detail, the department remains at risk for not 
achieving its intended business transformation goals and of not having 
an architecture that can be used to guide and constrain ongoing and 
planned business systems investments to prevent duplicative and 
noninteroperable systems.

DOD Has Yet To Explicitly Define Near-term and Long-term Plans for 
Guiding Its Transformation Activities:

DOD has not yet developed either near-term or long-term plans for 
developing the architecture that explicitly identify and establish a 
baseline for the actions to be taken, milestones to be achieved, cost 
estimates to be met, and targeted outcomes to be achieved. As we 
previously stated, DOD has adopted an incremental approach to 
developing the architecture, including the transition plan, and plans 
to refine and extend the architecture in three increments. The 
increments, as defined by DOD, are:

* Increment one. To enable asset accountability, total force 
visibility, and an unqualified audit opinion of DOD's consolidated 
fiscal year 2007 financial statements.

* Increment two. To focus on reducing acquisition cycle time and 
streamlining the Planning, Programming, Budgeting, and Execution System 
process between fiscal years 2004 and 2009.

* Increment three. To focus on providing total asset visibility and 
total force management between fiscal years 2004 and 2010.

However, it is unclear what the increments individually or collectively 
mean, and what they will provide or allow DOD to achieve in the near-
term and long-term, because DOD does not have detailed plans that 
include performance measures for the quality, content, and utility of 
the architecture. Although the three increments were identified in 
November 2003, program officials do not expect to have a plan for 
increment one until the next version of the transition plan is 
completed in August 2004. According to program officials, the goals and 
scope for the second and third increments were only recently approved 
by the steering committee and, therefore, detailed plans of action and 
milestones for developing these plans do not yet exist.

Currently, DOD has three initiatives under way to support increment 
one. First, the program office is developing a plan of action for 
increment one and intends to complete the plan by August 2004. Second, 
the accounting and finance domain is conducting workshops to develop 
needed business rules and requirements for extending and evolving 
version 2.0 of the architecture. This domain also has two ongoing pilot 
initiatives to acquire and implement production accounting systems by 
the end of 2005 at an estimated cost of $135 million, which are 
intended to provide JFMIP-compliant financial management systems to 
support the department's general and working capital fund activities. 
Last, DOD components are developing individual plans detailing their 
respective efforts for supporting increment one. However, there is no 
evidence that the program office is coordinating with the components 
and that the components are coordinating amongst themselves. According 
to a Defense Logistics Agency (DLA) official, there is currently no 
direct link between DLA's plan and modernization program activities. 
Because there are not yet detailed plans guiding the program's 
activities, it is unclear whether and how these activities support each 
other and whether they support the department's goal of achieving an 
unqualified audit opinion in 2007.

DOD recognizes that it needs to develop detailed plans and establish 
performance metrics to measure and track program progress in order to 
determine (1) what it wants to accomplish by a certain point in time, 
(2) what it has actually accomplished by that point in time, and (3) 
how much it has spent. Changes in the direction of the program and a 
lack of sustained leadership have hindered DOD's ability to do so. In 
its March 15, 2004 progress report, DOD reported that it plans to 
establish an initial approved program metrics baseline to evaluate the 
cost, schedule, and performance of the program and that, beginning with 
the fourth quarter of fiscal year 2004, it plans to begin formal 
tracking and reporting of specific program goals, objectives, and 
measures.

The lack of explicitly defined program plans also has made it difficult 
to define measurable tasks that are or will be assigned to DOD 
employees and the 289 program contractor employees who are involved in 
architecture development, domain support, and program support 
functions. In reviewing the contractor's work statements for 
architecture development, we found that many of the tasks lacked the 
specificity necessary to use them effectively to monitor the 
contractor's progress. For example, tasks included such broad 
statements as "maintain, extend, and integrate" the architecture. Since 
DOD is acquiring services on the basis of direct labor hours at 
specified fixed hourly rates and cost of materials, it is essential 
that the department use efficient methods and effective cost controls 
to measure the work being performed.[Footnote 27] It is also essential 
because the proposed work statement that DOD plans to approve, at an 
estimated cost of $43 million, explicitly states that work is 
considered complete when the hours allotted have been expended, rather 
than defining completion as the contractor's delivery of products that 
meet predefined quality standards. According to DOD, to enable it to 
better monitor the contractor's progress, it plans to reduce future 
tasks to 15 staff-day increments (from 6 week increments) and to 
require the contractor to provide more frequent, informal products to 
program officials so they can monitor and track progress more 
rigorously.

Without an explicitly defined program baseline, detailed plans, and 
performance measures, it is difficult to validate or justify the $122 
million that DOD has requested for fiscal year 2005 and the $494 
million the department estimates it will need for fiscal years 2006 
through 2009. In fact, DOD has been unable to show measurable progress 
and meaningful utility of the architecture products to DOD stakeholders 
for the $203.4 million that had been obligated for this program as of 
March 2004.

DOD Has Taken Few Actions to Control Ongoing and Planned Investments in 
Business Systems:

DOD continues to lack effective investment management oversight and 
control over its numerous investments in business systems. While the 
domains have been designated to oversee business systems investments, 
the actual funding continues to be spread among DOD's components, which 
continue to make their own parochial decisions regarding those 
investments, including obligations in excess of $1 million for system 
improvements, without having received the scrutiny of DOD's Comptroller 
as required by the National Defense Authorization Act for Fiscal Year 
2003.[Footnote 28] Because DOD lacks a departmentwide focus and 
effective management oversight and control of its business systems 
investments, it continues to invest billions of dollars in systems that 
potentially will fail to deliver the integrated business systems 
outcomes that are needed to provide DOD management with timely and 
reliable financial information.

We previously recommended[Footnote 29] that DOD establish investment 
review boards to better control its business systems investments (with 
each board comprised of representatives from across the department) and 
that the boards, consistent with recognized best practices, use a 
standard set of investment review and decision-making criteria to 
ensure compliance and consistency with the architecture. DOD agreed 
with our recommendations and, in response, it issued in March 2004 an 
IT portfolio management policy that assigns the domains responsibility 
for IT portfolio management. However, the procedures to be followed to 
implement the policy are still under development and no time frames for 
completion have been provided. According to the IT portfolio management 
policy, the department has 180 days (until mid-September 2004) to 
develop these procedures. In addition, the department has yet to 
formalize specific roles and responsibilities of the domains, develop 
standard criteria for performing the system reviews, and assign 
explicit authority for fulfilling roles and responsibilities. DOD 
recognizes the need to clarify the roles and responsibilities 
associated with managing the domains' portfolios of business systems 
and ensure compliance with the architecture. However, it has yet to 
establish time frames for completing these activities.

DOD has not yet implemented an effective investment management 
structure and processes for controlling ongoing and planned business 
systems investments, including one that meets the act's requirements 
for ensuring that system improvements with obligations in excess of $1 
million are consistent with the architecture. In an attempt to 
substantiate that the obligations for business systems modernization 
were in accordance with the National Defense Authorization Act for 
Fiscal Year 2003, we requested that DOD agencies provide us with a list 
of obligations greater than $1 million for fiscal year 2003[Footnote 
30] and fiscal year 2004, as of December 2003. To ascertain whether 
DOD's Comptroller had made the determination required by the act, we 
compared a list of systems approvals provided by the program office 
with the obligational data (by system) provided by the DOD activities. 
As we previously testified,[Footnote 31] we identified $479 million in 
obligations for business systems modernization reported by the DOD 
military services that were not submitted to DOD's Comptroller for 
review. Subsequently, we requested information from the defense 
agencies and found $384 million in reported obligations for business 
systems modernization that had not been submitted to DOD's Comptroller 
for review. Examples of DOD system improvements with obligations in 
excess of $1 million that were not submitted include the following:

* The Defense Finance and Accounting Service (DFAS) obligated about $19 
million in fiscal year 2003 for the DFAS Corporate Database/DFAS 
Corporate Warehouse. We previously reported[Footnote 32] that DOD had 
yet to provide economic justification that its investment in this 
system would result in tangible improvements to DOD's financial 
management operations. As of April 2004, an economic analysis has yet 
to be approved but, according to DOD officials, about $129 million had 
been spent on the program through January 2004.

* The Defense Information Systems Agency obligated about $7 million in 
fiscal year 2003 and about $2 million in fiscal year 2004 for the Wide 
Area Workflow.[Footnote 33]

* DFAS obligated about $7 million in fiscal year 2003 for the Defense 
Standard Disbursing System before it was terminated in December 2003 
after approximately 7 years of effort and a reported investment of 
about $53 million. We previously reported[Footnote 34] that continued 
investment in this system had not been justified, because an economic 
analysis had not been updated to reflect significant schedule delays. 
DFAS noted that this system was terminated because a valid business 
case for continuing the effort could not be made.

* DLA obligated about $5 million in fiscal year 2003 and about $2 
million in fiscal year 2004 for the Defense Medical Logistics Standard 
Support Program.

These and other examples demonstrate that DOD does not have reasonable 
assurance that it is in compliance with the National Defense 
Authorization Act for Fiscal Year 2003, which provides that obligations 
in excess of $1 million for system improvements may not be made unless 
DOD Comptroller makes a determination that the improvement is in 
accordance with the criteria specified in the act. The act places 
limitations on the legal authority of individual program and government 
contracting officials to obligate funds in support of the systems for 
which they are responsible, but DOD has yet to proactively manage its 
investments to avoid violations of the limitations and to review and 
approve investments in any meaningful way in order to comply with these 
statutory limitations.

DOD acknowledges that the department does not have a systematic means 
to identify and determine which system improvements should be submitted 
to DOD's Comptroller for review and, in essence, is dependent upon 
system owners coming forward to the domains and requesting approval. 
Also, as we have testified,[Footnote 35] DOD components continue to 
receive direct funding for their business systems and continue to make 
their own parochial decisions regarding investments without the 
scrutiny of DOD's Comptroller that is required by the act. The current 
funding process has contributed to the proliferation of duplicative, 
nonintegrated, and stovepiped business systems that are highly prone to 
error and are unable to provide DOD management with timely, reliable 
financial information. In March 2004,[Footnote 36] we offered a 
suggestion for legislative action to address this issue, consistent 
with our open recommendations to DOD that funds for its business 
systems be appropriated directly to the domains in order to provide for 
accountability, transparency, and the ability to prevent the continued 
parochial approach to systems investments that exists today. The 
legislation we envisioned--for which we will make a legislative 
proposal in a related report to be issued soon--would define the scope 
of the domains and establish functional responsibility for managing the 
portfolio of business systems to the domains. The domains would 
establish business systems investment review boards with DOD-wide 
representation, including the military services and defense agencies.

