DOD Business Systems Modernization:
Progress Continues to Be Made in Establishing Corporate Management Controls, but Further Steps Are Needed
GAO-07-733: Published: May 14, 2007. Publicly Released: May 14, 2007.
In 1995, GAO first designated the Department of Defense's (DOD) business systems modernization program as "high risk," and GAO continues to do so today. To assist in addressing this high-risk area, the Fiscal Year 2005 National Defense Authorization Act contains provisions that are consistent with prior GAO recommendations. Further, the act requires the department to submit annual reports to its congressional committees on its compliance with these provisions and it directs GAO to review each report. In response, GAO assessed DOD's actions to address (1) requirements in the act and (2) GAO's recommendations that it reported as open in its prior annual report under the act. In doing so, GAO reviewed documentation and interviewed officials relative to the act and related guidance.
As part of DOD's recent efforts to strengthen management of its business systems modernization program, it has taken steps over the last year to build on past efforts and further comply with the act's requirements and relevant guidance. However, additional steps are needed. For example, the latest version of DOD's business enterprise architecture now contains information about the department's "As Is" corporate environment, which is important for effective transition planning. Further, this version represents a major step in building the family of architectures that are needed to fully satisfy the act and effectively guide and constrain thousands of system investments across all DOD component organizations. Nevertheless, GAO's reports since its last annual report under the act show that the strategy for extending the business enterprise architecture to defense components needs further definition to make it executable and the maturity of key components' architecture programs is limited. GAO has recently made recommendations to address these challenges. The updated enterprise transition plan, which is an essential component of an enterprise architecture, continues to identify systems and initiatives that are to fill business capability gaps and address DOD-wide and component business priorities contained in the business enterprise architecture. However, it does not include investments for all components and does not reflect key factors associated with properly sequencing planned investments, such as dependencies among investments and the capability to execute the plan, which GAO's existing recommendations provide for addressing. DOD has established and begun implementing the investment review structures and processes that are consistent with the act. However, it has yet to do so in a manner that is consistent with relevant guidance. In particular, it has yet to fully define the related policies and procedures needed to effectively execute both project-level and portfolio-based information technology investment management practices. GAO has recently made recommendations to address these shortcomings. DOD also continues to make progress in implementing GAO recommendations aimed at strengthening business systems modernization management. In particular, of the 14 open recommendations that GAO identified in its prior annual report under the act, 10 have either been largely implemented or subsumed by the more recent recommendations cited above. For example, DOD has implemented GAO's recommendations aimed at effectively using the assessments that have been performed by DOD's independent verification and validation contractor. Such assessments provide important information for department and congressional oversight bodies to use to better ensure the definition and institutionalization of the corporate management controls that GAO has cited as essential to addressing the DOD business systems modernization high-risk area. The department's annual reports have not included such assessments.
Recommendation for Executive Action
Status: Closed - Not Implemented
Comments: The Department of Defense (DOD) has yet to conduct an independent verification and validation (IV&V) assessment of the completeness, consistency, understandability, and usability of its federated business enterprise architecture (BEA). According to DOD, BEA-related IV&V activities have focused on the corporate business enterprise architecture and not on the entire federated family of architectures. According to Business Transformation Agency officials, the current requirement under the IV&V contract is to provide analysis of only the corporate business enterprise architecture. There are no plans for reviewing the military department's enterprise architectures and reporting on such an assessment in the department's annual report to Congress.
Recommendation: To facilitate congressional oversight and promote departmental accountability, the Secretary of Defense should direct the Deputy Secretary of Defense, as the chair of the Defense Business Systems Management Committee, to include in DOD's annual report to Congress on compliance with the section 332 of Fiscal Year 2005 National Defense Authorization Act, the results of assessments by its business enterprise architecture independent verification and validation contractor of the completeness, consistency, understandability, and usability of its federated family business mission area architectures, including the associated transition plan(s).
Agency Affected: Department of Defense