Skip to main content

Defense Financial Management: Immature Software Development Processes at Indianapolis Increase Risk

AIMD-97-41 Published: Jun 06, 1997. Publicly Released: Jun 06, 1997.
Jump To:
Skip to Highlights

Highlights

GAO reviewed the Defense Finance and Accounting Service Financial Systems Activity (FSA)-Indianapolis' capability for developing and maintaining software for its information systems.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) (USD (C)) to establish, for each project, a software configuration control board (SCCB) composed of software engineering specialists. Such a board should authorize the software baseline, configuration items, and other relevant software products.
Closed – Implemented
The Under Secretary of Defense (Comptroller) agreed that the functions specified for a software configuration control board should be performed but stated that it would rather place the functions within the existing configuration control board as opposed to establishing another board. Presently, for projects included in their Software Process Improvement (SPI) program, the DFAS-Indianapolis (DFAS-IN) Information Technology Directorate (ITD) (formerly Financial Systems Activity-Indianapolis) configuration control board performs software configuration control functions and includes software engineering technical representation. All migratory and interim migratory systems are included in the SPI program. Legacy systems are not included because of associated costs and the expected limited life cycle of these systems.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to ensure collaboration between the SCCB and the functionally-oriented configuration control board.
Closed – Not Implemented
The USD(C) position was that collaboration between the SCCB and the functionally-oriented configuration control board was already occurring and that the recommendation need not be addressed.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to ensure that any future contracts or contract modifications for software development require the contractor(s) to: (1) have an independently assessed software development capability of at least Capability Maturity Model level 2; (2) develop project specific software plans; and (3) perform software quality assurance and software configuration management activities.
Closed – Implemented
DOD did not agree with requiring a CMM Level 2 for contractors. On future projects, under the subcontract management key project area, an evaluation criteria will be included in contracts for consideration of contractors having level 2 capability.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to require that projects develop, document, and periodically update a risk management plan that identifies and assesses risks to cost, schedule, and quality goals. The plan should also outline strategies for mitigating the risks, including mechanisms for corrective action when projects exceed established thresholds.
Closed – Implemented
In its original comments, DOD stated that a formalized risk management process is not required at level 2, but at level 3, activity 10. DFAS-IN ITD now acknowledges that GAO recommended actions are included under CMM Level 2(Repeatable), Software Project Management, Activity 13. Accordingly, these activities are being performed for all projects included in their SPI program. All migratory and interim migratory systems are included in the SPI program. Legacy systems are not included because of associated costs and the expected limited life cycle of these systems. Three of the four projects included in the GAO evaluation are in the SPI program and have now achieved level 2. The fourth project-the Standard Finance System (STANFINS)--is not included because it is a legacy system that will be eliminated.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to require that each project perform both product- and process-focused software quality assurance activities throughout the system life cycle.
Closed – Implemented
DOD stated that the appropriateness of these activities should be determined on a project-by-project basis that considers cost versus the limited life cycle of many of the legacy and migratory systems. Both product and process quality assurance are being accomplished for SPI projects that have reached level 2.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to ensure that each project: (1) prepares a software configuration management plan that addresses all work products to be placed under configuration management; and (2) follows a documented procedure.
Closed – Not Implemented
DOD stated that the appropriateness of these activities should be determined on a project-by-project basis that considers cost versus the limited life cycle of many of the legacy and migratory systems. Both product and process quality assurance are being accomplished for projects that have reached level 2.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to expedite the promulgation of FSA-Indianapolis policies and procedures for software development.
Closed – Implemented
DFAS has promulgated software development policies and procedures to all 6 FSAs that are consistent with CMM provisions and in consonance with available resources and mission priorities.
Department of Defense To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to delay any major investment in software development for projects at FSA-Indianapolis beyond that needed to sustain critical day-to-day operations until the repeatable level of process maturity (level 2) is attained and validated through an independent performance audit or, at a minimum, until the above recommendations are fully implemented.
Closed – Not Implemented
DOD believes that mission needs preclude further delay of any planned investment on future software development projects. According to DOD, the appropriateness of achieving a CMM Level 2 should be determined on a project-by-project basis. Any significant restrictions placed on funding for development projects would work against the ability of DOD to reach a higher level of maturity.

Full Report

Office of Public Affairs

Topics

Software verification and validationFinancial management systemsProgram managementQuality controlRequirements definitionStrategic information systems planningSubcontractsSystems designSoftware developmentConfiguration control