Until DOD strengthens its process for selecting and controlling 
business systems investments and sufficiently develops a well-defined 
architecture that can be used to guide and constrain investment 
decisions, it will likely continue to spend billions of dollars on 
duplicative, nonintegrated, stovepiped systems that do not optimize 
mission performance and accountability and, therefore, do not support 
the department's transformation goals.

Conclusions:

Having and effectively using a well-defined architecture is essential 
for guiding and constraining DOD's business transformation efforts and 
moving the department away from nonintegrated business systems 
development efforts. DOD's efforts to date to address our prior 
recommendations aimed at accomplishing this have not been sufficient. 
Specifically, despite 3 years of effort and over $203 million in 
reported obligations, DOD's architecture remains insufficiently 
defined, and the way in which the department makes business systems 
investments decisions remains largely unchanged. As a result, billions 
of dollars continue to be at risk of being spent on more systems that 
are duplicative, are not interoperable, cost more to maintain than 
necessary, and do not optimize mission performance and accountability.

The future of DOD's architecture development and implementation 
activities is at risk; this in turn places the department's business 
transformation effort in jeopardy of failing as other efforts by the 
department have in the past. Therefore, it is imperative that DOD move 
swiftly to implement our 22 open recommendations, which are aimed at 
strengthening architecture management activities, adding missing 
content to architecture products, and implementing investment oversight 
and control measures.

Agency Comments and Our Evaluation:

In commenting on a draft of this report (reprinted in enc. IV), DOD 
agreed with our assessment that its long-standing business systems 
problems have resulted in a lack of adequate transparency and 
appropriate accountability across all major business areas. It 
confirmed that development and use of an architecture is necessary to 
transforming its business operations and supporting systems. However, 
in response to our characterization that progress has been limited, DOD 
stated that, over the past 3 years, progress has been slower than 
either GAO or DOD would prefer but that it has been significant, 
despite appearances to the contrary. The willingness of DOD's 
leadership to tackle the department's decades-old problems with its 
business operations and supporting systems represents a major step 
forward. However, we continue to believe that our characterization of 
DOD's progress in developing a well-defined architecture and 
implementing effective management oversight and control over its 
business systems as limited is fair. Therefore, we are not making any 
changes to our report.

DOD stated that we did not adequately consider or incorporate in our 
report important completed and ongoing activities, plans, and 
documentation, and provided an extensive package of information. We 
disagree that we did not adequately consider or incorporate in our 
report important completed and ongoing activities, plans, and 
documentation. While our assessment focused primarily on the 
department's completed, ongoing, and planned activities that it 
reported to Congress on March 15, 2004, we also considered and 
incorporated various activities, plans, and documentation through April 
27, 2004, which included the vast majority of the information in the 
package.

In addition, we acknowledged in this report most, if not all, of the 
actions DOD represents in their comments as having been completed such 
as issuing the IT portfolio management policy and establishing the DO/
IT. We also recognized many of DOD's ongoing activities, such as the 
workshops being held by the accounting and finance domain and the 
department's establishment of the AIT, which are currently focused on 
developing needed architectural content for increment one. To gain an 
understanding of the specific AIT activities, which began in January 
2004, we met with the domains during our review and discussed various 
collaborative efforts, such as their participation in validating 
business rules and requirements to support the development of end-to-
end business processes. Regarding planned activities, we recognized 
DOD's intent to revise the executive and steering committees' charters 
to include responsibilities for directing, overseeing, and approving 
the architecture, and to develop the procedures for implementing the IT 
portfolio management policy. In its response, DOD stated that it plans 
to complete these actions in June and December 2004, respectively.

Because we received information about certain activities after we 
completed our fieldwork--or not at all--these activities are not 
included in our evaluation. For example, DOD stated that the department 
plans to release a management initiative during May 2004; establish an 
architecture and program management maturity plan and supporting 
metrics to address the quality, content, and utility of the 
architecture; and establish a balanced scorecard and supporting metrics 
focused on the organization's internal management processes. While we 
inquired about the management initiative during our review, program 
officials stated that they were unable to provide us a copy because DOD 
does not allow the release of such draft documents outside the 
department. In addition, program officials did not provide a 
characterization of the focus or scope of the management initiative; 
therefore we were unable to include it in our report. We made inquiries 
about other initiatives during the course of our review, but were not 
advised of the maturity plan and balanced scorecard. However, it is 
important to note that carrying out activities does not necessarily 
guarantee results, and thus progress, unless these activities are based 
on an approved program plan that can be used to measure progress.

In addition, we disagree with DOD's other comments. Specifically, DOD 
stated that the Comptroller is accountable for approval of updates to 
the architecture as called for by best practices. As we previously 
reported[Footnote 37] and reiterated in this report, best practices 
recommend that the accountability and responsibility for directing, 
overseeing, and approving the architecture be assigned to a committee 
or group comprised of representatives responsible for the core business 
areas across the department--not a single individual. The purpose of 
assigning the accountability and responsibility to such a committee is 
to obtain and ensure continued enterprisewide support of the 
architecture effort, thereby, increasing the department's chances for 
success.

In addition, DOD stated that its verification and validation function 
is independent because the contractor responsible for these activities 
currently reports to the Deputy Director, Program Support, who is not 
directly involved with developing the architecture. DOD also stated 
that to ensure this independence, reports prepared by this contractor 
are provided directly to GAO and the steering committee. We disagree 
that this function is sufficiently independent. According to best 
practices, the contractor performing this role should report the 
results of its work directly to the steering committee, as well as the 
program office. Since the Deputy Director, Program Support reports 
directly to the program management office and not the steering 
committee, the function is not independent. In addition, the 
verification and validation contractor agreed with us that its reports 
are not provided directly to GAO or the steering committee. The 
contractor also concurred with our statement that, in the one instance 
in which it briefed the steering committee, the program office modified 
the content of the presentation.

DOD disagreed with our prior position that funds for DOD business 
systems be appropriated directly to the domains. We are reaffirming 
that position as stated by the Comptroller General in his March 2004 
testimony[Footnote 38] before the Subcommittee on Readiness and 
Management Support, Senate Armed Services Committee. This matter for 
congressional consideration and related changes in responsibility will 
be discussed in additional detail in a report to be issued shortly.

We are sending copies of this report to interested congressional 
committees; the Director, Office of Management and Budget; the 
Secretary of Defense; the Under Secretary of Defense (Comptroller); the 
Assistant Secretary of Defense (Networks and Information Integration)/
DOD Chief Information Officer; the Under Secretary of Defense 
(Acquisition, Technology, and Logistics); the Under Secretary of 
Defense (Personnel and Readiness); and the Director, Defense Finance 
and Accounting Service. This report will also be available at no charge 
on our Web site at http://www.gao.gov.

If you have any questions concerning this information, please contact 
Gregory Kutz at (202) 512-9095 or kutzg@gao.gov or Randolph Hite at 
(202) 512-3439 or hiter@gao.gov. GAO contacts and key contributors to 
this report are listed in enclosure V.

Signed by: 

Gregory D. Kutz:

Director, Financial Management and Assurance:

Signed by: 

Randolph C. Hite:

Director, Information Technology Architecture and Systems Issues:

Enclosures:

List of Committees:

The Honorable John W. Warner:
Chairman:
The Honorable Carl Levin:
Ranking Minority Member:
Committee on Armed Services:
United States Senate:

The Honorable Ted Stevens:
Chairman:
The Honorable Daniel K. Inouye:
Ranking Minority Member:
Subcommittee on Defense:
Committee on Appropriations:
United States Senate:

The Honorable Duncan Hunter:
Chairman:
The Honorable Ike Skelton:
Ranking Minority Member:
Committee on Armed Services:
House of Representatives:

The Honorable Jerry Lewis:
Chairman:
The Honorable John P. Murtha:
Ranking Minority Member:
Subcommittee on Defense:
Committee on Appropriations:
House of Representatives:

Enclosure I:

SEC. 1004. [of Public Law 107-314] DEVELOPMENT AND IMPLEMENTATION OF 
FINANCIAL MANAGEMENT ENTERPRISE ARCHITECTURE:

(a) REQUIREMENT FOR ENTERPRISE ARCHITECTURE AND FOR TRANSITION PLAN--

Not later than May 1, 2003, the Secretary of Defense shall develop--

(1) a financial management enterprise architecture for all budgetary, 
accounting, finance, enterprise resource planning, and mixed 
information systems of the Department of Defense; and:

(2) a transition plan for implementing that financial management 
enterprise architecture.

(b) COMPOSITION OF ENTERPRISE ARCHITECTURE--

(1) The financial management enterprise architecture developed under 
subsection (a)(1) shall describe an information infrastructure that, at 
a minimum, would enable the Department of Defense to--

(A) comply with all Federal accounting, financial management, and 
reporting requirements;

(B) routinely produce timely, accurate, and reliable financial 
information for management purposes;

(C) integrate budget, accounting, and program information and systems; 
and:

(D) provide for the systematic measurement of performance, including 
the ability to produce timely, relevant, and reliable cost information.

(2) That enterprise architecture shall also include policies, 
procedures, data standards, and system interface requirements that are 
to apply uniformly throughout the Department of Defense.

(c) COMPOSITION OF TRANSITION PLAN--The transition plan developed under 
subsection (a)(2) shall include the following:

(1) The acquisition strategy for the enterprise architecture, including 
specific time-phased milestones, performance metrics, and financial and 
nonfinancial resource needs.

(2) A listing of the mission critical or mission essential operational 
and developmental financial and nonfinancial management systems of the 
Department of Defense, as defined by the Under Secretary of Defense 
(Comptroller), consistent with budget justification documentation, 
together with--

(A) the costs to operate and maintain each of those systems during 
fiscal year 2002; and:

(B) the estimated cost to operate and maintain each of those systems 
during fiscal year 2003.

(3) A listing of the operational and developmental financial management 
systems of the Department of Defense as of the date of the enactment of 
this Act (known as 'legacy systems') that will not be part of the 
objective financial and nonfinancial management system, together with 
the schedule for terminating those legacy systems that provides for 
reducing the use of those legacy systems in phases.

(d) CONDITIONS FOR OBLIGATION OF SIGNIFICANT AMOUNTS FOR FINANCIAL 
SYSTEM IMPROVEMENTS--An amount in excess of $1,000,000 may be obligated 
for a defense financial system improvement only if the Under Secretary 
of Defense (Comptroller) makes a determination regarding that 
improvement as follows:

(1) Before the date of an approval specified in paragraph (2), a 
determination that the defense financial system improvement is 
necessary for either of the following reasons:

(A) To achieve a critical national security capability or address a 
critical requirement in an area such as safety or security.

(B) To prevent a significant adverse effect (in terms of a technical 
matter, cost, or schedule) on a project that is needed to achieve an 
essential capability, taking into consideration in the determination 
the alternative solutions for preventing the adverse effect.

