Homeland Security:

Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains

GAO-04-777: Published: Aug 6, 2004. Publicly Released: Aug 17, 2004.

Contact:

Randolph C. Hite
(202) 512-6256
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Homeland Security (DHS) is attempting to integrate 22 federal agencies, each specializing in one or more interrelated aspects of homeland security. An enterprise architecture is a key tool for effectively and efficiently accomplishing this. In September 2003, DHS issued an initial version of its architecture. Since 2002, the Office of Management and Budget (OMB) has issued various components of the Federal Enterprise Architecture (FEA), which is intended to be, among other things, a framework for informing the content of agencies' enterprise architectures. GAO was asked to determine whether the initial version of DHS's architecture (1) provides a foundation upon which to build and (2) is aligned with the FEA.

DHS's initial enterprise architecture provides a partial foundation upon which to build future versions. However, it is missing, either in part or in total, all of the key elements expected to be found in a well-defined architecture, such as descriptions of business processes, information flows among these processes, and security rules associated with these information flows, to name just a few. Moreover, the key elements that are at least partially present in the initial version were not derived in a manner consistent with best practices for architecture development. Instead, they are based on assumptions about a DHS or national corporate business strategy and, according to DHS, are largely the products of combining the existing architectures of several of the department's predecessor agencies, along with their respective portfolios of system investment projects. DHS officials agreed that their initial version is lacking key elements, and they stated that this version represents what could be done in the absence of a strategic plan, with limited resources, and in the 4 months that were available to meet an OMB deadline for submitting the department's fiscal year 2004 information technology budget request. In addition, they stated that the next version of the architecture, which is to be issued in September 2004, would have much more content. As a result, DHS does not yet have the necessary architectural blueprint to effectively guide and constrain its ongoing business transformation efforts and the hundreds of millions of dollars that it is investing in supporting information technology assets. Without this, DHS runs the risk that its efforts and investments will not be well integrated, will be duplicative, will be unnecessarily costly to maintain and interface, and will not optimize overall mission performance. 
The department's initial enterprise architecture can be traced semantically with the FEA, which means that similar terms and/or definitions of terms can be found in the respective architectures. However, traceability in terms of architecture structures and functions is not apparent. Because of this, it is not clear whether the substance and intent of the respective architectures are in fact aligned, meaning that, if both were implemented, they would produce similar outcomes. This is due at least in part to the fact that OMB has yet to clearly define what it expects the relationship between agencies' enterprise architectures and the FEA to be, including what it means by architectural alignment.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of measurable technical goals and outcomes for managing technology products and services for the "To Be" architecture that enables the achievement of business goals and outcomes.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. In particular, while the EA does not describe goals needed for other items such as network throughputs, it describes certain technical performance goals/measures (e.g., 99.5 percent availability for IT infrastructure) and specifies measurable goals and outcomes for some applications and services (e.g., 'cycle time of 6 months or less for all immigrant services applications by fiscal year 2006'). According to program officials, specification of all technical goals/measures is pending execution of IT and business unit service level agreements. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of data management policies, procedures, processes, and tools (e.g., CURE matrix) for analyzing, designing, building, and maintaining databases in an enterprise architected environment.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. The DHS Enterprise Data Management Office (EDMO) has developed an Enterprise Data Management Strategy. The EDMO has also established a DHS Data Governance Integrated Project Team to develop an Enterprise Data Management Directive and Data Stewardship program. In addition, DHS's EA outlines data management strategies and database management activities, including ensuring that the design, development, deployment, operation, and maintenance of an enterprise data environment support enterprise-wide management of data. For example, activities are identified for establishing procedures for coordinating data maintenance activities. Furthermore, the DHS EA includes a Create, Update, Reference, or Eliminate (CURE) matrix that describes the flow of information among business functions. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the business and operational rules for data standardization to ensure data consistency, integrity, and accuracy, such as business and security rules that govern access to, maintenance of, and use of data.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. DHS's enterprise architecture (EA) outlines the strategic initiatives for the standardization of data and, according to DHS program officials, work is currently underway in the Enterprise Data Management Office (EDMO) to address enterprise-wide data standards through a standards vetting process. The EDMO facilitates the Data Management Working Group (DMWG), which focuses on facilitating collaboration on the development of guidance, best practices, and recommendations for effective data-sharing, distribution, and analysis tools and techniques, thus maximizing interoperability. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a data dictionary, which is a repository of standard data definitions for applications.