FBI Is Building Management Capabilities Essential to Successful System Deployments, but Challenges Remain
GAO-05-1014T: Published: Sep 14, 2005. Publicly Released: Sep 14, 2005.
The Federal Bureau of Investigation (FBI) is in the process of modernizing its information technology (IT) systems. Replacing much of its 1980s-based technology with modern system applications and supporting technical infrastructure, this modernization is intended to enable the FBI to take an integrated, agencywide approach to performing its critical missions, such as federal crime investigation and terrorism prevention. At the request of the Congress, GAO has conducted a series of reviews of the FBI's modernization management. GAO was requested to testify on the bureau's progress to date in several areas of IT management. In addition, GAO discusses the importance of these areas for maximizing the prospects for success of the bureau's ongoing and future IT system investments, including the FBI's flagship Sentinel program; this program replaces the bureau's failed Virtual Case File project and aims to acquire and deploy a modern investigative case management system. In this testimony, GAO relied extensively on its previous work on the FBI's management of its IT processes, human capital, and tools, and it obtained updates on these efforts through reviews of documentation and interviews with responsible FBI officials, including the Chief Information Officer (CIO).
Over the last 18 months, the FBI has made important progress in establishing IT management controls and capabilities that GAO's research and experience show are key to exploiting technology to enable transformation. These include centralizing IT responsibility and authority under the CIO and establishing and beginning to implement management capabilities in the areas of enterprise architecture, IT investment management, systems development and acquisition life cycle management, and IT human capital. The FBI has developed an initial version of its enterprise architecture and is managing its architecture activities in accordance with many key practices, but it has yet to adopt others (such as ensuring that the program office has staff with appropriate architecture expertise). The FBI is in the process of defining and implementing investment management policies and procedures. For example, it is performing assessments of existing systems to determine if any can be better used, replaced, outsourced, or retired, but these assessments have yet to be completed. The bureau has issued an agencywide standard life cycle management directive, but it has yet to fully implement this directive on all projects. Also, certain key practices, such as acquisition management, require further development. The FBI has taken various steps to bolster its IT workforce, but it has yet to create an integrated plan based on a comprehensive analysis of existing and needed knowledge, skills, and abilities. According to the CIO, he intends to hire a contractor to perform this and develop an implementation plan. The CIO also intends to establish a management structure to carry out the plan. The challenge now for the FBI is to build on these foundational capabilities and implement them effectively on the program and project investments it has under way and planned, none of which is more important than the Sentinel program. The success of this program will depend on how well the FBI defines and implements its new IT management approaches and capabilities, particularly those associated with acquiring a system made up of commercial components, which Sentinel is to be. In this regard, it will be crucial for the FBI, among other things, to understand and control Sentinel requirements in the context of (1) its enterprise architecture, (2) the capabilities and interoperability of commercially available products, and the (3) bureau's human capital and financial resource constraints. It will also be important for the FBI to prepare users for the impact of the new system on how they do their jobs. To the extent that the FBI does not take these steps, it will introduce program risks that could lead to problems similar to those that contributed to the failure of the Virtual Case File project.