(2) On and after the date of any approval by the Secretary of Defense 
of a financial management enterprise architecture and a transition plan 
that satisfy the requirements of this section, a determination that the 
defense financial system improvement is consistent with both the 
enterprise architecture and the transition plan.

(e) CONGRESSIONAL REPORTS--Not later than March 15 of each year from 
2004 through 2007, the Secretary of Defense shall submit to the 
congressional defense committees a report on the progress of the 
Department of Defense in implementing the enterprise architecture and 
transition plan required by this section. Each report shall include, at 
a minimum--

(1) a description of the actions taken during the preceding fiscal year 
to implement the enterprise architecture and transition plan (together 
with the estimated costs of such actions);

(2) an explanation of any action planned in the enterprise architecture 
and transition plan to be taken during the preceding fiscal year that 
was not taken during that fiscal year;

(3) a description of the actions taken and planned to be taken during 
the current fiscal year to implement the enterprise architecture and 
transition plan (together with the estimated costs of such actions); 
and:

(4) a description of the actions taken and planned to be taken during 
the next fiscal year to implement the enterprise architecture and 
transition plan (together with the estimated costs of such actions).

(f) COMPTROLLER GENERAL REVIEW--Not later than 60 days after the 
approval of an enterprise architecture and transition plan in 
accordance with the requirements of subsection (a), and not later than 
60 days after the submission of an annual report required by subsection 
(e), the Comptroller General shall submit to the congressional defense 
committees an assessment of the extent to which the actions taken by 
the Department comply with the requirements of this section.

(g) DEFINITIONS--In this section:

(1) The term 'defense financial system improvement' means the 
acquisition of a new budgetary, accounting, finance, enterprise 
resource planning, or mixed information system for the Department of 
Defense or a modification of an existing budgetary, accounting, 
finance, enterprise resource planning, or mixed information system of 
the Department of Defense. Such term does not include routine 
maintenance and operation of any such system.

(2) The term 'mixed information system' means an information system 
that supports financial and non-financial functions of the Federal 
Government as defined in Office of Management and Budget Circular A-127 
(Financial Management Systems).

(h) REPEAL--(1) Section 2222 of title 10, United States Code, is 
repealed. The table of sections at the beginning of chapter 131 of such 
title is amended by striking the item relating to such section.

(2) Section 185(d) of such title is amended by striking 'has the 
meaning given that term in section 2222(c)(2) of this title' and 
inserting 'means an automated or manual system from which information 
is derived for a financial management system or an accounting system'.

Enclosure II: Scope and Methodology:

Consistent with the act and as agreed with congressional defense 
committees' staffs, our review focused on (1) the actions the 
Department of Defense (DOD) has taken to address our previous 
recommendations regarding the development and implementation of the 
architecture and (2) the actions DOD is taking to ensure its ongoing 
and planned investments will be consistent with its evolving 
architecture.

To determine what actions DOD has taken to address our previous 
recommendations that relate to the development and implementation of 
the architecture, we met with DOD and contractor officials to obtain an 
update on the status of our prior recommendations. We used our 
Enterprise Architecture Management Maturity Framework,[Footnote 39] 
which describes the stages of management maturity, to update the status 
of key elements of architecture management best practices that DOD had 
not adopted. To make this determination, we reviewed program 
documentation, such as program policies and procedures, communications 
plan, and charters for the governance bodies; and we compared them to 
the elements in the framework. We reviewed program documentation, such 
as requests documenting proposed and actual changes to the architecture 
and external[Footnote 40] requirements extracted from the updated 
architecture. We also reviewed contractor task orders to determine the 
work performed and planned by the prime contractor associated with 
extending and evolving the architecture.

To determine what actions DOD is taking to ensure its ongoing and 
planned business systems investments are consistent with its evolving 
architecture, we met with DOD officials to obtain an update on the 
status of our prior recommendations. We met with appropriate officials 
from the offices of the Under Secretary of Defense (Comptroller) and 
the Assistant Secretary of Defense (Networks and Information 
Integration)/DOD Chief Information Officer, and with representatives 
from the domains to discuss the status of various draft policies and 
guidance that are aimed at improving the department's control of and 
accountability for business systems investments. We also reviewed and 
analyzed DOD's budget request for fiscal year 2004 to identify the 
business systems investments that could be subject to the requirements 
of the National Defense Authorization Act for Fiscal Year 2003, which 
requires that all financial system improvements with obligations in 
excess of $1 million be reviewed by DOD's Comptroller, who must make a 
determination on whether the system improvements are in accordance with 
criteria specified in the act. To assess DOD's compliance with the act, 
we also obtained and reviewed departmental guidance, memorandums, DOD 
Comptroller review decisions, and other documentation provided by the 
program office. Additionally, we requested that DOD provide us with 
data on obligations in excess of $1 million for business systems 
modernization for fiscal years 2003 and 2004, as of December 2003. We 
also received obligational data from some of the defense agencies. We 
then compared the obligational data with the information we had 
received from the program office to ascertain if the systems 
modernization had been reviewed.

To augment our document reviews and analyses, we interviewed officials 
from various DOD organizations and contractors, including the Office of 
the Under Secretary of Defense (Comptroller); Office of the Under 
Secretary of Defense (Acquisition, Technology, and Logistics); Office 
of the Under Secretary of Defense (Personnel and Readiness); 
International Business Machines; and MITRE Corporation.

We did not validate the accuracy and reliability of the funding 
information contained in DOD's March 15, 2004, report. Also, the 
unliquidated and unobligated calculations that we made were based on 
DOD reported data. Further, we did not validate the accuracy and 
reliability of the obligational data provided by the military services 
and the defense agencies for systems modernization.

We requested comments on a draft of this report from the Secretary of 
Defense or his designee. We received written comments from the Acting 
Under Secretary of Defense (Comptroller), which we printed in enclosure 
IV. We considered, but did not reprint the voluminous attachments that 
DOD provided with its written comments.

We conducted our work primarily at DOD headquarters offices in 
Washington, D.C., and Arlington, Virginia, from December 2003 through 
April 2004, in accordance with U.S. generally accepted government 
auditing standards.

Enclosure III: Status of Prior Recommendations on DOD's Business 
Enterprise Architecture (BEA):

GAO-01-525: Information Technology: Architecture Needed to Guide 
Modernization of DOD's Financial Operations. May 17, 2001.

Recommendation: (1) The Secretary of Defense immediately designate DOD 
financial management modernization a departmental priority and 
accordingly direct the Deputy Secretary of Defense to lead an 
integrated program across the department for modernizing and optimizing 
financial management operations and systems; 
Status of recommendation: Implemented; 
DODís comments and our assessment: DODís comments and our assessment: 
[Empty].

Recommendation: (2) The Secretary immediately issue a DOD policy that 
directs the development, implementation, and maintenance of a financial 
management enterprise architecture; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: DOD recently issued its Information 
Technology (IT) Portfolio Management policy. This policy, in 
conjunction with the overarching Global Information Grid[A] policy, 
assigns responsibilities for the development, implementation, and 
maintenance of the BEA.b However, it does not provide for having 
accountability for and approval of updates to the BEA, processes for 
BEA oversight and control, and review and validation of the BEA.

Recommendation: (3) The Secretary immediately modify the Senior 
Financial Management Oversight Council's charter to; 
designate the Deputy Secretary of Defense as the Council Chair and the 
Under Secretary of Defense (Comptroller) as the Council vice-Chair; 
* empower the Council to serve as DOD's financial management enterprise 
architecture steering committee, giving it the responsibility and 
authority to ensure that a DOD financial management enterprise 
architecture is developed and maintained in accordance with the DOD 
C4ISR Architecture Framework; 
* empower the Council to serve as DOD's financial management investment 
review board, giving it the responsibility and authority to (1) select 
and control all DOD financial management investments and (2) ensure 
that its investment decisions treat compliance with the financial 
management enterprise architecture as an explicit condition for 
investment approval that can be waived only if justified by a 
compelling written analysis; 
and; 
* expand the role of the Council's System Compliance Working Group to 
include supporting the Council in determining the compliance of each 
system investment with the enterprise architecture at key decision 
points in the system's development or acquisition life cycle; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: The department had previously 
established the executive and steering committees, which we reported 
were advisory in nature. The department recently established the Domain 
Owners Integration Team[C] and stated that these three bodies are 
responsible for governing the program. However, these three groups have 
not been assigned the accountability and responsibility for directing, 
overseeing, and approving the BEA. According to DOD, it expects to 
revise and finalize the executive and steering committees' charters to 
include these responsibilities in June 2004; DOD issued an IT portfolio 
management policy (March 2004) that assigns the domains[D] 
responsibility for IT portfolio management. However, the procedures to 
be followed to implement the policy are still under development and no 
time frames for completion have been provided. According to the IT 
portfolio management policy, the department has 180 days (until mid-
September 2004) to develop these procedures. In addition, the 
department has yet to formalize specific roles and responsibilities of 
the domains, develop standard criteria for performing the system 
reviews, and assign explicit authority for fulfilling roles and 
responsibilities. DOD has yet to establish time frames for completing 
these activities.

Recommendation: (4) The Secretary immediately make the Assistant 
Secretary of Defense (Command, Control, Communications & Intelligence), 
in collaboration with the Under Secretary of Defense (Comptroller), 
accountable to the Senior Financial Management Oversight Council for 
developing and maintaining a DOD financial management enterprise 
architecture; In fulfilling this responsibility, the Assistant 
Secretary appoint a Chief Architect for DOD financial management 
modernization and establish and adequately staff and fund an enterprise 
architecture program office that is responsible for developing and 
maintaining a DOD-wide financial management enterprise architecture in 
a manner that is consistent with the framework defined in the CIO 
Council's published guide for managing enterprise architectures. In 
particular, the Assistant Secretary should take appropriate steps to 
ensure that the Chief Architect; 
* obtains executive buy-in and support; 
* establishes architecture management structure and controls; 
* defines the architecture process and approach; 
* develops the baseline architecture, the target architecture, and the 
sequencing plan; 
* facilitates the use of the architecture to guide financial management 
modernization projects and investments; 
and; 
* maintains the architecture; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: The Assistant Secretary of Defense 
(Networks and Information Integration)/DOD Chief Information Officer is 
a member of the executive and steering committees; however, as 
discussed previously, members' roles and responsibilities are advisory 
in nature; DOD established a Financial Management Modernization Program 
Office in July 2001. DOD has also appointed a chief architect and, 
according to the department, it has adequate program funding and staff 
for developing and maintaining its BEA. However, DOD has not yet 
defined the roles and responsibilities for the Chief Architect.