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. The 2007 version of DHS's enterprise architecture includes a data dictionary with definitions of subject areas (e.g., event) and data objects (e.g., incident). Further, DHS's Enterprise Data Management Office has established an Integrated Project Team (IPT) to work on evolving the data dictionary. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a conceptual data model that describes the fundamental things/objects (e.g., business or tourist visas, shipping manifests) that make up the business, without regard for how they will be physically stored. A conceptual data model contains the content needed to derive facts about the business and to facilitate the creation of business rules. It represents the consolidated structure of business objects to be used by business applications.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. Specifically, DHS's enterprise architecture (EA) contains a conceptual data model, which includes, for example, the definitions of subject areas (i.e., high-level categories of business information such as conveyances) and data objects (e.g., manifest) that are fundamental to the business and the relationships between the data objects. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a logical database model that provides (1) a normalized (i.e., nonredundant) data structure that supports information flows and (2) the basis for developing the schemas for designing, building, and maintaining physical databases.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. The DHS Enterprise Data Management Office, in collaboration with key component agencies and programs (e.g., CBP, CIS, ICE, US VISIT and TSA), has developed the DHS Person Screening Logical Data Model. This model harmonizes the data elements for People Screening and provides logical data representations that are to be used to create information exchanges and to design, build, and maintain physical databases. Furthermore, the 2007 version of DHS's enterprise architecture includes a Metadata and XML Standards Review document, which specifies high-level rules and standards for representing data and accessing information. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a metadata model that specifies the rules and standards for representing data (e.g., data formats) and accessing information (e.g., data protocols) according to a documented business context that is complete, consistent, and practical.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. The DHS enterprise architecture includes a Metadata and XML Standards Review document, which specifies high-level rules and standards for representing data and accessing information. Further, the DHS Enterprise Data Management Office (EDMO) has established an Integrated Project Team to extend this document and develop a metadata standards model that specifies the rules and standards for representing data (e.g., data formats) and accessing information (e.g., data protocols) according to a documented business context. The EDMO is guided by a DHS Data Stewardship Council (DSC), composed of data stewards, data custodians, and business owners with the responsibility of addressing the quality and usage of data as it relates to the business mission, thereby enhancing information sharing. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the information flows and relationships among organizational units, business operations, and system elements.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. DHS and the Department of Justice have established and are implementing the National Information Exchange Model (NIEM), which is an interagency initiative to provide the foundation and building blocks for national-level interoperable information flows and relationships among organizational units, business operations, and system elements. Information sharing across federal, state, local, and tribal constituencies requires a common language for information exchange. The Enterprise Data Management Office is leading the development of NIEM. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of measurable business goals and outcomes for business products and services, including strategic and tactical objectives.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. In particular, DHS is developing segment architectures, covering the mission and business functions within DHS (as required by OMB). DHS EA 2007 provides for describing the business priorities and constraints associated with two such segments -- the DHS Screening Segment and the DHS Human Capital Segment. Over time, additional segments are to be completed. Further, the EA includes a vision for developing business services: to develop an integrated system or system of systems that provide a comprehensive set of business services, and describes performance goals for some business services. For example, it states that the Immigrant Services program will achieve and maintain a cycle time goal of 6 months or less for all immigrant services applications by FY 2006. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the processes for establishing, measuring, tracking, evaluating, and predicting business performance regarding business functions, baseline data, and service levels.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation and that, if properly implemented, should satisfy the recommendation's intent. In particular, DHS is developing segment architectures, covering the mission and business functions within DHS (as required by OMB). DHS EA 2007 provides for describing the business priorities and constraints associated with two such segments -- the DHS Screening Segment and the DHS Human Capital Segment. Over time, additional segments are to be completed. Further, the EA includes performance levels for some business services. For example, the United States Coast Guard must ensure that it limits closures of operational channels for navigation to two days during average winters and eight days during severe winters. In addition, the architecture describes methods for collecting, measuring, tracking, and evaluating some business performance information. Further, DHS plans to create a framework for developing a performance reference model (PRM) and a process for populating the PRM. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the organizational approach (processes and organizational structure) for communications and interactions among business lines and program areas for (1) management reporting, (2) operational functions, and (3) architecture development and use (i.e., how to develop the architecture description, implement the architecture, and govern/manage the development and implementation of the architecture).

