Defense Financial Management:

Immature Software Development Processes at Indianapolis Increase Risk

AIMD-97-41: Published: Jun 6, 1997. Publicly Released: Jun 6, 1997.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO reviewed the Defense Finance and Accounting Service Financial Systems Activity (FSA)-Indianapolis' capability for developing and maintaining software for its information systems.

GAO noted that: (1) although FSA-Indianapolis does not yet satisfy the criteria for a level 2 (i.e., repeatable) software development capability on any of the four projects GAO reviewed, the two projects under its software process improvement (SPI) program showed strengths and improvement activities in many of the key process areas; (2) for example, projects under the SPI program generally kept software-related work products consistent with requirements; (3) in contrast, projects not under SPI had few such identifiable strengths or improvement activities; (4) while SPI is making progress in ensuring that its projects implement defined and documented processes, many of its processes were not yet institutionalized; (5) for example, many policies were still in draft form or were in the planning phase, and therefore were not yet an ongoing way of doing business; (6) in addition, software quality assurance activities, such as audits, were not used to ensure that defined software processes and standards were being followed; (7) such deficiencies pose unnecessary risks to the success of the software project until they are addressed; (8) by more rigorously implementing its project management processes among its SPI projects, FSA-Indianapolis could accelerate progress toward reaching the level 2 capability; and (9) this would enhance its ability to repeat individual project successes within similar application areas.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to expedite the promulgation of FSA-Indianapolis policies and procedures for software development.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: DFAS has promulgated software development policies and procedures to all 6 FSAs that are consistent with CMM provisions and in consonance with available resources and mission priorities.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to ensure that each project: (1) prepares a software configuration management plan that addresses all work products to be placed under configuration management; and (2) follows a documented procedure.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD stated that the appropriateness of these activities should be determined on a project-by-project basis that considers cost versus the limited life cycle of many of the legacy and migratory systems. Both product and process quality assurance are being accomplished for projects that have reached level 2.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to require that each project perform both product- and process-focused software quality assurance activities throughout the system life cycle.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: DOD stated that the appropriateness of these activities should be determined on a project-by-project basis that considers cost versus the limited life cycle of many of the legacy and migratory systems. Both product and process quality assurance are being accomplished for SPI projects that have reached level 2.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to require that projects develop, document, and periodically update a risk management plan that identifies and assesses risks to cost, schedule, and quality goals. The plan should also outline strategies for mitigating the risks, including mechanisms for corrective action when projects exceed established thresholds.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In its original comments, DOD stated that a formalized risk management process is not required at level 2, but at level 3, activity 10. DFAS-IN ITD now acknowledges that GAO recommended actions are included under CMM Level 2(Repeatable), Software Project Management, Activity 13. Accordingly, these activities are being performed for all projects included in their SPI program. All migratory and interim migratory systems are included in the SPI program. Legacy systems are not included because of associated costs and the expected limited life cycle of these systems. Three of the four projects included in the GAO evaluation are in the SPI program and have now achieved level 2. The fourth project-the Standard Finance System (STANFINS)--is not included because it is a legacy system that will be eliminated.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to ensure that any future contracts or contract modifications for software development require the contractor(s) to: (1) have an independently assessed software development capability of at least Capability Maturity Model level 2; (2) develop project specific software plans; and (3) perform software quality assurance and software configuration management activities.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: DOD did not agree with requiring a CMM Level 2 for contractors. On future projects, under the subcontract management key project area, an evaluation criteria will be included in contracts for consideration of contractors having level 2 capability.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to ensure collaboration between the SCCB and the functionally-oriented configuration control board.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: The USD(C) position was that collaboration between the SCCB and the functionally-oriented configuration control board was already occurring and that the recommendation need not be addressed.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) (USD (C)) to establish, for each project, a software configuration control board (SCCB) composed of software engineering specialists. Such a board should authorize the software baseline, configuration items, and other relevant software products.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: The Under Secretary of Defense (Comptroller) agreed that the functions specified for a software configuration control board should be performed but stated that it would rather place the functions within the existing configuration control board as opposed to establishing another board. Presently, for projects included in their Software Process Improvement (SPI) program, the DFAS-Indianapolis (DFAS-IN) Information Technology Directorate (ITD) (formerly Financial Systems Activity-Indianapolis) configuration control board performs software configuration control functions and includes software engineering technical representation. All migratory and interim migratory systems are included in the SPI program. Legacy systems are not included because of associated costs and the expected limited life cycle of these systems.

    Recommendation: To better position FSA-Indianapolis to develop and maintain its software successfully and to protect its software investments, the Secretary of Defense should direct the Under Secretary of Defense (Comptroller) to delay any major investment in software development for projects at FSA-Indianapolis beyond that needed to sustain critical day-to-day operations until the repeatable level of process maturity (level 2) is attained and validated through an independent performance audit or, at a minimum, until the above recommendations are fully implemented.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD believes that mission needs preclude further delay of any planned investment on future software development projects. According to DOD, the appropriateness of achieving a CMM Level 2 should be determined on a project-by-project basis. Any significant restrictions placed on funding for development projects would work against the ability of DOD to reach a higher level of maturity.

    Mar 27, 2014

    Mar 13, 2014

    Mar 12, 2014

    Feb 27, 2014

    Dec 23, 2013

    Dec 16, 2013

    Dec 12, 2013

    Dec 11, 2013

    Looking for more? Browse all our products here