Recommendation: (5) The Assistant Secretary of Defense (Command, 
Control, Communications & Intelligence) reports at least quarterly to 
the Senior Financial Management Oversight Council on the Chief 
Architect's progress in developing a financial management enterprise 
architecture, including the Chief Architect's adherence to enterprise 
architecture policy and guidance from OMB, the CIO Council, and DOD; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: The Assistant Secretary of Defense 
(Networks and Information Integration)/ DOD Chief Information Officer 
is a member of the steering committee, which is briefed monthly by the 
program office on various program activities; 
but not necessarily on the development and maintenance of the BEA's 
content. The Chief Architect is a member of the program office.

Recommendation: (6) The Senior Financial Management Oversight Council 
report to the Secretary of Defense every 6 months on progress in 
developing and implementing a financial management enterprise 
architecture; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: The Deputy Chief Financial Officer 
briefed the Secretary of Defense in November 2003 on behalf of DOD's 
Comptroller, who chairs the executive committee.

Recommendation: (7) The Secretary reports every 6 months to the 
congressional defense authorizing and appropriating committees on 
progress in developing and implementing a financial management 
enterprise architecture; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: Senate Report 107-213 directs that 
the department report every 6 months on the status of the BEA effort. 
DOD submitted status reports on January 31 and July 31, 2003 and on 
January 31, 2004. However, these reports were submitted by DOD's 
Comptroller and were not signed by the members of the executive or 
steering committees.

Recommendation: (8) Until a financial management enterprise 
architecture is developed and the Council is positioned to serve as 
DOD's financial management investment review board as recommended 
above, the Secretary of Defense limit DOD components' financial 
management investments to; 
* deployment of systems that have already been fully tested and involve 
no additional development or acquisition cost; 
* stay-in-business maintenance needed to keep existing systems 
operational; 
* management controls needed to effectively invest in modernized 
systems; 
and; 
* new systems or existing system changes that are congressionally 
directed or are relatively small, cost effective, and low risk and can 
be delivered in a relatively short time frame; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: DOD has not yet defined and 
implemented an approach for selecting and controlling business systems 
investments. In March 2004, the Deputy Secretary of Defense signed the 
IT portfolio management policy and assigned responsibility to the 
domains for IT portfolio management. However, the procedures to be 
followed to implement the policy are still under development and no 
time frames for completion have been provided. According to the IT 
portfolio management policy, the department has 180 days (until mid-
September 2004) to develop these procedures. In addition, the 
department has yet to formalize specific roles and responsibilities of 
the domains, develop standard criteria for performing the system 
reviews, and assign explicit authority for fulfilling roles and 
responsibilities. DOD has yet to establish time frames for completing 
these activities.

GAO-03-458: DOD Business Systems Modernization: Improvements to 
Enterprise Architecture Development and Implementation Efforts Needed. 
February 28, 2003.

Recommendation: (1) The Secretary of Defense ensure that the enterprise 
architecture executive committee members are singularly and 
collectively made explicitly accountable to the Secretary for the 
delivery of the enterprise architecture, including approval of each 
version of the architecture; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: The department had previously 
established the executive and steering committees, which we reported 
were advisory in nature. The department recently established the Domain 
Owners Integration Team and stated that these three bodies are 
responsible for governing the program. However, these groups have not 
been assigned the accountability and responsibility for directing, 
overseeing, and approving the BEA. According to DOD, it expects to 
revise and finalize the executive and steering committees' charters to 
include these responsibilities in June 2004.

Recommendation: (2) The Secretary of Defense ensure that the enterprise 
architecture program is supported by a proactive marketing and 
communication program; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: DOD has a strategic communications 
plan; 
however, the plan has not yet been executed. According to DOD, the plan 
is scheduled to be executed between June and December 2004.

Recommendation: (3) The Secretary of Defense ensure that the quality 
assurance function; 
* includes the review of adherence to process standards and reliability 
of reported program performance, 
* is made independent of the program management function, and; 
* is not performed by subject matter experts involved in the 
development of key architecture products; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: According to DOD, the quality 
assurance function does not yet address process standards and program 
performance, nor is it yet an independent function. Further, DOD 
subject matter experts continue to be involved in the quality assurance 
function.

Recommendation: (4) The Secretary gain control over ongoing IT 
investments by establishing a hierarchy of investment review boards, 
each responsible and accountable for selecting and controlling 
investments that meet defined threshold criteria, and each composed of 
the appropriate level of executive representatives, depending on the 
threshold criteria, from across the department; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: DOD has not yet defined and 
implemented an approach for selecting and controlling business systems 
investments. In March 2004, the Deputy Secretary of Defense signed the 
IT portfolio management policy and assigned responsibility to the 
domains for IT portfolio management. However, the procedures to be
followed to implement the policy are still under development and no 
time frames for completion have been provided. According to the IT 
portfolio management policy, the department has 180 days (until mid-
September 2004) to develop these procedures. In addition, the 
department has yet to formalize specific roles and responsibilities of 
the domains, develop standard criteria for performing the system 
reviews, and assign explicit authority for fulfilling roles and 
responsibilities. DOD has yet to establish time frames for completing 
these activities.

Recommendation: (5) The Secretary gain control over ongoing IT 
investments by establishing a standard set of criteria to include (a) 
alignment and consistency with the DOD enterprise architecture and; 
(b) our open recommendations governing limitations in business systems 
investments pending development of the architecture; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: DOD has not developed standard 
criteria for evaluating business systems investments and has not 
established time frames for completing this activity.

Recommendation: (6) The Secretary gain control over ongoing IT 
investments by directing these boards to immediately apply these 
criteria in completing reviews of all ongoing IT investments, and to 
not fund investments that do not meet these criteria unless they are 
otherwise justified by explicit criteria waivers; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: In March 2004, the Deputy Secretary 
of Defense signed the IT portfolio management policy and assigned 
responsibility to the domains for IT portfolio management. However, the 
procedures to be followed to implement the policy are still under 
development and no time frames for completion have been provided. 
According to the IT portfolio management policy, the department has 180 
days (until mid- September 2004) to develop these procedures. In 
addition, the department has yet to formalize specific roles and 
responsibilities of the domains, develop standard criteria for 
performing the system reviews, and assign explicit authority for 
fulfilling roles and responsibilities. DOD has yet to establish time 
frames for completing these activities. Further, the policy also does 
not address the issuance of waivers in those instances when exceptions 
to the BEA are justified on the basis of documented analysis.

GAO-03-1018: DOD Business Systems Modernization: Important Progress 
Made to Develop Business Enterprise Architecture, but Much Work 
Remains. September 19, 2003.

Recommendation: (1) The Secretary of Defense or his appropriate 
designee; 
define and implement an effective investment management process to 
proactively identify, control, and obtain DOD Comptroller review and 
approval of expenditures for new and ongoing business systems 
investments exceeding $1 million while the architecture is being 
developed and after it is completed, and which includes clearly defined 
domain owners' roles and responsibilities for selecting and controlling 
ongoing and planned 
system investments; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: As discussed in this report, DOD has 
not yet defined and implemented an effective investment management 
process to proactively identify and control system improvements 
exceeding $1 million in obligations. DOD officials have acknowledged 
that the department does not have a systematic means to identify and 
determine which system improvements should be submitted to the 
Comptroller for review and, are dependent upon system owners coming 
forward to the domains and requesting approval.

Recommendation: (2) The Secretary of Defense or his appropriate 
designee implement the core elements in our Enterprise Architecture 
Framework for Assessing and Improving Enterprise Architecture 
Management that we identify in this report as not satisfied, including 
ensuring that minutes of the meetings of the executive body charged 
with directing, overseeing, and approving the architecture are prepared 
and maintained; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: DOD has taken some actions, but 
these actions are not sufficient to fully address our previous 
concerns. For example, DOD has; 
* established the Domain Owners Integration Team; 
* begun to establish a configuration management process; 
* recently issued an IT portfolio management policy governing the 
development, maintenance, and implementation of the BEA; 
and; 
* developed high-level performance measures that are to be used to 
develop the more specific results-oriented performance metrics that are 
needed to enable it to evaluate program progress and benefits; 
However, as discussed previously, accountability and responsibility 
have not been assigned to a committee or group comprised of 
representatives from across the DOD component organizations--which 
would be responsible for directing, overseeing, and approving the BEA. 
DOD plans to update the executive and steering committees' charters to 
include these responsibilities in June 2004. Also, the configuration 
control board has been tasked with reviewing changes to only some, not 
all BEA products (e.g., the board is not responsible for tracking 
changes that are being made to the transition plan as part of the BEA 
effort). In addition, both the charter and the procedures governing the 
configuration management process are still in draft. According to DOD, 
the charter is to be approved in June 2004, but no time frame has been 
provided for final approval of the procedures. The portfolio management 
policy does not address accountability for and approval of updates to 
the BEA--as called for by best practices. In addition, the policy does 
not address the issuance of waivers in those instances when exceptions 
to the BEA are justified on the basis of documented analysis. The 
department's current verification and validation contractor is not 
independent and is responsible for reviewing the BEA products and only 
selected program deliverables.

Recommendation: (3) The Secretary of Defense or his appropriate 
designee update version 1.0 of the architecture to include the 340 
Joint Financial Management Improvement Program requirements that our 
report identified as omitted or not fully addressed; 
Status of recommendation: Implemented; 
DODís comments and our assessment: [Empty].

Recommendation: (4) The Secretary of Defense or his appropriate 
designee update version 1.0 of the architecture to include the 29 key 
elements governing the "As Is" architectural content that our report 
identified as not being fully satisfied; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: Of the 29 elements, DOD stated that 
it plans to address 26, but it did not have detailed plans on how and 
when they would be fully addressed. According to DOD, it is currently 
addressing 2 of the 26--system and process inventories--which will be 
part of the transition plan. With respect to the system inventory, 
DOD's Comptroller recently testified that the actual number of DOD 
systems could be twice as many as is currently reported; 
2,274. For the 3 elements that DOD did not consider to be relevant to 
the program, it did not provide any explicit analysis as to why the 3 
would be irrelevant. Until DOD provides such an analysis, we consider 
all 29 elements to be critical for the "As Is" architectural content.

Recommendation: (5) The Secretary of Defense or his appropriate 
designee update version 1.0 of the business enterprise architecture to 
include the 30 key elements governing the "To Be" architectural content 
that our report identified as not being fully satisfied; 
Status of recommendation: Not implemented; 
DODís comments and our assessment: According to DOD, it has partially 
addressed 21 elements, but it plans to address all 30. However, DOD did 
not provide any detailed plans showing how and when it would fully 
address these elements. In addition, the information provided for the 
21 elements shows that it had not addressed them but was planning to 
address them or had just begun to take needed actions.