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. Specifically, DHS has established an Enterprise Architecture Board (EAB), an EA governance process, and an organizational structure for reporting architecture development and use. DHS has implemented an EA Governance process through an Enterprise Architecture Center of Excellence (EA COE), which supports an EAB within the DHS investment management process. These governance entities meet periodically to review investment and technology requests from all of the component agencies. These meetings follow a formal, repeatable process for holding, conducting, and recording meetings, facilitated by a professional facilitation team. The facilitation team and the EA Program Management Office capture, record, and report metrics to measure the progress of the EA COE and EAB. The EA Project Management Office has established goals for the "to-be" architecture and progress is measured against these goals. DHS has also created an organizational approach for communications and interactions among business lines (e.g., Line of Business (LOB) chiefs) and program areas (e.g., portfolio managers) for management reporting. For example, transformational portfolio managers report directly to the Deputy Secretary of DHS and the Joint Requirements Council no less than twice a year to provide an update on capabilities deployed and to be deployed and reused capabilities. The architecture also describes an organizational approach (i.e., decision request submission/review/approval) and structure (e.g., Management Directorate number 007 states that the Under Secretary for Management coordinates with LOB chiefs to ensure integration between and among business functions) for communications and interactions among business lines for operational functions. As a result, we consider this recommendation to be largely implemented.

    Recommendation: To ensure that DHS has a well-defined architecture to guide and constrain pressing transformation and modernization decisions, the Secretary of Homeland Security should direct the department's architecture executive steering committee, in collaboration with the chief information officer (CIO), to ensure that the development of DHS's enterprise architecture is based on an approach and methodology that provides for identifying the range of mission operations and the focus of the business strategy and involving relevant stakeholders (external and internal) in driving the architecture's scope and content.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken a number of actions that are consistent with our recommendation. For example, DHS is using the EA framework by Zachman, EA planning by Steven Spewak, and OMB A-130 as the primary approaches in developing its EA. Furthermore, the DHS EA includes a business model that identifies major mission areas, business functions, performing organizations, user roles, and workplace environments and that is focused around a DHS business strategy. As a result, we consider this recommendation to be largely implemented.

    Recommendation: To ensure that DHS has a well-defined architecture to guide and constrain pressing transformation and modernization decisions, the Secretary of Homeland Security should direct the department's architecture executive steering committee, in collaboration with the CIO, to develop, approve, and fund a plan for incorporating into the architecture the content that is missing.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has developed a project plan which outlines the timeframes for developing and incorporating additional content for the next release of its enterprise architecture (EA). All these content changes were approved by the Enterprise Architecture Board. As a result, we consider this recommendation to be largely implemented.

    Recommendation: In addition, to assist DHS and other agencies in developing and evolving their respective architectures, the Director of OMB should direct the FEA Program Management Office to clarify the expected relationship between the FEA and federal agencies' architectures. At a minimum, this clarification should define key terms, such as architectural alignment.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: OMB has taken a number of actions that are consistent with our recommendation. For example, OMB issued a collection of interrelated "reference models" designed to clarify the expected relationship between the federal enterprise architecture (FEA) and federal agencies' architectures. Furthermore, to provide additional assistance and clarification, OMB released a Federal Transition Framework, FEA PMO Action Plan, and provided FEA Profiles and Case Studies showcasing lessons learned and best practices. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a business assessment that includes the enterprise's purpose, scope (e.g., organizations, business areas, and internal and external stakeholders' concerns), limitations or assumptions, and methods; and a gap analysis that describes the target outcomes and shortfalls, including strategic business issues, conclusions reached as a result of the analysis (e.g., missing capabilities), causal information, and rationales.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has substantially met the intent of this recommendation. In particular, DHS EA 2007 includes a business view that describes the department's purpose, including strategic goals, and aspects of DHS's scope, such as organizational entities and their business area responsibilities. In addition, DHS EA 2008 identifies the limitations of DHS's current environment (e.g., information sharing) and describes the shortfalls and target outcomes of several investment portfolios that support core mission areas, business services, and enterprise services. For example, it describes reducing high latency and complexity in accessing data as a target outcome of the IT infrastructure portfolio. According to DHS officials, future versions of the architecture will describe the shortfalls and target outcomes of the remaining portfolios (e.g., Case Management).

