DOD Business Systems Modernization:
Recent Slowdown in Institutionalizing Key Management Controls Needs to Be Addressed
GAO-09-586: Published: May 18, 2009. Publicly Released: May 18, 2009.
Since 1995, GAO has designated the Department of Defense's (DOD) business systems modernization program as high risk, and it continues to do so today. To assist in addressing DOD's business system modernization challenges, the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 (the Act) contains provisions that require the department to take certain actions and to annually report to its congressional committees on these actions. The Act also directs GAO to review each annual report. In response, GAO performed its fifth annual review of DOD's actions to comply with key aspects in the Act and related federal guidance. To do so, GAO reviewed, for example, the latest version of DOD's business enterprise architecture (BEA) and transition plan, investment management policies and procedures, and information in the department's business system data repositories.
The pace of DOD's progress in defining and implementing key institutional modernization management controls has slowed compared with progress made in each of the last 4 years, leaving much still to be accomplished to fully implement the Act's requirements and related guidance. In particular, the corporate BEA continues to evolve and address previously identified missing elements, inconsistencies, and usability issues, but gaps still remain. For example, while the BEA now identifies information assurance laws, regulations, and policies, it still does not include business rules for all business processes. Further, little progress has been made in the last year in extending (i.e., federating) the BEA to the entire family of business mission area architectures, including using an independent verification and validation agent to assess the components' subsidiary architectures and federation efforts. The updated enterprise transition plan continues to identify systems and initiatives, but important elements are still missing, as are individual component plans. For example, while the plan provides a range of information, such as budgets and performance measures, for key enterprisewide and component-specific investments, it is missing information on identified investments. The fiscal year 2009 budget submission included some, but omitted other, key information about business system investments, in part because of the lack of a reliable comprehensive inventory of all defense business systems. Investment approval and accountability structures have been established for DOD and the Air Force, and related policies and procedures that are consistent with relevant guidance have been partially defined. However, these structures and processes are still lacking for the Navy. Business system investments costing over $1 million continue to be certified and approved, but these decisions are not always based on complete information. For example, key Navy investments have not fully demonstrated compliance with the department's BEA, and their economic justifications were not based on reliable estimates of cost and benefits. In addition, the information in DOD's authoritative repository of system investments that is used to make these decisions is not always accurate. Department officials attributed this slowdown in large part to pending decisions surrounding the roles, responsibilities, authorities, and relationships among key senior leadership positions, such as DOD's Deputy Chief Management Officer and the military departments' Chief Management Officers. Until DOD fully implements these long-standing institutional modernization management controls provided for under the Act, addressed in GAO recommendations, and otherwise embodied in relevant guidance, its business systems modernization will likely remain a high-risk program. As a result, it is important that the department act quickly to resolve pending decisions about key positions.
Recommendations for Executive Action
Status: Closed - Not Implemented
Comments: The Department of Defense (DOD) stated that it has a number of policy and guidance documents currently under development to help clarify the roles and responsibilities associated with development of the business enterprise architecture (BEA) and investment management. For example, the department's most recent investment management guidance specifies roles and responsibilities associated with managing portfolios of business systems. In addition, DOD has established a BEA Configuration Control Board, which is to, among other things, review, assess, and provide recommendations on the priorities of proposed BEA changes and help ensure that the BEA meets the needs of BEA content owners. However, the department has not clarified in policy or guidance the roles, responsibilities, authorities, and relationships between the Deputy Chief Management Officer and military department Chief Management Officers relative to the BEA and enterprise transition plan federation.
Recommendation: To ensure that DOD continues to implement the full range of institutional management controls needed to address its business systems modernization high-risk area, the Secretary of Defense should direct the Deputy Secretary of Defense, as chair of the DBSMC and as DOD's CMO, to resolve the issues surrounding the roles, responsibilities, authorities, and relationships of the Deputy CMO and the military department CMOs relative to the BEA and ETP federation and business system investment management.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: The Department of Defense (DOD) has taken sufficient steps to address the intent of the recommendation. For example, the department has been working to integrate information contained in its system data repositories by developing and implementing the DOD Information Technology Investment Portal (DITIP), which DOD began to use in May 2013. According to DOD documentation, the system is now the authoritative source for DOD header (i.e., basic) information about information technology (IT) systems and is to serve as a one stop source for all information technology investment portfolio information. More specifically, the system will maintain a core database composed of common DOD IT Portfolio Repository (DITPR) and Select and Native Programming Data Input System- Information Technology (SNAP-IT) data elements as well as essential data elements required for initial registration of DOD IT systems (e.g., investment title, mission area, etc.). According to DOD, efforts to establish the portal include addressing common data errors and integrating data between the portal and the DITPR and SNAP-IT system data repositories. In addition, DOD's Portfolio Certification Request Memorandum template includes language indicating that the component Pre-Certification Authority is to assert that information contained in DITPR, DITIP, and SNAP-IT has been verified to be complete and accurate prior to any system's certification to spend appropriated funds.
Recommendation: To ensure that business system investment reviews and related certification and approval decisions, as well as annual budget submissions, are based on complete and accurate information, the Secretary of Defense should direct the appropriate DOD organizations to develop and implement plans for reconciling and validating the completeness and reliability of information in its DITPR and SNAP-IT system data repositories, and to include information on the status of these efforts in the department's fiscal year 2010 report in response to the Act.
Agency Affected: Department of Defense