Recommendation: (6) The Secretary of Defense or his appropriate 
designee update version 1.0 to ensure that "To Be" architecture 
artifacts are internally consistent, to include addressing the 
inconsistencies described in this report, as well as including user 
instructions or guidance for easier architecture navigation and use; 
Status of recommendation: Partially implemented; 
DODís comments and our assessment: DOD did not have information readily 
available to show that it had addressed inconsistencies identified in 
our report.

Recommendation: (7) The Secretary of Defense or his appropriate 
designee update version 1.0 of the architecture to include (a) the 3 
key elements governing the transition plan content that our report 
identified as not being fully satisfied and (b) those system 
investments that will not become part of the "To Be" architecture, 
including time frames for phasing out those systems; 
Status of recommendation: Not implemented;
DODís comments and our assessment: According to DOD, the next 
transition plan will be available in August 2004. However, DOD did not 
have information readily available to show how or when it would fully 
address our recommendations.

Recommendation: (8) The Secretary of Defense or his appropriate 
designee update version 1.0 of the architecture to address comments 
made by the verification and validation contractor; 
Status of recommendation: Not implemented;
DODís comments and our assessment: According to DOD, it has addressed 
some of its verification and validation contractor's comments and plans 
to address the majority of the others. However, DOD did not have 
documentation readily available to show that it had addressed some of 
the contractor's comments, and was unable to provide plans detailing 
how and when it would fully address the remaining comments. According 
to DOD, the verification and validation contractor's comments would be 
addressed in BEA updates after version 2.0.

Recommendation: (9) The Secretary of Defense or his appropriate 
designee develop a well-defined near-term plan for extending and 
evolving the architecture and ensure that this plan includes addressing 
our recommendations, defining roles and responsibilities of all 
stakeholders involved in extending and evolving the architecture, 
explaining dependencies among planned activities, and defining measures 
of activity progress; 
Status of recommendation: Not implemented;
DODís comments and our assessment: As discussed in this report, DOD has 
not developed well-defined near-term or long-term plans to be used to 
guide day-to-day program activities to enable it to evaluate its 
progress.

Recommendation: (10) The Secretary of Defense or his appropriate 
designee limit the pilot projects to small, low-cost, low-risk 
prototype investments that are intended to provide knowledge needed to 
extend and evolve the architecture, and are not to acquire and 
implement production version system solutions or to deploy an 
operational system capability; 
Status of recommendation: Not implemented;
DODís comments and our assessment: The accounting and finance domain 
has two ongoing pilot initiatives to acquire and implement production 
accounting systems by the end of 2005--at an estimated cost of $135 
million. This domain is also currently conducting workshops to develop 
needed business rules and requirements for extending and evolving the 
BEA in support of DOD's achieving objective of increment one, which 
includes achieving an unqualified audit opinion on DOD's fiscal year 
2007 consolidated financial statements. However, the department did not 
provide detailed plans that showed how or if the workshop results would 
serve as the basis for acquiring these production systems. 

Source: GAO analysis of DOD data.

[A]DOD DEFINES THE GLOBAL INFORMATION GRID AS THE GLOBALLY 
INTERCONNECTED, END-TO-end set of information, capabilities, 
associated processes, and personnel for collecting, processing, 
storing, disseminating, and managing information on demand to 
warfighters, policymakers, and support personnel.

[B]IN MAY 2003, THE DOD COMPTROLLER CHANGED THE ARCHITECTURE NAME FROM 
THE Financial Management Enterprise Architecture to the Business 
Enterprise Architecture to reflect the transformation of departmentwide 
business operations and supporting systems, including accounting and 
finance, budget formulation, acquisition, inventory management, 
logistics, personnel, and property management systems.

[C]IN SEPTEMBER 2003, DOD ESTABLISHED THE DOMAIN OWNERS INTEGRATION 
TEAM, comprised of domain representatives, to facilitate communication 
and coordination across the domains.

[D]DOD HAS SIX DEPARTMENTAL DOMAINS, WHICH ARE (1) ACCOUNTING AND 
FINANCE, (2) acquisition, (3) human resources management, (4) 
installations and environment, (5) logistics, and (6) strategic 
planning and budgeting. It also has one enterprise information 
environment mission area. The domains and the mission area, comprised 
of the Under Secretaries of Defense and the Assistant Secretary of 
Defense for Networks and Information Integration/DOD Chief Information 
Officer, have authority, responsibility, and accountability within 
their domains for business transformation, implementation of the BEA, 
development and execution of the transition plan, portfolio management, 
and establishment of a structure to ensure representation of the DOD 
components and the appropriate federal agencies.

[End of table]

Enclosure IV:

Comments from the Department of Defense:

UNDER SECRETARY OF DEFENSE 
1100 DEFENSE PENTAGON 
WASHINGTON, DC 20301-1100:

MAY 10 2004

COMPTROLLER:

Mr. Gregory Kutz Director:

Financial Management and Assurance 
United States General Accounting Office
Washington, DC 20548:

Dear Mr. Kutz:

Enclosed is the proposed response by the Department of Defense (DoD) to 
the General Accounting Office (GAO) Draft Report, "DoD Business Systems 
Modernization: Limited Progress in Development of Business Enterprise 
Architecture and Oversight of Information Technology Investments," 
(GAO-04-731R), dated April 30, 2004.

The referenced draft General Accounting Office (GAO) report accurately 
describes the size and scope of the Business Management Modernization 
Program (BMMP). As stated in the opening paragraphs of the draft 
report, "DoD is one of the largest and most complex 
organizations in the world, overhauling its business operations and 
supporting systems represents a huge management challenge." 
Furthermore, the draft report pointedly describes the adverse effect of 
long-standing business system problems, which have resulted in "a lack 
of adequate transparency and appropriate accountability across all 
major business areas.":

The DoD agrees with that assessment and concurs with the urgent need to 
undertake the largest ongoing transformation in the public sector. 
Since July 2001, we have been actively engaged in efforts to correct 
these long-standing problems. However, GAO's draft report characterizes 
DoD's progress so far as "limited." Though progress over the past 3 
years admittedly has been slower than either GAO or DoD would prefer, 
it has been significant, despite appearances to the contrary. The 
report also underestimates development methodology of the Business 
Enterprise Architecture (BEA), as well as the significant growth in 
program maturity. The Department remains committed to working with GAO 
to address these issues.

My point of contact for this matter is Dr. Paul Tibbits, Director for 
Business Modernization and Systems Integration (BMSI). Dr. Tibbits may 
be contacted by email: Paul.Tibbits@osd.mil or by telephone at (703) 
607-3370.

Sincerely,

Signed by: 

Lawrence J. Lanzillotta:

Acting 

Enclosure: As stated:

Department of Defense (DoD) Response to General Accounting Office (GAO) 
Draft Report, "DoD Business Systems Modernization: Limited Progress in 
Development of Business Enterprise Architecture and Oversight of 
Information Technology Investments" (GAO-04-731R):

DoD Response: The referenced draft General Accounting Office (GAO) 
report accurately describes the size and scope of the Business 
Management Modernization Program (BMMP). As stated in the opening 
paragraphs of the draft report, "...DoD is one of the largest and most 
complex organizations in the world, overhauling its business operations 
and supporting systems represents a huge management challenge." 
Furthermore, the draft report pointedly describes the adverse effect of 
long-standing business system problems, which have resulted in "a lack 
of adequate transparency and appropriate accountability across all 
major business areas." The Department of Defense (DoD) agrees with that 
assessment and concurs with the urgent need to undertake the largest 
ongoing transformation in the public sector. Since July, 2001, we have 
been actively engaged in efforts to correct these long-standing 
problems. However, GAO's draft report characterizes DoD' s progress so 
far as "limited." Though progress over the past 3 years admittedly has 
been slower than either GAO or DoD would prefer, it has been 
significant, despite appearances to the contrary. The report also 
underestimates development methodology of the Business Enterprise 
Architecture (BEA), as well as the significant growth in program 
maturity.

GAO's report states that DoD has little to show for its three-year 
effort and $203 million investment. However, GAO's assessment does not 
adequately consider or incorporate in their report important completed 
and ongoing activities, plans, and documentation. In addition to the 
scope and complexity of the BMMP, DoD must solve difficult, persistent, 
and tenacious culture, management and partnership barriers to defining 
and using the BEA to drive business transformation, conditions for 
which the GAO report seems to offer no allowances, although it 
certainly acknowledges them.

The draft report asserts that GAO has not observed significant change 
since their last review, which seems improbable considering the level 
of effort expended during the past year. However, it is possible that 
GAO's observations overlooked ongoing architecture development 
activity or governance deliberations and therefore did not recognize 
relevant improvements in their report. For example, the report should 
highlight the significance of the Information Technology (IT) Portfolio 
Management policy memorandum issued March 22, 2004. This document lays 
the foundation of the Department's portfolio management strategy and 
will be supplemented by the IT Portfolio Management Instruction, 
currently under development, and other management initiatives.

In 2003-2004, DoD Chief Financial Officer (CFO) and Chief Information 
Officer (CIO) collaborated on the DoD portfolio management policy. The 
BMMP and its associated governance also enabled development of a 
comprehensive directive to leverage the BEA and portfolio management 
for near term IT investment decisions.

The DoD IT budget request for FY05 totals $29B. This budget includes 
business applications, warfighting systems, shared infrastructure, 
information assurance and related 
technical activities. The business applications portion of the DoD IT 
budget totals $5.0313 in FY05, which includes BMMP systems and IT 
activities that support business functions of the Department. 
Warfighting systems account for $7.813, shared infrastructure accounts 
for $12.813, and Information Assurance and related technical activities 
account for $3.113. DoD Domains clearly have responsibility for 
developing and implementing business transition plans and portfolios 
that will assure that the $4.813 annual business system expenditures 
cited in the referenced GAO report are focused on the established 
business transformation goals of the Department.

DoD's proposed Management Initiative is a key document that lays out 
specific Domain responsibility and authority for DoD business 
transformation. It is expected to be released in May 2004. The GAO 
report does not it recognize the magnitude of the BMMP governance 
accomplishments. For the first time in its history, DOD's business 
executives are taking an integrated view of the business environment 
and making collaborative decisions based on an enterprise view. In 
addition, a major accomplishment and strong indicator of DoD 
architecture management maturity is the series of completed and ongoing 
Domain-led workshops and the subsequent collaborative Domain-led 
Architecture Integration Team (AIT) sessions.

The portfolio management policy (Attachment 1), draft portfolio 
management instruction and other related documents, provide clear 
direction and accountability for management and oversight of IT 
investment decisions. This accountability structure, organized along 
functional business owner lines, is the key mechanism for achieving DoD 
investment control frequently called for in GAO and other audit and 
management reports. These policy documents will provide the Department 
the visibility and information necessary to make informed investment 
decisions.