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a business strategy that describes the desired future state of the business, the specific objectives to be achieved, and the strategic direction that will be followed by the enterprise to realize the desired future state. The business strategy should include: (1) a vision statement that describes the business areas requiring strategic attention based on the gap analysis; (2) a description of the business priorities and constraints, including their relationships to, at a minimum, applicable laws and regulations, executive orders, departmental policy, procedures, guidance, and audit reports; (3) a description of the scope of business change that is to occur to address identified gaps and realize the future desired business state -- the scope of change, at a minimum, should identify expected changes to strategic goals, customers, suppliers, services, locations, and capabilities; (4) a description of the measurable strategic business objectives to be met to achieve the desired change; (5) a description of the measurable tactical business goals to be met to achieve the strategic objectives; and (6) a listing of opportunities to unify and simplify systems or processes across the department, including their relationships to solutions that align with the strategic initiatives to be implemented to achieve strategic objectives and tactical goals.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. According to program officials, DHS's enterprise architecture (EA) is complementary to the DHS strategic plan, and thus reflects the plan's strategy and mission goals. Accordingly, they said that the EA business functions constitute a business strategy that is aligned to the DHS strategic plan. With respect to each of the elements of our recommendation, we found that: (1) The 2007 version of DHS's EA includes a business strategy that describes the department's strategic goals and the specific objectives to be achieved. Further, it includes an enterprise transition strategy. (2) According to program officials, the description of DHS's business priorities and constraints, including their relationships to applicable laws and regulations, and a description of the measurable strategic and tactical business objectives are being accomplished through the development of segment architectures. (3) According to program officials, DHS is describing the scope of expected business change in the context of its investment portfolios. Some of the portfolios, such as Finance, HR, Geospatial, and Infrastructure, have identified expected changes. For other portfolios, change identification is either in progress or planned. (4) According to program officials, a listing of opportunities to unify and simplify systems has been documented within the following architecture artifacts: Functional Portfolios Diagram, OCIO Portfolio Descriptions, Portfolio Alignment with Lines of Business initiatives, and mapping of programs to DHS Performance Goals. As a result, we consider this recommendation to be largely satisfied.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include common (standard and departmentwide) policies, procedures, and business and operational rules for consistent implementation of the architecture.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. For example, DHS has developed and published a series of common policies and procedures, used department-wide, to address consistent implementation of the architecture. Specifically, Management Directive (MD) 0007, issued on October 14, 2004, directs senior IT officials to develop the enterprise architecture and implement IT services that are consistent with the DHS enterprise architecture. In addition, DHS has developed and published policies, within MD 1400, that require IT investments to conform to the EA. DHS has also published a guide that outlines the governance process used to review programs for alignment with the DHS EA. Furthermore, the EA includes Enterprise Architecture Principles that provide business and operational rules (i.e., integrated and comprehensive EA; data collection, quality, storage, sharing, and access; and compliance with law) describing the consistent implementation of the architecture. As a result, we consider this recommendation to be largely satisfied.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of key business processes and how they support the department's mission, including the organizational units responsible for performing the business processes and the locations where the business processes will be performed. This description should provide for the consistent alignment of (1) applicable federal laws, regulations, and guidance; (2) department policies, procedures, and guidance; (3) operational activities; (4) organizational roles; and (5) operational events and information.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. DHS's enterprise architecture (EA) examines the context in which DHS operates, describing the major business processes the Department must perform to meet its mission, identifying the organizations within the organizational units that perform those functions, and describing the actual physical environments where the functions are performed. Each key business process is based on (1) applicable laws, regulations, and guidance (e.g., the National Strategy for Homeland Security), providing the rationale for performing the business functions; (2) departmental policies, procedures, and guidance; (3) operational activities that provide detail to each key business function; (4) organization roles describing the entities responsible for performing the business functions; and (5) operational events and information that describe how the business function is being performed. As a result, we consider this recommendation to be largely satisfied.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the operational management processes to ensure that the department's business transformation effort remains compliant with the business rules for fault, performance, security, configuration, and account management.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. For example, the latest version of the enterprise architecture contains operational management and governance processes to ensure compliance between its business transformation efforts and the business rules for performance and security. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the services and their relationships to key end-user services to be provided by the application systems.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. DHS's Notional Application Architecture describes applications in terms of the user workflows that they enable. While it is not specifically mentioned, these applications were derived from the usage of business functions by user classes, as mapped in the business model. This relationship of user to business function to application has been included in several versions of the DHS EA. The consumption diagram for the Communication Management Application also specifically calls out the consumption of Email services for managing some of the correspondence. Furthermore, the EA defines enterprise mission services and business services. The EA defines the types of business services (e.g., Person-Centric Information Services) that are enabled by target applications and application components. In addition, it defines the capabilities of the target applications and application components and maps these capabilities to the Federal Enterprise Architecture Service Component Reference Model. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a list of application systems (acquisition/development and production portfolio) and their relative importance to achieving the department's vision, based on business value and technical performance.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has substantially met the intent of this recommendation. In particular, DHS EA 2007 describes target applications (e.g., Incident Response Management) and application components (e.g., Incident Response Administrator). In addition, DHS EA 2008 identifies top priority projects (e.g., Secure Flight) that support a core mission area (i.e., Screening). Furthermore, DHS plans to describe the relative importance of systems that support other areas. For example, it plans to identify core systems (within each portfolio) and related systems (that are managed in separate portfolios) that are required to support each architecture segment (e.g., business service). According to DHS officials, portfolio managers maintain the details regarding the relative importance of application systems within their specific portfolios.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the policies, procedures, processes, and tools for selecting, controlling, and evaluating application systems to enable effective IT investment management.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. Specifically, the DHS enterprise architecture (EA) addresses processes and tools for the selection, control, and evaluation of application systems. For example, it contains the Enterprise Architecture Board (EAB) Governance Process Guide, which outlines how IT investments are to align with the architecture. Because GAO-07-424 contains recommendations that augment this recommendation by adding greater specificity, we are closing this recommendation and will track our more specific recommendations under GAO-07-424.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of operational security rules that are derived from security policies.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken actions that are consistent with this recommendation. DHS's enterprise architecture includes the DHS 4300A Sensitive Systems Handbook and 4300A Sensitive Systems Policy, which contain specific operational security rules and explicitly link the rules to the relevant DHS security policies. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of enterprise security infrastructure services (e.g., identification and authentication) that will be needed to protect the department's assets and the relationship of these services to protective mechanisms.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS IT Security Architecture Guidance describes network security as an enterprise security infrastructure service. In addition, it identifies protective mechanisms for implementing enterprise infrastructure services. For example, the guidance identifies network infrastructure protection, such as firewalls, network encryption, and network-based intrusion detection systems.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the security standards to be implemented for each enterprise service. These standards should be derived from security requirements. This description should also address how these services will align and integrate with other elements of the architecture (e.g., security policies and requirements).