The Department's BEA, containing the baseline "blueprint" of the 
Department's vast, worldwide business activities (e.g., business 
policies and rules, business process controls, information flows, and 
business operational data collection and use), is one of the largest, 
most complex, and most pervasive business architectures developed to 
date, in either the public or private sectors. The DoD progress in the 
past three years exceeds any experience in the private sector and 
government.

There is no proven roadmap to guide our actions thus far. Despite the 
absence of a direct precedent or example to follow, DoD continues to 
take full advantage of guidelines, lessons learned and consultant 
expertise in addition to the guidance provided by GAO.

BEA 5coue and Detail:

The BEA 1.1 Release provided the baseline and also illustrated the need 
to approach architecture extensions in an incremental manner on 
creating additional detail. As such, DoD is deliberately delivering 
these extensions in increments, each scoped to take approximately a 
year to define in the BEA. DoD identified and approved the focus areas 
of the additional two increments (Two and Three) at the Domain Owner 
Integration Team (DO/IT) meeting on March 22, 2004 and the BMMP 
Steering Committee meeting on March 25, 2004 (Attachments 2 and 3). The 
scope of increment one had already been approved.

* Increment One: Unqualified audit opinion (UAO), asset accountability 
and total force visibility.

* Increment Two: Acquisition best practices, total asset visibility, 
improved force management, improved military health care, and improved 
environmental safety and occupational health.

* Increment Three: Improved planning, programming, budgeting and 
execution, integrated total force management, and improved force 
management.

The scope for each increment includes the processes, information, 
requirements and business rules pertinent to accomplishing each of the 
major focus areas. For the BEA, the Executive Summary Concept of 
Operations (Attachment 4) defines the needed level of detail: "The BEA 
shall depict architecture products in sufficient detail to provide an 
unambiguous interpretation of cross-Domain business transactions".

Plans to Extend and Evolve BEA:

The BEA is an integrated plan for Departmental business transformation. 
It includes work products consisting of models, diagrams, tables, and 
narratives, all of which translate DoD's business activities into 
meaningful representations of business processes with comprehensive 
integration of relevant rules and regulations. These include the 
initial all views (AV), system views (SV), technical views (TV) and 
operational views (OV) of the business processes of the six key DoD 
business Domains. The Domains encompass the following business areas; 
Accounting and Finance, Acquisition, Human Resource Management, 
Installations and Environment, Logistics, and Strategic Planning and 
Budget. For the first time in the history of DoD, each Domain Owner is 
now serving as the single authoritative source of interpretation of 
rules and regulations for the Department in each of their respective 
areas of cognizance. In addition to the Business Domains, the Assistant 
Secretary of Defense (Networks and Information Integration)/Chief 
Information Officer - ASD(NII)/CIO - is the leader of the Enterprise 
Information Environment (EIE) Mission Area. This Mission Area is 
composed of equipment, software and common information capabilities or 
services for Enterprise use.

In the Fall of 2003, the BEA was extended to include the Reference 
Business Process Model (RBPM), which proposed a desired condition for 
the enterprise-level business processes for BEA 2.0. This Release was 
published in February 2004.

For Increment One, all Domains conducted preparatory workshops to 
define supporting business processes more fully. From October 2003 to 
January 2004, the Accounting and Finance Domain conducted 26 workshops 
(Attachment 5) to specifically analyze DoD business processes and 
associated financial management requirements. These formed the basis 
for extended analysis by the increment one Architecture Integration 
Team (AITs), which focus on the following process categories:

* Team #1: Apportionment:

* Team #2: Receipts & Acceptance:

* Team #3: Commitments & Obligations:

* Team #4: Receivables, Payables & Disbursements:

* Team #5: Asset Accountability:

* Team #6: Purchase Card/Travel Card:

Each of the AITs is comprised of 8 to 21 team members consisting of 
Domain Action Officers (DAOs) serving as a Team Lead, domain Subject 
Matter Experts (SMEs) and Business Modernization Systems Integration 
(BMSI) staff supporting the teams with process modelers, data modelers, 
requirements analysts and accountants. Although they did not take 
advantage of the DoD offer, GAO was invited to participate in any and 
all the AIT sessions to witness the significance and depth of this 
collaborative work. The AITs are key to assuring cross domain 
integration, unambiguous interpretation of requirements across the 
Department, and coherent representation of end-to-end processes that 
will serve as the roadmap for subsequent IT investment and system 
configuration decisions.

As described in the AIT methodology, DoD is developing the Enterprise 
Business Process Model (EBPM), and end-to-end descriptions of DoD 
business processes. This model will accurately identify financially 
relevant requirements and business rules necessary to resolve all known 
material weaknesses to support an Unqualified Audit Opinion and asset 
accountability. These rules and requirements, along with their 
associated data objects, are being linked to DoD business processes. 
The EBPM will update the RBPM previously published in BEA Release 2.0. 
The initial EBPM (in HTML) and updated Overview and Summary (AV-1) were 
released on April 30, 2004 (BEA 2. 1) as scheduled and approved. This 
Release represents a significant improvement of the BEA and can be 
found on the BMMP Portal (portal navigation instructions are at 
Attachment 6).

The near term schedules for completing Release 2.2 are shown in 
Attachments 7 and 8. The EBPM defines the complete end-to-end process 
of doing business in the Department, from planning to disposal. The 
activity model developed for the baseline BEA will be aligned with the 
enterprise processes (EBPM) to ensure architectural completeness, and 
to facilitate its use. BEA Release 2.1 Overview and Summary (AV-1, 
Attachment 9) explains that the content of BEA Release 2.2, scheduled 
for July 2004, will support IT investment decisions for the FY06 
Budget. Release 2.3 (October 2004) and 2.4 (January 2005) will augment 
BEA 2.2 for enhanced portfolio management acquisition decision support 
and business process re-engineering.	Attachment 10 maps architecture 
products to business utility and will serve to prioritize and focus 
development of BEA products.

In BEA Release 2.2, DoD will concentrate on completeness and 
correctness of the requirements repository, business rules, the 
enterprise business process model, the conceptual data model, and 
system functions, entities and information exchanges related to 
Increment One. Release 2.3 will add the relevant realigned activity 
model, and updated organizational nodes, roles, information and 
activities.

In summary, since the publication of BEA Release 1.0 in May 2003, the 
Department has:

* Completed an initial Transition Plan that identifies BMMP concept 
strategy and delineates steps for future business transformation.

* Established the enterprise-wide DoD Portfolio Management policy.

Page 4 of 10:

* Established a DoD-wide BMMP Governance Structure, which defines 
program strategies, performs strategic decision-making, and provides 
oversight and control of portfolio management responsibilities with 
respect to IT business system investments. 

* Established an incremental 
approach for extending the BEA into implementable parts that will drive 
transformed business operations into DoD. BMMP Increments One, Two, and 
Three have been approved by the BMMP Steering and Executive Committees.

* Established initial BMMP and BMSI program office performance metrics 
(i.e., goals, objectives, measures and targets), and is near completion 
of an integrated set of enterprise and domain business transformation 
metrics. DoD plans to begin data collection and reporting in the 4`h 
Quarter of FY04.

* Established the initial inventory of business IT systems.

* Identified the template and program entries to instruct the 
implementation of a Standard General Ledger (SGL).

* Developed a schedule for completion of initial business process 
reengincering and modeling for integration with the next extension of 
the BEA.

Independent Verification and Validation Contractor:

GAO states that "DOD does not have an independent verification and 
validation function to review the architecture products and management 
processes. The department's current verification and validation 
contractor is not independent and only reviews selected architecture 
products." The current independent verification and validation (IV&V) 
contractor is a neutral third party, a Federally Funded Research and 
Development Center (FFRDC), free of organizational conflict of interest 
(OCI) issues. The contractor is not directly involved with the BEA or 
the Transition Plan development; hence they provide the requisite 
independence. Under the recently revised BMSI organization structure, 
the 1V&V contractor is not within the BEA or Transition Planning chain 
of command. IV&V contractor activities are included in a separate 
directorate with Quality Assurance and Risk Management. To assure 
independence, reports of the IV&V contractor are provided directly to 
GAO and the Steering Committees. (The list of IV&V items reviewed since 
April 2003 and provided to GAO is included in Attachment 11):

The IV&V contractor provides input to evaluation criteria for major 
deliverables and reviews the significant architecture-related 
documentation developed by the BMSI office. These include; architecture 
methodology, requirements management methodology, BEA Releases and 
other significant documents. The BMSI office is in the process of 
extending the IV&V support through a competitive acquisition process. 
The contract award is anticipated by June 2004.

GAO and Verification and Validation Contractor Comments:

Attachment 12 is the verification and validation contractor's report on 
BEA Release 2.0 as submitted to DoD and GAO. It supports DoD statements 
that some of the contractor's recommendations were addressed in Release 
2.0. Specific comments are on pages 17, 18, 19,

21, 22, and 23. DoD expects Release 2.2 and 2.3 of the architecture to 
address the remaining IV&V comments. Attachment 13 is a matrix showing 
consolidated comments mapped to disposition.

DoD is also addressing the 61 content elements identified by GAO. 
Attachment 14 shows the evaluation criteria for the detailed action 
plan for developing AS-IS BEA products. This action plan, scheduled for 
completion June 28, 2004, will provide the timeline to reconcile and 
address GAO content elements. Status for addressing the TO-BE 
architecture products is at Attachment 15. Attachment 16, BEA 
Information Assurance (IA) Guidance, illustrates DoD's plans to address 
IA and Security and Attachment 17 contains the BEA Configuration 
Management (CM) Plan as approved and implemented on January 28, 2004. 
To ensure that BEA considers and implements all of the GAO comments 
concerning the maturity of the architecture, DoD is using the GAO 
Framework for Enterprise Architecture Management Maturity to measure 
BMSI performance, as briefed to the BMMP Steering Committee.

DoD will measure BMSI performance relative to the quality of BEA 
content, and its alignment with the Federal Enterprise Architecture 
(FEA), using the Office of Management and Budget (OMB) Guidelines for 
Enterprise Architecture Assessment Framework. To ensure consistent 
mapping to FEA, DoD has developed a set of DoD enterprise reference 
models (see Attachment 18) that map to each of the FEA reference 
models.

BMMP Governance Structure:

The Department has established a BMMP Governance structure that 
institutionalizes the participation of senior civilian and military 
leaders from the Department's key business areas. We have created, and 
are using, a hierarchy of governance committees to address and resolve 
business transformation issues in the most efficient manner, at the 
lowest level possible.

Through the Program's Executive Committee, the Secretary's senior 
political leadership provides strategic direction and guidance. The 
BMMP Executive Committee and Steering Committee are jointly chaired by 
the DoD CFO and DoD CIO, and include representatives from both the 
Office of the Secretary of Defense and the Military Services. The 
Domain Owners Integration Team (DO/IT) are responsible for business 
transformation by establishing and maintaining intra-Domain governance 
processes, managing domain-specific Information Technology (IT) 
investment portfolios, ensuring systems compliance with the BEA, and 
assisting in the extension of the enterprise architecture..

The Governance Structure, at the appropriate level, has actively 
engaged in developing the Department's enterprise level Portfolio 
Management policies, and now is developing the guidance to the DoD 
Components regarding the submission of IT exhibits for the FY06 budget. 
With the release of the Department's Management Initiative, expected in 
May 2004, greater detail regarding roles and responsibilities will be 
explicitly articulated and Domain Owners will be provided additional 
direction to manage DoD IT investments as portfolios. DOD's Management 
Initiative will establish specific time frames (30 days from signature 
date) for the issuance of initial Portfolio Management guidance, to 
include the criteria for performing reviews of proposed IT investments.

Architectural compliance is noted as one of the criteria for decisions 
on what investments to make, and to modify or terminate a system in the 
recently issued Information Technology 
Portfolio Management policy memorandum. This policy memorandum states 
that the Under Secretary of Defense (Comptroller)(USD(C))/CFO is 
responsible for developing and maintaining the DoD BEA as a component 
of the overarching Global Information Grid (GIG) architecture. The 
USD(C) is therefore accountable for the approval of updates to the BEA, 
as called for by best practices.

The issue of waivers is addressed in DoD Directive 8100.1, "Global 
Information Grid (GIG) Overarching Policy", dated September 19, 2002. 
This directive is referenced in the Information Technology Portfolio 
Management policy memorandum. DoD Directive 8100.1 states that the DoD 
Chief Information Officer is responsible for establishing GIG 
compliance and enforcement mechanisms to minimize duplication of IT. 
The BEA Conops (Attachment 4) clarifies that the BEA is a component of 
the GIG and, as such, the GIG waiver policy applies to the BEA as well.

Timeframes have been established for the development and implementation 
of a DoD directive and instruction on IT Portfolio Management. The IT 
Portfolio Management policy memorandum was signed by the Deputy 
Secretary of Defense, March 22, 2004. This policy memorandum will be 
issued as a directive within 180 days (mid-September 2004). An 
accompanying IT Portfolio Management Instruction is under development, 
and as stated earlier, will be issued 30 days from signature of the 
Management Initiative. Coordination of this instruction will begin in 
June 2004, with a scheduled completion date of December 2004, The 
Department is not waiting for the publication of these documents to 
begin the review process. The Steering Committee completed its first 
round of IT Portfolio Management reviews for all Domains in March 2004. 
Decisions from these and subsequent reviews this Summer and Fall will 
guide the FY06 budget preparation process.

The Domains have a strong oversight responsibility for guiding 
investment in IT. However, the GAO has recommended that funds for DoD 
business systems be appropriated directly to the Domains in order to 
provide for accountability, transparency, and the ability to prevent 
"...a continued parochial approach to systems investments that exists 
today.":

The Department does not concur with this recommendation, and does not 
envision a governance structure in which Domain owners are assigned the 
management responsibility for the planning, design, acquisition, 
deployment, operation, maintenance, and modernization of individual DoD 
business systems. Similarly, DoD does not envision a governance or 
program management strategy in which funds are appropriated to Domain 
leaders rather than the military service and Defense agencies to 
operate, maintain, and modernize DoD business systems. The Department 
does not consider this recommendation to be advisable for several 
reasons.

The GAO's recommendation appears to have been made without 
consideration of the Department's long standing recognition of the need 
for operational expertise and perspective in the development of 
business IT systems. The recommendation was made without regard for 
collaborative consultation before advancing a concept that is radically 
different from the portfolio management concepts being implemented in 
DoD today. Finally, funds management by the Domains would require 
creation of a completely new layer of bureaucracy to assure proper 
management of appropriated funds.

Beginning with the FY06 DoD program budget development process, the 
Domains will be acting as an Investment Review Board, and will provide 
strong management oversight to the Department's business IT investment 
decisions. Therefore the Domains will oversee, coordinate and guide the 
business system investment decisions made by the DOD Components. IT 
investments will be based on Domain approval. The DoD demonstrated in 
last year's Program Review how the Logistics Domain realigned resources 
from lower priority efforts into programs that better support the BEA. 
In this case, the DoD moved $121M within the Army, $87M within the 
Navy, and the $139M within the DLA - clearly a successful demonstration 
of portfolio management. We are expanding that effort by working with 
all the Domains to identify opportunities for similar realignments in 
the FY06 budget.

DOD has the strongest requirements, acquisition and budgeting processes 
of any Federal Agency. Our efforts to govern BMMP within these existing 
processes, suggests that we will have an even more robust oversight 
process for controlling portfolio investments. All Major 
Automated Information Systems (MAIS) programs are subjected to the same 
acquisition oversight as Major Defense Acquisition Programs (MDAP), 
including adherence to Clinger-Cohen Act requirements.	IT Capital 
Planning and Investment Control have been instituted in DoD through 
longstanding processes and executive-level forums. The Department uses 
the Planning, Programming, Budgeting, and Execution System and the 
Defense Acquisition System to select, manage, and evaluate IT 
investments. DoD uses these existing management processes in lieu of 
creating parallel processes to manage IT investments - ensuring the 
integration of IT investments into the total DoD investment portfolio 
in compliance with the BEA.

Several decision-making forums govern the movement of proposed IT 
investments from one phase to the next, and ultimately determine 
whether programs will be approved for funding. These bodies include the 
Defense Resources Board, Defense Acquisition Board, IT Overarching 
Integration Product Teams (OIPT), the DoD CIO Executive Board, and the 
GIG Architecture Integration Panel. The roles of these bodies include 
ensuring proposed IT investments support core missions, allocating 
resources, overseeing and controlling IT investments, and overseeing 
the development and configuration management of integrated 
architectures.

Systems Review and Legislative Compliance:

The Department acknowledges that a more proactive approach is required 
to ensure certification compliance with the legislative requirement of 
the FY03 National Defense Authorization Act. To that end, we are 
currently finalizing and issuing guidance that will significantly 
improve the process by clearly delineating roles and responsibilities, 
establishing time frames and making key system modifications to better 
align budgets with actual IT expenditures. The guidance directs the 
Business Domains to develop and submit business 1T system certification 
compliance plans to the USD(C) within thirty days of issuance of 
Management Initiative. The plan must include a schedule to accomplish 
the reviews for all the systems comprising at least 80 percent of the 
total business system funding by August 23, 2004. To facilitate 
development of the plans the Department will use the Information 
Technology Application (ITMA) and system repositories of the 
Components, which serve as key components 
in developing the Department's IT budget requirements, as the primary 
source to identify Business IT systems needing USD(C) certification.

The completion of these reviews by Fall 2004 is required so that 
Domains will have the opportunity to review component budget 
submissions during the Program/Budget review cycle and make necessary 
funding adjustments to the FY06 budget.

Both the BEA and the Business IT investment governance structure depend 
significantly on the business system portfolio management process being 
established within the Department's key business Domains. Beginning 
with the FY06 budget development process, the Domains will provide 
strong management oversight to the Department's near-term business 
system investment decisions. Additionally, the Department has developed 
standard architecture criteria by which the business systems can be 
evaluated, to ensure they are being developed and managed in accordance 
with BMMP. These criteria will be enhanced as the BEA matures.

Metrics:

The Department understands the importance of establishing meaningful, 
tangible, and measurable program goals and objectives to guide and 
measure the value of business transformation investments. The 
establishment of a comprehensive performance measurement process for 
the transformation of DoD business operations, the largest business 
operations in the world, takes substantial time, resources, and 
extensive cross-organizational coordination. BMMP has made substantial 
progress establishing metrics (i.e., goals, objectives, measures, and 
targets) to include business transformation metrics and BMSI Program 
Management Office management metrics.

As approved by the Steering Committee and the DOAT, DoD is nearing 
completion of an initial integrated set of enterprise and domain 
business transformation metrics and plans to begin data collection and 
reporting in 4 Quarter FY04. BMMP expects the integrated set of metrics 
to encompass approximately 16 to 20 goals, 30 to 50 objectives, and 90 
to 120 measures. These metrics reflect a major accomplishment because 
they provide the basis for demonstrating the alignment of business 
transformation investments with strategic outcomes.

Additionally, BMSI has established Architecture Integration Team (AIT) 
performance metrics that track the number of requirements dispositioned 
relative to the total number of requirements and the percent of process 
steps reviewed relative to the total number of process steps. BMSI 
tasking to contractors is quite clear, serving as the basis for use of 
rigorous Earned Value Management metrics for BEA development. BMSI is 
establishing an Architecture and Program Management Maturity Plan and 
supporting metrics to address the quality, content, and utility of the 
BEA. BMSI is establishing a balanced scorecard (BSC) and supporting 
metrics focused on the organization's internal management processes.

Contracting Issues:

Under the General Services Administration (GSA) schedule through which 
the BEA Blanket Purchase Agreement (BPA) was awarded, only two types of 
contracts are permitted, 
Time and Materials (T&M) and Firm Fixed Price (FFP). Due to the 
complexity and evolutionary nature of the BEA development effort, it is 
not prudent acquisition strategy to use a firm, fixed price vehicle. 
Maintaining, extending and integrating the architecture can be 
accomplished in a variety of ways using many different approaches, such 
as the use of AITs.

The Government and the prime contractor establish acceptance criteria 
prior to work beginning on each deliverable. The Government uses the 
established criteria to evaluate the deliverables, after providing a 
clear understanding of the work expectations. Government personnel 
monitor the progress on a daily basis.

In addition, the Government holds weekly reviews with the Contractor to 
monitor deliverables, performance (Earned Value Management System-
EVMS). The attached work statement for Call 0009 (Attachment 19) 
includes additional EVMS requirements the Government is instituting to 
more closely monitor performance.

Pilot Initiatives:

The Accounting and Finance Domain is serving as the program advocate 
and oversight entity, to assure compliance with the BEA, in accordance 
with the responsibilities assigned to the Domains, for two Component 
acquisitions of Joint Financial Management Improvement 
Program (JFMIP)-compliant financial management systems (Defense 
Enterprise Accounting and Management System (DEAMS) and General Fund 
Enterprise Business System (GFEBS)) to support the Department's general 
and working capital fund activities. These initiatives are being funded 
by the individual Components, not the Accounting and Finance Domain. 

The following are GAO's comments on the Department of Defense's (DOD) 
letter dated May 10, 2004.

GAO Comments:

See the "Agency Comments and Our Evaluation" section of this report.