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has addressed this recommendation. In particular, the DHS EA TRM identifies the technical standards for each enterprise security service. For example, IEEE 802.11i is identified as the technical standard that governs wireless networking access in the target environment. In addition, the TRM lists products to be implemented for each enterprise security service. Further, the DHS IT Security Architecture guidance describes industry best practices that can address DHS security requirements and provide enterprise security service capabilities. Moreover, the DHS Sensitive Systems Policy and DHS Sensitive Systems Handbook describe security policies and procedures in terms of Capital Planning & Investment Control and the investment review process. Also, while these EA-related security artifacts are not aligned and integrated with the other elements of the EA, the DHS Chief Architect stated that this integration will be incorporated into future versions of the EA. Therefore, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the protection mechanisms (e.g., firewalls and intrusion detection software) that will be implemented to secure the department's assets, including a description of the interrelationships among these protection mechanisms.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: The DHS enterprise architecture (EA) describes protection mechanisms (e.g., firewalls, userID/password, virus protections, and cryptography) that will be implemented to secure assets, including networks, servers and hosts, and application systems. For example, virus scanning and patch management are used for server and host protection. Also, DHS will continue to use userID/password pairs in the near term to manage user access to the DHS network. Further, while DHS's security architecture-related artifacts do not describe the interrelationships among protection mechanisms (e.g., the relationship between user authentication and message encryption for DHS's public key infrastructure (PKI) implementation), the DHS Chief Architect stated that this would be addressed in future versions of the EA. Therefore, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include analysis of the gaps between the baseline and the target architecture for business processes, information/data, and services/application systems to define missing and needed capabilities.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation, which, if properly implemented, should satisfy the recommendation's intent. For example, DHS has adopted a portfolio management approach to analyzing the gaps between the baseline and target architectures to define missing and needed capabilities as well as to identify redundancies and overlaps. To date, DHS has analyzed the following portfolios: Finance, Human Resources, Infrastructure, and Screening, and is in process with the Alerts and Warnings portfolio. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a high-level strategy for implementing the enterprise architecture. This strategy should include: (1) specific time-phased milestones for acquiring and deploying systems; (2) performance metrics for determining whether business value is being achieved; (3) financial and nonfinancial resources needed to achieve the business transformation; (4) a listing of the legacy systems that will not be part of the "To Be" environment and the schedule for terminating these systems; (5) a description of the training strategy/approach that will be implemented to address the changes made to the business operations (processes and systems) to promote operational efficiency and effectiveness -- this plan should also address any changes to existing policies and procedures that affect day-to-day operations, as well as resource needs (staffing and funding); and (6) a list of the systems to be developed, acquired, or modified to achieve business needs and a description of the relationship between the system and the business need(s).

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Not Implemented

    Comments: DHS's enterprise architecture (EA) includes a transition strategy for implementing the architecture. However, the strategy is still missing some important elements. Specifically, (1) milestones for acquiring and developing systems have been developed; (2) performance metrics for determining achievement of business value are being accomplished through the development of segment architectures, covering the mission and business functions within DHS; however, not all segments (e.g., asset management) are completed; (3) a high-level description of the financial, human, and contractor resources, which are determined through its portfolios, has been developed, although some portfolios, such as Screening and Alerts and Warnings, have yet to fully identify resources, and some portfolios (e.g., alert/disaster management) are in the planning stage; (4) a listing of legacy systems that will not be part of the "to-be" architecture has not been explicitly included; (5) training strategies are developed as part of the maturation of each portfolio; and (6) a plan to address the changes needed in existing policies and a list of the systems to be developed, acquired, or modified and the relationship between the system and the business needs is included. According to the DHS chief architect, the results of the Quadrennial Homeland Security Review, which will begin in fiscal year 2009, will be a key driver in establishing some of these missing elements (e.g., performance metrics). The chief architect also stated that other elements, such as a listing of legacy systems that will not be part of the "to-be" environment, are primarily managed at the program level.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a strategy for employing enterprise application integration (EAI) plans, methods, and tools to, for example, provide for efficiently reusing applications that already exist, concurrent with adding new applications and databases.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) identifies service oriented architecture (SOA) as the strategy for enterprise application integration (EAI). In this regard, it identifies SOA methods, tools, and steps that need to be taken for employing EAI.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a technical (systems, infrastructure, and data) migration plan that shows: (1) the transition from legacy to replacement systems, including explicit sunset dates and intermediate systems that may be temporarily needed to sustain existing functionality during the transition period; (2) an analysis of system interdependencies, including the level of effort required to implement related systems in a sequenced portfolio of projects that includes milestones, time lines, costs, and capabilities; and (3) a cost estimate for the initial phase(s) of the transition and a high-level cost projection for the transition to the target architecture.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) contains a transition plan, including technical migration plans/milestones for the development of systems. Specifically, the plan includes portfolios of projects with associated high-level milestones, timelines, costs, and capabilities. For example, DHS has established a milestone to consolidate e-mail systems by FY 2010. In addition, DHS's capital investment plan for implementing the EA provides cost estimates for the initial phase of the transition and high-level cost projections. However, the plan does not outline the sunset dates for legacy systems, nor does it identify whether intermediate systems will be needed during the transition; the DHS Chief Architect stated that these details are managed at the program level rather than in the DHS EA. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a listing of accountable organizations and their respective responsibilities for implementing enterprise security services. It is important to show organizational relationships in an operational view because they illustrate fundamental roles (e.g., who conducts operational activities) and management relationships (e.g., what is the command structure or relationship to other key players) and how these influence the operational nodes.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) contains the DHS Sensitive Systems Handbook which lists accountable organizations and their respective responsibilities for implementing enterprise security services for DHS sensitive systems. Additionally, each subsection of the document provides more specific delineation of the responsibilities for each role as they apply to that particular section of the security policy. In addition, the Information Security Architecture outlines the roles and responsibilities of the DHS management structure and its components and describes organizational, operational, and management relationships concerning DHS's information security architecture. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include definitions of terms related to security and information assurance.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) defines terms related to security and information assurance (IA). For example, the DHS Sensitive Systems Handbook defines sensitive information, vital records, and foreign threats. Definitions of other IA terms not included in the handbook are provided in the National Information Assurance Glossary.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the policies, procedures, goals, strategies, principles, and requirements relevant to information assurance and security and how they (the policies, procedures, goals, strategies, and requirements) align and integrate with other elements of the architecture (e.g., security services).