We have reviewed multiple versions of the architecture development 
methodology, including the latest version, which is currently draft. 
Based on our review of the latest draft, we concluded that this 
methodology does not provide a documented approach for performing 
activities in a coherent, consistent, accountable, and repeatable 
manner. Key DOD stakeholders also expressed concerns about the 
methodology. For example, these stakeholders stated that it is an 
"after-the-fact" description of work products rather than a 
prescriptive document that details the approach to be followed to 
develop the architecture.

The descriptions of increments 2 and 3 in DOD's comment letter are 
different than the descriptions the program manager provided to us on 
April 27, 2004, as reflected in this report. Because of the 
inconsistencies in the responses, it remains unclear what the 
department's focus is for increments 2 and 3. DOD's response also 
stated that the executive committee approved all three increments; 
however, DOD did not provide evidence of this approval.

As stated in our report, DOD's objective for achieving an unqualified 
audit opinion is not supported by a DOD-wide plan of action nor are the 
individual component plans linked to program activities.

As stated in our report, DOD does not expect to complete the next 
version of its transition plan until August 2004. In addition, as we 
previously reported,[Footnote 41] its initial transition plan was 
basically a plan to develop a transition plan and did not possess the 
attributes needed to guide its transformation efforts.

Attachment 11 does not list the deliverables the verification and 
validation contractor has reviewed since April 2003.

The matrix does not show the anticipated disposition (e.g., date and 
architecture version) of the verification and validation contractor's 
comments.

This information was provided after fieldwork was completed.

These briefings were presentations given by each domain describing its 
approach for conducting portfolio management reviews. The steering 
committee did not review actual systems investments nor was there 
detailed discussion about the domains' approaches.

The scope of our review did not include an evaluation of the 
realignment of funds made by the logistics domain to determine an 
effective demonstration of portfolio management.

DOD's characterization of its current process for oversight and control 
of modernization investments is inaccurate. We along with the DOD 
Inspector General continue to report on significant weaknesses in the 
department's requirements, acquisition, and budgeting processes for 
business systems modernization projects. For example, we 
reported[Footnote 42] that estimated costs for the Defense Procurement 
Payment System had increased by $274 million and the schedule had 
slipped by almost 4 years after having already invested 7 years and 
over $126 million. DOD Comptroller's noted that the project was being 
terminated due to poor program performance and increased costs.

We look forward to receiving DOD's forthcoming guidance to contracting 
and program officials that describes the process by which these 
officials obtain DOD Comptroller's statutorily required determination 
before making obligations exceeding $1 million for a financial system 
improvement. However, given the obligation data provided to us by DOD 
and included in our report, we are concerned that DOD plans no action 
to review previous obligations for system improvements to ensure that 
there have been no such violations since the enactment of the 
limitation.

We continue to believe that contractor tasks have not been clearly 
defined and that, because DOD is acquiring services on the basis of 
time and materials, it is essential that the department use efficient 
methods and effective cost controls to measure the work being 
performed. While we did not take issue with DOD on its use of a time 
and materials contract, we did state that DOD's failure to execute the 
required Determination and Finding to evaluate the cost and performance 
risks assumed by the government illustrates an overall lack of clear 
architecture development plans.

According to a program official, DOD did not begin requiring acceptance 
criteria prior to the contractor beginning work until August 2003. 
Further, DOD has paid the contractor under the time and materials 
contract even when the contractor did not meet all of the criteria for 
the deliverable. For example, based on reports provided by DOD, the 
department paid the contractor for delivery of version 2.0 of the 
architecture even though this version did not meet 50 percent of the 
acceptance criteria.

Enclosure V:

GAO Contacts and Staff Acknowledgments:

GAO Contacts Jenniffer Wilson, (202) 512-9192:

Cynthia Jackson, (202) 512-5086:

Acknowledgments In addition to the individuals named above, key 
contributors to this report included Beatrice Alff, Francine 
DelVecchio, Abe Dymond, Joanne Fiorino, Neelaxi Lakhmani, J. 
Christopher Martin, Mai Nguyen, Michael Peacock, David Plocher, 
Katherine Schirano, Darby Smith, and Bernard Trescavage.

(192114):

GAO-03-465.

FOOTNOTES

[1] U.S. General Accounting Office, Information Technology: 
Architecture Needed to Guide Modernization of DOD's Financial 
Operations, GAO-01-525 (Washington, D.C.: May 17, 2001).

[2] The Business Management Modernization Program is the department's 
business transformation initiative; it encompasses defense policies, 
processes, people, and systems that guide, perform, or support all 
aspects of business management--including development and 
implementation of the business enterprise architecture. The Under 
Secretary of Defense (Comptroller) established a DOD-wide program 
management office called Business Modernization and Systems Integration 
(BMSI), to oversee and manage the program.

[3] Business systems include financial and nonfinancial systems, such 
as civilian personnel, finance, health, logistics, military personnel, 
procurement, and transportation, with the common element being the 
generation or use of financial data to support DODís business 
operations.

[4] Bob Stump National Defense Authorization Act for Fiscal Year 2003, 
Pub. L. No. 107-314, ß 1004, 116 Stat. 2458, 2629 (Dec. 2, 2002).

[5] In May 2003, the DOD Comptroller changed the architecture name from 
the Financial Management Enterprise Architecture to the Business 
Enterprise Architecture to reflect the transformation of departmentwide 
business operations and supporting systems, including accounting and 
finance, budget formulation, acquisition, inventory management, 
logistics, personnel, and property management systems.

[6] U.S. General Accounting Office, DOD Business Systems Modernization: 
Summary of GAO's Assessment of the Department of Defense's Initial 
Business Enterprise Architecture, GAO-03-877R (Washington, D.C.: July 
7, 2003).

[7] U.S. General Accounting Office, DOD Business Systems Modernization: 
Important Progress Made to Develop Business Enterprise Architecture, 
but Much Work Remains, GAO-03-1018 (Washington, D.C.: Sept. 19, 2003).

[8] GAO-03-1018.

[9] The steering committee, made up of senior leaders from across the 
department, is advisory in nature and is not accountable for directing, 
overseeing, and approving the architecture.

[10] DOD has six departmental domains, which are (1) accounting and 
finance, (2) acquisition, (3) human resources management, (4) 
installations and environment, (5) logistics, and (6) strategic 
planning and budgeting. It also has one enterprise information 
environment mission area. The domains and the mission area, comprised 
of the Under Secretaries of Defense and the Assistant Secretary of 
Defense for Networks and Information Integration/DOD Chief Information 
Officer, have authority, responsibility, and accountability within 
their domains for business transformation, implementation of the 
architecture, development and execution of the transition plan, 
portfolio management, and establishment of a structure to ensure 
representation of the DOD components and the appropriate federal 
agencies.

[11] U.S. General Accounting Office, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003).

[12] GAO-03-1018.

[13] GAO-01-525.

[14] U.S. General Accounting Office, DOD Business Systems 
Modernization: Improvements to Enterprise Architecture Development and 
Implementation Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 
2003).

[15] GAO-03-1018.

[16] GAO-01-525; U.S. General Accounting Office, DOD Financial 
Management: Important Steps Underway But Reform Will Require a Long-
term Commitment, GAO-02-784T (Washington, D.C.: June 4, 2002); and U.S. 
General Accounting Office, Department of Defense: Further Actions 
Needed to Establish and Implement a Framework for Successful Business 
Transformation, GAO-04-626T (Washington, D.C.: Mar. 31, 2004).

[17] GAO-01-525.

[18] GAO-03-458.

[19] U.S. General Accounting Office, Information Technology: 
Observations on Department of Defense's Draft Enterprise Architecture, 
GAO-03-571R (Washington, D.C.: Mar. 28, 2003).

[20] GAO-03-877R and GAO-03-1018.

[21] GAO-03-1018.

[22] GAO-01-525.

[23] GAO-03-458.

[24] GAO-03-584G.

[25] Best practices recommend that the verification and validation 
function be independent of the architecture program and report directly 
to the steering committee.

[26] JFMIP requirements arise from various public laws, regulations, 
bulletins, circulars, federal accounting standards, and leading 
practices and are applicable governmentwide.

[27] The focus of this review was limited to the "As Is" and "To Be" 
architecture products, because the transition plan has not been 
updated.

[28] We also found that in issuing task orders to International 
Business Machines (IBM) pursuant to the General Services Administration 
contract, DOD did not execute a Determination and Finding to support 
its use of Time-and-Materials task orders, as required by Federal 
Acquisition Regulation 16.601, 48 C.F.R. ß 16.601 (2003). This 
Determination and Finding requirement guides agencies in evaluating the 
cost and performance risks assumed by the government in awarding Time-
and-Materials contracts compared to other types of contracts that may 
provide increased incentives for the contractor to control costs and 
efficiency.

[29] Subsection 1004(d) of the Bob Stump National Defense Authorization 
Act for Fiscal Year 2003, Pub. L. No. 107-314, 116 Stat. 2630, (Dec. 2, 
2002), provides that any amount in excess of $1 million may be 
obligated for Defense financial system improvements before approval of 
its enterprise architecture and a supporting transition plan only if 
the DOD Comptroller makes a determination that the improvement is 
necessary for (1) critical national security capability or critical 
safety and security requirements or (2) prevention of significant 
adverse effect on a project that is needed to achieve an essential 
capability. The act further provides that after the architecture and 
transition plan are approved, the DOD Comptroller must determine, 
before making obligations that exceed $1 million for system 
improvements, that such improvements are consistent with the enterprise 
architecture and the transition plan.

[30] GAO-01-525 and GAO-03-458.

[31] We requested the obligational data for fiscal year 2003 for the 
period December 2, 2002, the date of enactment of the act, through 
September 2003.

[32] GAO-04-626T.

[33] U.S. General Accounting Office, DOD Business Systems 
Modernization: Continued Investment in Key Accounting Systems Needs to 
be Justified, GAO-03-465 (Washington, D.C.: Mar. 28, 2003).

[34] Wide Area Workflow is a secure web-based system for electronic 
invoicing, receipt, and acceptance. 

[35] GAO-03-465.

[36] GAO-04-626T.

[37] U.S. General Accounting Office, Department of Defense: Further 
Actions Needed to Establish and Implement a Framework for Successful 
Financial and Business Management Transformation, GAO-04-551T 
(Washington, D.C.: Mar. 23, 2004) and GAO-04-626T.

[38] GAO-03-458.

[39] GAO-04-551T.

[40] U.S. General Accounting Office, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003).

[41] External requirements are those that are obtained from 
authoritative sources, such as the Joint Financial Management 
Improvement Program, and constrain various aspects of the architecture.

[42] GAO-03-1018.

[43] GAO-03-465.