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) contains policies, procedures, goals, strategies, principles, and requirements for managing DHS security operations and protecting DHS IT systems. For example, the DHS Sensitive Systems Policy and DHS Sensitive Systems Handbook describe policies and procedures for protecting sensitive systems. In addition, the architecture includes DHS IT Security Architecture Guidance that provides general security requirements and best practices that should be applied to DHS applications and infrastructure systems. For example, the guidance includes a security requirement to regularly review firewall configurations against actual usage to ensure that unnecessary ports and services are disabled. In addition, while the EA does not integrate and align these security-related aspects of the EA with other enterprise architecture views (e.g., business architecture), the DHS Chief Architect stated that the department intends to introduce this alignment in future versions of the EA. Thus, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the enterprise application systems and system components and their interfaces.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. For example, DHS's enterprise architecture (EA) defines capabilities (e.g., Maintain Threat Notification) for target system applications and application components. In addition, it identifies business functions (e.g., 'Communicate Risks' and 'Threats to the Public') and descriptions of application systems and application components. According to DHS, descriptions of interfaces are being addressed via individual system solution architectures. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the system development life cycle process for application development or acquisition and the integration of the process with the architecture, including policies, procedures, and architectural techniques and methods for acquiring systems throughout their life cycles. The common technical approach should also describe the process for integrating legacy systems with the systems to be developed/acquired.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation, which, if properly implemented, should satisfy the recommendation's intent. For example, the DHS enterprise architecture (EA) includes a draft System Development Life Cycle (SDLC) process guide that establishes policy for the life cycle management of the department's Information Technology portfolio, and other Capital Asset acquisitions (investment programs, systems, infrastructure, and projects), and this guide is intended to directly support the DHS Investment Review Process. In addition, the SDLC activities include procedures, techniques, and tools to conduct architecture related activities throughout the investment's life cycle. Furthermore, according to program officials, the DHS EA Project Management Office and the DHS Enterprise Business Process Office are in the process of finalizing the SDLC and ensuring that it reflects and is integrated with the architecture. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a list of infrastructure systems and a description of the systems' hardware and software infrastructure components. The description should also reflect the system's relative importance to achieving the department's vision based on constraints, business value, and technical performance.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation. In particular, DHS EA 2007 identifies enterprise infrastructure systems (e.g., network infrastructure systems such as DHS OneNet), infrastructure components, and infrastructure hardware/software products (e.g., Microsoft Exchange as email server software). In addition, DHS plans to identify the core IT systems within the IT infrastructure portfolio and related systems that are managed in other portfolios. According to DHS officials, the IT infrastructure portfolio manager maintains details regarding the relative importance of the IT infrastructure systems.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the policies, procedures, processes, and tools for selecting, controlling, and evaluating infrastructure systems to enable effective IT investment management.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation, which, if properly implemented, should satisfy the recommendation's intent. DHS has begun to develop policies, procedures, processes, and tools for the selection, control, and evaluation of infrastructure systems. For example, the DHS Investment Review Process established an IT investment review process to manage the budgeting, acquisition, and management of investments, ensure that IT investments align with the department's mission, and evaluate IT investments for performance and duplication. Further, the Enterprise Architecture Board Governance Process Guide outlines the requirements that must be met for IT investments to align with the architecture. Additionally, DHS developed investment review templates, such as a reviewer comment template and a decision request form. However, the department still needs to develop tools that will assist in making decisions on investment selection (e.g., identifying investment overlaps) and investment control (e.g., determining EA alignment risks). Because GAO-07-424 contains recommendations that augment this recommendation by adding greater specificity, and given the actions DHS has already taken, we are closing this recommendation as largely implemented and will track the more specific recommendations under GAO-07-424.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the technical reference model (TRM) that describes the enterprise infrastructure services, including specific details regarding the functionality and capabilities that these services will provide to enable the development of application systems.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) includes a Technical Reference Model (TRM) that describes infrastructure services, such as messaging services and integration services. In addition, the architecture describes the functionality and capabilities of infrastructure services relative to enabling the development of application systems. For example, it states that the messaging services are capable of delivering service requests and service responses to their intended recipients, hence application developers can simplify application development (i.e., focus on coding business logic) by reusing these services.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description in the TRM that identifies and describes (1) the technical standards to be implemented for each enterprise service and (2) the anticipated life cycle of each standard.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS EA 2008 includes a technical reference model (TRM) that identifies and describes the technical standards to be implemented for enterprise services. For example, it identifies ANSI/NISO Z39.2 - 1994 (R2001) Information Interchange Format as a technical standard for the search services. In addition, the TRM describes the anticipated life cycle of technical standards. For example, it identifies Secure Socket Layer v2.0 as one of the standards that will not be implemented in the target environment. According to DHS officials, the life cycles of certain technical standards, such as those associated with the transitions of each portfolio, are managed by their respective portfolio owners.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a description of the physical IT infrastructure needed to design and acquire systems, including the relationships among hardware, software, and communications devices.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS EA identifies the physical IT infrastructure, such as the DHS OneNet as the department's backbone network. In addition, the Technical Reference Model identifies infrastructure hardware, software, and communication products (e.g., network switches and routers). Further, while the architecture does not describe the physical IT infrastructure in sufficient detail to design and acquire systems (e.g., it does not identify the locations and configurations of DHS OneNet's routers and switches), the DHS chief architect stated that these details are described and managed by the IT infrastructure portfolio owner (Infrastructure Program Office).

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include common policies and procedures for developing infrastructure systems throughout their life cycles, including requirements management, design, implementation, testing, deployment, operations, and maintenance. These policies and procedures should also address how the applications will be integrated, including legacy systems.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS has taken and plans to take additional actions that are consistent with this recommendation, which, if properly implemented, should satisfy the recommendation's intent. DHS's enterprise-level policies and procedures have been formulated as part of enterprise portfolio management processes. Under these processes, EA enhancements are evaluated and managed as configuration-controlled baselines. For example, DHS has drafted a System Development Life Cycle (SDLC) process guide that establishes policies and procedures for the development of infrastructure systems throughout their life cycles, including the design, implementation, testing, deployment, operations, and maintenance phases. In particular, the SDLC states that all DHS staff, project teams, and contractors must adhere to the DHS SDLC process for IT projects involving new development or modifications to existing IT capability, including application and infrastructure projects. As a result, we consider this recommendation to be largely implemented.

    Recommendation: The Secretary of Homeland Security should ensure that future versions of the architecture include a strategy that describes the architecture's governance and control structure and the integrated procedures, processes, and criteria (e.g., investment management and security) to be followed to ensure that the department's business transformation effort remains compliant with the architecture.

    Agency Affected: Department of Homeland Security: Directorate of Management

    Status: Closed - Implemented

    Comments: DHS's enterprise architecture (EA) describes the architecture's governance and control structure, procedures, processes, and criteria to be followed, including business transformation effort compliance with the architecture.
